Data Processing Addendum

Last updated: April 19, 2026 · Effective immediately

0. Overview and how to execute

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Cuttalo srl, Italy (“Processor”) and the customer (“Controller”) using the paid tiers of DepScope. By subscribing to a Pro or Team plan and accepting our Terms, the Controller is deemed to have entered into this DPA. A counter-signed PDF can be requested at [email protected].

1. Definitions

  • GDPR: Regulation (EU) 2016/679.
  • Personal Data, Processing, Data Subject, Controller, Processor, Sub-processor: as defined in art. 4 GDPR.
  • Service: the DepScope service made available by Cuttalo under the Terms of Service.
  • Customer Personal Data: personal data processed by Cuttalo on the Controller's behalf in the course of providing the Service.

2. Roles and scope

For Customer Personal Data processed through the Service, Cuttalo acts as Processor on behalf of the Controller. Each Party will comply with its obligations under GDPR and applicable data protection laws.

3. Subject-matter, nature, purpose, duration

  • Subject-matter: provision of the Service and related support.
  • Nature and purpose: operating the API, storing account data, delivering authentication emails, metering usage, preventing abuse, billing.
  • Duration: for the duration of the Agreement, plus retention periods stated in the Privacy Policy.
  • Types of data: email address, API key fingerprints, IP address (hashed), User-Agent, request metadata, billing identifiers.
  • Categories of Data Subjects: the Controller's authorized users who access the Service.

4. Processor obligations (art. 28(3) GDPR)

Cuttalo shall:

  • Process Customer Personal Data only on documented instructions from the Controller (the Terms, this DPA, and the Controller's configuration of the Service constitute documented instructions);
  • Ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations;
  • Implement appropriate technical and organizational measures as described in Annex II;
  • Assist the Controller in responding to Data Subject requests, breach notifications, and DPIAs (arts. 32-36 GDPR);
  • Upon termination of the Service, delete or return all Customer Personal Data, unless law requires retention;
  • Make available information necessary to demonstrate compliance and allow for audits as described in § 8.

5. Sub-processors (art. 28(2) GDPR)

The Controller grants general authorization to Cuttalo to engage the sub-processors listed at /subprocessors. Cuttalo will give at least 30 days' prior notice before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds; if no workable solution is found, the Controller may terminate the affected service.

6. International transfers

Where Customer Personal Data is transferred outside the EEA, the Parties agree that the transfer shall be subject to the EU–US Data Privacy Framework (where applicable) and/or the Standard Contractual Clauses 2021/914, Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Sub-processor), which are hereby incorporated by reference. Annexes I, II and III to the SCCs are populated by reference to Annexes I, II and III of this DPA.

7. Personal data breach

Cuttalo will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event within 48 hours, providing the information reasonably available to enable the Controller to comply with art. 33 GDPR.

8. Audits and information rights

The Controller may, on reasonable prior notice and no more than once per calendar year (unless a Personal Data Breach has occurred), request information necessary to demonstrate compliance. Cuttalo will make available audit reports, security documentation, and written responses. On-site audits may be arranged where strictly required by law, at the Controller's cost, under confidentiality.

9. Return and deletion

Within 30 days after termination of the Service, Cuttalo will delete or return, at the Controller's choice, all Customer Personal Data in its possession, subject to applicable legal retention obligations (e.g. art. 2220 Italian Civil Code for tax records).

10. Liability and precedence

Liability under this DPA is subject to the limitations in the Terms of Service, save for liability that cannot be limited under art. 1229 Italian Civil Code or GDPR art. 82. In case of conflict between this DPA and the Terms, this DPA prevails for matters relating to Processing of Customer Personal Data.

11. Governing law

This DPA is governed by Italian law, with exclusive jurisdiction of the Courts of Taranto, Italy, save for mandatory consumer-protection rules.

Annex I — Processing details

  • Data exporter: the Controller (customer).
  • Data importer: Cuttalo srl, Italy (Processor).
  • Nature / purpose: provision of the DepScope Service.
  • Categories of Data Subjects: Controller's authorized users.
  • Categories of personal data: email, hashed IP, User-Agent, API key fingerprints, request metadata, billing identifiers.
  • Frequency: continuous, for the duration of the Service.
  • Retention: see Privacy Policy § 5.

Annex II — Technical and organizational measures

See /security for the full description. Summary: TLS 1.2+, SHA-256 hashed API keys, no password storage, private network for DB, encrypted off-site backups on OVH Gravelines (EU), 6-hour automated alerts, 72-hour breach notification per GDPR.

Annex III — Authorized sub-processors

See /subprocessors for the current list and change-notification procedure.