Data Processing Agreement
Effective: May 2026 — Last updated: 10 July 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between you ("Controller", "Customer") and ARX S.r.l. (Tax Code / P.IVA 04384231207), with registered office at Via Pellegrino Matteucci 24, 40137 Bologna, Italy, operating the Connecto service ("Processor"), with registered contact at info@connectodigital.com, and supplements the Terms of Service.
2. Scope and Purpose
The Processor processes personal data on behalf of the Controller to provide the Connecto platform, including LinkedIn outreach automation, AI message generation, and campaign analytics.
AI message generation is an integral and essential function of the Service, not an optional feature. It is performed as part of service delivery and is necessary for the performance of the contract (Art. 6(1)(b) GDPR); it is not based on consent and cannot be disabled independently of the Service. Manual templates fallback is provided only as a degraded user experience when CV is not uploaded; AI generation remains the primary value proposition and integral service function of Connecto.
3. Categories of Data Subjects
- Customer employees/representatives (account holders)
- LinkedIn users targeted by Customer campaigns ("Leads")
4. Types of Personal Data
- Account data: name, email, LinkedIn profile URL, CV text
- Lead data: name, headline, company, LinkedIn URL, location (publicly available on LinkedIn)
- Usage data: campaign configuration, message templates, analytics
5. Processing Duration
Processing continues for the duration of the Service Agreement. Upon termination, personal data is deleted within 30 days, except where retention is required by law.
6. Processor Obligations
- Process data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Delete or return all personal data at the end of the service
- Make available all information necessary to demonstrate compliance
7. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare | CDN, DNS, WAF, DDoS protection | USA (5 EU offices) | SCCs (Art. 46 GDPR) |
| Google Analytics 4 | Web analytics (consent-gated, Google Consent Mode v2) | Ireland (Google Ireland Ltd) / USA (Google LLC) | SCCs (Art. 46 GDPR) |
| Google OAuth | "Sign in with Google" authentication | Ireland (Google Ireland Ltd) | Within EU |
| Inngest | Background jobs & queue | San Francisco, USA | SCCs (Art. 46 GDPR) |
| iubenda | Cookie consent, privacy policy hosting | EU (Italy) | Within EU |
| OpenAI | AI message generation (GPT-4o-mini) | USA | SCCs (Art. 46 GDPR) |
| PostHog | Product analytics (consent-gated) | EU Cloud (eu.posthog.com) | Within EU (Iubenda preset shows USA — outdated) |
| Resend | Transactional email | USA | EU-US Data Privacy Framework + SCCs |
| Sentry | Error tracking | USA | SCCs (Art. 46 GDPR) |
| Stripe | Payments (Checkout, Portal, Connect) | USA | PCI DSS + SCCs (Art. 46 GDPR) |
| Supabase Auth | User authentication | EU Frankfurt | Within EU (Iubenda preset shows Singapore — outdated) |
| Supabase Database | PostgreSQL, RLS, Storage | EU Frankfurt (eu-central-1) | Within EU |
| Unipile | LinkedIn API (hosted auth, search, messaging) | Riorges, France (Scaleway DCs) | Within EU + SOC 2 Type II |
| Vercel | Hosting & serverless functions | Frankfurt (fra1), Germany | Within EU + SCCs (CDN edge global) |
8. International Transfers
Where personal data is transferred outside the EEA, the Processor ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
9. Security Measures
- Encryption at rest and in transit (TLS 1.3, AES-256)
- Row-Level Security (RLS) on all database tables
- Role-based access control
- Regular security audits and penetration testing
- Automated backup and disaster recovery
- LinkedIn credentials never stored (Unipile hosted auth)
10. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach, providing all information required under Art. 33 GDPR.
11. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable notice and confidentiality obligations.
12. Contact
For DPA-related inquiries: info@connectodigital.com