Data Processing Agreement

This Data Processing Agreement (“Agreement”) sets out the terms, requirements and conditions by which Safe Swiss Cloud AG (“SSC”) will process Personal Data when providing services to you as a Customer who subscribes to our services.

This Agreement is an annex to the Customer’s agreement with Safe Swiss Cloud AG (hereinafter SSC) for the provision of Cloud Computing, IT and related Services and forms an integral part of it.

1. DEFINITIONS

For the purposes of this Agreement:

1.1 “Applicable Data Protection Law” means privacy laws applicable to SSC as the Processor of the Personal Data, or Client as Data Controller of Personal data, including but not limited to the Federal Act on Data Protection of 1992 (FADP) and its revised version coming into force on September 1, 2023, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, ‘GDPR’) and any further implementation, amendment, replacements or renewals thereof (collectively called the “EU Legislation”), as well as all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time.

1.2 “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3 The words “Data Controller“, “Data Subject“, “Personal Data“, “Data Processor” and “Sub-Processor“, “Processing” or “Process” shall be construed in accordance with the definition of “Processing“.

2. PROCESSING OF PERSONAL DATA

SSC shall:

2.1 process the Client’s Personal Data exclusively in accordance with the provisions of this Agreement and only pursuant to the Client’s written instructions, and use the Personal Data for the sole purpose of the performance of this Agreement and no other use (e.g., for commercial purposes), as set out in Appendix 1;

2.2 ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

2.3 take appropriate technical and organizational measures to ensure a level of protection which meets the requirement for confidentiality, integrity, availability and resilience of the systems and services related to the Processing of Personal Data;

2.4 adopt the security measures required under Applicable Data Protection Law as detailed by SSC from time to time, including the following: (i) resiliency of systems and services related to the processing activities; (ii) ability to timely re-store the availability and the access to Personal Data, where a physical or technical incident occurs; (iii) procedures in order to test, verify and assess regularly the effectiveness of the technical and organizational measures aimed at ensuring the security of Personal Data Processing activities;

2.5 inform the Client of any new Sub-Processor, other than the approved Sub-Processors listed in Appendix 1. The Client is entitled to object to such appointment; provided, however, that, in this case, its sole right shall be to terminate its Agreement with SSC. Each Sub-Processor shall be bound by the same obligations detailed in clause 2.2;

2.6 assist the Client in responding to requests to exercise the rights of Data Subjects and, in the event of a data protection breach, in complying with the Client’s obligations in relation to the security of Personal Data or in connection with the Client’s information duties towards public authorities;

2.7 notify the Client immediately (and in any event within a period not exceeding 48 hours) after becoming aware of any actual or suspected breach of Personal Data or any security breach leading to, in an accidental or unlawful manner, the deletion, loss, alteration, unauthorized disclosure of the Personal Data transmitted, stored or processed in any other manner, or the unauthorized access to such Personal Data, as well as if, in its opinion, the Client’s instruction should infringe the Data Protection Laws;

2.8 upon termination of this Agreement for whatever reason, cease Processing any Personal Data on behalf of the Client and if so instructed by the Client, securely delete or destroy, the Personal Data within thirty (30) calendar days of being requested to do so by the Client.

3. TERMINATION

This Agreement shall terminate when Customer’s agreement with Safe Swiss Cloud AG for the provision of Cloud Computing, IT and any related Services is terminated.

APPENDIX 1: DESCRIPTION OF PROCESSING

Subject matter and duration of the Processing of Customer Personal Data

The subject matter and duration of the Processing of the Client Personal Data are set out in the Agreement.

The subject matter of the data processing is the collection, processing and use of Personal Data for the Client to the extent this is required for carrying out the Agreement and is limited to the term of the Agreement.

The nature and purpose of the Processing of Client Personal Data

Creating systems and administration users for the Customer to manage their cloud infrastructure systems, for access to ticketing and monitoring systems Responding to customer requests, sending notifications and reminders about activity in SSC, sending transactional emails such as password recovery, maintenance notices, new products and price changes. Client billing address and related contact user information for sending invoices and handling related issues.

The types of Client Personal Data to be Processed

Users first name, last name, email address and optionally: job title, phone number, location and organization name.

The categories of Data Subject to whom the Client Personal Data relates

Employees of the Client and other specific invited users such as business partners or customers.

Service Data

“Service Data” is Personal Data or other information that Users input directly into the Platform; create within the Platform; send to the Platform; or provide to SSC through authorized methods as part of other Services.

APPENDIX 2: APPROVED SUBPROCESSORS

Contractors

SSC uses certain subcontractors to assist in the operations necessary to provide the SSC Services. The SSC production infrastructure used for hosting Service Data for the Services are located in Data Centres in Switzerland, belonging to a group company of SSC. The following is a list of the names and locations of material third-party subcontractors.

Nr.	Subprocessor	Scope	Location	Compliance	Data subjects
1	Everyware AG	Data center operator	Switzerland	Swiss Federal Data Protection Act (effective 1 September 2023) European Union GDPR ISO 27001	Service Data

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-marketing	1 year	This cookie is set by the GDPR Cookie Consent plugin to store the user consent for the cookies in the category "Marketing".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
JSESSIONID	session	Used for Cross Site Request Forgery (CSRF) protection
sdsc	session	Signed data service context cookie used for database routing to ensure consistency across all databases when a change is made. Used to ensure that user-inputted content is immediately available to the submitting user upon submission
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_D83559EP8M	2 years	This cookie is installed by Google Analytics.
browser_id	5 years	This cookie is used for identifying the visitor browser on re-visit to the website.
split	1 month	This cookie is used to evaluate the changes to the website by checking which multivariate test the user takes part in.

Cookie	Duration	Description
bcookie	1 year	Browser Identifier cookie to uniquely indentify devices accessing LinkedIn to detect abust on the platform and diagnostic purposes
bscookie	1 year	Used for remembering that a logged in user is verified by two factor authentication
lang	session	Used to remember a user's language setting to ensure LinkedIn.com displays in the language selected by the user in their settings
li_gc	6 months	Used to store consent of guests regarding the use of cookies for non-essential purposes
li_mc	6 months	Used as a temporary cache to avoid database lookups for a member's consent for use of non-essential cookies and used for having consent information on the client side to enforce consent on the client side
lidc	24 hours	To facilitate data center selection