DPA - Expandi Group

Expandi Data Processing Agreement


1. The object of the following conditions is to define the operating modalities by which the Data Processor (Expandi Ltd and all its subsidiaries) undertakes to carry out, on behalf of the Data Controller (Customer), the processing of personal data that uploads or otherwise provides Expandi Ltd in connection with the services and the processing of any personal data that Expandi Ltd provides to Customer in connection with the service. Where Expandi Ltd, (38 Craven Street, London WC2N 5NG, UK): the holding company represents the companies within the group. You can see the full list of the companies here.


The parties agree, in relation to the data processing activities, the following:
2.1 That the data of the data subjects will be processed exclusively for the purposes inherent in the execution of the service.
2.2 That the type of personal data and the categories of data subjects to the processing will be limited only to those provided for in the service.
2.3 Expandi LTD shall process personal data only on documented instruction of the Data Controller.


3.1 Expandi LTD shall ensure that persons entitled to the processing of personal data have previously signed a confidentiality agreement (Non-disclosure agreement NDA).
3.2 Expandi LTD shall appoint, within the meaning of article 28, par. 2 of Regulation (EU 2016/679), another Data Processor, exclusively after explicit approval by the Data Controller.
3.3 Expandi LTD shall maintain the technical and organizational measures in order to ensure a level of security appropriate to the risk.
3.4 Customers reserve the right to verify and monitor the compliance status of the Data Processor with the information provided in the field of data protection, including through periodic audits by its personnel or external appointed personnel.


4.1 Expandi LTD shall assist the Data Controller using appropriate technical and organizational measures, in order to comply with the obligations of the Data Controller to respond the requests for the exercise of the rights of the data subjects under Article 15 of the EU regulation 2016/679.
4.2 In the event that Expandi LTD has advanced requests from the data subject about the exercise of his or her rights relating to the personal data owned by Data Controller, for example and not exhaustively: rectification, cancellation and limitation, data portability, Expandi LTD will have to inform Data Controller, without delay, and in any case not beyond the terms of the law.
4.3 In the event that Data Controller is obligated to provide information on personal data to other Data Controllers or third parties, Expandi LTD shall be obliged to cooperate by providing all necessary information.


5.1 Expandi LTD shall not disclose the data to third parties, to the public administration or to the judicial authority, without the prior authorization of Data Controller. In the event that European Union law or national law requires data communication and access to them, Expandi LTD shall communicate the data to the applicant and, subsequently, notify the event to the Data Controller, also communicating this legal obligation, unless the right prohibits such information for relevant reasons of public interest.


6.1 Unless different dispositions of law, Expandi LTD , depending on the choice of Data Controller, shall delete or return the personal data upon the due date or suspension of the services. Expandi LTD undertakes to delete existing copies, at the request of the Data Controller, unless the law of the European Union or Member States provides for the retention of data beyond the limit set by the Data Controller.


7.1 Expandi LTD must maintain, and from time to time update, the register containing the names and contact details of Expandi LTD’s sub- suppliers.
7.2 Expandi LTD shall maintain a log of access to personal data by a public administration, judicial authority or third part audit.
7.3 Expandi LTD shall maintain a record of the violations involving personal data of the data subjects.
7.4 In addition, Expandi LTD shall fill in the register of processing activities, pursuant to article 24, taking care to inform, when requested, the Data Controller of the categories of processing activities carried out on behalf of the Data Controller, and of any subcontractors involved.


8.1 Expandi LTD will inform Data Controller of further notice and documents relating to the international transfer data mechanism in accordance with article 46 of GDPR.


9.1 The engagement of Expandi LTD’s sub - supplier, requires Data Controller’s explicit prior written approval by using Certified Mail, if possible, otherwise, by e-mail. Expandi LTD will notify Data Controller in advance and without undue delay of any changes to Expandi LTD’s sub - supplier in accordance with the previous and explicitly approved list.
9.2 Expandi LTD shall impose the same data protection obligations as set out in this DPA on any approved Expandi LTD’s sub - supplier.
9.3 In case of Expandi LTD, in accordance with art. 28, par. 4 European Regulation 679/2016, appoint a Expandi LTD’s sub - supplier, to the latter are imposed the same obligations in force between the controller and Expandi LTD.
9.4 Expandi LTD remains responsible for its sub - processors and liable for their acts and omissions as for its own acts and omissions and any references to Expandi LTD ’s obligations, acts and omissions in this DPA shall be construed as referring also to Expandi LTD ’s sub - processors.


10.1 Expandi LTD will inform Data Controller without undue delay of any suspected non-compliance with applicable Data Protection Laws or relevant contractual terms of this DPA or in case of serious disruptions to operations or any other irregularities in the processing of the Data Controller Personal Data. Expandi LTD will promptly investigate and rectify any non-compliance as soon as possible and upon Data Controller’s request, provide Data Controller with all information requested with regard to the suspected non-compliance.
10.2 Expandi LTD will notify Data Controller without undue delay (and in no event later than 24 hours) after becoming aware of a Personal Data Breach in respect of the Services. Expandi LTD will promptly investigate the Personal Data Breach and will provide Data Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify Supervisory Authorities or Data Subjects).
10.3 To clarify, Expandi LTD will inform, at first Data Controller of any data breach, secondly Expandi LTD will inform Data Controller of any sub - Expandi LTD s’ data breach within 24 hours from the incident detection.


11.1 This DPA will remain valid until the discontinuance of the Services. Expandi LTD will maintain maximum confidentiality on data and information concerning the Controller of which it became aware of the fulfilment of its obligations.
11.2 Expandi LTD, at the expiration of the Services, must interrupt each operation of Data processing or it must provide for their complete cancellation, in both cases it must release a written statement stating that at Expandi LTD does not own any copy. In the case of request of the Data Controller, Expandi LTD must indicate the technical methods and procedures used for the cancellation and destruction.


12.1 Contentious, enquire and litigations between Parties concerning the DPA must be established forward the Court of Milan.
12.2 Italian Law governs this DPA.


Expandi LTD will maintain all technical and organizational security measures in accordance with GDPR Data Security Principles, for protecting Data Controller Personal Data against accidental loss, destruction, alteration, unauthorized disclosure or access, or unlawful destruction.


In the field of processing activities, which are the object of this DPA, Controller provides that Expandi LTD observes these security measures during processing activities:

  1. Maintain data Subject data within protected archives in mobile devices and in shared storage devices. In case of encryption it is recommended to choose a cryptographic key that is appropriate to the nature of the personal data involved.
  2. Limit the spread of data Subject data to authorized parties.
  3. Allow the access to personal data by users according to the rule of “minimum privilege”.
  4. Use of an appropriate user’s authentication system on the systems that process personal data.
  5. Record and monitor system users’ access to personal data in order to guarantee a clear and verifiable chain of responsibility.
  6. Keep the relevant access log (anomalies) on the system and personal data for the duration of processing activity.
  7. Record all access to the system logs by users with administrative rights.
  8. Prohibit the use of shared users among users for access to the systems and data.
  9. Logically segregate the network, so that “Guest” users cannot access the same subnet and users of the company’s system. In general, where it is possible to use multiple logical subnets (VLANs) each with specific rules (ACL) for access to service and network resources.
  10. Use the appropriate security protocol for Wi-Fi networks.
  11. Physically segregate the network, so that only authorized personnel can access the network devices.
  12. Use only secure communication protocols such as TLS 1.2 and SSH for client – server communication sessions.
  13. Allow remote access to IT resources only and exclusively through secure channels that make data traffic non traceable (IPsec, etc.).
  14. Store cryptographic keys used for applications and communications in special "containers".
  15. Inhibit the access by users of the systems to the TOR network (The Onion Routing).
  16. Only use mobile storage systems (USB) with adequate cryptographic protection in the transportation of personal data of the data subjects.
  17. Provide MDM / MDA solutions if users use or store personal data of the data subjects on mobile devices, whether they are owned by the company (COPE) or promiscuous (BYOD).
  18. Use the SFTP protocol for massive data transfer, prohibit the use of FTP.
  19. Inhibit the use by users of personal private cloud systems (ex: DropBox, Gdrive, Wetransfer etc) for the storage and transfer of files containing personal data of the interested parties.
  20. Use only instant-messaging systems that use the OTR (Off the record) protocols.
  21. Use PGP or S / MIME protocols for cryptographic security of email content.
  22. Provide adequate systems able to guarantee the continuity of the service provided (business continuity) on behalf of the owner, such that, in the event of a security incident, the same does not compromise the availability of data and service provided on behalf or in favour of the holder.
  23. Provide appropriate accident management procedures such that each security incident is detected, registered and processed by specialized personnel in its resolution. Each incident must be recorded in the incident register of the person in charge and then communicated to the data controller.