Data Processing Agreement
Last updated: [9 July 2026]. This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Hivenue Srl ("Processor") and is drafted in line with article 28 GDPR.
1. Subject matter and duration
The Processor processes personal data on behalf of the Controller to provide the Hivenue platform, for the duration of the subscription plus the retention window in section 8.
2. Nature and purpose of processing
Hosting, storage, display, analysis and automation of workspace data: store orders and customers, helpdesk email content, advertising data, dispute records, analytics events and workspace content, as configured by the Controller through the integrations it enables.
3. Categories of data subjects and data
Data subjects: the Controller's customers, staff and end users. Data categories: identification and contact data, order and transaction data, communication content, device and usage data collected by the first-party pixel. No special categories of data are intended to be processed.
4. Instructions
The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers, unless required by Union or Member State law. The service configuration and this DPA constitute the Controller's instructions.
5. Confidentiality and personnel
Persons authorised to process personal data are bound by confidentiality obligations and access data strictly on a need-to-know basis.
6. Security measures (annex)
- EU hosting (Frankfurt) for database, storage and authentication.
- AES-256-GCM envelope encryption for integration credentials and tokens.
- Workspace isolation enforced with row-level security at the database layer.
- TLS in transit; immutable audit logging of sensitive operations.
- Role-based access control inside each workspace.
7. Sub-processors
The Controller authorises the sub-processors listed in the Privacy Policy. The Processor will notify the Controller of intended changes at least [15] days in advance, giving the opportunity to object. Transfers outside the EEA rely on Standard Contractual Clauses.
8. Assistance, breaches, deletion
The Processor assists the Controller with data subject requests (articles 15 to 22 GDPR) and with security obligations. Personal data breaches are notified to the Controller without undue delay and no later than [48] hours after becoming aware. Upon termination, workspace data is deleted after a [60]-day export window, unless law requires longer retention.
9. Audits
The Processor makes available the information necessary to demonstrate compliance and allows audits, at most [once a year] and with [30] days' notice, at the Controller's expense.
10. Liability and precedence
Liability follows the main agreement. In case of conflict between this DPA and the Terms of Service, this DPA prevails for data protection matters.