Athics – Terms of Service and SLA
These Terms of Service constitute a legal agreement between you and Athics S.r.l. for the use of the software platforms Crafter.ai (https://crafter.ai/it/) and Portrait (https://portrait-profiling.ai) (hereinafter jointly referred to as the “Software”). By using either of the services, you agree to be bound by the terms and conditions set forth in this document. Athics S.r.l. reserves the right to modify these Terms at any time, for any reason, and without prior notice.
Restrictions
Unless you have received prior written consent from Athics S.r.l., you may not:
- Reproduce, distribute, or transfer the Software, or parts of it, to third parties.
- Sell, lease, rent, assign, or sublicense the Software or parts of it.
- Grant rights to any other person.
- Use the Software in violation of any applicable Italian or international law or regulation.
All copyright notices, intellectual property statements, and logos contained in the Software files and interface must remain intact.
Misuse and Awareness
The following rules apply jointly to Crafter.ai and Portrait (collectively, the “Services”).
The User agrees not to use the Services in any unlawful, discriminatory, or unethical manner, and to ensure meaningful human oversight at every stage of any decision-making process that may affect the rights or interests of individuals, in accordance with the GDPR, the forthcoming AI Act, and other applicable regulations.
By way of example and without limitation:
- Recruitment and Personnel Management
  - Using the Services to automatically exclude candidates from a recruitment process, or to make decisions on promotions, dismissals, or other significant outcomes without qualified human supervision, supported by transparent and documented criteria.
- Predictive Profiling and Scoring
  - Generating reputational, risk, or reliability scores that affect access to credit, insurance policies, or other essential services without independent and traceable review by human operators.
- Access to Essential Services
  - Denying, limiting, or adjusting access to healthcare, education, social housing, energy, or water based on outputs without human oversight to ensure fairness, accuracy, and non-discrimination.
  - Associating psychometric profiles with differentiated treatment without verification of legitimacy and purpose by a responsible human.
- Manipulation and Persuasive Communication
  - Using chatbots or psychometric profiles for non-transparent political or commercial micro-targeting, or to spread misinformation without proper human audit and supervision.
  - Running campaigns that exploit cognitive vulnerabilities of specific groups (e.g., minors, elderly people, persons with disabilities) without ethical review and human oversight of generated content.
- High-Risk Contexts
  - Applying the Services in automated decision-making in healthcare, judicial processes, social assistance, or public safety (e.g., triage, predictive policing) without final human intervention capable of confirming, modifying, or rejecting the automated outcome.
  - Profiling minors under 18 or protected categories without explicit consent from legal guardians or equivalent legal safeguards.
- Unlawful Data Collection
  - Analyzing texts or communications of third parties (CVs, emails, chats, social media) without a valid legal basis or the informed consent of the data subjects.
The User/Client is required to take all necessary measures to ensure a responsible and lawful use of the Services. The following obligations are indicative and not exhaustive:
- Data Protection Impact Assessment (DPIA) – If the use of the Services involves processing of personal data likely to result in high risks to the rights and freedoms of individuals, the User must conduct a DPIA under Article 35 of the GDPR, clearly identifying where human intervention occurs in the process.
- Fundamental Rights Impact Assessment (FRIA) – In anticipation of the full application of the AI Act, the User must prepare a FRIA (Fundamental Rights Impact Assessment) for all uses of the Services considered “high-risk AI systems” as defined in Annex III of the Regulation. This assessment must include technical, organizational, and human oversight measures to prevent harmful effects on individuals.
- Transparency – Data subjects must be clearly informed about the use of AI systems, the decision-making logic involved, and their right to human review.
Technical Support
Athics S.r.l. currently does not provide direct telephone support. No guarantees are given regarding response times to email support requests, although Athics S.r.l. will make every effort to respond promptly.
Refunds
Athics S.r.l. does not offer refunds for the Software. For assistance, please contact technical support at support@athics.ai.
Indemnity
You agree to indemnify and hold harmless Athics S.r.l. from any third-party claim, action, or proceeding, as well as any expense, liability, damage, settlement, or fee arising from your use or misuse of the Software or any breach of these Terms.
Disclaimer of Warranty
The Software is provided “as is”, without any warranty of any kind, either express or implied, including but not limited to warranties of quality, performance, non-infringement, merchantability, or fitness for a particular purpose. Athics S.r.l. does not guarantee that the Services will be continuously available or error-free.
Limitation of Liability
You assume all risks associated with the installation and use of the Software. In no event shall the authors or copyright holders of the Software be liable for any claims, damages, or other liabilities arising from or in connection with the use of the Software. You are solely responsible for determining the appropriateness of the Software and assume all risks associated with its use, including but not limited to risks of program errors, damage to equipment, data loss, or operational disruptions.
DATA PROCESSING AGREEMENT EX ART. 28
Between
The Company (‘Client’) as the Controller pursuant to EU Regulation No. 679/2016 (hereinafter referred to as ‘GDPR’)
and
ATHICS S.R.L. (“Athics”), P.IVA 02804960355, REA RE315151, Via Meuccio Ruini 10, 42124 Reggio Emilia (RE), as Processor, in relation to the performance of all tasks assigned to it, for which it shall process data.
| Section | Field | Detail |
|---|---|---|
| DESCRIPTION OF THE PROCESSING / SERVICE | Description | The services offered by Athics, depending on what the Customer subscribes to, apply to: 1) the SaaS platform Crafter.ai; 2) subscription to the Portrait platform |
| | Purpose | Crafter.ai: creation and management of chatbots. Portrait: real-time AI psychometric profiling API service |
| | Processing type | Collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, comparison or interconnection, deletion |
| PERSONAL DATA | Data category | Common data, generally provided spontaneously by the data subject when interacting with the Service provided by the Controller. It is the responsibility of the Controller to indicate which data are to be requested from the data subject when using the Service. |
| | Special personal data (sensitive data) | Possibly present, if requested by the Controller and/or entered voluntarily by the data subject. |
| | Erasure deadline | In accordance with the Controller’s instructions indicated in the contract, or until the conclusion of the relationship with the Controller, subject to technical deletion times. |
| DATA SUBJECT | Data subject category | Depends on the area in which the Controller intends to use the Service provided by the Processor. |
| | Consent (YES/NO) | Where appropriate, the onus is on the Controller to provide information on this. |
| TRANSFER | Third countries, international organisations | Any transfers to third countries will be carried out in accordance with current legislation: (a) to countries recognised as safe by the EU Commission; (b) to countries that have international agreements with Europe on data protection; (c) to entities that have entered into legally binding agreements with the Data Controller to provide adequate guarantees for the protection of data subjects as required by law. |
| SECURITY INSTRUCTIONS AND SPECIFIC INSTRUCTIONS FOR PROCESSING | Technical and organisational measures to be taken | See Annex I – Portrait/Crafter.ai |
| SUB-PROCESSOR REGISTER | | DigitalOcean: cloud hosting (https://www.digitalocean.com/legal/terms-of-service-agreement); OpenAI: optional LLM module (https://openai.com/policies/row-terms-of-use/) |
This agreement shall be valid for the duration of the Services purchased by the Client.
The Controller entrusts the Processor with the processing of personal data also on the basis of its experience, skills and reliability, which guarantee compliance with the current provisions on processing, including the application of the Data Protection Regulation (GDPR), as assessed following a request for appropriate guarantees and/or the presentation of documents describing the proposed service. Within the scope of the tasks assigned to it, the Processor is obliged to:
- only process data in accordance with the instructions provided by the Controller;
- ensure that the natural persons authorised by the supplier for processing activities are bound by confidentiality obligations contractually entered into with the supplier;
- adopt the technical and organisational measures indicated in the initial prospectus, suitable for guaranteeing the protection of the data processed on behalf of the Controller, in order to achieve a level of security appropriate to the risk inherent in the processing;
- follow up any requests made by data subjects (access, rectification, erasure, portability, objection) after discussion with the Controller, giving feedback to the data subject and informing the Controller;
- report within a reasonable period of time any data breaches that have occurred during the processing activity. In particular, it shall immediately inform the Controller if an event concerning the data may constitute a ‘data breach’. Within the following 48 hours, it will provide as much detail as possible, using the Italian Privacy Authority’s template for ‘data breach’ reports as a means of gathering information. It will respond promptly to any further requests from the Controller useful for the assessment of the activities to be performed pursuant to Articles 33 and 34 of the GDPR;
- at the Controller’s option, erase or return all personal data after the provision of services relating to the processing has ended and erase existing copies, unless required by law to retain the data;
- make available to the Controller all information necessary to demonstrate compliance with what has been agreed;
- allow auditing activities to be carried out on the processes related to the contractually agreed processing of data;
- inform the Controller if any of its instructions appear to be contrary to the GDPR, giving reasons for such indication. In the event of the Controller’s confirmed willingness to continue, the Controller shall indemnify the Processor against any negative consequences arising from compliance with the request.
The Processor may use another Processor (hereinafter, ‘sub-processor’) to handle specific processing activities.
The Controller authorises the Processor to use, on a general basis, the sub-processors.
The Processor shall inform the Controller in writing of any planned changes concerning the addition or replacement of other sub-processors.
This information must clearly indicate the delegated processing activities, the identity and addresses of the sub-Processor and the details of the outsourcing contract. The Controller may object to the appointment of these sub-Processors within 30 days.
The processor undertakes to follow the instructions of the Controller and to report these commitments to any sub-.
This Agreement, also intended as an update to previous agreements, shall enter into force on the date of the signing of the Agreement with the Controller and shall also apply to all data and information acquired by the Controller in the preceding and/or pre-contractual phase.
ANNEX I – PORTRAIT/CRAFTER.AI
Technical and organisational measures, including technical and organisational measures to ensure data security
| N | Measures | Detail |
|---|---|---|
| 01 | Pseudonymisation and encryption measures for personal data | All data in transit are transferred using the HTTPS protocol. At the customer’s e-mail request, data at rest can be encrypted, anonymised and/or deleted according to an agreed timetable. |
| 02 | Measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services on an ongoing basis | According to specific contractual agreements, data may be backed up with agreed retention times. Please refer to the policies of the cloud provider (DigitalOcean) for the implementation of the backup service. |
| 03 | Measures to ensure the ability to promptly restore the availability of and access to personal data in the event of a physical or technical incident | Enabling the backup service enables the implementation of a recovery plan (default: 7 daily backups). |
| 04 | Procedures for regularly testing, verifying and evaluating the effectiveness of technical and organisational measures to ensure security of processing | On an annual basis, vulnerability assessments, penetration tests and data protection training (also covering phishing management) are carried out. |
| 05 | User identification and authorisation measures | On the platform, the customer can independently define and manage their own credentials, with the option of activating 2FA. On the platform, the Rollbar service is used to manage the log of all events (including authentication events). |
| 06 | Data protection measures during transmission | All data in transit are transferred using the HTTPS protocol. |
| 07 | Data protection measures during storage | Data at rest can be encrypted, anonymised and/or deleted in accordance with an agreed timetable, at the customer’s e-mail request. |
| 08 | Measures to ensure the physical security of the places where personal data are processed | For all details, please refer to the documentation of the cloud provider where all servers reside: https://www.digitalocean.com/trust/certification-reports |
| 09 | Measures to ensure the recording of events | The Rollbar service is used on the platform to manage the log of all events (including those related to authentication). |
| 10 | Measures to ensure system configuration, including configuration by default | The offer of the Services is scalable and the initial setting is defined by the Controller. |
| 11 | Internal IT and IT security management and governance measures | Computer Security Manual + training. |
| 12 | Certification/guarantee measures for processes and products | The Processor is not certified but uses certified sub-processors (https://www.digitalocean.com/trust/certification-reports). |
| 13 | Measures to ensure data minimisation | The offer of the Services is scalable and the initial setting is defined by the Controller. |
| 14 | Measures to ensure data quality | Each bot is hosted on a dedicated machine. |
| 15 | Measures to ensure limited data retention | The setting is decided by the Controller. |
| 16 | Measures to ensure accountability | Instructions for in-house processors. Agreements ex Art. 28 GDPR with external controllers. The DPO oversees compliance with the correct procedures, GDPR compliance and the Processor’s policies. |
| 17 | Measures to enable data portability and ensure deletion | The setting is defined by the Controller on its own systems. The Processor provides the Controller with methods and tools both to carry out these activities independently and to guarantee support in the event of special requests. |