This Data Processing Agreement (“Agreement”) sets out the terms, requirements and conditions by which Safe Swiss Cloud AG (“SSC”) will process Personal Data when providing services to you as a Customer who subscribes to our services.

This Agreement is an annex to the Customer’s agreement with Safe Swiss Cloud AG (hereinafter SSC) for the provision of Cloud Computing, IT and related Services and forms an integral part of it.

1. DEFINITIONS

For the purposes of this Agreement:  

1.1 “Applicable Data Protection Law” means privacy laws applicable to SSC as the Processor of the Personal Data, or Client as Data Controller of Personal data, including but not limited to the Federal Act on Data Protection of 1992 (FADP) and its revised version coming into force on September 1, 2023, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, ‘GDPR’) and any further implementation, amendment, replacements or renewals thereof (collectively called the “EU Legislation”), as well as all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time.

1.2 “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3 The words “Data Controller“, “Data Subject“, “Personal Data“, “Data Processor” and “Sub-Processor“, “Processing” or “Process” shall be construed in accordance with the definition of “Processing“.

2. PROCESSING OF PERSONAL DATA

SSC shall:

2.1 process the Client’s Personal Data exclusively in accordance with the provisions of this Agreement and only pursuant to the Client’s written instructions, and use the Personal Data for the sole purpose of the performance of this Agreement and no other use (e.g., for commercial purposes), as set out in Appendix 1;

2.2 ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

2.3 take appropriate technical and organizational measures to ensure a level of protection which meets the requirement for confidentiality, integrity, availability and resilience of the systems and services related to the Processing of Personal Data; 

2.4 adopt the security measures required under Applicable Data Protection Law as detailed by SSC from time to time, including the following: (i) resiliency of systems and services related to the processing activities; (ii) ability to timely re-store the availability and the access to Personal Data, where a physical or technical incident occurs; (iii) procedures in order to test, verify and assess regularly the effectiveness of the technical and organizational measures aimed at ensuring the security of Personal Data Processing activities;

2.5 inform the Client of any new Sub-Processor, other than the approved Sub-Processors listed in Appendix 1. The Client is entitled to object to such appointment; provided, however, that, in this case, its sole right shall be to terminate its Agreement with SSC. Each Sub-Processor shall be bound by the same obligations detailed in clause 2.2;

2.6 assist the Client in responding to requests to exercise the rights of Data Subjects and, in the event of a data protection breach, in complying with the Client’s obligations in relation to the security of Personal Data or in connection with the Client’s information duties towards public authorities; 

2.7 notify the Client immediately (and in any event within a period not exceeding 48 hours) after becoming aware of any actual or suspected breach of Personal Data or any security breach leading to, in an accidental or unlawful manner, the deletion, loss, alteration, unauthorized disclosure of the Personal Data transmitted, stored or processed in any other manner, or the unauthorized access to such Personal Data, as well as if, in its opinion, the Client’s instruction should infringe the Data Protection Laws;

2.8 upon termination of this Agreement for whatever reason, cease Processing any Personal Data on behalf of the Client and if so instructed by the Client, securely delete or destroy, the Personal Data within thirty (30) calendar days of being requested to do so by the Client.

3. TERMINATION

This Agreement shall terminate when Customer’s agreement with Safe Swiss Cloud AG for the provision of Cloud Computing, IT and any related Services is terminated.

APPENDIX 1: DESCRIPTION OF PROCESSING

Subject matter and duration of the Processing of Customer Personal Data

The subject matter and duration of the Processing of the Client Personal Data are set out in the Agreement.

The subject matter of the data processing is the collection, processing and use of Personal Data for the Client to the extent this is required for carrying out the Agreement and is limited to the term of the Agreement.

The nature and purpose of the Processing of Client Personal Data

Creating systems and administration users for the Customer to manage their cloud infrastructure systems, for access to ticketing and monitoring systems Responding to customer requests, sending notifications and reminders about activity in SSC, sending transactional emails such as password recovery, maintenance notices, new products and price changes. Client billing address and related contact user information for sending invoices and handling related issues.

The types of Client Personal Data to be Processed

Users first name, last name, email address and optionally: job title, phone number, location and organization name. 

The categories of Data Subject to whom the Client Personal Data relates

Employees of the Client and other specific invited users such as business partners or customers.

Service Data

“Service Data” is Personal Data or other information that Users input directly into the Platform; create within the Platform; send to the Platform; or provide to SSC through authorized methods as part of other Services.

APPENDIX 2: APPROVED SUBPROCESSORS

Contractors

SSC uses certain subcontractors to assist in the operations necessary to provide the SSC Services. The SSC production infrastructure used for hosting Service Data for the Services are located in Data Centres in Switzerland, belonging to a group company of SSC. The following is a list of the names and locations of material third-party subcontractors.

Nr.SubprocessorScopeLocationComplianceData subjects
1Everyware AGData center operatorSwitzerlandSwiss Federal Data Protection Act
(effective 1 September 2023)
European Union GDPR
ISO 27001
Service Data