Data Processing Addendum (DPA)

Last Updated: June 1, 2026

This Data Processing Addendum ("DPA") forms an integral part of the Software as a Service (SaaS) Agreement or Master Services Agreement (the "Agreement") entered into by and between KulinariQ S.r.l. ("Gustaio" or "Processor") and the corporate entity identifying itself as the customer in the Agreement ("Client" or "Controller").

This DPA governs the processing of personal data in connection with the Gustaio Workbite and Gustaio Experience platform modules and associated enterprise integrations.


1. Definitions

  • "Applicable Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Italian Legislative Decree no. 196/2003 ("Codice Privacy") as amended by Legislative Decree no. 101/2018, and any other applicable national implementing laws, as amended or replaced from time to time.
  • "Garante" means the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), which is the competent Supervisory Authority for the Processor.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" shall have the meanings given to them in the GDPR.
  • "Sub-processor" means any third-party data processor engaged by Gustaio to assist in providing the Services, who processes Personal Data on behalf of the Controller.

2. Role of the Parties & Scope

  • 2.1 Roles: The Parties acknowledge and agree that with respect to the provisioning of employee rosters and account creation data via API or directory sync, the Client acts as the Data Controller and Gustaio acts as the Data Processor.
  • 2.2 Scope of Instructions: Gustaio shall process Personal Data exclusively on behalf of and in accordance with the documented instructions of the Client. The Agreement and this DPA constitute the Client's complete and finalized instructions to Gustaio.
  • 2.3 Compliance: If Gustaio is unable to comply with the Client's instructions for any reason, or if Gustaio believes an instruction infringes Applicable Data Protection Law, Gustaio shall immediately inform the Client.

3. Confidentiality

Gustaio ensures that all personnel authorized to process the Personal Data have committed themselves to strict confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

4. Security of Processing

  • 4.1 Technical and Organizational Measures: Gustaio shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Schedule 2 of this DPA.
  • 4.2 Updates: Gustaio may update or modify its security measures from time to time, provided that such updates do not decrease the overall level of security guaranteed under this DPA.

5. Sub-processors

  • 5.1 Prior Authorization: The Client grants a general written authorization to Gustaio to engage Sub-processors to deliver the cloud infrastructure and platform modules. An up-to-date list of current Sub-processors is maintained in Schedule 1 of this DPA.
  • 5.2 Notification of Changes: Gustaio shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors via email or an admin dashboard announcement at least fourteen (14) days in advance, thereby giving the Client the opportunity to object to such changes.
  • 5.3 Flow-Down Contractual Obligations: Where Gustaio engages a Sub-processor, Gustaio shall impose the same data protection obligations on the Sub-processor as those set out in this DPA by way of a formal written contract.

6. Data Subject Rights

Taking into account the nature of the processing, Gustaio shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR. If Gustaio receives a request directly from a Data Subject, it will redirect the Data Subject to the Client without undue delay.

7. Personal Data Breaches

  • 7.1 Notification: Gustaio shall notify the Client without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a personal data breach affecting the Client's employee data.
  • 7.2 Cooperation: Gustaio shall reasonably cooperate with the Client to assist in investigating, mitigating, and reporting the breach to regulatory authorities or Data Subjects as required under GDPR Articles 33 and 34.

8. Audit Rights

Gustaio shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. Gustaio shall allow for and contribute to audits, including inspections, conducted by the Client or an independent auditor mandated by the Client. Such audits may occur no more than once per calendar year, upon at least thirty (30) days' written notice.

9. Assistance with Compliance

Gustaio shall provide reasonable assistance to the Client in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and the information available to Gustaio.

10. Term and Termination

This DPA shall remain in effect for the duration of the underlying SaaS Agreement. Upon termination of the Agreement, Gustaio shall, at the choice of the Client, safely delete or return all Personal Data to the Client, and delete existing copies unless European Union or national law requires storage of the personal data.

11. Governing Law & Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Republic of Italy. The Parties agree that any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Bolzano (Bozen), Italy. The competent Supervisory Authority for all matters relating to the Processor's data protection obligations is the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority).


Schedule 1: Details of Processing

A. List of Parties

  • Data Controller: The Client designated in the SaaS Agreement.
  • Data Processor: KulinariQ S.r.l. (Gustaio), Via Anton Steger 11, 39031 Brunico (BZ), Italy.

B. Description of Processing

  • Categories of Data Subjects: Active corporate employees, frontline staff, and designated administrative users of the Client.
  • Types of Personal Data Processed: Full Name, Corporate/Work Email Address, Phone Number, and Unique Corporate Employee ID tokens. (Note: Passwords are never accessed or stored).
  • Purpose of Processing: To automate user provisioning, facilitate frictionless single sign-on (SSO), track corporate lunch subsidy parameters, and manage company benefit allocations.
  • Duration of Processing: The duration of the underlying Agreement plus the period from the expiry of the Agreement until the formal deletion of data.
  • Location of Processing: All databases and core processing facilities are located strictly within the European Union (EU).

C. Approved Sub-processors

Sub-processor | Service | Location
--- | --- | ---
Google Cloud Platform (Google Ireland Ltd.) | Cloud Infrastructure, Firebase & Firestore Database Hosting | EU (europe-west)
Vercel Inc. | Web Application Hosting & Edge Delivery | EU (Frankfurt)

Schedule 2: Technical & Organisational Measures (TOMs)

Gustaio maintains robust safeguards, including but not limited to:

  1. Access Control & Authentication: Cryptographic, short-lived token validation. Production systems use Multi-Factor Authentication (MFA) and least-privilege access control.
  2. Data Isolation: Logical multi-tenant separation ensuring data records are strictly partitioned per client.
  3. Encryption: Personal Data is encrypted in transit using TLS 1.2/1.3 and encrypted at rest within cloud-hosting storage environments.
  4. Availability & Resilience: Automated daily backup schedules stored securely across redundant EU locations.
  5. Vulnerability Management: Regular code review, automated dependency vulnerability alerts, and rapid security patching protocols.

KulinariQ S.r.l.
Via Anton Steger 11, 39031 Brunico (BZ), Italy
VAT: IT 03291090219
Contact: support@gustaio.ai
