Data Processing Addendum
Last updated: 13 May 2026
1. Scope and parties
This Data Processing Addendum (“DPA”) supplements the Terms of Service between AIMTECH DIGITAL S.R.L. (“Processor”, “Cucinovo”, “we”) and you, the Business Customer (“Controller”).
When you use Cucinovo to store or process personal data about your staff, suppliers, or other individuals, you act as the data controller and we act as your data processor within the meaning of Article 28 GDPR. This DPA sets out the terms of that processing.
2. Subject matter and duration
- Subject matter: hosting, storage, and processing of personal data you upload to Cucinovo.
- Duration: for as long as you maintain an active Cucinovo account, plus the retention periods described in our Privacy Policy Section 6.
- Nature and purpose: providing the Cucinovo recipe and kitchen management platform, including recipe storage, ingredient management, cost calculation, shopping lists, prep lists, event catering, and supplier management.
3. Categories of data and data subjects
- Categories of data subjects: your team members (staff accounts), your suppliers (contact details), and any other individuals whose data you enter into the platform.
- Categories of personal data: names, email addresses, phone numbers, physical addresses, fiscal identifiers, role assignments, and any other data you choose to enter.
4. Processor obligations
We shall:
- Process personal data only on your documented instructions (which include the Terms and this DPA), unless required by EU or Member State law.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in our Privacy Policy Section 9.
- Not engage another processor without your prior general authorisation. Our current sub-processors are listed at /legal/subprocessors. We will notify you at least 30 days before adding a new sub-processor.
- Assist you, taking into account the nature of the processing, in responding to data subject requests (access, rectification, erasure, portability, restriction, objection).
- Assist you with obligations under Articles 32–36 GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of the processing and the information available to us.
- Notify you without undue delay after becoming aware of a personal data breach.
- At your choice, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage.
- Make available to you all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits shall be conducted with reasonable notice and during business hours, at your cost.
5. Sub-processors
You grant us general authorisation to engage sub-processors. The current list is maintained at /legal/subprocessors. We will notify you at least 30 days before adding or replacing a sub-processor. If you object, you may terminate the affected services by cancelling your subscription.
6. International transfers
Where personal data is transferred outside the EEA, we rely on the mechanisms described in our Privacy Policy Section 5 (EU Standard Contractual Clauses, adequacy decisions, and supplementary technical measures).
7. Technical and organisational measures
We implement the security measures described in our Privacy Policy Section 9, including: TLS encryption in transit, encryption at rest, bcrypt password hashing, AES-256-GCM encryption of integration secrets, CSRF protection, CSP nonces, role-based access control, EU-region hosting, automated dependency scanning, and restricted production access.
8. Contact
For questions about this DPA, contact privacy@cucinovo.com.