Hivenue
Working draft. These terms are pending legal review and use placeholder company details.

Data Processing Agreement

Last updated: [9 July 2026]. This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Hivenue Srl ("Processor") and is drafted in line with article 28 GDPR.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller to provide the Hivenue platform, for the duration of the subscription plus the retention window in section 8.

2. Nature and purpose of processing

Hosting, storage, display, analysis and automation of workspace data: store orders and customers, helpdesk email content, advertising data, dispute records, analytics events and workspace content, as configured by the Controller through the integrations it enables.

3. Categories of data subjects and data

Data subjects: the Controller's customers, staff and end users. Data categories: identification and contact data, order and transaction data, communication content, device and usage data collected by the first-party pixel. No special categories of data are intended to be processed.

4. Instructions

The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers, unless required by Union or Member State law. The service configuration and this DPA constitute the Controller's instructions.

5. Confidentiality and personnel

Persons authorised to process personal data are bound by confidentiality obligations and access data strictly on a need-to-know basis.

6. Security measures (annex)

  • EU hosting (Frankfurt) for database, storage and authentication.
  • AES-256-GCM envelope encryption for integration credentials and tokens.
  • Workspace isolation enforced with row-level security at the database layer.
  • TLS in transit; immutable audit logging of sensitive operations.
  • Role-based access control inside each workspace.

7. Sub-processors

The Controller authorises the sub-processors listed in the Privacy Policy. The Processor will notify the Controller of intended changes at least [15] days in advance, giving the opportunity to object. Transfers outside the EEA rely on Standard Contractual Clauses.

8. Assistance, breaches, deletion

The Processor assists the Controller with data subject requests (articles 15 to 22 GDPR) and with security obligations. Personal data breaches are notified to the Controller without undue delay and no later than [48] hours after becoming aware. Upon termination, workspace data is deleted after a [60]-day export window, unless law requires longer retention.

9. Audits

The Processor makes available the information necessary to demonstrate compliance and allows audits, at most [once a year] and with [30] days' notice, at the Controller's expense.

10. Liability and precedence

Liability follows the main agreement. In case of conflict between this DPA and the Terms of Service, this DPA prevails for data protection matters.