Data Processing Agreement (DPA) between the client as controller (“Controller”) and Digital Storm GmbH, Sägestrasse 50, 5600 Lenzburg as processor (“Processor”)
1. Scope of application
a) Insofar as the Controller processes personal data, the following provisions shall apply in relation to the Processor.
2. Preamble
a) This Data Processing Agreement (DPA) governs the data protection obligations between the parties in connection with the processing of personal data.
b) The Processor shall not process any personal data of the Controller for any purpose other than to fulfill existing contractual obligations between the Parties.
c) The controller shall remain the exclusive controller of the personal data concerned.
3. Data processing
3.1 Subject matter and purpose
a) The Processor is an IT service provider and in this capacity operates a software-as-a-service solution. In order to fulfill these tasks, the Processor also processes personal data of the Controller. The services concerned include, but are not limited to, cloud services, data hosting and management, and maintenance and support services.
b) The processing of personal data by the processor is only permitted within the framework of a written order from the controller. Such an order may be issued in the form of a service contract, a one-off instruction or in a similar form.
3.2 Duration
a) This agreement shall apply for as long as the processor processes personal data of the controller.
3.3 Data categories and persons concerned
a) The following types and categories of personal data may be processed as part of the provision of the Services:
- Customer information: Name, address, telephone number, e-mail address and other contact details.
- User data: Registration data, usage data, communication data between user and service.
- Customer data and company information: Management of customer and company databases, including contact information and interaction data.
- Contract management: Setup and management of recurring business processes and automated invoicing.
- Support and ticketing data: Recording and processing of customer inquiries and support tickets.
- Time recording and project management: Recording of working hours and management of project data.
- Financial reporting: Automated creation of invoices and reports, including via Excel for import into other systems.
- Client portal data: Information provided in the customer portal, such as ticket overviews and project progress.
- Documentation and content management: Creation and management of documentation and customer-specific content.
- Transaction data: Payment information, purchase history and billing information.
- Communication data: E-mail traffic, chat logs, feedback and ratings.
- Technical data: IP addresses, cookies, system and device information.
The categories of data subjects include:
1. System users and their employees (Controller)
2. Customers and users of the IT service providers who use the Controller's software
3. Employees and representatives of customers who interact with the software in the course of their professional activities
4. Potential customers who are interested in the Controller's services or request information material.
b) Other categories of data subjects are listed in the appendix to the individual contract.
c) If no annex to the individual contract is created, no further personal data will be processed by the processor within the scope of the orders.
4. Rights and obligations
4.1 Compliance with data protection laws and regulations
a) The Processor is obliged to comply with the data protection laws and regulations applicable to the Processor and the Controller. The Processor must ensure that actions or omissions on its part do not lead to a situation in which the Controller violates any data protection laws and regulations.
4.2 Obligation to follow instructions
a) The processor shall process and transmit the personal data only in accordance with the documented instructions of the controller. In the absence of instructions from the controller, the processor shall process personal data exclusively in accordance with this DPA and the detailed security concept with the technical and organizational measures used.
b) The controller alone decides on the erasure and rectification of personal data and on the provision of information to data subjects.
c) If personal data is processed on the basis of statutory provisions and contrary to the instructions of the controller, the processor is obliged to inform the controller in advance of the processing in question and the lawfulness of the processing, unless this is contrary to an important public interest.
4.3 Confidential information and security
a) The Processor shall ensure that the persons authorized to process personal data (e.g. employees, subcontractors, etc.) have contractually undertaken to maintain confidentiality and security or are subject to an appropriate statutory confidentiality and security obligation. In the case of standard products from third-party manufacturers, the specific data protection provisions of the third-party manufacturer apply to the customer directly between the customer and the third-party manufacturer.
b) Personal data is stored and treated as confidential information. However, as part of the procurement and management of standard products or other products from third-party manufacturers, personal data of the customer or its employees must be passed on to third-party manufacturers. Processing by third-party manufacturers is governed by their data protection provisions. The customer or its employees expressly authorize the processor to issue declarations of consent to data protection declarations from third-party manufacturers on behalf of the customer or its employees.
4.4 Technical and organizational measures
a) The Processor shall take the technical and organizational measures (TOM) required by law to ensure the security of the personal data and its processing.
b) The technical and organizational measures must ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
c) The measures to be taken shall include, inter alia, the following:
- Pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services relating to the processing
- The ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident
- A process for regularly reviewing, assessing and evaluating the effectiveness of the technical and organizational measures to ensure the security of the processing
d) Upon request, the processor shall provide the controller with the detailed security concept with the technical and organizational measures used and shall ensure compliance with this agreement with these measures.
4.5 Sub-processors (subcontractors)
a) The Controller hereby grants the Processor a general authorization to commission sub-processors with the processing. The Processor shall ensure that it has concluded a contract with the Sub-Processor that guarantees compliance with this Agreement and the rights and obligations mentioned therein.
b) In the case of a sub-processor from a third country, the processor shall also ensure that an adequate level of data protection exists in relation to Switzerland or the EU by concluding EU standard clauses or obtaining Swiss-U.S. Privacy Shield certification.
c) If a sub-processor fails to comply with its data protection obligations, the Processor (as first-level processor) shall remain liable to the Controller for compliance with the obligations of that sub-processor.
4.6 Duty to report and provide support in the event of data protection breaches
a) In the event of the occurrence or suspicion of breaches of data protection and in particular in the event of data loss or other irregularities in the processing of personal data, the processor must inform the controller immediately.
b) The notification of a data breach shall contain the following information, as appropriate:
- Description of the nature of the data breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Contact details of a person at the Processor from whom further information can be obtained
- Description of the likely impact of the data breach
- Description of the measures already taken or to be taken
c) The processor shall support the controller in handling data breaches and provide the controller with all necessary information.
4.7 Duty to provide support for data subject rights
a) The controller is responsible for implementing the rights of data subjects. The processor shall immediately forward any requests to the controller.
b) The processor shall support the controller in exercising the rights of data subjects free of charge.
c) In particular, the Processor shall implement appropriate technical and organizational measures to enable the Controller to obtain the necessary information easily, quickly, as independently as possible and in a commonly used format, and to modify and delete personal data.
d) The Processor shall always comply with the Controller’s instructions regarding the rectification, erasure and/or updating of personal data.
4.8 Further support obligations
a) Taking into account the nature of the processing and the information available to it, the Processor shall support the Controller on request in complying with its obligations under data protection law, in particular in implementing the technical and organizational measures, the reporting obligations and any data protection impact assessment.
4.9 Return and deletion after completion
a) After completion of the provision of the processing services, the processor must either irrevocably delete or return all personal data, including all copies, at the controller’s discretion, provided that this does not conflict with any legal obligations.
4.10 Tolerance of inspections by the controller
a) The Processor is obliged to provide the Controller with all information necessary to demonstrate compliance with the obligations set out in this Agreement and to enable and contribute to the performance of audits – including inspections – by the Controller or another auditor commissioned by the Controller. The internal and external costs of the processor for compiling the information and an inspection shall be borne by the customer.
4.11 Further notification obligations
a) The Processor shall inform the Controller immediately if it is of the opinion that an instruction violates applicable data protection regulations.
5. Amendments to this Agreement
a) This DPA shall apply together with the individual contract (if any) and the GTC of Digital Storm GmbH in the version published online.
b) Digital Storm is entitled to amend this DPA and services at any time, insofar as Digital Storm deems this appropriate for technical reasons or due to market developments or supplier conditions or due to regulatory framework conditions and the interests of the customer – in particular the appropriateness of performance and consideration – do not become disproportionate as a result.
6. Final provisions
a) Should any provision of this agreement be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be replaced by a valid provision that comes as close as possible to the invalid provision. The same shall also apply to any contractual loopholes.
b) The definitions of the terms used shall be interpreted in accordance with this agreement. If there are any ambiguities regarding a definition, the definitions of the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DSG) shall apply mutatis mutandis, depending on the scope of application.
c) The undersigned person confirms that he/she is duly authorized to represent the contracting party.
d) This Agreement shall be interpreted in accordance with Swiss substantive law, taking into account the case law of the GDPR.
e) The place of jurisdiction for disputes is the registered office of Digital Storm GmbH.
V 1.0 (24.03.24)