The Supplier Data used to provide this Dataset is provided by GBG’s Supplier, Trinsic Technologies, Inc. GBG is obliged under the terms of its agreement with its Supplier to ensure that all End Users agree to comply with the following licensing provisions:  

1. DEFINITIONS 

1.1. In these Additional Terms, the following definitions shall apply, in addition to the definitions set out in the Agreement: 

“End User Data” means any data, including where relevant any personal data, relating to an End User that is (a) provided by the Data Subject to End User, or (b) collected, accessed, or otherwise obtained by GBG on behalf of an End User and processed solely in accordance with the terms of the Agreement.  

 

2. USE OF THE DATASET 

2.1. End User shall not:  

(a) reproduce, display, download, modify, create derivative works of or redistribute the Dataset; 

(b) attempt to reverse engineer, decompile, disassemble or access the source code for the Dataset or any component thereof; 

(c) execute unauthorized automated tests or load balancing against the Dataset or Services; 

(d) introduce to the Dataset any unauthorized data, malware, viruses, Trojan horses, spyware, worms, or other malicious or harmful code, or any data that infringes, misappropriates, or otherwise violates the intellectual property rights or other rights of any third party; 

(e) use the Dataset or any component thereof, in the operation of a service bureau to support or process any content, data, or information of any party other than End User;  

(f) sell, transfer, sublicense, assign, or otherwise permit any party, other than the then-currently Authorised Users, to access the Dataset; 

(g) access or use the Dataset to deliberately create a competing product or service; or  

(h) use the Dataset for any purpose that is unlawful, harassing, abusive, tortious, threatening, harmful, invasive of privacy, vulgar, defamatory, false, intentionally misleading, trade libelous, pornographic, obscene, patently offensive, promotes racism, bigotry, hatred, or physical harm of any kind, or is otherwise objectionable.  

2.2. End User acknowledges and agrees that GBG may immediately suspend End User’s access and use of the Dataset if GBG has reasonable evidence that cause it, in good faith, to believe the End User has violated clause 2.1 above. GBG will cooperate and work with the End User to restore access in a timely manner once any suspected breach has been cured, unless such breach gives rise for GBG to terminate pursuant to the terms of the Agreement. 

2.3 Prior to taking this Dataset, the End User must enter into the SPID Participation Agreement attached at Annex 1. 

2.4 End User acknowledges that, as a regulated and registered aggregator of the Supplier Data, Supplier is required to ensure ongoing compliance in connection with the use of the Supplier Data. End User agrees to collaborate with Supplier in good faith in connection with Supplier’s required monitoring and control activities. 

2.5 In the event the Agenzia per l'Italia Digitale (“AgID”) contacts End User directly, End User agrees it will notify GBG immediately and will not correspond directly with AgID until GBG and End User have discussed End User’s intended communication, to the extent permitted under applicable law. 

2.6 Further, End User acknowledges that GBG may require End User’s cooperation with GBG and/or Supplier (and/or AgID) in connection with regulatory compliance matters. End User agrees that it will fully cooperate with GBG and/or Supplier (and/or AgID) in connection with (a) any and all regulatory requests or inquiries made by AgID (or other relevant regulatory authority) in connection with Supplier’s obligations as an aggregator of the Supplier Data and (b) any corrective, mitigating, or remedial actions that GBG and/or Supplier (and/or AgID) may request in connection with End User’s use (or past use) of the Supplier Data.  

2.7 End User will fully comply will all applicable law governing the use of the Supplier Data, including without limitation relevant portions of: Legislative Decree No. 82 of 7 March 2005, Prime Ministerial Decree (DPCM) of 24 October 2014, Regulation (EU) No. 910/2014 (eIDAS Regulation), and GDPR – Regulation (EU) 2016/679, as each of the foregoing (and as each applicable law to the extent not listed here) may be amended or updated from time to time. Further, End User will comply in all material respects with all guidelines, rules, notices, terms, and other communications published by AgID relating to the SPID system, including (without limitation) those of DT 75/2023, 2 Mar 2023 found at this link [https://trasparenza.agid.gov.it/page/9/details/2813/determinazione-n-752023-del-2-marzo-2023-emanazione-del-regolamento-che-disciplina-ladesione-al-sistema-pubblico-per-la-gestione-dellidentita-digitale-di-cittadini-e-imprese-spid-da-parte-dei-soggetti-aggregatori.html]. GBG and/or Supplier will provide End User with the most accurate and up to date information in this regard; however, End User acknowledges that compliance is ultimately its own responsibility. 

2.8 End User acknowledges that it is required by applicable regulation to, and will, collect and retain transaction data sufficient to: (i) record events relating to requests for access to End User’s services that interact with the Supplier Data; (ii) document all digital identity operations carried out through the Supplier Data by End User; and (iii) attribute those operations to the relevant individual digital identity provider (collectively, the “SPID Log Data”). End User agrees that: (a) Supplier may and will collect and store SPID Log Data on End User’s behalf as a data processor; (b) End User authorises Supplier to share SPID Log Data with AgID or other relevant authorities strictly to comply with law or regulations; (c) Supplier may and will retain each record of SPID Log Data for a period of twenty-four (24) months; and (d) the retention period for SPID Log Data and authorization for Supplier’s use of the same will survive any termination of the Agreement and in no event cease prior to the end of the twenty-four (24) month retention period applicable to each record of SPID Log Data collected. 

2.9 End User is responsible for ensuring the authorized use of End User Data obtained through the Service matches the actual use of such End User Data and, if End User becomes aware (or suspects) any new or additional use of End User Data that exceeds the explicit scope of the authorised use through the Service, End User will promptly notify Supplier, and Supplier will re-register the actual use case with AgID to ensure ongoing compliance. In addition, End User will provide to Data Subjects in a simple and clear way: (i) information establishing that the digital identity and any identifying attributes provided for the purpose of accessing the End User’s services are verified, respectively, with the issuing identity providers; (ii) information specifying which identifying attributes, including qualified ones, are necessary to access the End User’s services; (iii) information about the methods of providing the service, and any variation in the methods of service provision; (iv) a notice listing the laws and regulations that govern the provision of the Service (which will be published and maintained for accuracy by End User); and (v) information relating to the status, uptime, and proper functioning of End User’s service that connects to the Service which shall be monitored on a regular basis by End User. All communication and disclosure between End User and Data Subjects must be done in a manner compliant with applicable regulation and in alignment with good industry practice. 

2.9 Front-Line End User Support. End User will offer reasonable support and assistance to Data Subjects in resolving any problems that may occur during authentications with the Service. If End User becomes aware of any issue that should be reported to Supplier and/or GBG pursuant to these Additional Terms or the SPID Participation Agreement, End User agrees to promptly inform Supplier and/or GBG of the same. If the cause of the authentication issue is related to the Data Subject’s SPID ID Provider, and End User believes it to be the right course of action, End User may provide the Data Subject the helpdesk resources for the applicable identity provider in conformance with the documentation provided and maintained by Supplier. 

2.10 Acknowledgement and Registration. End User acknowledges that it will be registered in the special register referred to in art. 1, paragraph 1, (s) of the Decree of the President of the Council of Ministers and End User authorises Supplier and/or GBG to take the necessary actions (and agrees to cooperate with Supplier and/or GBG in connection with) effecting such registration. 

2.11 Agreement to report violations. End User agreed that in the event of any suspected violation of the terms, rules, or regulations applicable to the use of the Supplier Data or of the obligations deriving therefrom to AgID, the End User will report and give notice of such report to Supplier and/or GBG, to allow appropriate measures to be taken to remedy the suspected violation. End User acknowledges that Supplier and/or GBG, should it detect within the scope of its activity, any suspected violation of the terms, rules, or regulations applicable to the Service or of the obligations deriving therefrom, to AgID, may give notice of such report to End User, to allow appropriate measures to be taken to remedy the suspected violation. 

 

3. REPORTING

3.1 End User will comply with the following reporting requirements: (i) End User will report any malfunction in the core SPID system that End User observes to GBG within twenty-four (24) hours of discovery; (ii) End User will report any observed or suspected security incident affecting the core SPID system to GBG within twenty-four (24) hours of discovery; (iii) End User will immediately report to GBG any detected or suspected anomalous, fraudulent, or unauthorized use of the core SPID service; and (iv) End User will report to the relevant data protection authority and to GBG within (and no later than) twenty-four (24) hours from becoming aware of any security incident, violation, or intrusion of the personal data of any users of the Dataset. 

3.2 Supporting Reporting Requirements. GBG acknowledges End User’s reporting requirements set out in these Additional Terms and the SPID Participation Agreement and agrees to facilitate such requirements in cooperation with End User and Supplier. GBG will provide End User, the Supplier-supplied Session ID and shall undertake any additional actions as deemed necessary by Supplier in order to facilitate the End User’s reporting obligations to Supplier. 

 

4. UPDATES 

4.1 End User understands and agrees that these Additional Terms may be updated at any time in AgID’s or Supplier’s sole discretion. If an update is made, End User’s continued use of the Dataset will be conditioned upon Supplier receiving written acceptance of the updated Additional Terms within fifteen (15) days of the date on which End User was notified of the update. If such notice is sent by GBG to the End User, to facilitate such acceptance from the End User, GBG must receive such acceptance within seven (7) days of End User being notified of the update by GBG. 

 

5. INFORMATION REQUESTS

5.1. GBG and/or the Supplier may receive requests, or be contractually required by government entities, regulatory authorities, or the ID Provider, to provide or obtain information about End User and/or Data Subjects as a condition of the use of the Dataset. The End User authorizes GBG and its Supplier to provide End User Data to such authorities (or their designated representatives) in response to such requests and, if the requested information is not already in GBG’s or its Supplier’s possession, End User will promptly provide all necessary information to GBG for this purpose. 

 

6. USE OF ID PROVIDER MARKS

6.1. End User is granted a limited, non-exclusive, royalty-free license to use the marks of the ID Provider (the list of which can be found at https://www.agid.gov.it/it/piattaforme/spid/identity-provider-accreditati which may be updated from time to time)  which can be identified from each subProviderID detail provided in the API response received by End User through use of the Dataset (“ID Provider”), subject to any communicated limitations, conditions, usage guidelines, or approval procedures, for the purpose of: (i) indicating to actual and prospective customers that End User is authorized to make available the Supplier Data, (ii) identifying the ID Provider as an offered verification method within End User’s services. End User acknowledges that the right to use the ID Provider’s mark is not guaranteed and that any licence to use an ID Provider mark granted hereunder may be revoked at any time at the sole discretion of GBG, the Supplier or ID Provider. End User agrees not to alter, obscure, or misuse ID Provider marks or use them in a way that could cause confusion, diminish their distinctiveness, or imply that End User is an exclusive provider or partner of the ID Provider. 

 

7. SERVICE LEVELS

7.1. The End User acknowledges and accepts that any downtime or performance degradation caused by the ID Provider is beyond GBG's reasonable control and shall be considered an exception to the availability of the Services. 

 

8. DATA PROTECTION AND COMPLIANCE WITH RELEVANT LAWS

8.1 End User shall inform the Data Subject that their data shall be transferred to the Supplier in the United States as part of the use of this Dataset. 

8.2 End User will not transfer End User Data obtained through the Dataset to any third party without the explicit direction and informed consent of the End User and will undertake to ensure any such third-party recipient agrees to keep and follow all applicable laws governing the use of the Dataset. 

 

9. SURVIVAL

9.1 The following will survive any expiration or termination of these Additional Terms and any termination or cessation of use of the Dataset: (i) End User’s obligation to comply with clauses 2.3-2.6, 2.9, 3.2, 4 and 8.2; and (ii) any other provisions of these Additional Terms which must survive to be effective. 

 

 

 

Annex 1 

SPID Participation Agreement 

 

This SPID Participation Agreement (“SPID Agreement”) is executed by the undersigned (“Client”) in favor of Trinsic Technologies, B.V., a Netherlands company (“Aggregator”) (each a “Party” and collectively the “Parties”), for the purpose of formally recognizing the relationship between the Parties and confirming understanding of the obligations arising under governing law in connection with the registration and ongoing use of digital identity systems (Sistema Pubblico di Identità Digitale or “SPID”).  

1. Relationship Between Relevant Parties

Client acknowledges that Aggregator is a private entity authorized to provide services involving user identification and authentication in compliance with the Codice dell’Amministrazione Digitale (Legislative Decree No. 82/2005, as amended) (“CAD”) and the implementing regulations issued by the Agenzia per l’Italia Digitale (“AgID”). The Parties understand and intend that, under this relationship: 

a) Aggregator operates as an accredited aggregator (“soggetto aggregatore”) that is authorized to facilitate the registration of private service providers who wish to verify users’ access through SPID; 

b) Client is a private service provider (“fornitore di servizi privato”, or “soggetto aggregato”), and will be registered in the special register referred to in art. 1, paragraph 1 of the DPCM as it relates to the CAD, and is bound to comply with all relevant provisions of Italian law, including restrictions and obligations governing SPID participation; 

c) Client acknowledges that AgID is the applicable regulator for SPID tasked with enforcing the scheme rules through audits and other enforcement actions. As such, AgID has the authority to supervise all activities related to this Agreement, as authorized by Article 14-bis, paragraph 2, letter i) of the CAD, and may sanction the Client directly for violations in accordance with Article 32-bis of the CAD; and 

d) Client hereby directs Aggregator that Client wishes to, and will, receive the SPID services through the Aggregator in connection and cooperation with the Parties’ authorized partner, ______ (“Partner”). Client acknowledges that it is a controller with respect to the SPID services and represents that it has duly appointed Partner as Client’s processor pursuant to applicable law.   

2. Obligations and Representations of Client

2.1 Client  acknowledges that private entities whose legal representative, managing officer, or member of a control body has been convicted by final judgment for crimes committed through computer systems may not participate in the SPID system, pursuant to Article 64, paragraph 2-quinquies, of the CAD and the Decree of the President of the Council of Ministers of 24 October 2014 (GU No. 285 of 9 December 2014), as amended by the DPCM of 19 October 2021. Client represents and warrants that no such conviction exists with respect to its officers, directors, or controlling persons and authorizes Aggregator to verify this representation through reasonable investigation and checks. 

2.2 Client represents and warrants to Aggregator that: (a) Client has entered into an agreement with Partner that establishes the terms applicable to (and required for) Client’s use of the SPID services in connection with Partner; (b) Client has entered into a data processing agreement with Partner through which Client has duly appointed Partner to be Client’s processor pursuant to the requirements of GDPR, including (without limitation, and where applicable) entry into GDPR required standard contractual clauses and a commitment by Partner to disclose downstream sub-processors to Client; (c) that Client will maintain the foregoing agreements for so long as Client continues to receive the SPID services through Aggregator; and (d) that Client will strictly comply with all terms in the foregoing agreements.  

2.3 Client acknowledges that it is required by applicable regulation to, and will, collect and retain transaction data sufficient to: (a) record events relating to requests for access to Client’s services that interact with the SPID services; (b) document all digital identity operations carried out through the SPID services by Client; and (c) attribute those operations to the relevant individual digital identity provider (collectively, the “SPID Log Data”). Client agrees that: (i) Aggregator may and will collect and store SPID Log Data on Client’s behalf as a data processor; (ii) Client hereby authorizes Aggregator to share SPID Log Data with AgID or other relevant authorities strictly to comply with law or regulations; (iii) Aggregator may and will retain each record of SPID Log Data for a period of twenty-four (24) months; and (iv) Client’s authorization for Aggregator to store and use the SPID Log Data will survive the termination of this SPID Agreement and in no event cease prior to the end of the twenty-four (24) month retention period applicable to each record of SPID Log Data collected.  

2.4 Client understands that it may be contacted by AgID and agrees to collaborate with both Aggregator and AgID in connection with monitoring and control activities. In particular, and without limitation, Client will: (a) report to the relevant data protection authority and Aggregator within (and no later than) twenty-four (24) hours from becoming aware of any event, violation, or intrusion of the personal data of any users of the SPID service; (b) send to Aggregator, upon Aggregator’s request, in aggregate form, all data requested by it for statistical purposes, which data may be provided to AgID and made public in aggregate form; and (c) immediately communicate to Aggregator any circumstance that may hinder, delay, or otherwise affect Client’s ability to execute its obligations in connection with this SPID Agreement.  

2.5 Client will report any suspected violation of the terms, rules, or regulations applicable to the SPID services or of the obligations deriving therefrom to AgID, and give notice of such report to Aggregator, to allow appropriate measures to be taken to remedy the suspected violation. Client acknowledges that Aggregator, should it detect within the scope of its activity, any suspected violation of the terms, rules, or regulations applicable to the SPID services or of the obligations deriving therefrom, to AgID, and give notice of such report to Client, to allow appropriate measures to be taken to remedy the suspected violation.  

2.6 Client will promptly comply with the following reporting requirements: (i)  Client will report any malfunction in the SPID services that Client observes to Aggregator within twenty-four (24) hours of discovery; (ii) Client will report any observed or suspected security incident affecting the SPID services to Aggregator within twenty-four (24) hours of discovery; (iii) Client will immediately report to Aggregator any detected or suspected anomalous, fraudulent, or unauthorized use of the SPID services. Client may make such reports to Aggregator through Partner, provided that Partner will promptly and without undue delay forward all such reports to Aggregator.  

2.7. Client may instruct Partner to fulfil its reporting obligations under Sections 2.5 and 2.6 on its behalf, where appropriate. 

3. Obligations and Representations of Aggregator

3.1 By entering into this SPID Agreement, Client (as controller and service provider with respect to the SPID services) hereby directs Aggregator (as a processor), to transfer the verification data obtained through the SPID services to Client by way of Partner—which is Client’s duly appointed processor.  

3.2 Aggregator will undertake to provide Client (where applicable, per Client’s direction herein, via Partner) with the most accurate and up to date information regarding the guidelines, rules, notices, terms, and other communications published by AgID as they relate to the regulation of the SPID system in order to assist Client in its obligation to comply the relevant regulatory provisions and laws. 

3.3 Client acknowledges and agrees that Aggregator may conduct reasonable checks, including applicable background screening, identity verification, or business entity verification (including beneficial ownership information), to confirm Client’s representation made in Section 2.1 and fulfill its contractual obligation to ensure compliance with Article 64, paragraph 2-quinquies, of the CAD and the Decree of the President of the Council of Ministers of 24 October 2014 (GU No. 285 of 9 December 2014), as amended by the DPCM of 19 October 2021.  

3.4 In order to support Client in complying with the “Tracing and conservation of supporting documentation" requirement referred to in Article 29 of the regulation containing "The implementing methods for the realization of SPID", in the event of termination or non-renewal of the agreements referred to in Section 2.3 or the non-renewal or termination of this SPID Agreement, Aggregator will provide Client a copy of all SPID Log Data from the preceding twenty-four (24) month period free of charge and in electronic format, upon Client’s written request via email to legal@trinsic.id. 

4. Acknowledgment of Understanding

4.1 By signing below, the Parties affirm that they understand and agree to be bound by this SPID Agreement, including Client’s acknowledgment of, and agreement to comply with, the Italian legal provisions, obligations, and restrictions referenced herein. 
 
Executed this ___ day of ____________, 20__ 

Client (Authorized Signatory)	Aggregator (Authorized Signatory)
Name: _______________________  Title: _______________________  Signature: _______________________	Name: _______________________  Title: _______________________  Signature: _______________________