Data Processing Agreement

1. Scope and roles

This Data Processing Agreement ("DPA") is entered into between the Organizer (the "Controller") and Rinoova S.r.L., VAT no. IT18432621003, registered office Via Jacopo della Quercia 32, 00155 Roma (RM), Italy (the "Processor", "Rinoova"), and forms an integral part of the Terms of Service. It applies whenever the Controller, in using the Rifesta service (the "Service"), causes Rinoova to process personal data of the Controller's event Guests and other individuals ("Controller Personal Data"). It is governed by Article 28 of Regulation (EU) 2016/679 ("GDPR"). For account, billing and security data Rinoova acts as an independent controller under its Privacy Policy, and this DPA does not apply to that processing.

2. Subject matter, duration, nature and purpose

Rinoova processes Controller Personal Data to provide the Service — collection, storage, processing, display to event Guests and synchronisation of event Content to destinations chosen by the Controller — as described in Annex 1. Processing lasts for the term of the Terms of Service and until deletion under Section 9.

3. Processor obligations

Rinoova shall:

  • process Controller Personal Data only on the Controller's documented instructions, including the instructions embodied in the Service and this DPA, unless required otherwise by EU or Member State law (in which case it informs the Controller, unless the law prohibits it);
  • ensure that persons authorised to process the data are bound by confidentiality;
  • implement the technical and organisational security measures set out in Annex 2 (Article 32 GDPR);
  • assist the Controller, by appropriate measures, in responding to data subject requests (Articles 12-23 GDPR);
  • assist the Controller in ensuring compliance with the obligations on security, breach notification, data protection impact assessments and prior consultation (Articles 32-36 GDPR);
  • make available to the Controller the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits under Section 8;
  • immediately inform the Controller if, in its opinion, an instruction infringes data protection law.

4. Controller obligations

The Controller warrants that it has a lawful basis to collect and have processed the Controller Personal Data, that it has provided its Guests with the required information, and that its instructions to Rinoova comply with data protection law. The Controller is responsible for the accuracy and lawfulness of the data it, and its Guests, upload.

5. Sub-processors

The Controller grants Rinoova general authorisation to engage sub-processors. The current sub-processors are listed in Annex 3. Rinoova will inform the Controller of any intended addition or replacement of a sub-processor with reasonable notice, giving the Controller the opportunity to object on reasonable data-protection grounds. Rinoova imposes on each sub-processor, by contract, data protection obligations equivalent to those in this DPA, and remains fully liable to the Controller for the performance of each sub-processor's obligations.

6. International transfers

Where processing involves a transfer of Controller Personal Data outside the EEA, Rinoova ensures an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses or an adequacy decision, as further described in the Privacy Policy.

7. Personal data breach

Rinoova notifies the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data, providing the information reasonably available to enable the Controller to meet its own notification obligations under Articles 33-34 GDPR.

8. Data subject requests and audits

If Rinoova receives a request from a data subject relating to Controller Personal Data, it forwards the request to the Controller and does not respond directly, save to direct the data subject to the Controller. The Controller may verify Rinoova's compliance with this DPA by reviewing the documentation and security information Rinoova makes available; where that is insufficient, the Controller may request an audit on reasonable prior notice, no more than once per year (save for cause or a supervisory authority's request), at the Controller's expense and subject to confidentiality.

9. Deletion or return of data

On termination of the Service, or earlier at the Controller's written request, Rinoova deletes or returns the Controller Personal Data at the Controller's choice, and deletes existing copies, unless retention is required by law. Event Content is in any case deleted according to the retention period of the Controller's plan. Copies held in routine encrypted backups are deleted on backup rotation.

10. Liability

Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. This DPA does not extend Rinoova's aggregate liability beyond the cap stated there, except to the extent such limitation is not permitted by mandatory law.

11. Term and governing law

This DPA takes effect when the Controller accepts it (including upon activation of a paid plan) and remains in force for as long as Rinoova processes Controller Personal Data. It is governed by Italian law; in case of discrepancy between language versions, the English version prevails.

Annex 1 — Details of processing

  • Subject matter: provision of the Rifesta event photo-collection service.
  • Duration: the term of the Terms of Service, plus the retention period of the Controller's plan.
  • Nature and purpose: collection, hosting, storage, processing, display to event Guests and synchronisation of event Content.
  • Types of personal data: identification and contact data of Guests; photographs and videos and their metadata, which may depict identifiable persons.
  • Categories of data subjects: the Controller's event Guests and other individuals depicted in or associated with the Content.

Annex 2 — Technical and organisational measures

  • Encryption of data in transit (TLS); encrypted storage of third-party access tokens.
  • Tenant isolation at database level through row-level security.
  • Hashed credentials; least-privilege access for personnel and services.
  • Immutable audit logging of authentication and consent events.
  • Transitory handling of upload originals and configurable retention.
  • Regular updates, backups and monitoring.

Annex 3 — Sub-processors

Sub-processor              Purpose                                                    Location
Cloudflare R2              Media object storage                                       EU region
OVHcloud                   Hosting, compute and database                              European Union (EEA)
Stripe                     Payments and billing                                       Ireland / USA
Google (Google Workspace)  Transactional email delivery                               EU / USA
Google LLC                 Optional Google Photos export, activated by the Controller USA

Google Analytics is used by Rinoova as a controller for its own websites and is not a sub-processor of Controller Personal Data.

Contact

Rinoova S.r.L. — legal@rinoova.com.