DATA PROCESSING AGREEMENT (DPA)
Annex to the Terms of Service
Last Updated: December 2025
This Data Processing Agreement ("DPA") sets out the rules for the processing of Personal Data within the scope of the Services provided by Twini and is entered into between:
The Customer subscribing to the Services (hereinafter "Controller"); and
Twini S.r.l., with registered office at Via Pietro Paleocapa 7, 20121 Milano (MI), Italy, VAT ID 13697330960 (hereinafter "Twini" or "Processor").
(The Controller and the Processor are hereinafter referred to individually as a "Party" and jointly as the "Parties").
PREAMBLE:
By purchasing Twini Services (including the "Conversational PDP Widget" and "AI-Optimized Product Data" modules), the Customer has accepted the Terms of Service ("Agreement"), of which this DPA forms an integral part.
The execution of the Agreement implies that Twini processes Personal Data on behalf of the Customer (e.g., end-user chats, Shopify order data).
The Parties intend to regulate such processing in compliance with Art. 28 of Regulation (EU) 2016/679 ("GDPR").
NOW, THEREFORE, THE PARTIES AGREE AS FOLLOWS:
1. DEFINITIONS
Capitalized terms not defined herein shall have the meaning ascribed to them in the GDPR or the Agreement.
"Personal Data": Any information relating to an identified or identifiable natural person ("Data Subject").
"Personal Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Services": The AI-commerce platform provided by Twini, including product catalog processing and automated chat interactions.
2. SUBJECT MATTER AND APPOINTMENT
The Customer appoints Twini as Data Processor pursuant to Art. 28 of the GDPR. Twini accepts the appointment and agrees to process Personal Data exclusively for the purpose of executing the Agreement and in accordance with the documented instructions of the Customer.
3. CATEGORIES OF DATA AND DATA SUBJECTS
3.1. Categories of Data. In the execution of the Agreement, the Processor may process the following categories of data:
Identification and Contact Data: Name, surname, email, phone number, IP address, Shopify Order ID.
Browsing and Behavioral Data: Logs of activity on the Customer's e-commerce site, products viewed.
Conversational Data (User Content): Text, questions, and inputs provided by Data Subjects within the chat widget (Conversational PDP Widget).
Transactional Data: Purchase history, order details, and returns (excluding the direct processing of full credit card numbers, which are handled by third-party Payment Gateways).
3.2. Special Categories. Although the Service does not require the processing of special categories of data (Art. 9 GDPR - e.g., health data), the Customer acknowledges that Data Subjects may freely share such information in chats. Twini will process such data with the same security measures applied to common data.
3.3. Data Subjects. The data refers to the Customer's end customers (shoppers), visitors to the Customer's e-commerce site, and the Customer's employees accessing the dashboard.
4. OBLIGATIONS OF THE PROCESSOR (TWINI)
Twini agrees to:
Instructions: Process data only in accordance with the Customer's instructions and the Agreement. Specifically, Twini is prohibited from using Personal Data to train, fine-tune, or improve foundational AI models (LLMs) unless the Customer has explicitly opted into such processing via a separate written addendum.
Confidentiality: Ensure that persons authorized to process the data (employees and contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security: Implement all technical and organizational measures required by Art. 32 of the GDPR to ensure a level of security appropriate to the risk (e.g., encryption in transit and at rest, access controls).
Assistance: Assist the Customer, to the extent possible, in fulfilling requests to exercise Data Subject rights (e.g., right to erasure, access) and in ensuring compliance with obligations relating to security and Data Protection Impact Assessments (DPIA).
Deletion: Upon termination of the Service, delete or return all Personal Data to the Customer, unless storage is required by law.
5. INTERNATIONAL TRANSFERS (NON-EU)
5.1. The Customer acknowledges that Twini, in providing Artificial Intelligence services (e.g., via LLM providers such as OpenAI, Anthropic, or cloud infrastructure such as AWS), may transfer data to third countries (specifically the United States).
5.2. Such transfers shall take place exclusively on the basis of:
Adequacy Decisions of the European Commission (including the EU-US Data Privacy Framework); or
Standard Contractual Clauses (SCCs) approved by the European Commission, with the adoption of supplementary measures where necessary.
6. SUB-PROCESSORS
6.1. The Customer expressly authorizes Twini to engage other data processors ("Sub-processors") for the execution of specific activities (e.g., hosting, AI model providers, analytics).
6.2. Twini shall impose on such Sub-processors, by way of a written contract, the same data protection obligations as set out in this DPA. Twini remains fully liable to the Customer for the performance of the Sub-processors' obligations.
6.3. The list of current Sub-processors is maintained in Twini's Privacy Policy. The Customer may request an updated list at any time.
7. DATA BREACH
In the event of a Personal Data Breach, Twini agrees to:
Notify the Customer without undue delay after becoming aware of the breach (and in any event within 48 hours);
Provide the information necessary to allow the Customer to notify the breach to the Supervisory Authority and/or Data Subjects, where required by Arts. 33-34 of the GDPR.
8. AUDIT AND INSPECTIONS
Twini shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for audits or inspections conducted by the Customer (or an auditor mandated by the Customer), upon at least 30 working days' written notice and at the Customer's expense, provided that such inspections do not compromise the security of Twini's other customers.
9. APPLICABLE LAW AND JURISDICTION
This DPA is governed by Italian Law. Any dispute shall be subject to the exclusive jurisdiction of the Court of Milan.