Emotion AI Video Conference Appointment as Data Processor (DPA)

Effective April 1, 2024


This document outlines the appointment of Cynny S.p.A. as the Data Processor by a Data Controller for the MorphCast Emotion AI Video Conference service, in accordance with the GDPR. It details the responsibilities and obligations of the Data Processor, including processing personal data exclusively for fulfilling the service’s obligations, ensuring data security, assisting in data protection impact assessments, notifying of data breaches, managing data transfers outside the EU, and maintaining records of processing activities. The Data Processor must also appoint system administrators, ensure confidentiality, and comply with inspection and control measures by the Data Controller. The use of sub-processors is allowed with the Data Controller’s consent. The agreement remains effective until the termination of the service, with provisions for the return or destruction of personal data. The document is governed by Italian law and limits liabilities as specified in the service agreement.

Appointment as Data Processor pursuant to Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter the “GDPR”)

This deed of appointment (hereinafter, the Appointment) is stipulated by and between Cynny S.p.A. (“Cynny”), enrolled at the Business Registry of Florence, VAT number No. IT06340560488, D-U-N-S® number 434193325 (hereinafter, the “Data Processor”) and the business user that is interested in the activation of the service MorphCast Emotion AI Video Conference (hereinafter, the “Data Controller”). The Data Processor and Data Controller are hereinafter referred to as the “Parties”. 


Whereas:

  1. the Data Controller uses the “MorphCast Emotion AI Video Conference”, based on the terms and conditions available at this link: MorphCast Emotion AI Video Conference – Terms of Use (hereinafter, the “Agreement”);
  2. for the execution of the Agreement, the Data Processor must process on behalf of the Data Controller the personal data indicated under Annex A to this Appointment (the “Personal Data”);
  3. the Data Controller has ascertained that the Data Processor provides sufficient guarantees as to the fact that the data processing carried out by the latter meets the requirements of the GDPR and guarantees the protection of the rights of the data subjects.

In view of the foregoing, the Whereas and Annexes being an integral and substantial part of this Appointment, the Parties hereby agree and stipulate as follows.

1. Appointment

During the execution of the assignment covered by the Appointment, the Data Processor shall Process the Personal Data as provided for in the Appointment and/or in accordance with the instructions relating to the Processing of Personal Data that the Data Controller shall supply from time to time. 

The Processing covered by the Appointment will be carried out exclusively by electronic means. 

The Data Processor undertakes for itself, for its employees, as well as for any other parties that cooperate and/or are part of its organization, to Process the Personal Data exclusively for the purposes of fulfilling and executing its obligations under the Agreement, in full compliance with the provisions of the Appointment, as well as the provisions of the GDPR and any other legislation concerning the protection of personal data applicable in Italy, including the provisions of any Supervising Authority (hereinafter, “Privacy Law”). 

For the purposes of this Appointment, the terms used in capitalized letters shall have the meaning ascribed in this Appointment or under the GDPR.

2. Obligations of the Data Processor

  1. Security Measures 

Bearing in mind the state of the art and implementation costs, the nature, subject, context and purposes of the processing, and the risks of varying probability and gravity to the rights and freedoms of natural persons, the Data Processor shall adopt appropriate technical and organisational measures to guarantee a level of security appropriate to the risk. The Data Processor also undertakes to assist the Data Controller, based on the nature of the Processing of the Personal Data and the information available to the Data Processor, in ensuring compliance with its obligations, replying to requests from data subjects to exercise their rights, reporting any data breach, assessing the impact on data protection and carrying out prior consultations pursuant to Articles 32-36 of the GDPR.

  2. Data protection impact assessment

The Data Processor shall provide the Data Controller with reasonable assistance with any data protection impact assessment required by article 35 of the GDPR and prior consultation with any supervisory authority by the Data Controller required by article 36 of the GDPR, in all cases only with regard to the processing of the Data Controller’s personal data by the Data Processor.

  3. Data breach

Pursuant to Article 33 of the GDPR, the Data Processor shall notify the Data Controller without undue delay, and in all cases within twenty-four (24) hours after it became aware of or had reasonable grounds for suspecting a personal data breach. The Data Processor shall supply the Data Controller with sufficient information to enable the Data Controller to fulfil any obligation to report a Personal Data Breach under Data Protection Laws.

  4. Possible extra-EU transfers

The Personal Data governed by this Appointment will be Processed in the Italian territory, in another member state of the European Union or in the European Economic Area. If Personal Data are transferred to subjects outside the territory of the EU member states, the Data Processor ensures that the Processing of Personal Data by these subjects takes place in compliance with the Privacy Law. In particular, in the absence of a prior written consent from the Data Controller, it is guaranteed that the transfer will take place, alternatively, on the basis of:

  1. an adequacy decision of the Commission pursuant to Article 45 GDPR;
  2. standard contractual clauses referred to in Article 46, paragraph 2, GDPR;
  3. binding corporate rules governing the transfer of personal data to a third country in accordance with the provisions of Article 47 GDPR; 
  4. other guarantees or specific circumstances for the transfer of personal data recognized by the GDPR, for example pursuant to Article 46, paragraph 3, and Article 49 of the GDPR.

  5. Record of Processing activities

The Data Processor undertakes to draw up and keep up to date the Record of Processing activities in accordance with the provisions of Article 30 of the GDPR. 

  6. Requests of the Data Subjects and of the authorities

The Data Processor shall notify the Data Controller without delay if it receives a request from a data subject, the Supervisory Authority and/or another competent authority under the relevant Data Protection Laws with regard to the Data Controller’s Personal Data.

  7. System administrators

The Data Processor appoints one or more system administrators (“System Administrators”) for the Processing of the Personal Data carried out with electronic tools, in compliance with the provisions contained in the provision dated 27.11.2008 of the Italian Supervisory Authority. To this end, the Data Processor will:

  • assess in advance the subjective features of the persons to whom it intends to assign the function of System Administrator, appointing as System Administrators only people with proven ability, experience and reliability in relation to the protection of Personal Data, in particular with reference to security measures; 
  • specifically list the scope of operations assigned;
  • provide, upon request, the identification details of the System Administrators and the functions assigned to them individually, maintaining an updated document list for this purpose;
  • record the logical accesses of the System Administrators in logs that are complete (including time references and a description of the event that generated them), unalterable (with the possibility of verifying their integrity) and kept for at least six months;
  • verify the work of the System Administrators through internal audits carried out at least annually.

  8. Trustworthiness and Non-Disclosure

The Data Processor shall adopt reasonable measures to ensure the trustworthiness of any authorised person who may have access to the processed personal data.

The Data Processor undertakes to: 

  • identify in writing the persons authorised to Process Personal Data and provide them with instructions relating to the operations to be carried out, ensuring correct compliance with the instructions given;
  • ensure that the persons authorised to Process Personal Data are committed to confidentiality and that they Process such Personal Data by observing these instructions provided by the Data Controller and the Privacy Law. 

3. Inspections and controls

3.1 In order to verify compliance with the Appointment’s provisions, the Data Controller may organise visits and inspections, on a reasonable basis, at the Data Processor’s premises, where the Personal Data are stored under Annex A, or through documentary audits. In the latter case, the Data Processor will send the required documentation, where reasonable, to the Data Controller, via e-mail, it being understood that the shipping costs by other means shall be borne by the Data Controller.

3.2 The visits and inspections can be carried out by the Data Controller only upon prior written notice to be received by the Data Processor with a minimum notice of 15 (fifteen) working days. The Data Controller is aware that any such visits and inspections can significantly disrupt the Data Processor’s business activities. The Data Controller warrants that its auditors will endeavour to avoid causing any interruptions, interference, disservices and/or damage to the Data Processor’s equipment, personnel and/or business activities during or as a result of the control or inspection. Each control request must in any case meet the following requirements:

  1. it must be conducted by an internationally recognized independent auditing firm;
  2. it must take place during the Data Processor’s normal business hours, subject to a mutually agreed scope of control;
  3. the duration of the inspection must be reasonable and, in any case, shall not last more than eight hours within one business day;
  4. the scope of the inspections will in any case be strictly limited to the Processing of the Personal Data, access to any other information being expressly prohibited; controls will not be authorised if they interfere with the Data Processor’s ability to provide its services;
  5. the inspections must be carried out in full compliance with the Data Processor’s obligations of confidentiality and/or other contractual and/or legal obligations;
  6. the costs and expenses of the audits shall be fully borne by the Data Controller. 

4. Use of sub-processors 

The Data Processor currently uses other data processors for the execution of specific Processing activities under this Appointment (hereinafter “Sub-Processor”), as mentioned under Annex B. 

In addition to the above, by signing this Appointment, the Data Controller grants to the Data Processor a general written authorization to the appointment of new and/or further Sub-Processors. 

The Data Processor undertakes to make available to the Data Controller the list of its Sub-Processors, upon its written request. Should the Data Processor appoint new or additional Sub-Processors, the Data Controller will inform the Data Processor by e-mail (referring to the contact details provided in the registration to the service under the Agreement).

If the Data Controller has reasonable grounds to object to the appointment of new and/or further Sub-Processors and is able to prove that this would cause a significant risk to the protection of Personal Data, the Data Controller shall send a written notice to the Data Processor detailing the reasons for its position. If the above conditions are met, the Data Processor will collaborate with the Data Controller in order to agree on a commercially reasonable alternative solution which might be acceptable to both Parties. If an agreement cannot be found and/or in the event of partial impossibility of providing the services in the absence of such agreement, the Parties will define in good faith, on a case-by-case basis, how to continue to provide the services in compliance with the terms of the Agreement.

The Data Processor will engage the Sub-Processors through written agreements asking them to provide at least the level of protection of Personal Data required by this Appointment.

5. Term and termination of the Appointment

5.1 The Appointment produces its effects starting from the date of entry into force of the Agreement and shall remain in force until its termination, regardless of the cause of the aforesaid termination.

5.2 In the event of termination of the Agreement or of this Appointment for any reason or title, the Data Processor, in accordance with the instructions given in writing by the Data Controller, undertakes: (i) to return the Personal Data; or alternatively (ii) to completely destroy the aforementioned Personal Data by final cancellation of the latter from its systems.  

6. Final provisions

6.1 The Parties acknowledge and agree that, to the maximum extent permitted under applicable law, the limitation of liabilities provided by the Agreement shall apply also to the present Appointment. 

6.2 If you have any questions about this document, please contact privacy@cynny.com or mail your request to the following postal address: Cynny S.p.A., Via Delle Mantellate n. 8, 50129 Firenze (Italy). Cynny has also appointed a Data Protection Officer, who may be reached at the email address info@agiledpo.it.

6.3 This Appointment is governed by Italian law. Any dispute related to this Appointment shall be decided exclusively by the Court of Florence (Italy).

Accepted electronically by the Data Controller

[x] The Data Processor declares to have carefully examined and specifically approved the following articles of this Appointment for the purposes of Articles 1341 and 1342 of the Italian Civil Code: 6.1 (limitation of liability), 6.3 (jurisdiction).

Annex A

Categories of Personal Data: name entered by the guest before joining the video conference/webinar; with a certain degree of accuracy, the dominant emotions according to the model of Paul Ekman; mood, level of attention and involvement (Russell’s circumplex model of affect based on arousal and valence).

Purpose of the data Processing performed by the Data Processor in favour of the Data Controller: Live data view during video conference/webinar and dashboard view of data after video conference/webinar

Activities allowed on the Personal Data: Display reserved for the data controller

Place of storage of the Personal Data: European Union

Annex B

AWS (Amazon Services) – Amazon Virtual Private Cloud