Last updated: 03.03.2026
This Data Protection Addendum (“Addendum” or “DPA”) forms an integral part of the principal agreement/contract governing the provision of Syllex services (the “Agreement”) between Convivo S.r.l. – Startup Innovativa pursuant to D.L. 179/2012, with registered office at Piazzale Sant’Antonio 8/A, 67100 L’Aquila (AQ), Italy, VAT number 02206750669, REA AQ-217165 (“Convivo” or “Processor”), and the business customer (school/institution/company) using Syllex (“Customer” or “Controller”). This DPA applies to Personal Data which Convivo processes on behalf of the Customer in the provision of Syllex services (“Services”).
Unless otherwise indicated, terms beginning with a capital letter shall have the meaning attributed to them by Regulation (EU) 2016/679 (“GDPR”). Furthermore: “Privacy Laws” means the GDPR and any applicable national legislation on personal data protection. “Customer Personal Data” means personal data processed by Convivo on behalf of the Customer. “Sub-Processor” means third parties appointed to process Personal Data. “Restricted Transfer” means transfers to third countries not covered by an adequacy decision. “SCC” means the Standard Contractual Clauses approved by the European Commission.
“Include” means “includes without limitation”; statutory references include subsequent amendments and implementing regulations. In case of conflict between the Agreement and the DPA on the subject of privacy, the DPA shall prevail.
The Client is the Data Controller of personal data, and Convivo is the data processor limited to the personal data processed in order to provide the Services. Contact/personnel management data may also be processed by Convivo as the Data Controller for administrative/contractual purposes.
The Client guarantees to process data and use the Services in compliance with Privacy Laws, to provide information to data subjects, to give Convivo lawful documented instructions, not to upload unnecessary or unlawful data, and to be responsible for the content uploaded and the profiles assigned to users.
Convivo shall process the Customer's Personal Data solely for the purpose of providing the Services and in accordance with the Customer's documented instructions, unless required by law, in which case Convivo shall inform the Customer where permitted.
Convivo ensures that authorised staff are bound by confidentiality obligations and only access data on a “need-to-know” basis.
Convivo implements appropriate technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk, including, by way of example, encryption of data in transit (TLS/HTTPS), access control and credential management, logging and monitoring, backup and recovery procedures, infrastructural security measures, and environment segregation.
The Customer authorises Convivo to appoint Sub-Processors for the provision of the Services, on the understanding that each Sub-Processor is bound by contractual obligations in accordance with the GDPR and is subject to appropriate security measures. Convivo may update the list of Sub-Processors and provide prior notice where requested.
As of the latest update, Convivo can use, among others: Amazon Web Services (AWS) for cloud hosting/infrastructure, MongoDB for database services, and Google (Gemini) for AI services.
Where a transfer to third countries not covered by an adequacy decision is necessary, transfers will only take place on valid legal grounds, using SCCs and, where required, with necessary supplementary measures, and Convivo will provide useful information for the required assessments.
Convivo assists the Client, in accordance with its technical and operational capabilities, to enable data subjects to exercise their rights (access, rectification, erasure, restriction, objection, portability) in accordance with the Client’s instructions. If Convivo receives a request directly from a data subject, it forwards it to the Client without undue delay.
Convivo will notify the Customer, without undue delay, of any personal data breach concerning the Customer's Personal Data, providing reasonably sufficient information to enable the Customer to fulfil their notification obligations to the Authorities and/or data subjects.
Convivo will assist the Client with conducting Data Protection Impact Assessments (DPIAs) and with any prior consultations, limited to processing activities carried out as Controller and with available information.
On termination of the Services, at the Client's request, Convivo shall return the Client's Personal Data in a reasonable format where possible or shall delete it, save for any legal obligations requiring its retention. Residual copies in backups may persist for limited technical periods with restricted access.
Convivo shall provide the Customer with information necessary to demonstrate compliance with this DPA. The Customer may request audits or inspections reasonably during business hours, minimising the impact on systems and security. Compliance may also be demonstrated through available documentation, attestations, or reports.
Assistance requested under Articles 9–13 is included in standard services where compatible. Extraordinary requests due to complexity or urgency may incur additional costs agreed between the Parties.
The responsibilities of the Parties in relation to this DPA are governed by the Main Agreement, notwithstanding any mandatory provisions of law.
In the event of any conflict between this DPA and any other document between the Parties relating to data protection, this DPA shall prevail regarding privacy matters.
List of Parties: Account Holder (Customer) and Account Manager (Convivo).
Subject and duration of processing: provision of Syllex Services for the duration of the Contract.
Purpose: access and profile management, content hosting and storage, educational functionalities, AI processing of content, security, logging, abuse prevention, technical support.
Types of Personal Data: user data, institutional emails, technical identifiers (logs), uploaded educational content, usage metadata.
Stakeholder categories: teachers, institution staff, authorised students, collaborators.
Technical and Organisational Measures (TOMs): TLS/HTTPS, access management, logging/auditing, backup, disaster recovery, environment segregation, sub-contractor agreements.