1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Controller" / Titolare del Trattamento): the customer using ANAME AI services.
- Data Processor ("Processor" / Responsabile del Trattamento): ANAME AI, processing data on behalf of the Controller.
2. Subject and purpose of processing
ANAME AI processes personal data contained in documents uploaded by the Controller (notarial deeds, cadastral surveys, energy performance certificates, mortgages and other documents) in order to:
- Extract structured data via OCR and AI models
- Build the digital dossier (fascicolo digitale) for the case
- Perform cross-checks between documents
- Provide AI assistance for document analysis
3. Categories of data processed
- Personal data: names, surnames, dates of birth, fiscal codes (codici fiscali)
- Property data: addresses, cadastral data (dati catastali), income
- Financial data: amounts, rates, IBANs, payment methods
- Energy data: energy class, performance, certifying technicians
4. Security measures
ANAME AI implements the following technical and organisational measures:
- Anonymisation: sensitive data (names, fiscal codes, IBANs) are anonymised before being sent to third-party AI models (OpenAI). AI models receive only placeholders, never real data.
- Encryption: data transmission via HTTPS/TLS. PostgreSQL database with encrypted access.
- Data localisation: database and application servers in Europe (Render, Frankfurt).
- Authentication: access protected by JWT with expiry, rate limiting on endpoints.
- Isolation: each organisation accesses only its own documents (multi-tenancy with
organisation_id). - No training: personal data is never used for training third-party AI models.
5. Sub-processors
| Service | Provider | Purpose | Location |
|---|
| Hosting | Render | Application server and database | Frankfurt, EU |
| AI / Extraction | OpenAI | Data extraction from text (receives only anonymised data) | USA (DPA with SCCs) |
| OCR | Google Cloud Vision | PDF/image to text conversion | EU/USA (DPA with SCCs) |
| Frontend | Vercel | Web interface hosting | EU |
| Email | Resend | Transactional email delivery | USA (DPA with SCCs) |
6. Data subject rights
The Controller ensures data subjects the rights provided under the GDPR (Arts. 15–22): access, rectification, erasure, portability, restriction of processing, objection.
ANAME AI supports the Controller in exercising these rights by providing data export and account deletion tools.
7. Duration and termination
This DPA has the same duration as the service agreement. Upon termination, ANAME AI will delete all Controller data within 30 days, unless required by law.
8. Data breach
In the event of a personal data breach, ANAME AI commits to:
- Notify the Controller within 72 hours of becoming aware of the breach, pursuant to Art. 33 GDPR.
- Provide the Controller with all information necessary to assess the impact: nature of the breach, categories and number of data subjects affected, likely consequences, measures taken or proposed.
- Cooperate with the Controller for notification to the supervisory authority and, where necessary, communication to data subjects (Art. 34 GDPR).
- Document every breach, its consequences and the measures taken.
9. Contact
For data processing enquiries: privacy@anameai.com