1. Parties and privacy roles
This Data Processing Agreement ("DPA") is entered into between:
- Not a Design Company S.r.l., with registered office at Via Cipro 1, 25124 Brescia (BS), Italy, VAT / Tax ID 04730070986 ("Processor" or "NaDC");
- the customer using Normax in the course of its professional or business activity ("Controller" or "Customer").
For the purposes of this DPA:
- the Customer acts, as a rule, as controller of the personal data uploaded, transmitted or otherwise processed through Normax;
- Not a Design Company S.r.l. acts as processor solely for the processing necessary to provide Normax to the Customer;
- processing in which NaDC acts as an independent controller for its own purposes, such as account registration, service security, abuse prevention, billing, legal compliance and support, as described in the Privacy Policy, is excluded from this DPA.
2. Subject matter and duration
This DPA governs the processing of personal data carried out by NaDC on behalf of the Customer in connection with the use of Normax.
The DPA takes effect from the date of acceptance of the Terms and Conditions or from the start of processing on behalf of the Customer, if earlier, and remains in force for the entire duration of the contractual relationship and for the period strictly necessary to delete, return or render inaccessible the Customer's personal data in accordance with this DPA and the Terms.
3. Nature and purposes of processing
NaDC processes the Customer's personal data only to the extent necessary to:
- host, store, organise and make available documents, prompts, outputs and other data uploaded by the Customer;
- authenticate authorised users and manage access to the service;
- perform searches, classifications, summaries, analyses and other features requested by the Customer;
- ensure security, technical logging, backups, operational continuity, maintenance and support;
- comply with lawful instructions from the Customer that are compatible with the operation of the service.
NaDC does not process the Customer's personal data for incompatible own purposes and does not sell the Customer's data to third parties.
4. Categories of data and data subjects
The categories of personal data processed may include, depending on how the Customer uses Normax:
- identification and contact data contained in documents or prompts;
- professional, administrative, contractual and compliance-related data;
- metadata, application logs and technical data strictly necessary for the operation of the service;
- any other personal data entered by the Customer or its authorised users.
Categories of data subjects may include:
- employees, collaborators, consultants and representatives of the Customer;
- the Customer's customers, suppliers, partners or counterparties;
- any other natural person whose data is contained in materials uploaded by the Customer.
5. Documented instructions from the Customer
The Customer instructs NaDC to process personal data solely:
- to provide Normax in accordance with the Terms and Conditions, technical documentation and configurations activated by the Customer;
- on the basis of instructions given through use of the service by the Customer and its authorised users;
- within the limits necessary to comply with legal obligations applicable to the Processor.
If NaDC considers that an instruction from the Customer violates applicable data protection law, it will inform the Customer without undue delay, unless prohibited by law.
6. Customer obligations
The Customer:
- warrants that it has an appropriate legal basis for processing personal data through Normax and for communicating it to NaDC;
- remains responsible for the accuracy, quality, relevance and lawfulness of uploaded data;
- undertakes not to use Normax for processing that requires measures or guarantees not offered by the service, unless otherwise agreed in writing;
- undertakes not to upload data that is excessive or unnecessary for the purposes pursued.
NaDC ensures that persons authorised to process personal data:
- are bound by legal or contractual confidentiality obligations;
- receive appropriate instructions on access limits and applicable security measures;
- access personal data only to the extent strictly necessary for the performance of their duties.
8. Technical and organisational measures
Taking into account the state of the art, implementation costs, the nature of the service and risks to the rights and freedoms of natural persons, NaDC implements appropriate technical and organisational measures, including:
- user authentication and secure session management;
- segregation between Customer access and administrative access;
- encryption of data in transit using secure protocols;
- protections at rest provided by the cloud infrastructure used;
- technical logging, security monitoring, backups and incident response procedures;
- handling of bots, malicious traffic and abuse;
- maintenance, patching and vulnerability management processes applied to infrastructure and service logic.
Normax does not offer customised end-to-end encryption per Customer, nor a data residency different from that indicated in this DPA and the Terms.
9. Assistance to the Controller
Taking into account the nature of the processing and information reasonably available, NaDC will assist the Customer, to the extent reasonably necessary, to:
- respond to requests to exercise data subjects' rights;
- handle personal data breaches, notifications to the supervisory authority and communications to data subjects, where applicable;
- carry out data protection impact assessments and prior consultations, when required by law and relevant to processing carried out through Normax.
If NaDC receives a request directly from a data subject relating to data processed on behalf of the Customer, it will forward it to the Customer unless it is legally required to handle it differently.
10. Personal data breaches
In the event of a personal data breach concerning data processed by NaDC on behalf of the Customer, NaDC will inform the Customer without undue delay after becoming aware of it, providing information reasonably available and useful to enable the Customer to comply with its legal obligations.
11. Sub-processors
The Customer authorises NaDC to use the third-party services used by Normax as of the date of this DPA, 1 April 2026.
The suppliers used are as follows:
- Google Cloud (Google Ireland Limited) as cloud infrastructure provider for hosting, authentication, database and storage of application data, with data hosted in the European Union;
- Anthropic PBC (United States) as sub-processor for AI processing features;
- Stripe Payments Europe Limited as independent controller for payments, subscriptions and billing;
- Google Ireland Limited for usage analytics and abuse prevention, limited to technical, telemetry, browsing and security data necessary for the respective functions;
- Iubenda S.r.l. as processor solely for the Privacy Policy and Cookie Policy published in the Normax footer and related marketing consent records; consent records necessary for use of the `platform.normax.app` platform are managed directly by NaDC.
For the purposes of this DPA:
- the suppliers listed above, when they process the Customer's personal data on behalf of NaDC, act as sub-processors or authorised suppliers;
- analytics and abuse-prevention suppliers are not used to analyse the content of documents uploaded by the Customer;
- Stripe processes payment data under its own terms and, for such activities, acts as an independent controller under applicable law and contractual documentation.
When a supplier processes the Customer's personal data on behalf of NaDC, NaDC requires that supplier to assume data protection obligations substantially consistent with those set out in this DPA, to the extent required by applicable law.
For payment and billing services, the Customer must consult Stripe's documentation, including the Stripe Services Agreement, Stripe Services Terms and Stripe Privacy Policy.
If NaDC introduces, replaces or removes a sub-processor relevant to the provision of Normax, it will notify the Customer with at least 30 days' prior notice by updating this DPA, the Terms and Conditions, applicable privacy documentation or by email to the address associated with the account. Within that period the Customer may object on reasonable grounds to the new sub-processor; if the objection cannot be resolved within a reasonable time, the Customer may terminate the contract with immediate effect, without further charges beyond payment for services actually rendered up to the termination date.
12. Use of Anthropic Claude
For certain analysis or output generation features, Normax uses Anthropic Claude.
In relation to this supplier:
- NaDC transmits to Claude only data, document extracts, technical prompts, instructions and metadata strictly necessary for the specific requested operation;
- before sending to Claude, NaDC applies minimisation criteria and does not transmit the Customer's company name or personal data when such elements are not necessary for the requested processing;
- content sent to Claude is not used by NaDC or Anthropic to train general-purpose models;
- Anthropic retains data sent to Claude for up to 30 days solely for security and abuse monitoring purposes, in accordance with the documentation referenced in this DPA.
For further details, the Customer must consult Anthropic's public documentation referenced in this DPA:
13. International transfers
As of the date of this DPA, 1 April 2026, Customer data stored directly by NaDC for the provision of Normax is hosted in the European Union.
Transfers of or access to personal data outside the EEA occur only to the extent strictly necessary for the use of the suppliers indicated in section 11, and in particular:
- Anthropic PBC, for AI features;
- Stripe, for payments, subscriptions and billing;
- analytics and abuse-prevention suppliers, limited to technical, telemetry, browsing and security data necessary for the respective functions.
Where such transfers are subject to the GDPR or equivalent legislation, NaDC will adopt measures required by applicable law, which may include:
- adequacy decisions;
- standard contractual clauses;
- reasonable supplementary measures;
- other lawful transfer mechanisms provided for by applicable legislation.
14. Audits and information
Upon the Customer's request and taking into account the self-service nature of the service, NaDC will make available information on applicable security measures and compliance with this DPA, within the limits permitted by confidentiality, security and protection obligations towards other customers.
On-site audits, customised reviews, extended questionnaires and enterprise requests require a separate agreement.
15. Return and erasure of data
Upon termination of the contractual relationship, NaDC will erase or render inaccessible personal data processed on behalf of the Customer in accordance with applicable retention periods for the service, unless retention is required by law or is strictly necessary for handling disputes, security or fraud prevention for the minimum necessary time.
If the user or the Customer wishes to request deletion of the account, they must write to info@normax.it from the address associated with the account. After receipt of the request and completion of reasonably necessary verification, NaDC undertakes to erase from its servers all user data associated with the account, including uploaded documents, subject to the retention limits indicated above.
16. Prevalence and relationship with other documents
This DPA supplements the Normax Terms and Conditions and applicable privacy documentation. In the event of a conflict between this DPA and the Terms, this DPA prevails with respect to aspects concerning the processing of personal data carried out by NaDC on behalf of the Customer.