Data Processing Agreement (“DPA”)

1.1 Scope. This Data Processing Agreement (the “DPA”) governs the processing by dss⁺ as a data processor for Client, of personal data which is forwarded to dss⁺ in connection with the provision of dss⁺ Services, by Client or by third parties on behalf of Client (including any end user of the Services) (“Client Personal Data”) under the Service Agreement. This DPA is valid for the duration of the Service Agreement.

1.2 Definitions. Capitalized terms not defined herein have the meaning given to them in the Agreement. In addition, as used herein, the following terms have the following meaning:

• “applicable data protection law” means any data protection legislation applicable to the processing of Client Personal Data, including (depending on the circumstances, and all as may be amended from time to time): (i) the Swiss Federal Data Protection Act and its implementing ordinances (the “Swiss data protection legislation”); (ii) the EU General Data Protection Regulation (“GDPR”) and its equivalent in the United Kingdom (the "UK GDPR"); and/or (iii) other applicable data protection legislation.
• “controller” means the entity that determines alone or jointly with others the purposes and means of the processing of Personal Data.
• “data subject” means the identified or identifiable person to whom personal data relates.
• “personal data” means any information relating to a data subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• “processor” means the entity that processes personal data on behalf of the controller.
• “process” or “processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.3 Data Protection Legislations. Unless otherwise stated, this DPA shall apply regardless of the legislation applicable to the processing of Client Personal Data. If data protection laws other than the Swiss data protection legislation and the GDPR apply to the processing of the Client Personal Data, Client undertakes to dss⁺ to comply with the obligations applicable to it with regard to the processing of the Client Personal Data and to inform dss⁺ in writing of any provisions contained in such legislation that could have an impact on the processing of the Client Personal Data by dss⁺ as a processor for Client.

2.1 Roles and compliance. The Parties acknowledge and agree that: (i) the subject matter and details of the processing are specified in Appendix 1 hereto ; (ii) each Party shall comply with its obligations under the applicable data protection laws with regard to the processing of Client Personal Data; (iii) Client is a controller, or a processor for a third party, as the case may be, of the Client Personal Data; and (iv) dss⁺ is a processor of the Client Personal Data, except where it processes such personal data for dss⁺’s legitimate business operations incident to the provision of the Services, as further detailed in dss⁺ Privacy Policy.

2.2 Scope of processing. dss⁺ shall process the Client Personal Data in accordance with this DPA. When dss⁺ acts as the processor or subprocessor of Client Personal Data, dss⁺ undertakes to process Personal Data only on documented instructions from Customer unless a legislation applicable to dss⁺ requires other processing of Client Personal Data by dss⁺. By entering into the Service Agreement , Client instructs dss⁺ to process the Client Personal Data as a processor only in strict compliance with any Applicable Data Protection Legislation and furthermore only to provide and improve the Services, as documented in the Agreement, including this DPA. Client agrees that those are Client's complete documented instructions to dss⁺ for the processing of Client Personal Data and that any additional or alternate instructions must be agreed in writing.

2.3 Obligations of Client. Client is responsible, namely, for the quality, lawfulness and relevance of the Client Personal Data processed in the context of the Services and shall be liable to third parties affected by the processing and to the competent data protection authorities. In particular, Client undertakes to: (i) have, and maintain at all times, valid grounds for the processing of such personal data, including by obtaining consent if and as required; and (ii) provide sufficient information to the data subjects about the collection and processing of their personal data.

2.4 Deletion of Data. dss⁺ shall delete from or permanently anonymize all Client Personal Data (including any existing copies) in dss⁺'s systems at the expiry or termination of the Service Agreement, in accordance with the applicable data protection laws. dss⁺ shall comply with this instruction as soon as possible, unless dss⁺ is required to retain all or part of Client Personal Data for technical or legal reasons. Client acknowledges and accepts that it is Client’s sole responsibility to transfer and/or safeguard Client Personal Data that it wishes to keep.

2.5 dss⁺ Assistance. dss⁺ shall, if so requested by Client, and always subject to the payment of its fees and costs relating thereto, provide to Client the assistance reasonably necessary for Client to meet its obligations under the relevant data protection laws and, if applicable the GDPR or Swiss data protection legislation, including in connection with data subject requests and impact assessment and prior consultation obligations pursuant to Articles 35 and 36 GDPR, to the extent compatible with the functionality of the Services. When dss⁺ acts as processor, dss⁺ shall forward any data subject request it receive regarding Client Personal Data to Client, which shall be responsible for responding to such requests.

3.1 Security measures. dss⁺ shall implement and maintain appropriate technical and organizational measures to protect Client Personal Data against the occurrence of security breach resulting in the accidental or unlawful destruction, loss, alteration, or access to Client Personal Data (“Security Incidents”). dss⁺ shall take appropriate measures to ensure compliance with the above-mentioned security measures by its employees and subcontractors, in particular by ensuring that all persons authorized to handle Client Personal Data are committed to process Client Personal Data are contractually bound to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality.

3.1.1 Appropriateness of security measures. Client warrants that it has verified, and undertakes to continuously verify, that the technical and organizational measures specified in this Section 3 are sufficient to adequately protect the Client Personal Data in accordance with the requirements set forth in any applicable data protection law.

3.2 Security Incidents. If required by applicable data protection laws, if dss⁺ becomes aware of a Security Incident, dss⁺ undertakes to inform Client as soon as possible by any useful means (in particular via the contact person designated by Client). The actions of dss⁺ in connection with this Section 3.2 shall not constitute, and shall not be construed as, an admission by dss⁺ of any fault or liability. Client shall be responsible for carrying out any analysis of Client Personal Data and for complying with the legal provisions applicable to it (such as notification obligations). In this context, dss⁺ shall provide Client, at Client's costs, with any assistance reasonably required by Client in order to comply with its obligations.

3.3 Information on and audits of the security measures. Information. If required by applicable data protection laws, dss⁺ shall make available to Client all documents and information reasonably necessary to demonstrate dss⁺'s compliance with its obligations hereunder and allow Client or an independent auditor appointed by Client (and reasonably acceptable to dss⁺) to audit dss⁺'s compliance with its obligations under this DPA. Any information or audit request must be communicated to dss⁺ in writing and indicate the specific documents to be reviewed, respectively the specific obligations of dss⁺ to be audited. dss⁺ shall inform Client of the dates during which it may consult the documents at dss⁺'s offices, or on which the audit may take place, and of the modalities thereto. Client's costs (including for any independent auditor appointed by it) shall be borne entirely by Client. dss⁺ may invoice Client for its own costs incurred in connection with this Section. Upon conclusion of the audit, Client shall forward the complete audit report to dss⁺, free of charge. Client expressly undertakes to use the information collected only to ensure that dss⁺ is in compliance with its obligations with regard to the Client Personal Data and in particular that the information collected will not be used in connection with any legal or administrative proceedings against dss⁺. The provisions contained in this Section 3.3 shall not be interpreted as requiring dss⁺ to provide Client with (i) any information relating to trade secrets of dss⁺ or any information of a confidential nature or (ii) any information concerning customers of dss⁺ (except Client). dss⁺ may make the review of documents or the conduct of an audit subject to the conclusion of a specific confidentiality agreement.

4.1 Sub-Delegation. Client specifically authorizes dss⁺ to use sub-processors. dss⁺ undertakes to ensure in writing that: (i) the sub-processor will only access and process Client Personal Data to the extent necessary to perform its obligations; (ii) the sub-processor has contractual obligations to dss⁺ that are at least equivalent to those of dss⁺ to Client arising from this DPA and the Service Agreement; and (iii) if the GDPR applies, the obligations set forth in Article 28(3) of the GDPR have been imposed on the sub-processor. If the GDPR applies, dss⁺ undertakes to inform Client in advance and in writing of any planned changes with respect to the addition or replacement of other sub-processors; Client shall then have 14 days after being informed to submit its objections. If dss⁺ confirms the appointment of the sub-processor notwithstanding Client's objections, Client shall be entitled to terminate the applicable Services, insofar as it concerns the impacted Services, with immediate effect by written notice sent within 14 days of receipt of dss⁺'s abovementioned confirmation. This termination right shall be Client's sole and exclusive remedy in the event of an objection to a new sub-processor. Client's failure to object and/or terminate within the deadlines specified in this Section 4.1 shall be deemed an acceptance of the new sub-processor.

4.2 Data Transfers. Customer Personal Data that dss⁺ processes on Client’s behalf may not be transferred to, or stored and processed outside of Client's geographic location except in accordance with the DPA and the safeguards provided in this section. Client agrees that dss⁺ may process or transfer Client Personal Data in Switzerland, the European Union, or in any other country provided that such country has been recognized by the European Commission and Switzerland as ensuring an adequate level of personal data protection or that the transfer is subject to appropriate safeguards, such as by relying on Standard Contractual Clauses of the European Commission, or another lawful mechanism.

5.1 Data Protection Contact Person. All communications to be made to dss⁺ relating to this DPA and/or data protection shall be addressed to privacy@consultdss.com.Client must provide dss⁺ the contact details of its DPO, or in case appointment of a DPO is not legally required, of a contact person in charge of data protection matters.

5.2 Register of Processing Activities. Client acknowledges that dss⁺ may be required, in particular by the GDPR, to: (i) collect and store certain information, including the name and contact details of each processor and/or controller with whom dss⁺ acts and, where applicable, the local representative of the controller and/or the data protection officer, as well as the categories of processing carried out; and (ii) make such information available to any competent authority. Client undertakes to provide dss⁺ with all information reasonably necessary for dss⁺ to meet its obligations.

5.3 Hierarchy. In the event of a conflict or contradiction between the terms of this DPA and the terms of any applicable Service Agreement, the terms of this DPA shall take precedence. The terms of the Service Agreement shall apply to all aspects which are not covered by this DPA.

5.4 Severability. If any provision of this DPA is held to be invalid or unenforceable for any reason, the Parties shall replace it by a substitute provision that achieves to the fullest extent possible the same legal and economic purposes as those of the invalid or unenforceable provision. In any event, the remainder of this DPA shall remain in full force and effect between the Parties. Without limiting the foregoing, if the provisions of the Agreement on governing law may not apply in relation to all or part of this DPA due to a mandatory provision of an applicable data protection law, the Parties agree to apply the law of the State imposing such restriction (and where the law of several countries may apply, those with which dss⁺ has the closest connection).