Data Processing Agreement

The Data Processing Agreement (DPA) is the agreement between the customer and DSwiss on the processing of personal data. The customer is informed about how DSwiss ensures secure data processing and what mechanisms are in place to keep customer data secure and confidential. If you are a SecureSafe private customer, these conditions do not apply to you.

Older Version

DPA Version 3.0

Version 4.0, published on 12.01.2026

Data Processing Agreement

This Data Processing Agreement is entered into by and between DSwiss and the Customer and made effective as of the effective date of the New Business Service Order.

This document is provided in several languages. In the event of discrepancies or contradictions, the English version shall prevail and be legally binding.

Preamble

A. The Parties entered into an Agreement regarding the provision of Services by DSwiss.

B. In the context of the Agreement, the Customer provides DSwiss with personal data.

C. In order to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection in the Processing of Personal Data by DSwiss, the Parties enter into this Data Processing Agreement.

D. In the context of this Data Processing Agreement the Customer is the Controller and DSwiss is the Processor in the sense of Applicable Data Protection Laws.

Therefore, in consideration of the mutual covenants contained below, the Parties agree as follows:

1. General

1.1 Subject Matter: In this Data Processing Agreement, the Parties only regulate the relationship between the Parties concerning Applicable Data Protection Laws. They do not intend to extend or restrict the Services to be provided under the Agreement.

1.2 Precedence: In the event of conflicts between contractual parts of the Agreement, the following order of precedence shall apply: This Data Processing Agreement shall take precedence over its Annexes and the other parts of the Agreement shall take precedence over this Data Processing Agreement.

1.3 Definitions: Any capitalized terms not otherwise defined in this Data Processing Agreement shall have the meanings set forth in the Agreement. Legal terms such as "Personal Data" and "Processing" shall have the meaning defined in the Applicable Data Protection Laws. Definitions can be found under https://www.dswiss.com/en/legal-definitions.

2. Subject and Duration of Processing

2.1. Subject of Processing: In connection with the Services, DSwiss Processes Personal Data on behalf of the Customer. The subject matter of the Processing, its nature and its purpose are set out in the Agreement. The categories of persons affected by the Processing and the categories of Personal Data affected are described in Annex 1.

2.2. Other Services: Insofar as DSwiss takes on further services for the Customer in the course of the collaboration, this Data Processing Agreement shall also apply to these services.

2.3. Duration: This Data Processing Agreement begins with the Effective Date and ends with the termination of the Agreement.

2.4. Responsibility of the Customer: The Customer is aware that the legal responsibility for the permissibility of the collection and other Processing of the Personal Data and for the fulfilment of the rights of data subjects in connection with the Services to be provided by DSwiss lies with the Customer.

3. Obligations of DSwiss

3.1. Compliance with Instructions:

a) DSwiss is obliged to use the Personal Data exclusively for the Services to be provided under the Agreement and to follow the Customer's instructions (in accordance with the Agreement) when Processing them, subject to deviating obligations under applicable laws and binding orders issued by competent authorities, about which the Customer must be informed to the extent permitted.

b) The Customer's instructions shall be issued in text form.

3.2. Register of Processing Activities: DSwiss undertakes to keep a register of Processing activities in relation to the Personal Data in accordance with the Applicable Data Protection Laws. DSwiss shall grant the Customer access to this register at any time upon request.

3.3. Place of Processing: The Processing and the use of the Personal Data shall take place exclusively in Switzerland and the EU. Any Processing of Personal Data outside Switzerland or the EU (including the granting of access rights to Personal Data) is only permitted with the prior consent of the Customer and in accordance with the applicable legal and contractual provisions.

3.4. Obligation to Return and Delete:

a) After termination of the Agreement, DSwiss must delete the Personal Data. Data deletions must be final and the deletion must be confirmed to the Customer upon request.

b) If DSwiss is legally obliged to store Personal Data due to statutory provisions, it must inform the Customer accordingly at an early stage, and the concerned Personal Data may only be stored on the relevant systems for as long as necessary and appropriately secured.

4. Data Security

4.1. Security Measures: DSwiss shall take appropriate, but in any case, at least the technical and organizational measures described in Annex 2 to protect the Personal Data. During the term of the Agreement, the Processor shall be authorized to adapt the Security Measures, provided that the level of security is not lowered, and shall be obliged to adapt the Security Measures insofar as this is necessary to maintain the level of protection in accordance with the Applicable Data Protection Laws.

4.2. Reporting of Breaches:

a) In the event of specific security breaches that lead to the destruction, loss, alteration or disclosure of Personal Data, DSwiss shall inform the Customer immediately, but at the latest within the deadlines set out in the applicable data protection laws.

b) DSwiss is obliged to provide the Customer with further relevant information on the security breach upon request, insofar as this is possible without violating the contractual or statutory confidentiality obligations of DSwiss.

5. Sub-Processors

5.1. Permissibility:

a) For the provision of the Services, DSwiss shall be authorized to make Personal Data available to Sub-Processors at its own discretion, provided that DSwiss complies with this Section 5 and has entered into agreements with the concerned Sub-Processors that contain at least as strict provisions as this Data Processing Agreement.

b) A Sub-Processor within the meaning of this Data Processing Agreement is any service provider whose services relate directly to the Processing of Personal Data. In the case of outsourced ancillary services, DSwiss is also obliged to enter into appropriate and legally compliant contractual agreements to ensure data protection and data security for the Customer, to take control measures and to document these measures to the Customer on request.

5.2. Approval of Sub-Processors:

a) A list of the Sub-Processors with access to Personal Data existing at the Effective Date and hereby authorized by the Customer can be found in Appendix 3. The Customer shall be informed before a Sub-Processor is changed. If the Customer does not declare in writing within 20 calendar days of receipt of the corresponding notification that it does not agree with the change, the Sub-Processor in question shall be deemed to have been approved by the Customer.

b) In the event of a timely rejection of the Sub-Processor by the Customer in accordance with the foregoing paragraph, the Parties shall try to agree on an alternative commercially reasonable solution. The rejection of the Customer must be based on substantial reasons due to the potential decrease of data privacy, which shall be notified to DSwiss at the time of rejection. If the Parties do not reach an agreement within 30 days of the rejection by the Customer, either Party shall be entitled to terminate the Agreement with immediate effect.

5.3. Sub-Processors outside Switzerland and the EU: If, in connection with the authorized involvement of a Sub-Processor, Personal Data is transferred to or received from a country without an adequate level of data protection, DSwiss is obliged to obtain appropriate guarantees in accordance with the Applicable Data Protection Law (e.g. the applicable EU standard contractual clauses) before the first disclosure of Personal Data to the concerned Sub-Processor.

5.4. Liability: DSwiss shall be liable to the Customer for compliance with the obligations of the Sub-Processors in accordance with the provisions of the Agreement.

6. Inspection Rights

6.1. Inspection Rights: The Customer shall have the right to inspect compliance with the legal and contractual obligations in connection with this Data Processing Agreement by DSwiss and/or its Sub-Processors at any time, but no more than once per calendar year, provided that such inspections have been notified to DSwiss within 21 days. The procedure of the inspection is agreed on beforehand with DSwiss. DSwiss is obliged to co-operate appropriately in each inspection. All inspections must be agreed in advance with DSwiss. When planning and conducting the inspection, the Customer shall take into account the needs and security requirements of DSwiss and shall respect DSwiss' confidentiality obligations.

6.2. Inspection by External Partners: The Customer shall have the right to have the inspection pursuant to Section 6.1 above carried out by an external, competent partner who is bound to confidentiality. The costs of the external partner in accordance with this Section 6.2 shall be borne by the Customer.

7. Supporting Obligations

7.1. Data Security: DSwiss shall support the Customer in a reasonable manner in complying with Customer’s legal obligations to ensure adequate data security and to report data breaches, as well as in carrying out data protection impact assessments.

7.2. Rights of Data Subjects: If a Data Subject contacts DSwiss in connection with claims under Applicable Data Protection Laws (e.g. with a request for information or deletion) and these claims are related to the Services, DSwiss shall forward the corresponding request to the Customer without delay. DSwiss shall provide the Customer with appropriate support in Processing such requests.

7.3. Obligation to Inform: Inspections and other measures by data protection supervisory authorities must be reported to the Customer in a timely manner to the extent permitted if they affect the Personal Data or systems used for the Processing of Personal Data.

7.4. Contact Information: For data protection issues, the following person should be contacted in the first instance:

  • Customer: The Customer will specify in writing who DSwiss will contact in the first instance. If Customer specifies no one, the Service Order Signee is assumed to be the first contact.
  • DSwiss: CISO, security@dswiss.com

8. Confidentiality

8.1. Personal Data: DSwiss undertakes to treat Personal Data as strictly confidential and to make it accessible within and outside its organization only to persons who require access to the Personal Data in order to fulfil their duties. Section 5 above is reserved. DSwiss shall ensure that all persons with access to Personal Data are subject to a statutory or contractual duty of confidentiality with regard to the Personal Data.

8.2. Other Information: Both Parties are also subject to the statutory confidentiality obligations applicable to them and any confidentiality obligations agreed between them in the Agreement with regard to Personal Data perceived in the context of this Data Processing Agreement.

9. Miscellaneous

9.1. Liability: The relevant provisions of the Agreement shall apply to liability arising from breaches of this Data Processing Agreement.

9.2. Notifications: Notifications provided for in this Data Processing Agreement must be made expressly and in text form (e.g. by email or mail), unless otherwise agreed in writing.

9.3. Annexes: The annexes to this Data Processing Agreement are integral parts thereof.

9.4. Amendments: Amendments and other changes to this Data Processing Agreement require the signature of both Parties in order to be valid.

9.5. Dispute resolution: The applicable law and the place of jurisdiction in case of disputes shall be determined by the Agreement.

Annex 1: Specification of the Data Processing Agreement

1. Categories of Data

Data that directly or indirectly allows the identification of natural persons, such as:

  • Contact Data (e.g. name, address, email address, phone numbers, user names, etc.)
  • Online Identifiers (e.g. IP addresses, cookie data, amount of data transferred, browsers, operating systems, information regarding the website visit, etc.)

2. Categories of concerned Persons

Data of the Customer, End Users or the Customer and partners of the Customer.

  • Employees
  • Customers
  • Customer’s End Users
  • Partners of Customer
  • Website Visitors/Users
  • Job Applicants

Annex 2: Security Measures

1. Confidentiality (Art. 32 para. 1 lit. b GDPR)

  • Physical access control
    No unauthorized access to data processing systems, e.g.: magnetic or chipcards, keys, electric door openers, plant security or gatekeepers, alarm systems, video systems;
  • Electronic access control
    No unauthorized system use, e.g.: (strong) passwords, automatic locking mechanisms, two-factor authentication, encryption of data carriers;
  • Internal access control
    No unauthorized reading, copying, modification or removal within the system, e.g.: authorization concepts and needs-based access rights, logging of accesses;
  • Separation control
    Separate processing of data collected for different purposes, e.g. multi-client capability, sandboxing;
  • Pseudonymization (Art. 32 para. 1 lit. a GDPR; Art. 25 (1) GDPR)
    The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.

2. Integrity (Art. 32 para. 1 lit. b GDPR)

  • Transfer control
    No unauthorized reading, copying, modification or removal during electronic transmission or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signature;
  • Input control
    Determination of whether and by whom personal data has been entered, changed or removed into data processing systems, e.g. logging, document management.

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

  • Availability check
    Protection against accidental or willful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels and emergency plans;
  • Rapid recoverability (Art. 32 para. 1 lit. c GDPR).

4. Procedures for periodic review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 (1) GDPR)

  • Data protection management;
  • Incident-Response-Management;
  • Privacy-friendly default settings (Art. 25 para. 2 GDPR);
  • Order control
    No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the client, e.g.: unambiguous contract design, formalized order management, strict selection of the service provider, obligation to convince in advance, follow-up checks.

Annex 3: Approved Sub-Processors

The following persons are deemed to be approved Sub-Processors within the meaning of this Data Processing Agreement at the Effective Date:

| Name and Storage Location of the Data | Affected Service |
|---|---|
| Airfocus GmbH / Europe | Assisting in product roadmapping and strategic decision making |
| Atlassian Corporation Plc / Europe | Collaboration and productivity tools |
| Avantec AG / Europe | Groupware and firewall |
| Chargebee Inc. / Europe | Subscription billing and revenue management platform for managing recurring billing, subscriptions and revenue workflows |
| Datatrans AG / Europe | Payment service provider for the online shop |
| eCall / F24 Schweiz AG / Europe | SMS provider for communication, potentially including alerts and notifications |
| GetAccept Inc. / Europe | Document management platform for sharing and signing documents electronically |
| Google LLC / Europe | Website analytics and advertisement tool |
| HubSpot Inc. / Europe | Customer relationship management platform |
| Hertza L.L.C. (ZeroBounce) / Europe | Email validation tool |
| Microsoft Corporation / Europe | Office productivity (Office 365) and email tool |
| Myra Security GmbH / Europe | Anti-DDoS provider |
| Paypal Holding AG / Europe | Payment service provider for the online shop |
| PostHog Inc. / Europe | Product analytics tool |
| Site24x7 / Zoho Corporation Pvt. Ltd. / Europe | Monitoring of websites and servers |
| Slack Technologies LLC / Europe | Internal communication tool |
| Alexander Mansurov / Europe | Senior software engineer |
| FPSO Consulting Ltd. / Europe | Financial advisory services |
| Overtree13 Ltd. / Europe | Sales consulting services |
| DSwiss Unipessoal Lda / Europe | Subsidiary company in Lisbon, Portugal |
