Data Processing Agreement

Version 1.1

Bentivoglio Consulting, LLC (EIN 35-2899869) with registered office at 131 Continental Dr, Suite 305, Newark, DE 19713, United States, email info@nexelia.ai

This Data Processing Agreement (hereinafter DPA) is an integral and substantial part of the contract stipulated between Bentivoglio Consulting, LLC (hereinafter the Company) and the Client (Registered User).

This DPA and the other provisions of the Contract are complementary. However, in case of conflict, the DPA shall prevail over the Contract.

PREMISES

Firstly, it is necessary to specify—for the purpose of a correct interpretation of what is agreed upon in this agreement—that the Client acts as the Data Controller for the data provided and processed through the NEXELIA AI service, while Bentivoglio Consulting, LLC will act exclusively as the Data Processor.

In compliance with the provisions of Article 28 of the GDPR, this agreement defines the methods, conditions, and instructions based on which the Data Processor, during the contractual relationship, must process the Client's personal data.

The Company adopts technical and organizational security measures (reviewed, updated, and implemented with the necessary frequency for the specific types of processing) that provide sufficient guarantees to be considered compliant with the aforementioned Article 28, ensuring the protection of the rights of the data subjects.

For clients subject to GDPR, the Company operates through its EU representative, AUTOMATION GENIUS BY K.D.L. (P.IVA 02789630692), with registered office in Bucchianico (CH), Italy, contrada Santa Maria Maggiore n. 4.

The premises are an integral part of what is provided below.

1. Subject

The services provided by NEXELIA AI can only be purchased by registered users ("direct clients") on the relevant site platform. Users, during the registration phase and when purchasing services, commit to providing their personal data correctly and up-to-date. The data provided are of a personal nature (such as, for example, personal details, navigation data, payment data, etc.), and will be collected and processed in electronic format.

Users, through the use of the services provided, may process personal and special category data of third parties ("indirect clients," i.e., clients of the registered users); in this case, the registered users are considered Data Controllers for the personal and special category data of their clients, with NEXELIA AI acting as the Data Processor on behalf of the registered users.

The registered users assume all responsibilities and obligations provided for by the relevant legislation, guaranteeing that such processing is based on suitable legal bases pursuant to Articles 6 and/or 9 and/or 10 of the GDPR. For these reasons, the registered users undertake to provide full indemnity against any dispute, claim, or request for compensation for damage from processing that may come from third parties not adequately informed about the processing carried out exclusively on behalf of the Data Controller.

For the reasons expressed above, on behalf of their registered users, personal data defined as "special category" data pursuant to Articles 9 and 10 of the GDPR (defined as "sensitive data" and "judicial data" in the previous legislation) may also be processed. The processing of the latter will be subject to additional security measures compared to the processing of other data.

Automated processes and profiling are carried out exclusively on behalf of the direct clients using the service, never for autonomous purposes. For these reasons, in order to make the service more and more performant for the direct client, the data provided may be used to "train" the artificial intelligence.

Data not necessary for managing the purposes specified below will be destroyed upon collection, or processed in an anonymous or aggregated form for statistical purposes.

With the acceptance of the Contract, this DPA is considered perfected and accepted by the Client who, pursuant to Article 28 of the GDPR, appoints the Company as the Data Processor regarding the personal data processed within the execution of the Contract.

The Processor sets up its data processing organization to protect the specific needs of the Controller, guaranteeing the following:

1.1) The processing of personal data is necessary only for the purpose of fulfilling the contractual relationship; no processing will be carried out autonomously.

1.2) Confidentiality of the processed data and the types of processing performed.

1.3) Transfer of data to non-EU countries where strictly necessary for the operation of the NEXELIA AI services, ensuring the use of secure software that declares in its general conditions to be compliant with the GDPR, appointed as data processors by Bentivoglio Consulting, LLC (and, consequently, appointed as sub-processors of the clients of the NEXELIA AI services).

1.4) Adoption of suitable and adequate technical and organizational security measures:

  • Antivirus with integrated firewall for PCs at all workstations.

  • A handbook with best practices for correct data processing has been distributed to all collaborators (including but not limited to, limited administrator access, correct password management, control of access logs, no hard copies).

  • Software with a legal headquarters in the EU or otherwise compliant with the GDPR is used as declared in the general conditions for product purchase and/or subscription.

  • Data minimization and segregation: only relevant data, complete with respect to the specific purposes of the service, are collected and processed. The entire platform is built with privacy by design and by default principles: pseudonymization of sensitive data in AI requests where possible, segregation of roles, and strict access limitations.

  • IT infrastructure and security: all devices and platforms are protected via strong authentication/MFA, access segmentation, log monitoring, periodic vulnerability assessment, and proactive software updates. Encrypted backups and disaster recovery via provider; encryption in transit (TLS/SSL) and at-rest (where offered).

  • Audit, logging, and access control: detailed audit logs for all sensitive activities, periodic review of access and privacy/security policies, internal incident response team.

  • Management of deletion/rights requests: documented flow for receiving/managing rights requests pursuant to Articles 15-22 GDPR from any data subject (direct or indirect), including deletion with cloud processors, if requested. Business customer support also in exercising rights towards third-party providers.

  • Risk assessment and improvement: DPIA updated periodically with the evolution of the software; evaluation of new processing before the release of new features.

  • Communication and transparency: specific privacy policies for direct clients, dedicated FAQ sections, legal support, and helpdesk in case of questions on the use, management, transfer, and deletion of data.

1.5) Periodic verification and updating of the measures listed above.

1.6) Continuous and adequate training of employees and data processors.

1.7) Timely communication to the Controller of any data breaches or violations.

1.8) Assistance to the Controller to follow up on data subject requests.

1.9) Collaboration with the Data Controller in relation to verification activities.

Finally, upon termination of the contractual relationship, the data of indirect clients will be deleted or anonymized. The data of indirect clients may also be deleted upon their request in the exercise of their right (withdrawal of consent or opposition).

2. Client's Sub-Processors

Bentivoglio Consulting, LLC, in order to improve its service and make it increasingly performant, may make use of its own service providers, who are appointed as Data Processors and, consequently, are Sub-Processors of the client using the NEXELIA AI service. The providers, in some cases, have their legal headquarters outside the EU but declare in their general conditions (as well as in their DPA signed by Bentivoglio Consulting, LLC) that they adhere to and are compliant with European data protection regulations. The automated processes and profiling are necessary by virtue of the service offered and are carried out exclusively on behalf of the clients using the service, never for autonomous purposes.

The Client/Data Controller, with the perfection of this DPA, expressly authorizes the Company to involve third-party providers necessary for the provision of the services covered by the Contract. The Processor, upon the Client's request, will make the updated list of sub-processors available.

Current Sub-Processors include but are not limited to:

  • OpenAI Inc. (AI language models)

  • Anthropic PBC (AI language models)

  • Bubble.io (Platform infrastructure)

  • Amazon Web Services (AWS) (Cloud hosting)

  • Stripe (Payment processing)

  • Postmark (Email services)

  • Gupshup.io (Messaging channels)

  • Meta Platforms (WhatsApp, Messenger, Instagram integration)

3. Client's Obligations

The Client assumes all responsibilities and obligations provided for by the relevant legislation, guaranteeing that the processing carried out through NEXELIA AI is based on suitable legal bases pursuant to Articles 6 and/or 9 and/or 10 of the GDPR. For these reasons, the users registered to the NEXELIA service undertake to provide full indemnity against any dispute, claim, or request for compensation for damage from processing that may come from third parties not adequately informed about the processing carried out exclusively on behalf of the Data Controller.

All operations performed through the use of credentials entail the automatic attribution of the operations to the Client. Therefore, the Client acknowledges and accepts that the Company may use any information obtainable from its computer systems to monitor access to the Services to prove the operations carried out by the Client.

In the event that the Client acts as a data processor on behalf of third parties, they guarantee to have received authorizations from them and to have informed them that Bentivoglio Consulting, LLC has been appointed as their Sub-Processor.

4. DPA Duration

The DPA will be effective for the entire duration of the contract.

5. Liability

The Company may be held liable only for damages caused in violation of the obligations provided for by the GDPR as a Data Processor.

6. Deletion of Personal Data

For the purpose of executing the NEXELIA AI service, the Controller will process the data provided for the entire duration of the contractual relationship; after its conclusion, the data will be stored for 10 years from the date of termination for accounting, tax, and legal compliance purposes. Subsequently, the data will be destroyed or processed in an anonymous or aggregated form for statistical purposes.

The personal data of third parties provided by registered users will be deleted or anonymized at the time the contractual relationship between the parties ceases and, consequently, the appointment of Bentivoglio Consulting, LLC as the Data Processor for registered users ends.

Furthermore, the personal data of third parties provided by registered users will also be deleted or anonymized if the registered user communicates the withdrawal of consent by their clients for the specific service.

For the purpose of marketing, the Controller will process the data provided for the entire duration of the contractual relationship and, after its conclusion, for 1 year from the date of termination in order to offer the client any promotional offers for the renewal of services. Subsequently, the data will be destroyed or processed in an anonymous or aggregated form for statistical purposes.

7. International Data Transfers

For clients subject to GDPR, all transfers of personal data to countries outside the European Economic Area (EEA) are conducted in accordance with Chapter V of the GDPR. The Company ensures that appropriate safeguards are in place, including but not limited to:

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Adequacy decisions by the European Commission

  • Binding Corporate Rules where applicable

  • Other legally recognized transfer mechanisms under GDPR Article 46

The Company, through its EU representative AUTOMATION GENIUS BY K.D.L., ensures full compliance with EU data protection requirements for all EU-based clients.

8. Contact Information

For any questions or requests related to this DPA, clients may contact:

Bentivoglio Consulting, LLC
131 Continental Dr, Suite 305
Newark, DE 19713, United States
Email: info@nexelia.ai

EU Representative (for GDPR matters):
AUTOMATION GENIUS BY K.D.L.
Contrada Santa Maria Maggiore n. 4
66011 Bucchianico (CH), Italy
P.IVA: 02789630692

Last Updated: February 2025

Version: 1.1

Copyright © Nexelia.ai | All rights reserved
131 Continental Dr Suite 305, 19713, Newark, United States
