RCS for Business Privacy Policy

The definitions in the “RCS Business Messaging Terms and Conditions” apply, available at: https://www.secfull.com/terms-of-rcs-for-business-service/ .

This Data Protection Policy (hereinafter the “Policy”) has been defined to allow the Customer to know and be aware of the ways in which his personal data is processed by LEA in the provision of the RCS Service.

1. Privacy Policy

(a) Customer acknowledges and accepts the terms set forth in the Data Protection Agreement (“LEA’s DPA”), available at: https://www.secfull.com/data-protection-agreement/. Customer acknowledges and accepts that the technical and organizational measures mentioned in the DPA may not be fully implemented, but will be implemented upon full general availability.

(b) Customer: (i) grants LEA (including its affiliates and subcontractors) a non-exclusive, worldwide right to use, modify, adapt and process Customer Data to analyze, develop, test and manage, provide and support the RCS Services and/or any products of LEA and its affiliates; and (ii) acknowledges that neither LEA, nor its affiliates nor LEA’s respective suppliers exercise any control over LEA Data and act as mere or passive conduits in the transmission and management of LEA Data.

(c) Customer warrants, represents, and undertakes to LEA that it owns and maintains all rights, licenses, and consents necessary to provide LEA with any data for the purposes described in this Policy. LEA may require Customer to provide evidence of such rights whenever necessary and in accordance with the terms of the Agreement.

(d) The Customer acknowledges, authorizes, and agrees that LEA may retain, store, use, and disclose the data solely for the purpose, and to the extent necessary, to provide and improve the RCS Services and to satisfy applicable legal, accounting, or regulatory requirements. LEA will establish procedures to ensure compliance with applicable laws.

(e) The Customer acknowledges, consents and agrees that LEA may process the Customer’s contact and contractual data for the purposes of managing and developing customer relationships and that such information may be shared with Affiliates for the purposes described.

(f) Customer will collect and retain all Personal Data necessary to use the RCS Services, as well as any required consents associated with such Personal Data, in compliance with applicable Data Protection Law.

 

Data Protection Agreement

This Data Protection Agreement (the “DPA”) is an integral part of the contract for services offered by LEA (governed by the “Contract”) to the Customer.

1. Definitions

  1. “Customer Personal Data” means all personal data processed by LEA on behalf of the Customer to perform the Services provided for in the Main Contract.
  2. “Applicable Data Protection Laws” means the GDPR, as implemented in the national law of each Member State (and the United Kingdom) and as amended, replaced, or repealed from time to time, and the laws implementing, replacing, or supplementing the GDPR and all laws applicable to the processing of customer personal data, including the California Consumer Privacy Rights Act of 2020, which amends the California Consumer Privacy Act of 2018 Cal. Civ. Code § 1798.100 et seq. (“CCPA”).
  3. “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  4. “LEA Infrastructure” means (i) LEA’s physical facilities; (ii) the hosted infrastructure; (iii) LEA’s corporate network and non-public internal network, software and hardware necessary to provide the Services and controlled by LEA; in each case to the extent they are used to provide the Services.
  5. “Restricted Transfer” means a transfer of Customer Personal Data from LEA to a sub-processor where such transfer would be prohibited by applicable data protection laws (or by the terms of data transfer agreements entered into to address data transfer restrictions of applicable data protection laws) in the absence of adequate safeguards required for such transfers under applicable data protection laws.
  6. “Services” means the services provided to the Customer by LEA under the Main Contract.
  7. “Standard Contractual Clauses” means the most recent version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the version in force at the date of this DPA is the one annexed to Decision 2021/914 (EU) of the European Commission of 4 June 2021).
  8. The terms “consent”, “controller”, “data subject”, “Member State”, “personal data”, “personal data breach”, “processor”, “sub-processor”, “processing”, “supervisory authority” and “third party” have the meaning given to them in Article 4 of the GDPR.

Compliance with applicable data protection laws

LEA and the Client shall comply with the provisions and obligations imposed by the Applicable Data Protection Laws and shall ensure that their employees and sub-processors comply with the provisions of the Applicable Data Protection Laws.

2. Details and scope of processing

The Processing of Customer Personal Data under the Contract will be carried out in accordance with the following provisions and as required by Applicable Data Protection Laws. The Parties may amend this policy from time to time, as they deem reasonably necessary to meet such requirements.

Scope and duration of personal data processing: The scope and duration of personal data processing are set out in the Main Agreement.

Nature and purpose of personal data processing: Pursuant to the Agreement, LEA provides the Customer with certain services that involve the processing of personal data. These processing activities include (a) providing the Services; (b) identifying, preventing, and resolving technical and security issues; and (c) responding to Customer support requests.

Types of personal data to be processed: Personal data sent to the LEA network, the extent of which is determined and controlled by the Data Controller at its sole discretion, may include name, email address, telephone numbers, IP address, and other personal data included in contact lists and the content of messages or calls.

Independent Data Controller Exclusion: Notwithstanding anything else herein, when processing personal data in the course of providing communications services as part of the Services, including the transmission and exchange of SMS messages via telecommunications networks and other messages and communications, including email, voice, and other media via other communication platforms, regardless of whether the Customer acts as a controller or processor, LEA acts as an independent data controller and not as a joint controller, in order to provide its communications services and perform its necessary functions and activities as a communications service provider, including taking measures necessary to prevent spam and fraud and controlling, securing, and maintaining its network, managing its business and compliance functions, and complying with its obligations under applicable laws.

Categories of data subjects to whom the personal data refers: senders and recipients of emails and SMS messages, voice calls, or other communications.

  • LEA will process Customer Personal Data exclusively (i) to fulfill its obligations under the Master Agreement and (ii) in accordance with the documented instructions described in this DPA or as otherwise indicated by Customer from time to time. Such Customer instructions will be documented in the applicable order, service description, support ticket, other written communications, or as indicated by Customer using the Services.
  • If LEA reasonably believes that a Client instruction is contrary to the provisions of the Agreement or this DPA, or violates the GDPR or other applicable data protection provisions, it must promptly inform the Client. In either case, LEA will be entitled to postpone execution of the relevant instruction until it has been modified by the Client or agreed upon between the Client and LEA.
  • Customer is solely responsible for the use and handling of personal data sent or transmitted through the Services, including: (i) verifying recipient information, such as phone number or address, and ensuring it is correctly entered into the Services; (ii) reasonably notifying any recipient of the insecure nature of emails or messages as a means of transmitting personal data (where applicable); (iii) reasonably limiting the amount or type of information disclosed through the Services; and (iv) encrypting all personal data transmitted through the Services, where appropriate or required by applicable law (e.g., through the use of encrypted attachments, PGP toolset, or S/MIME). Information uploaded to the Services, including message content, is stored in encrypted form at the time of processing by the LEA Infrastructure.

3. Data Controller and Data Processor

For the purposes of this DPA, Customer is the controller of its Personal Data and LEA is the processor of such data, except where Customer acts as a processor of its Personal Data, in which case LEA is a sub-processor.

LEA shall always have a designated representative to assist the Client (i) in responding to requests relating to Data Processing received from Data Subjects; and (ii) in fulfilling all applicable legal information and disclosure obligations associated with Data Processing. Such assistance may be requested at lea@lexetars.com.

The Customer guarantees that:

  1. The processing of Customer Personal Data is based on legal bases for processing, as may be required by applicable data protection laws and that it has obtained and will maintain throughout the term of the Master Agreement all necessary rights, authorizations, registrations and consents in accordance with and as required by applicable data protection laws in relation to LEA’s processing of Customer Personal Data under this DPA and the Master Agreement;
  2. has the right and holds all necessary rights, permissions and consents to transfer the Customer Personal Data to LEA and otherwise permit LEA to process the Customer Personal Data on its behalf, so that LEA may lawfully use, process and transfer the Customer Personal Data in order to provide the Services and perform LEA’s other rights and obligations under this DPA and the Master Agreement;
  3. will inform its Data Subjects about the use of Data Processors in the processing of their personal data, to the extent required by applicable Data Protection Laws; and,
  4. will respond within a reasonable time and to the extent reasonably practicable to requests from data subjects regarding the processing of their personal data and will promptly provide LEA with appropriate instructions.

4. Confidentiality

LEA ensures that all its personnel and those of its sub-processors authorized to process Customer Personal Data are subject to confidentiality commitments or professional or statutory obligations of confidentiality and are trained in the relevant data security and protection requirements.

5. Technical and organizational measures

In relation to Customer Personal Data, LEA shall (a) take and document reasonable and appropriate measures in relation to the security of the LEA Infrastructure and the platforms used to provide the Services as described in the Agreement and (b) upon reasonable request and at Customer’s expense, assist Customer in ensuring compliance with Customer’s obligations under Applicable Data Protection Laws.

LEA’s internal operating procedures must comply with the specific requirements of effective data protection management.

6. Requests from the interested party

LEA provides specific tools to assist customers in responding to requests received from data subjects. When LEA receives a complaint, inquiry, or request (including requests submitted by data subjects to exercise their rights under Applicable Data Protection Laws) relating to the Customer’s Personal Data directly from data subjects, LEA will notify the Customer. Taking into account the nature of the processing, LEA will assist the Customer, using appropriate technical and organizational measures, to the extent reasonably possible, in fulfilling the Customer’s obligation to respond to requests to exercise the rights of such data subjects.

7. Personal data breaches

LEA will notify the Customer without undue delay upon becoming aware of a personal data breach affecting the Customer’s Personal Data. LEA, taking into account the nature of the processing and the information available to it, will use commercially reasonable efforts to provide the Customer with sufficient information to allow it, at its own expense, to comply with any reporting or information obligations to regulators, data subjects, and other entities regarding such personal data breach, to the extent required by Applicable Data Protection Laws.

8. Data protection impact assessments

LEA, taking into account the nature of the processing and the information available, will provide the Customer, at the latter’s expense, with reasonable assistance in carrying out data protection impact assessments and in prior consultations with supervisory authorities or other competent regulatory authorities, as requested by the Customer to fulfill its obligations under applicable data protection laws.

9. Audits

LEA will make available to Customer, upon reasonable request, such information as is reasonably necessary to demonstrate compliance with this DPA.

The Client or a third-party auditor may, upon reasonable written request, conduct an audit of LEA’s processing of the Client’s personal data, to the extent necessary in accordance with data protection laws and without interrupting LEA’s business operations and ensuring confidentiality.

The above right of audit shall apply to Customer in the event that LEA has not provided sufficient evidence of its compliance with the provisions of this DPA. Sufficient evidence shall mean the submission of: (i) a certification of compliance with ISO 27001 or other standards implemented by LEA (scope as defined in the certificate); or (ii) an audit report or attestation from a third party. An audit as described shall be conducted at Customer’s expense and shall require reasonable notice from Customer of at least thirty (30) days.

10. Return or destruction of the Customer’s personal data

The Customer may, by providing written notice to LEA no later than the time of termination of the Contract, request the return and/or deletion of all copies of the Customer’s Personal Data in the possession or control of LEA and its subprocessors. LEA will provide a copy of the Customer’s Data in a format that can be read and further processed.

Within ninety (90) calendar days of account closure, LEA will delete all personal data processed under this DPA, unless the Customer requests its return as described in the previous point. This provision does not affect any legal obligations of the Parties to retain data for the retention periods established by law or by the Agreement.

Any additional costs arising from the return of personal data after termination or expiration of the Contract will be borne by the Customer.

11. Data transfers

The Customer acknowledges and accepts that, in connection with the performance of the Services provided for by the Contract, LEA may transfer personal data within its corporate group.

LEA will never transfer personal data to third parties without the Customer’s prior and explicit consent.

If, for purely technical reasons beyond LEA’s control, personal data is processed outside the country in which LEA has its registered office, LEA will ensure an adequate level of protection of personal data through organizational, technical, and contractual measures, as required by applicable Data Protection Laws and this DPA.

12. Sub-processing

The Client generally authorizes LEA to appoint subprocessors in accordance with this DPA. LEA will ensure that the subprocessors are bound by written agreements requiring them to provide at least the level of data protection required of LEA by this DPA. The Client also authorizes LEA to continue using the subprocessors already appointed as of the date of this DPA.

LEA will be responsible for the acts and omissions of any sub-processors, as it is to the Customer for its own acts and omissions in relation to the matters covered by this DPA.

13. Applicable law and jurisdiction

The parties to this DPA submit to the choice of jurisdiction stipulated in the Master Agreement with respect to any dispute or claim arising in any way out of this DPA, including disputes relating to its existence, validity or termination or the consequences of its invalidity.

This DPA and all non-contractual or other obligations arising out of or in connection with it shall be governed by the laws of the country or territory stipulated for such purpose in the Main Agreement.

Except as provided above, all obligations arising out of or in connection with the provisions of this DPA shall be governed by the laws of Italy.

14. Order of precedence

With respect to the subject matter of this DPA, in the event of any inconsistency between the provisions of this DPA and any other agreement between the Parties, including the Agreement, agreements entered into or purported to be entered into after the date of this DPA shall prevail over the provisions of this DPA.

15. Separation

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions of this DPA will remain valid and in effect. The invalid or unenforceable provision will be (i) modified as necessary to ensure its validity and enforceability, preserving as much as possible the intentions of the parties, or, if that is not possible, (ii) construed as if the invalid or unenforceable portion had never been contained herein.

16. Resolution

This DPA and the Standard Contractual Clauses will terminate automatically upon termination of the Agreement.

Terms of RCS for Business Service

The following terms (the “RCS for Business Terms and Conditions”) apply to the RCS Service provided via the API of LEX ET ARS® (hereinafter “LEA”), which owns the SECFULL® trademark (hereinafter “Secfull”). By accepting these terms, you declare that you have the authority to bind the Customer to the RCS Business Messaging Terms and Conditions.

In addition to the RCS Messaging Terms and Conditions, the RCS Service is further subject to the general terms and conditions accepted by the Customer during the service contracting process (the “Contract”).

1. Definitions

  • A2P stands for Application-to-Person and refers to the RCS sent by the RCS agent to a user.
  • RCS Agent is a programmatic entity that sends messages to users on behalf of a company displaying its brand.
  • Client is the LEA Client, the legal entity associated with the company name identified during the RCS Service contracting procedure.
  • P2A stands for Person-to-Application and refers to the RCS sent by a user to the RCS agent.
  • RCS stands for Rich Communication Services, which is a messaging protocol for providing more comprehensive messaging services.
  • RCS for Business is the version of RCS for businesses, allowing them to communicate with their customers in a richer and more interactive way. RCS for Business allows companies to create more engaging campaigns and provide a more effective customer experience. Companies can use their own branding to make their messages more recognizable and trustworthy.
  • RCS Service means the provision of sending/receiving RCS to the End User (A2P), via the RCS agent and the Secfull RCS+ platform and from the platform to the End User (P2A) for the Customer’s corporate messaging, limited to Italy.
  • The end user is the person who owns a mobile telephone and receives the RCS.

2. RCS Services

In exchange for payment of the Fees, LEA undertakes to make the RCS Services available to the Customer, which may be used in accordance with the terms established herein.

3. RCS Agent

An RCS Agent must be registered, and the Client authorizes LEA to complete the registration on behalf of the Client. The Client must complete any RCS Agent registration process requested by LEA and provide LEA with any additional information reasonably necessary to complete the registration process. The Client warrants that all information provided to LEA is complete, truthful, and accurate, and that it is authorized to provide such information to LEA. The Client acknowledges that the registration process for RCS Agents depends on the Service Providers and their acceptance criteria, as defined by their specific registration procedures (which vary by Service Provider), and LEA is in no way responsible if a Service Provider rejects the Client’s registration of an RCS Agent.

4. Third Party Terms

Customer acknowledges and agrees that the provision and use of the RCS Services are conditioned upon Customer’s acceptance of, and strict compliance with, all of the Service Provider’s requirements, including the third-party terms set forth below (as amended or replaced from time to time, including any policies or guidelines incorporated therein):

(a) (Google) terms of service governing the use of RCS for Business as currently set forth at the following URLs:

i) http://developers.google.com/business-communications/rcs-business-messaging/carriers/tos

ii) https://developers.google.com/business-communications/rcs-business-messaging/support/tos;

The Customer acknowledges having read and understood these terms and that he/she must periodically check and comply with them in order to be fully aware of and fully comply with the conditions, rights and obligations.

5. Reliance on service providers

Customer acknowledges and agrees that the RCS Services are dependent on certain Service Providers and the ability of telephone equipment to achieve the technical integration and interoperability with LEA systems necessary to facilitate the RCS Services and, therefore, Customer acknowledges that this is beyond LEA’s control and that LEA is in no way responsible for such technical integration limitations or interoperability failures.

6. Sender ID and account

The Customer also acknowledges and accepts that in order to use the LEA RCS Service he is required to:

(a) sign the Contract with LEA; and

(b) identify the RCS agent, as the sender of the company messaging service (ref. Agcom resolution 42/13/CIR), by a so-called “alias” identifier consisting of a string of alphanumeric characters no longer than 11 characters, not composed of numbers only, which meets the following requirements:
– must “clearly” identify the person commissioning the shipment
– must comply with trademark legislation
– must not consist of a common word (e.g. promo, hello, etc.)
– must not identify a public body or entity (e.g. ministry, police, etc.); and

(c) authorize LEA to register the alias used by the Customer in the AGcom alias registry or in the list of companies authorized to provide corporate messaging services with Alias to companies, with the E.164 number associated with the alias.

7. Calculation of RCS sending costs

Rates for messages sent as RCS will be determined by LEA with reference to relevant regional requirements and service provider requirements, based on the number and type of RCS sent by the customer, typically calculated in accordance with the following framework:

(a) Basic RCS: Rate for a plain text message up to 160 UTF-8 characters;

(b) Single Multi-Use RCS: Rate for a single message containing advanced content (e.g. a message containing an advanced card or a carousel);

(c) Conversational RCS: rate for a conversation consisting of multiple A2P and P2A messages within a given period of time.

If an RCS is sent to multiple end users, each of them is counted separately.

8. Customer Guarantees

(a) Customer agrees that LEA may recover from Customer any charges, fines or penalties that a network operator or service provider imposes on LEA as a result of an alleged violation of the requirements of these “RCS for Business Terms and Conditions” or the RCS for Business Service use policy available at the link: https://www.secfull.com/rcs-for-business-acceptable-use-policy/;

(b) Customer represents and warrants that it will comply with all applicable laws and regulations in relation to the transmission of Content and, in particular, but without limitation, will comply with all applicable Data Protection Laws;

(c) Customer agrees to provide any government agency or LEA with any information or material relating to the RCS for Business Service reasonably requested in order to conduct any investigation into alleged violations;

(d) In no event shall LEA be liable for any damages arising out of these “RCS Business Messaging Terms and Conditions”, including, without limitation, any lost revenues, lost profits, or indirect, incidental, consequential, special, punitive or exemplary damages.

THE RCS SERVICES ARE PROVIDED “AS IS.” LEA MAKES NO OTHER REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, SATISFACTORY QUALITY, OR ACCURACY WITH RESPECT TO THE RCS SERVICES.

9. Process

The Customer acknowledges that the RCS Services may be provided on a trial basis and may be subject to change without notice. LEA will endeavor to provide reasonable advance notice where possible.

10. Property

Customer retains all rights and ownership of the content of its RCS, and LEA claims no ownership rights in such content. Except for the rights expressly granted by Customer, LEA does not grant any implied licenses and reserves all rights not granted. Customer acknowledges that LEA retains exclusive ownership of all rights, title, and interest in the RCS Services and our Confidential Information, including all intellectual property rights, and Customer will not dispute or challenge our exclusive ownership rights therein at any time. If Customer provides feedback regarding the RCS Services, LEA will own it and may use and modify it without restriction or payment to Customer.

11. General terms

Customer acknowledges and agrees that the availability and use of the RCS Services are conditioned on Customer’s compliance with and acceptance of all terms and policies set forth herein and those of Google LLC and its affiliates, including Jibe Mobile Inc. (collectively, “Google”). Customer acknowledges that Google’s terms and policies may be modified, adapted, and/or updated at any time at Google’s discretion. Therefore, Customer will periodically review the terms and policies to ensure full awareness of and compliance with their conditions, rights, and obligations.

  1. terms of service that govern your use of RCS for Business as set forth at the following URL: http://developers.google.com/business-communications/rcs-business-messaging/carriers/tos (as such terms and URL may be updated by Google from time to time);
  2. RCS for Business Terms of Service available at the following URL: https://developers.google.com/business-communications/rcs-business-messaging/support/tos (this URL may be updated by Google from time to time);
  3. all policies, restrictions, terms and conditions set forth by Jibe Mobile Inc. at https://jibe.google.com/intl/en_ZZ/policies/terms/ as may be updated from time to time; and
  4. All policies, terms and conditions of the relevant mobile network operator apply.

12. Disclaimer

In addition to any disclaimers in the Master Agreement or the Existing Agreement, Customer acknowledges that the RCS Services are not specifically designed to meet the individual needs of Customer and/or its customers or end users and are provided on an “as is” and “where currently available” basis.

RCS for Business Acceptable Use Policy

The definitions in the “RCS for Business Terms and Conditions” apply, available at: https://www.secfull.com/terms-of-rcs-for-business-service/ .

This Acceptable Use Policy (hereinafter the “Policy”) has been developed to help the Customer better understand what is and is not acceptable when using the RCS Service offered by LEX ET ARS ® (hereinafter “LEA”). The obligation to comply with this Policy is an integral part of the Customer’s Contract, and the Customer must therefore ensure they have read it and understand its impact on their use of the RCS Service.

1. Correct use

LEA provides the RCS Service for the benefit of businesses for sending communications. All communications sent via the trial version or the full service are subject to this Policy, so that LEA users as a whole are not negatively impacted by the actions of a few. The Customer must not use the RCS Service to:

  • pursue purposes not connected to the Client’s legitimate commercial or entrepreneurial activities;
  • send or permit the sending of, or assist in the sending of, spam, junk messages, or violate any applicable spam laws;
  • use mobile phone numbers or number ranges associated with, or suspected of being associated with, fraudulent or illegal activity;
  • operate or attempt to operate or communicate through scams or similar schemes;
  • damage or interfere with services provided to other customers or service providers;
  • violate any applicable usage policies or codes of conduct or practices, including those of mobile network operators;
  • attempt to circumvent or breach any security mechanism on any of the RCS Service or use the RCS Service in any other way that poses a security risk to any user or to LEA;
  • test or reverse engineer the RCS Service for limitations, vulnerabilities, or to circumvent filtering capabilities;
  • submit, publish, reproduce, host, advertise, communicate or facilitate any Restricted Content;
  • submit content that:
    • is offensive, inappropriate for minors, abusive, obscene or indecent;
    • promotes, incites or instructs in criminal matters;
    • describes, incites, or promotes illegal sexual activity;
    • promotes or incites discrimination, violence or hatred against any person or group, or incites racial hatred;
    • causes unnecessary alarm, distress, anxiety, annoyance, inconvenience or panic or is threatening in nature;
    • contains a computer worm, Trojan horse, or virus or other harmful or malicious code or data designed to interrupt, damage, destroy, or limit the functionality of any computer software, hardware, or communications equipment or the Services;
    • violates any law;
    • is defamatory;
    • is pornographic;
    • violates any privacy law or regulation;
    • violates or infringes upon any person’s rights of privacy, copyright or other intellectual property rights or any other proprietary interest of any person;
    • is false, misleading or deceptive, or likely to deceive or mislead;
    • is fraudulent or promotes fraudulent activity;
    • provides financial advice to any person;
    • is obsolete, taking into account generally available information subsequently published, disseminated or made available;
    • is unlawful or is likely to cause damage to property or injury to any person;
    • is intended to provide a warning or notification about a serious risk to the safety of people or property (e.g., emergency services); or
    • may discredit LEA or any of our suppliers.

2. Compliance with laws and regulations

All Customers and End Users are required to read and comply with all applicable laws, carrier regulations, and industry guidelines (as amended and updated from time to time), including, but not limited to, those listed below.

3. What actions will LEA take?

Compliance with this Policy is a mandatory requirement under the Agreement. If Customer or an End User violates this Policy, Customer’s access to the Services may be blocked or suspended and the Customer’s Agreement may be terminated. LEA may work with other Internet service providers to identify users who may be violating this Policy. Any offensive material may be removed by LEA without notice or explanation. If LEA discovers that Customer has engaged in behavior or acted in violation of this Policy, LEA may notify Customer that Customer’s behavior is unacceptable. If LEA becomes aware that Customer is using the RCS Service for illegal purposes, LEA may involve law enforcement, the judiciary, or national security agencies. LEA may also be required by law or otherwise required to disclose Customer’s identity if Customer has used the RCS Service in violation of this Policy.

4. Account recovery/unlock

A suspended or blocked user may be reinstated at LEA’s sole discretion, which may include requiring a written commitment from the offender not to commit future violations of this Policy. However, LEA evaluates all cases based on individual circumstances.

5. Claims for Violation of this AUP

If the Customer or an End User wishes to inform LEA of a violation of this Policy, they should contact a member of the Support Team.

This Acceptable Use Policy was last updated in June 2025.

The lapsed use of the “probe” supplied by the authority for passive telematic interception

by Renzo Di Pietra

The aim of this article is to provide an overview of the legislation on “passive” telematic interception and to show that it is no longer possible to fall back on the old practice of using the probe supplied by the judicial authority where the operator has not set up an internal architecture for the purpose.

1. The regulatory sources currently in force

Telematic interception consists of intercepting what is exchanged over the internet and computer systems. It can be carried out by acquiring data packets in transit on a network, transmitted or received by a user or by groups of users.

The basic techniques acquire the data packets while they are in transit from the sending device to the receiving one (so-called passive telematic interception), or use spy software covertly installed on the devices (so-called active telematic interception). The data of interest is then transmitted to the reception point at the Public Prosecutor's Office (Procura della Repubblica), where it is used by the Judicial Police.

The main regulatory sources on telematic interception are Article 266-bis of the Italian Code of Criminal Procedure (c.p.p.) and the Ministerial Decree of 28 December 2017 (the so-called Ministerial Price List of Mandatory Services).

a. Article 266-bis of the Code of Criminal Procedure (Interception of computer or telematic communications)

In proceedings concerning the offences listed in Article 266, as well as those committed through the use of computer or telematic technologies, interception of the flow of communications relating to computer or telematic systems, or passing between several systems, is permitted.

b. The Ministerial Decree of 28 December 2017, “Provision reorganizing the costs of the mandatory services referred to in Article 96 of Legislative Decree No. 259 of 2003”, published in the Official Gazette (G.U.) No. 33 of 09/02/2018.

The 2017 Decree introduced, in its Annex (the so-called price list of Mandatory Services), the service of “Interception of a computer or telematic type”. This obligation was not covered by the previous ministerial price list of 2001, even though it was already governed by the aforementioned Article 266-bis c.p.p., introduced in 1993. Also relevant is Article 4(1)(b) of the Decree, in the part establishing that interceptions must be carried out “… in compliance with the models and protocols defined by ETSI”.

c. The Ministerial Decree of 6 October 2022, laying down “provisions for identifying the services functional to interception operations and for determining the related tariffs, pursuant to Article 1, paragraphs 89 and 90, of Law No. 103 of 23 June 2017”, published in the Official Bulletin of the Ministry of Justice No. 23 of 15 December 2022.

“Functional services” means the set of installations, systems, operations and technical services that serve the use of the content and associated data captured and conveyed by electronic communications operators and/or Internet Service Providers in performing the mandatory services referred to in the Ministerial Decree of 28 December 2017, containing provisions reorganizing the costs of the services referred to in Article 96 of Legislative Decree No. 259 of 2003, in particular:

  • for receiving, recording, storing and transcribing the interception of conversations, communications or data flows, and for processing the historical records of traffic and associated data,
  • for receiving, displaying, recording, storing and using the content, data, services and web applications conveyed by Internet Service Providers,
  • for the supervision and maintenance needed to keep the installed equipment and systems working correctly.

The same Decree also defines the “recording point” or “listening point” (as it is commonly called): a network point located in the CIT room of the Public Prosecutor's Office, where the acquired information and evidence (audio, images, data) arrives to be recorded, archived and used by the authorized parties, including through replay.

2. Passive telematic interception before the ministerial price lists

In the past, a telecommunications operator that was not equipped with its own means for telematic interception would, following a request from the judicial authority, generally produce a feasibility study aimed at identifying how the service would be delivered, which was then submitted to the requesting authority for approval. The operator also informed the authority that the latter would have to bear the burden of supply and the related costs, mainly connected with the “probe” used in passive telematic interception.

Once the administrative process had been approved, a probe was attached to a (mirror) port that received a copy of all the traffic exchanged, in both directions, by the access device handling the user's final connection. The data flow was then transferred over a dedicated line to the recording point, where it was stored and decoded. There the intercepted data was displayed in intelligible form, where possible, allowing the delegated Judicial Police to read in clear text, for example, the e-mail messages sent and received, the web pages visited, chats, etc.

3. The effects of the introduction of the ministerial price lists

The new 2017 Ministerial Price List of Mandatory Services introduced the service of “Interception of a computer or telematic type”, making the telecommunications operator responsible for the entire execution cycle of the service.

Indeed, Article 4 (Procedures for performing the mandatory services) of the 2017 Ministerial Decree provides:

  • in point 1(a): “… the immediate activation of interception operations … (editor's note: interception is referred to in a generic sense and is therefore understood to include telematic interception) … regardless of the network technology used or the type of access network…”
  • in point (b): “the timely transmission and delivery, … of the intercepted content and of the data related to the interception operations …, without the use of interposed computer systems for processing them (editor's note: the data)…”
  • in point (c): “the timely transmission and delivery to the recording points of any other data or event attributable to the monitored network identity… in compliance with the models and protocols defined by ETSI”.

In the new ministerial price list of Functional Services, Article 2, “Identification of functional services and determination of tariffs”, states that the services functional to interception operations are specifically identified and described, together with the related tariffs, in the price list annexed to the Decree (the so-called price list of Functional Services), which no longer includes the service of renting the probe to be installed on the telecommunications operator's premises.

Read together, the two ministerial price lists, as also referred to in Article 57 of the Electronic Communications Code, show that passive telematic interception must be activated entirely by, and under the full responsibility of, the telecommunications operator.

Besides now being a legal obligation, a centralized solution compliant with ETSI standards (such as SecFull® Target) can scale adequately, allowing the hardware to be expanded as the volume of intercepted traffic grows. This approach also improves the efficiency of the process. In addition, it helps keep the costs of the interception service to a minimum.

It is also important to note that, for the operator, using centralized platforms reduces the risks associated with improvised and inadequately tested solutions and guarantees an immediate response to interception requests, while at the same time ensuring greater reliability of the service.

In conclusion, with the introduction of the ministerial price lists of 2017 and 2020, the use of probes supplied by the authority to activate passive telematic interception would no longer be operationally feasible, because it is no longer a service provided for the third-party companies that supply the authority, and because it conflicts with the provisions of the price lists themselves. Where the operator does not have a centralized system, there would also be a violation of Article 57 of the Electronic Communications Code, with the consequent application of Article 30(16) of the same Code, namely an administrative fine of between 170 thousand euros and two and a half million euros. If the violation of the obligations is particularly serious, or is repeated more than twice in a five-year period, the Ministry may additionally order the suspension of the activity for a period not exceeding two months or the revocation of the general authorization.

Essential Characteristics of a Robust Lawful Interception System

Communication now spans various digital platforms, so the development and implementation of effective lawful interception systems are paramount. Law enforcement agencies and security organizations rely on these systems to monitor and intercept communications legally. This article explores the key characteristics that a lawful interception system must possess to ensure efficiency, compliance with regulations, and the protection of individual rights.

1. Legal Compliance
Adherence to local and international laws is the foundation of any lawful interception system. The system must operate within the boundaries defined by legal frameworks, ensuring that interception activities are authorized, justified, and meet the criteria stipulated by relevant statutes.

2. Transparency and Accountability
A transparent and accountable system is crucial for maintaining public trust. There should be clear processes and procedures governing the use of the interception system, with strict oversight mechanisms in place to prevent abuse. Accountability ensures that those authorized to use the system do so responsibly and in accordance with the law.

3. Data Integrity and Security
Safeguarding intercepted data is of utmost importance. A lawful interception system must employ robust encryption and security measures to protect the integrity of the collected information. Unauthorized access to intercepted data poses not only a privacy risk but also a threat to the overall effectiveness of the system.

4. Interoperability
The ability to seamlessly integrate with various telecommunication networks and technologies is a key characteristic of an effective interception system. Interoperability ensures that the system can adapt to the ever-evolving landscape of communication technologies, enabling law enforcement to stay ahead of potential threats.

5. Timeliness and Real-Time Capabilities
The nature of certain crimes requires swift action. A lawful interception system should possess real-time capabilities to allow authorities to respond promptly to emerging threats. Timely access to relevant information is critical for preventing and investigating criminal activities.

6. Court-Admissible Evidence
The information gathered through lawful interception may be used as evidence in legal proceedings. Therefore, the system must be designed to collect data in a manner that ensures its admissibility in court. This includes maintaining a detailed chain of custody, ensuring the authenticity of the intercepted data, and adhering to legal standards for evidence.

7. Training and Compliance Monitoring
Personnel responsible for operating the lawful interception system should undergo thorough training to understand legal and ethical considerations. Regular compliance monitoring ensures that the system is used in accordance with established protocols and legal requirements.

The characteristics outlined above are essential for a lawful interception system to fulfill its intended purpose while respecting the rule of law and protecting individual privacy. As technology advances and communication methods evolve, continuous refinement of these characteristics is necessary to ensure that lawful interception systems remain effective, accountable, and in harmony with the principles of justice and civil liberties.

All these Essential Characteristics are in SECFULL TARGET.

Exploring the World of Lawful Interception in Telecommunications

In an era dominated by technological advancements and rapid communication, the lawful interception of telecommunications plays a crucial role in maintaining public safety and national security. As societies become increasingly connected, the need for effective measures to monitor and intercept communication within legal boundaries becomes imperative. This article delves into the concept of lawful interception in telecommunications, examining its significance, methods, and the delicate balance it strikes between individual privacy and collective security.

Understanding Lawful Interception

Lawful interception refers to the legally authorized monitoring and interception of telecommunications, including telephone calls, emails, and other forms of digital communication. Governments, law enforcement agencies, and intelligence organizations utilize lawful interception as a tool to combat various forms of criminal activities, ranging from terrorism to organized crime. The primary objective is to gather information that can aid in preventing or investigating illegal activities while adhering to established legal frameworks.

Legal Frameworks and Oversight

One of the critical aspects of lawful interception is the existence of well-defined legal frameworks that govern the process. Different countries have distinct laws and regulations outlining the circumstances under which interception is permitted, the types of information that can be collected, and the oversight mechanisms in place to prevent abuse. Striking the right balance between protecting individual privacy rights and ensuring national security remains a constant challenge for lawmakers.

Methods of Lawful Interception

Lawful interception employs various methods to monitor and collect communication data. Traditional telephone wiretapping has evolved into sophisticated technologies capable of intercepting digital communications, such as VoIP (Voice over Internet Protocol) calls and instant messaging. Telecommunication service providers play a crucial role in facilitating lawful interception, and they are often required to implement the necessary infrastructure to enable authorized agencies to access relevant data.

Challenges and Concerns

While lawful interception is essential for maintaining public safety, it also raises significant concerns related to privacy and civil liberties. Striking the right balance between the need for surveillance and protecting individual rights requires careful consideration. Governments and organizations must implement robust oversight mechanisms, transparent legal frameworks, and stringent accountability measures to mitigate the risk of misuse.

Global Cooperation and Standards

Given the global nature of modern telecommunications, there is an increasing need for international cooperation and standardized practices in lawful interception. Interoperability between different countries’ systems and adherence to common standards can enhance the effectiveness of lawful interception efforts while ensuring that human rights and privacy are respected on a global scale.

Conclusion

Lawful interception of telecommunications is a complex and multifaceted practice that seeks to reconcile the need for security with respect for individual privacy. As technology continues to advance, the legal and ethical considerations surrounding lawful interception will evolve. Striking the right balance between safeguarding society and protecting individual rights remains a dynamic challenge that requires ongoing dialogue, collaboration, and a commitment to upholding the principles of justice and accountability.

 

The 5 strengths of Secfull Target that make it unique

By popular demand, we are publishing the 5 strengths of Secfull Target that make it unique:

1) Modular
SecFull Target is a modular solution that can adapt to the different needs of the telecommunications operator. It ranges from the supply of all its individual functional and/or physical modules down to the supply of just the Workflow Management for Authority requests, which automates the required operational activities as far as possible and archives the requests in accordance with the law.

2) Economical
SecFull Target is able to guarantee the lowest costs on the market thanks to precise and deliberate working choices that ensure the same levels of quality and support that the sector's market requires.

3) Strategic, regulatory and process consulting
The cost of SecFull Target includes what is perhaps the feature most appreciated by Customers: constant, ongoing support to analyze all of the Customer's specific internal and external needs, analyze the impact of new regulation, point to the best solution, and facilitate the relationship with the Authorities. SecFull Target stems from more than twenty years of experience supporting Italian and foreign telecommunications operators. When the consulting work then had to be implemented, in most cases a compromise was reached between the requirement and what was available on the market at that time, resulting in higher costs and an implementation that did not quite match.

4) Free and automatic updates when required by changes in the law
Another feature much appreciated by our Customers is that, should the law change, SecFull Target will be updated “automatically”, that is, without the Customer having to pick up this need through its own legal departments, translate it into technical terms and ask its supplier to act within the deadlines imposed by law. With SecFull Target all this is now prehistory, and the update activities are included in the cost, depending on the type of contract, limited to the application's area of competence.

5) Free sharing of changes requested by other Customers
SecFull Target goes beyond the widespread practice of sharing application patches among the Customers that use it. SecFull Target can be modified for an operator's specific needs; when this happens, the new functionality can be offered free of charge to the other Customers, limited to the application's area of competence.

One last feature stands apart: SecFull Target belongs to a wholly Italian company, not controlled or owned by non-Italian companies, with an all-Italian development and consulting team, and not a supplier of similar equipment to the Public Prosecutor's Offices. Our Customers confirm that this feature should be implicitly satisfied in order to avoid obvious conflicts of interest and to guarantee respect for the principles that belong to the concept of national security.

Secfull®

NEWS – Mapping CALEA to ETSI information

SECFULL TARGET

SecFull Target has completed the mapping between the information required by CALEA, the American lawful interception standard, and the corresponding ETSI standard applicable in Europe.

This work allowed a leading company operating in Italy and abroad to reuse what it had already built in the USA for lawful interception, thereby saving time and money.

The work was carried out jointly by the technical experts and the regulatory and legal experts of LEX ET ARS, which shows that SECFULL is the most complete product available in terms of Customer support.
