
Data Processing Agreement (DPA)

Version: 1.0
Effective date: 04 May 2026
Last updated: 04 May 2026
Language: English (courtesy translation — the Romanian version prevails)


Important note on this courtesy translation. This English version is a courtesy translation of the official Romanian Data Processing Agreement (Acord de Prelucrare a Datelor). In case of any discrepancy or interpretive divergence, the Romanian-language version prevails as the legally binding document.


NOTICE — BETA STAGE. The Bits CRM Service is in BETA stage. The technical data-processing configurations may evolve. Bits CRM exercises reasonable diligence to keep this Agreement up to date and will notify modifications in accordance with section 17.


Preamble

This Data Processing Agreement (hereinafter the “Agreement” or “DPA”) is entered into between:

  • The Bits CRM Customer, the natural or legal person who has created an account and accepted the Terms and Conditions of the platform, acting as data controller for the personal data processed through the platform (hereinafter the “Customer” — in GDPR terms, the controller), on one hand, and
  • BITS DIGITAL SOLUTIONS S.R.L., CUI 51905748, J2025039656002, share capital RON 200, official email office@64bits.it, registered office disclosed upon written and reasoned request, in its capacity as Processor on behalf of the Customer (hereinafter the “Processor”), on the other hand,

collectively referred to as the “Parties” and individually as a “Party”.

The Agreement governs the processing of personal data by the Processor on behalf of the Customer, in connection with the use of Bits CRM Services, in accordance with Regulation (EU) 2016/679 (GDPR), Romanian Law no. 190/2018 implementing GDPR in Romania, Romanian Law no. 506/2004, and other applicable legislation.

Acceptance mechanism

The Agreement is concluded electronically, by acceptance of the Bits CRM Terms and Conditions, into which this DPA is incorporated by reference. By accepting the Terms and Conditions, the Customer confirms full and unreserved acceptance of this Agreement in the version published at https://bitscrm.ro/en/data-processing-agreement at the time of acceptance.

For enterprise customers requiring custom modifications (additional clauses, specific annexes, formal electronic signing), the standard DPA may be adapted by bilateral negotiation — request via office@64bits.it.

Documents incorporated by reference

This Agreement is to be read together with:

  • Terms and Conditions — https://bitscrm.ro/en/terms-and-conditions
  • Privacy Policy — https://bitscrm.ro/en/privacy-policy

In case of conflict between the Terms and Conditions and this Agreement, on matters of personal data protection, this Agreement prevails.


1. Definitions

In this Agreement, the terms below have the meaning provided by GDPR art. 4 or, as the case may be, the meaning attributed in the Bits CRM Terms and Conditions:

  • Personal data — any information relating to an identified or identifiable natural person (GDPR art. 4(1)).
  • Processing — any operation or set of operations performed on personal data (GDPR art. 4(2)).
  • Customer — the Bits CRM Customer, acting as data controller under GDPR; the entity who determines the purposes and means of processing the Customer Content.
  • Processor (or Bits CRM) — BITS DIGITAL SOLUTIONS S.R.L., acting as GDPR processor; processes data on behalf of the Customer, in accordance with the Customer’s instructions.
  • Data subject — the natural person whose data is processed (the Customer’s end clients, contacts, prospects, partners, etc.).
  • Customer Content — personal data and other information uploaded, created, transmitted or processed by the Customer or its Users through the Bits CRM platform.
  • Services — the features of the Bits CRM platform, as described in the Terms and Conditions.
  • Services we rely on — third-party technology providers essential for the operation of the Services (sub-processors).
  • Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (GDPR art. 4(12)).
  • Supervisory authority — the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), https://dataprotection.ro.

2. Subject matter, duration, nature and purpose of processing

2.1 Subject matter

The subject matter of the processing is Customer Content containing personal data, processed through the Bits CRM platform for the purpose of providing the Services subscribed to by the Customer.

2.2 Duration

The Agreement applies:

  • throughout the duration of the contract between the Parties governed by the Bits CRM Terms and Conditions;
  • and during the post-termination retention period set out in section 15.

2.3 Nature of processing

Processing includes, without limitation: storage, organisation, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, restriction, erasure or destruction, transmission to sub-processors strictly for the operation of the Services.

2.4 Purpose of processing

The provision of Bits CRM Services (CRM, e-Factura invoicing, payments, calendar, appointments, drive, collaborative notes, task management, video meetings, AI assistant, OCR, push notifications, RBAC) at the instruction of the Customer, in accordance with its configurations in the platform.

Full details of the processing are presented in Annex A.


3. Types of data and categories of data subjects

The specific types of personal data processed and the categories of data subjects are described in detail in Annex A and may include, depending on the use made by the Customer:

  • identification and contact data of end clients, contacts, partners;
  • fiscal data (CUI/CIF) of contracting entities;
  • financial data (invoices, payments, amounts);
  • communications (e-mail, SMS, in-app messages);
  • content of documents, files, scanned images;
  • prompts and AI output entered/generated by the Customer’s users;
  • exceptionally and under the exclusive responsibility of the Customer: sensitive data (health data for medical clinics; data under professional secrecy for lawyers; data about minors for teachers etc.).

4. Customer obligations

The Customer assumes the following obligations, in its capacity as data controller:

4.1 Legal basis

The Customer ensures that it has a valid legal basis (GDPR art. 6 and, where applicable, art. 9 or 10 GDPR) for each processing of personal data carried out through the platform.

4.2 Information of data subjects

The Customer fulfils its information obligations under GDPR art. 13 and 14 towards data subjects whose data it uploads to the platform.

4.3 Data subject rights

The Customer is primarily responsible for the exercise of data subject rights (access, rectification, erasure, restriction, portability, objection), with the assistance of the Processor in accordance with section 8.

4.4 Lawful instructions

The Customer transmits to the Processor only lawful instructions, in accordance with GDPR and applicable legislation. The Customer ensures that the instructions given by configuring the Services are within the limits of the purposes declared to data subjects.

4.5 Lawful Customer Content

The Customer is responsible for ensuring that the Customer Content does not infringe third-party rights, does not contain unlawfully collected data, and complies with the fiscal, professional and marketing obligations applicable to its activity.

4.6 Compliance with Law 506/2004

For the use of commercial communication features (e-mail/SMS marketing, recording of calls/meetings), the Customer complies with Romanian Law 506/2004 art. 12 — opt-in, soft opt-in, sender identification, unsubscribe mechanism — and ensures the consent / adequate information of recipients.

4.7 Sensitive data

If the Customer uploads to the platform data from special categories under GDPR art. 9 or data on criminal convictions (GDPR art. 10), the Customer ensures that it has a special legal basis (explicit consent, legal obligation, vital interest, etc.) and applies adequate additional safeguards.


5. Processor obligations

In accordance with GDPR art. 28(3), the Processor assumes the following obligations:

5.1 Processing only on documented instructions

The Processor processes personal data exclusively on the basis of documented instructions from the Customer, including with regard to international transfers, except where processing is required by Union or Romanian law.

The following are considered documented instructions: this Agreement, the Bits CRM Terms and Conditions, the configurations made by the Customer in the platform, written instructions transmitted to office@64bits.it.

If the Processor has a legal obligation to process data outside these instructions, it informs the Customer of that obligation before processing, except where applicable law prohibits such information on important grounds of public interest.

If an instruction of the Customer infringes, in the Processor’s view, GDPR or other EU/RO data protection provisions, the Processor promptly informs the Customer.

5.2 Personnel confidentiality

The Processor ensures that all persons authorised to process personal data are bound by confidentiality obligations, through employment contracts, non-disclosure agreements (NDA) or equivalent statutory obligations.

5.3 Technical and organisational measures

The Processor implements adequate technical and organisational measures, in accordance with GDPR art. 32, to ensure a level of security appropriate to the risk. Details are presented in Annex B. These measures may evolve during the BETA stage of the platform.

5.4 Sub-processors

See section 6 below.

5.5 Assistance with data subject requests

The Processor assists the Customer, to the extent of the technical and organisational possibilities of the Services, in fulfilling the obligation to respond to data subject requests regarding their rights (GDPR art. 15-22), including:

  • providing exports of data;
  • deleting or anonymising specified data;
  • restricting processing;
  • correcting inaccurate data.

Assistance is free of charge for reasonable requests. For manifestly unfounded or excessive requests (in particular due to repetitive nature), the Processor may refuse or charge a reasonable fee based on administrative costs (GDPR art. 12(5)).

5.6 Assistance with the Customer’s obligations (art. 32-36)

The Processor assists the Customer in ensuring compliance with its obligations under GDPR art. 32-36, taking into account the nature of processing and the information available to the Processor:

  • implementation of security measures (art. 32);
  • breach notification (art. 33-34);
  • carrying out data protection impact assessments (DPIA — art. 35);
  • prior consultation with the supervisory authority (art. 36).

5.7 Breach notification

In accordance with GDPR art. 33(2), the Processor notifies the Customer without undue delay after becoming aware of a personal data breach, with a target term of 48 hours.

The notification includes, to the extent of the information available at the time of notification:

  • the nature of the breach;
  • the categories and approximate number of data subjects affected;
  • the categories and approximate number of records affected;
  • the likely consequences of the breach;
  • measures taken or proposed to remedy the breach and mitigate its possible adverse effects;
  • the point of contact for further information.

The Customer remains responsible for notifying the breach to ANSPDCP within 72 hours (GDPR art. 33) and, where applicable, to data subjects (GDPR art. 34), using the information received from the Processor.

Procedural details are in section 10.

5.8 Return / deletion of data upon termination

Upon termination of the provision of Services, at the choice of the Customer, the Processor returns all personal data to the Customer or deletes it and destroys existing copies, except where Union or Romanian law requires further storage. Details are in section 15.

5.9 Making available compliance information

The Processor makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR art. 28. For details on the audit regime, see section 12.


6. Sub-processors

6.1 General authorisation

The Customer generally authorises the Processor to use sub-processors for the provision of the Services, subject to the obligations below.

6.2 Current categories

The current categories of sub-processors (Services we rely on) are listed in Annex C. They include, by way of example and without being exhaustive:

  • cloud infrastructure provider (database hosting, object storage, cache);
  • transactional email provider;
  • payment processing provider (PCI-DSS certified);
  • artificial intelligence model provider;
  • video meeting infrastructure provider;
  • anti-bot protection provider (CAPTCHA);
  • mobile push notifications provider.

6.3 Detailed list

The detailed list of sub-processors, with the specific provider names, jurisdiction and applicable third-party DPA, is available upon written and reasoned request transmitted to office@64bits.it, possibly under a reasonable confidentiality obligation, in order to protect the software design and commercial strategy.

6.4 Sub-processor obligations

The Processor ensures that each sub-processor is engaged through a written contract imposing data protection obligations equivalent to those in this Agreement, in particular regarding technical and organisational measures and the confidentiality obligation.

6.5 Notification of changes

The Processor notifies the Customer of the addition or replacement of a sub-processor with at least 30 calendar days prior notice, by email to the address associated with the account and/or by in-app notification.

6.6 Right to object

Within 30 days of the notification, the Customer may object on reasoned grounds to the change, by written notification to office@64bits.it. Reasonable grounds may include specific data protection risks, compliance with the Customer’s sectoral requirements or other objective reasons.

In case of a reasoned objection:

  • The Parties engage in good-faith dialogue to find an acceptable solution (for example, configurations that exclude the relevant sub-processor for certain components);
  • If a solution cannot be reached within a reasonable time (max. 30 additional days), the Customer may terminate the Terms and Conditions without penalty and without prejudice to its rights through termination. The termination takes effect at a date agreed by the Parties, but no later than the entry into force of the change.

6.7 Processor liability

The Processor remains fully liable to the Customer for the obligations of the sub-processor, within the limits set out in this Agreement and the Terms and Conditions.


7. International transfers

Certain Services we rely on may process data outside the European Economic Area (EEA), in particular: AI model providers, payment processors and transactional email providers may have components operated from the United States of America or other third jurisdictions.

7.1 Adequate safeguards

These transfers are covered by adequate safeguards under GDPR art. 46:

  • Standard contractual clauses adopted by the European Commission through Decision (EU) 2021/914;
  • EU-US Data Privacy Framework (Decision (EU) 2023/1795), for certified entities;
  • Other mechanisms recognised by GDPR (binding corporate rules, specific derogations, etc.), where applicable.

7.2 Schrems II — supplementary measures

For transfers to third countries that do not benefit from an adequacy decision, the Processor performs (directly or in coordination with sub-processors) a Transfer Impact Assessment (TIA) in accordance with EDPB Recommendations 01/2020, including the analysis of:

  • the laws of the recipient jurisdiction regarding access by public authorities to data;
  • supplementary contractual, organisational and technical measures (encryption, pseudonymisation, etc.);
  • residual risks.

TIA documents are available upon written request transmitted to office@64bits.it, except for information for which the Processor is bound by confidentiality.

7.3 Authorisation by acceptance

By accepting this Agreement, the Customer authorises the international transfers necessary for the operation of the Services, conditional on the adequate safeguards above.


8. Assistance with data subject rights

8.1 Requests received directly by the Processor

If a data subject’s request reaches the Processor directly (at office@64bits.it), and the request concerns data processed on behalf of a Customer, the Processor:

  • redirects the request to the Customer within a maximum of 5 working days;
  • informs the data subject that the request has been redirected to the competent data controller;
  • does not respond on the merits of the request without instructions from the Customer.

8.2 Technical assistance

At the Customer’s request, the Processor offers technical assistance for fulfilling its obligations to data subjects, within the technical possibilities of the Services:

  • Access (art. 15) — structured exports of relevant data;
  • Rectification (art. 16) — modification tools available in the platform;
  • Erasure (art. 17) — deletion tools; operational deletion requested at office@64bits.it;
  • Restriction (art. 18) — marking/temporary blocking of data;
  • Portability (art. 20) — exports in structured format (JSON, CSV, ZIP);
  • Objection (art. 21) — configuration tools for certain processing.

8.3 Cost

Assistance is free of charge for reasonable requests. For manifestly unfounded or excessive requests, the Processor may charge a reasonable fee or refuse the request, subject to GDPR art. 12(5).


9. Technical and organisational measures (TOM)

The technical and organisational measures implemented by the Processor to ensure a level of security appropriate to the risk are presented in Annex B.

These measures are aligned with GDPR art. 32, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, as well as the risks for the rights and freedoms of natural persons.

The Processor periodically reviews and updates TOM to adapt to the evolution of threats and technology. TOM modifications may be implemented without prior notice if they maintain or improve the level of security. Modifications that significantly reduce the level of security will be notified to the Customer in accordance with section 17.


10. Breach notification

10.1 Definition

“Personal data breach” has the meaning provided in GDPR art. 4(12) — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

10.2 Term

The Processor notifies the Customer without undue delay after becoming aware of a breach, with a target term of 48 hours. This term allows the Customer to fulfil its obligation to notify ANSPDCP within a maximum of 72 hours (GDPR art. 33).

10.3 Notification content

The notification includes, in accordance with GDPR art. 33(3):

  • (a) description of the nature of the breach, including the categories and approximate number of data subjects affected, the categories and approximate number of records affected;
  • (b) the name and contact details of the contact point for further information (DPO or equivalent);
  • (c) the likely consequences of the breach;
  • (d) measures taken or proposed by the Processor to remedy the breach and mitigate its possible adverse effects.

If it is not possible to provide all information at the same time, it may be provided in phases without undue further delay.

10.4 Cooperation

The Processor cooperates with the Customer in:

  • investigating the breach;
  • preparing the notification to ANSPDCP;
  • preparing (where applicable) the communication to data subjects (GDPR art. 34);
  • documenting the breach in accordance with GDPR art. 33(5).

10.5 Documentation

The Processor internally documents all breaches that have affected it, regardless of the notification to the Customer, in accordance with GDPR art. 33(5).


11. Impact assessments and prior consultation

11.1 DPIA (GDPR art. 35)

When the Customer is required to carry out a data protection impact assessment (DPIA) — in particular for high-risk processing (large-scale sensitive data, profiling with legal effects, systematic monitoring etc.) — the Processor reasonably assists the Customer, within the limits of the information necessary for the Customer to fulfil its obligation under GDPR art. 35.

Information made available upon the Customer’s written request:

  • description of the processing operations at a level adequate for a DPIA (see Annex A);
  • the technical and organisational measures applied, at the level of detail set out in Annex B;
  • categories of sub-processors and international transfers (see Annex C);
  • general, aggregated statistics on security incidents — upon reasoned request.

Limits:

  • The Processor is not required to disclose information that constitutes trade secrets, protected know-how, internal software design, technical architecture details, network configurations, or other information whose disclosure could affect the security of the Services or the commercial strategy of the Processor. These limits are recognised by GDPR art. 28 (assistance is “reasonable, taking into account the nature of processing and the information available to the processor”) and by Directive (EU) 2016/943 on trade secrets.
  • The information provided is confidential and may be made available under a reasonable confidentiality obligation (NDA), at the Processor’s request.
  • Manifestly excessive requests, or those exceeding the actual needs of a DPIA (for example, requests for source code, detailed infrastructure diagrams, operational secrets), may be refused with reasons.

For DPIAs concerning AI features or other new components, the Processor may additionally provide a brief description of the data flow and the providers involved (at the level of categories), without disclosing implementation details.

11.2 Prior consultation (GDPR art. 36)

If the Customer, following a DPIA, is required to consult ANSPDCP before starting processing, the Processor offers reasonable assistance (clarifications, additional information at the level already presented in Annexes A, B, C) at the Customer’s request, subject to the same trade-secret protection limits set out in 11.1.


12. Audit and inspection

12.1 Customer’s right

The Customer has the right to verify the Processor’s compliance with the obligations set out in GDPR art. 28 and this Agreement, in accordance with the regime described below.

12.2 Modality

Given the multi-tenant SaaS nature of the Services and the BETA stage of the platform, the Processor offers the following forms of demonstrating compliance:

(a) Response to reasonable information requests — at the written request of the Customer transmitted to office@64bits.it, the Processor provides within a reasonable term (max. 30 days) information about TOM, sub-processors, international transfers, audit logs relevant to the Customer’s account, and other data protection-related aspects.

(b) Third-party certifications, when available — the Processor intends to obtain recognised certifications (for example ISO/IEC 27001 — audit in progress) and SOC 2-type reports (planned). These reports/certificates will be provided to the Customer upon request, possibly under a confidentiality obligation (NDA), and will constitute sufficient proof of the Processor’s compliance in the areas covered.

(c) On-site audits — at present, given the BETA stage and the multi-tenant nature of the Services, on-site audits at the Processor’s premises are not available through the standard DPA. Such audits may be negotiated bilaterally, within a custom enterprise contract, with costs borne by the Customer (except in cases of demonstrated substantial non-compliance).

12.3 Frequency

Information requests under 12.2(a) may be made a maximum of once per calendar year, except where:

  • there is a reasoned suspicion of substantial non-compliance;
  • a breach has been notified in accordance with section 10;
  • a supervisory authority requests information about the Processor from the Customer.

12.4 Confidentiality

All information obtained by the Customer in the audit exercise is confidential and may be used exclusively for the purpose of verifying compliance.

12.5 Cost

The costs of audit activities are borne by the Customer, except where the audit reveals substantial non-compliance of the Processor — in which case the reasonable costs are borne by the Processor.


13. Liability

13.1 Contractual liability between Parties

Contractual liability between the Customer and the Processor for breaches of this Agreement is limited to the level set out in the Bits CRM Terms and Conditions, section 11.3 — that is, the amount actually paid by the Customer in the 12 months preceding the event giving rise to liability.

13.2 Liability towards data subjects (GDPR art. 82)

In accordance with GDPR art. 82:

  • The Customer and the Processor are liable for damage caused by processing that infringes GDPR;
  • The Customer is liable for damage caused by processing that does not comply with GDPR;
  • The Processor is liable for damage caused by processing only where it has not complied with the obligations of GDPR specifically directed at processors or where it has acted outside or contrary to the lawful instructions of the Customer;
  • The Customer and the Processor are jointly liable for the entire damage, the data subject being able to claim compensation from either of them;
  • Internal recourse between the Customer and the Processor is made proportional to the fault of each.

Contractual limitations between the Customer and the Processor do not affect the joint liability towards data subjects — this liability is mandatory and cannot be excluded or limited contractually.

13.3 Exclusions

The limitations of liability in this Agreement and the Terms and Conditions do not apply to:

  • wilful misconduct and gross negligence of a Party (Romanian Civil Code art. 1355(2));
  • bodily injury;
  • mandatory liability towards data subjects (GDPR art. 82);
  • GDPR administrative fines (art. 83) — each Party is liable for fines received under its own breaches.

14. Duration

This Agreement enters into force at the moment of acceptance of the Bits CRM Terms and Conditions and remains in force for the entire duration of the contract between the Parties, as well as for the post-termination retention period set out in section 15.

The Agreement cannot be unilaterally terminated by a Party without the simultaneous termination of the Terms and Conditions — given that the Agreement is an auxiliary instrument of the principal contractual relationship.

Post-termination obligations (return/deletion of data, confidentiality, assistance with data subject requests for breaches discovered after termination) survive the termination of the contract.


15. Return / deletion of data upon termination

15.1 Customer’s choice

Upon termination of the Services (for any reason), the Customer may choose:

  • (a) Full export of the data — available for a period of 90 days from termination, through the standard tools of the platform or by request to office@64bits.it;
  • (b) Immediate deletion — at the express request of the Customer, deletion may begin before expiry of the 90 days, under the exclusive responsibility of the Customer for the loss of data.

15.2 Default procedure

In the absence of an express choice from the Customer, the data remains accessible for export for 90 days from termination; after this term, the data is irreversibly deleted from the primary production systems.

15.3 Backups

Backups may contain data for an additional limited period (max. 35 days), after which they are rotated and deleted in accordance with the Processor’s backup policy. During this period, the data in the backup is operationally inactive and can no longer be accessed or processed except for exceptional purposes (incident recovery).

15.4 Exceptions for legal obligations

Certain categories of data are retained after termination of the contract, in accordance with applicable legal obligations:

  • Invoices and fiscal documents — 10 years under art. 25 of Romanian Accounting Law no. 82/1991;
  • Audit logs — in accordance with internal security policy, to the extent necessary for compliance with regulatory requirements;
  • Other data subject to specific legal retention obligations.

15.5 Confirmation

At the express request of the Customer, the Processor confirms in writing the deletion performed, indicating the deleted data and that retained in accordance with legal obligations.


16. Confidentiality

16.1 Mutual obligation

Each Party undertakes to maintain the confidentiality of sensitive information received from the other Party in connection with this Agreement, including information about technical architecture, sub-processors, audit logs, breach reports, TIAs.

16.2 Exceptions

The confidentiality obligation does not apply to information:

  • already public at the time of disclosure or which subsequently becomes public without the fault of the receiving Party;
  • already known to the receiving Party without confidentiality obligation;
  • developed independently without the use of the confidential information received;
  • disclosed with the written consent of the disclosing Party;
  • the disclosure of which is imposed by a legal obligation (court order, official request from authority). In this case, the obligated Party promptly notifies the other Party (to the extent permitted by law) and discloses only the necessary minimum.

16.3 Duration

The confidentiality obligation remains in force for the duration of the contract and for 3 years after termination, or longer for specific categories provided in the Terms and Conditions.


17. Final provisions

17.1 Applicable law

This Agreement is governed by Romanian law and by GDPR as a directly applicable EU regulation, in accordance with the Terms and Conditions section 16.1.

17.2 Jurisdiction

Jurisdiction aligns with Terms and Conditions section 16.2:

  • B2B (businesses): the courts having competence at the Processor’s registered office;
  • B2C (consumers): the courts at the Consumer’s domicile (mandatory).

17.3 Prevailing law

In case of conflict between this Agreement and the Terms and Conditions on matters of personal data protection, this Agreement prevails.

17.4 Modifications

The Processor may modify this Agreement with prior notice of at least 30 days by email to the address associated with the account and/or in-app, except for modifications imposed by mandatory legislative changes (entering into force immediately) or those that have no substantial adverse effect on the Customer.

In case of substantial adverse modification, the Customer has the right to free termination of the Terms and Conditions before the entry into force of the modification.

Versions of this Agreement are published on the dedicated page, with the effective date clearly marked.

17.5 Severability

If a clause of this Agreement is declared null or unenforceable, the other clauses remain in force. The affected clause will be replaced with a valid clause that reflects as closely as possible the original intention, within the limits permitted by law.

17.6 Language

The Romanian version of this Agreement is the official and prevailing version. Translations (English or other languages) are provided as a courtesy, without equal legal value. In case of discrepancy, the Romanian-language text prevails.

17.7 Notifications

All official notifications to the Processor are transmitted to office@64bits.it. Notifications to the Customer are transmitted to the email address associated with the account and/or by in-app notification.


Annex A — Description of processing

| Element | Detail |
|---|---|
| Subject matter | Processing of Customer Content containing personal data, for the purpose of providing the Bits CRM Services. |
| Duration | Throughout the duration of the T&C contract + post-termination retention period (90 days for export, then deletion; backups max. 35 days; legal exceptions). |
| Nature | Storage, organisation, structuring, adaptation, retrieval, consultation, use, disclosure by transmission to sub-processors, restriction, erasure. |
| Purpose | Provision of Bits CRM Services (CRM, invoicing, payments, calendar, appointments, drive, notes, task management, video meetings, AI, OCR, push) at the Customer’s instruction. |
| Categories of data processed | (a) identification data (name, surname, email, phone, avatar); (b) contact data (addresses, phones); (c) fiscal data (CUI/CIF, tax status); (d) financial data (invoices, payments, amounts, payment instruments — without card data); (e) communications (email, SMS, in-app messages); (f) uploaded files and documents (PDF, scans, images); (g) AI prompts and output; (h) exceptionally and under the Customer’s responsibility: sensitive data (health, professional secrecy, data about minors). |
| Categories of data subjects | (a) end clients and prospects of the Customer; (b) professional contacts; (c) partners and collaborators; (d) employees and team members of the Customer added as users; (e) natural persons mentioned in communications or documents. |
| Special categories (GDPR art. 9, 10) | NOT collected or required by Bits CRM. If the Customer uploads such data through the platform, it ensures on its own responsibility a special legal basis (GDPR art. 9(2) for sensitive data; art. 10 GDPR for criminal convictions) and applies adequate safeguards. |

Annex B — Technical and organisational measures (TOM)

In accordance with GDPR art. 32, the Processor implements the following measures:

B.1 Technical measures

Access control:

  • Authentication with individual credentials;
  • Two-factor authentication (2FA TOTP) — available, strongly recommended;
  • Role-based access control (RBAC), with granular permissions;
  • Limited-duration session tokens with immediate revocation.

Encryption:

  • Encryption in transit (TLS) for all communications;
  • Encrypted storage for sensitive data (for example CNP);
  • Modern hashing for passwords.

Operational security:

  • Rate-limiting on sensitive points (authentication, share links);
  • Anti-bot protection (CAPTCHA) on publicly exposed forms;
  • Monitoring of infrastructure and security events;
  • Audit logging for privileged actions.

Resilience:

  • Daily automated backups, 30-day retention;
  • Point-in-time recovery capability for the last 7 days;
  • Periodic testing of restoration procedures.

B.2 Organisational measures

  • Strict need-to-know access — personnel have access only to data necessary for performing their tasks;
  • Confidentiality obligations through employment contracts and NDAs;
  • Periodic training of personnel on data protection and GDPR compliance;
  • Formalised procedures for managing security incidents;
  • Provider evaluation — verification of sub-processors before selection;
  • Internal policies for retention, deletion and backup management;
  • Dedicated point of contact for data protection requests (office@64bits.it).

B.3 Specific measures for international transfers

  • Standard Contractual Clauses (Decision 2021/914/EU) with relevant sub-processors;
  • Transfer Impact Assessment (TIA) documented for third jurisdictions;
  • Supplementary measures where necessary (end-to-end encryption, pseudonymisation).

B.4 Review

TOM is periodically reviewed and updated according to:

  • evolution of security threats;
  • new legal and regulatory requirements;
  • feedback from security incidents;
  • recommendations from ANSPDCP, EDPB or other competent authorities.

Annex C — Sub-processors (categories)

As of the date of issue of this Agreement, the Processor uses sub-processors from the following categories for the operation of the Services:

| Category | Function | Typical location |
|---|---|---|
| Cloud infrastructure provider | Database hosting, object storage (files), cache | EU / US with adequate safeguards |
| Transactional email provider | Sending transactional emails (confirmations, alerts, invoices) | EU / US |
| Payment processing provider (PCI-DSS) | Card and electronic payment processing | EU / US |
| AI model provider | AI Assistant inference, OCR, embeddings | EU / US |
| Video meeting provider | SFU infrastructure for video meetings | EU |
| Anti-bot protection provider | CAPTCHA on sensitive points | EU / Global |
| Push notification provider | Delivery of push notifications to mobile devices | EU / US |

The detailed list with the specific provider names, exact jurisdictions, third-party DPAs and supplementary transfer measures is available upon written and reasoned request transmitted to office@64bits.it, possibly under a reasonable confidentiality obligation (NDA), to protect the software design and commercial strategy.

Notification of changes and the right to object are governed by section 6 of this Agreement.


Closing note

Application in BETA stage. Technical processing configurations may evolve. Material modifications will be notified in accordance with section 17.

Related documents:

  • Terms and Conditions
  • Privacy Policy
  • Acceptable Use Policy (AUP)
  • Cookie Policy

End of Data Processing Agreement — version 1.0 — 04 May 2026.

The Romanian-language version is the official and prevailing version. This English version is a courtesy translation.

© 2026 BITS DIGITAL SOLUTIONS S.R.L. · CUI 51905748 · J2025039656002