Data Processing Agreement (DPA) — eSay CRM

Agreement pursuant to art. 28 of Regulation (EU) 2016/679 (GDPR) between:

• Data Controller ("Controller"): the eSay user who enters and manages their contacts/customers' data in the CRM;
• Data Processor ("Processor"): LANGA Corp. Srl, Piazza IV Novembre, 4 — 20124 Milano (MI), Italia, VAT IT10637600965.

This DPA supplements the eSay Specific Conditions (ES.2) and the Galaxy Terms.

DPA.1 Subject and duration of processing

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the eSay CRM service (contact management, communications, pipelines, marketing automations). Processing lasts for the entire service duration and the post-termination retention period (60 days, cf. ES.3).

DPA.2 Categories of data and data subjects

Data category	Data subjects
Personal data (name, surname, email, phone, address)	Controller's contacts/customers
Commercial data (pipeline, notes, communication history)	Controller's contacts/customers
Communication data (emails sent/received, automations)	Controller's contacts/customers

No special category data (art. 9 GDPR) is processed unless the Controller voluntarily enters it (in which case the Controller is solely responsible).

DPA.3 Processor obligations

LANGA Corp. Srl, as Processor, undertakes to:

• Process data only on documented instructions from the Controller and for the purposes of the eSay service;
• Ensure that persons authorized to process data are committed to confidentiality;
• Implement the security measures set out in DPA.5;
• Not transfer data outside the EEA without appropriate safeguards (DPA.7);
• Assist the Controller in fulfilling data-subject rights requests (access, rectification, erasure, portability);
• Assist the Controller with data protection impact assessments (DPIA) and prior consultation where necessary;
• At the end of the service, return or delete all personal data (cf. DPA.8);
• Make available to the Controller the information necessary to demonstrate compliance with art. 28 GDPR obligations.

DPA.4 Sub-processors

The Controller authorizes LANGA Corp. Srl to engage the following sub-processors:

Sub-processor	Purpose	Location
Hetzner Online GmbH	Server infrastructure hosting	Germany (EU)
Easy Infrastructure (Hetzner Online GmbH)	Transactional email	Germany (EU)
Hetzner Online GmbH	Backup/disaster recovery	Germany (EU)

LANGA Corp. Srl informs the Controller with at least 30 days' prior notice before adding or replacing a sub-processor. The Controller may object on reasonable grounds; if the objection is not resolved, the Controller may terminate the service. Each sub-processor is bound by the same obligations as this DPA.

DPA.5 Security measures (art. 32 GDPR)

LANGA Corp. Srl implements the following technical and organizational measures:

• Encryption: data in transit via TLS 1.2+; data at rest encrypted on disk;
• Access control: multi-factor authentication for administrators; principle of least privilege; access logging;
• Backup: daily backup with 30-day retention; periodic restore testing;
• Isolation: each Controller's data logically separated;
• Monitoring: AEGIS Tech Shield system for continuous security and status monitoring;
• Updates: security patches applied within 14 days of publication;
• Training: authorized personnel trained on data protection.

DPA.6 Breach notification

In case of a personal data breach, LANGA Corp. Srl notifies the Controller without undue delay and in any event within 72 hours of becoming aware, providing:

• Nature of the breach and approximate categories/number of data subjects affected;
• DPO/contact point details;
• Likely consequences of the breach;
• Measures taken or proposed to remedy the breach.

The Controller remains responsible for notification to the supervisory authority (art. 33 GDPR) and communication to data subjects (art. 34 GDPR).

DPA.7 International transfers

Data is processed on servers located in the European Union (Hetzner, Germany). Should transfer to third countries become necessary (e.g. for non-EU sub-processors), LANGA Corp. Srl ensures appropriate safeguards under GDPR Chapter V (adequacy decisions, standard contractual clauses, BCRs).

DPA.8 Data return and deletion

Upon termination of the eSay service: the Controller may export all data in CSV/JSON format (cf. ES.3); LANGA Corp. Srl maintains data access for 60 days after expiry; after 60 days, data is permanently deleted from all systems, except where legal retention obligations apply (e.g. 10-year fiscal retention for billing data). Upon request, LANGA Corp. Srl provides written confirmation of deletion.

DPA.9 Right of audit

The Controller has the right to verify compliance with this DPA through:

• Information and documentation requests to LANGA Corp. Srl;
• Audit conducted by the Controller or an independent third-party auditor, upon reasonable notice (at least 30 days) and respecting confidentiality.

LANGA Corp. Srl cooperates reasonably with the audit. Audit costs are borne by the Controller, unless the audit reveals a material non-compliance.

DPA.10 Contact and governing law

Data protection contact: legal@langa.tv. This DPA is governed by Italian law and the GDPR; jurisdiction: Tribunale di Milano.