Data Processing Agreement (English draft)

Last updated: 2026-05-18 - German translation to follow once approved by Swiss legal counsel

Draft notice. This document is a v1.0 draft pending Swiss data protection counsel review. It is published here for transparency during the review process and may change before becoming final. Material changes will be dated in the change log at the bottom of the page.

This Data Processing Agreement (“DPA”) forms part of the agreement (the “Principal Agreement”) between Agenticsis and the Client under which Agenticsis processes personal data on the Client’s behalf. It is concluded under Article 28 of Regulation (EU) 2016/679 (“GDPR”) and Article 9 of the revised Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”). Where the Principal Agreement and this DPA conflict on data-protection matters, this DPA prevails.

By engaging Agenticsis for services that involve processing of personal data on the Client’s behalf, the Client accepts this DPA. A bilateral signed version is available on request and prevails over this published version when signed.

1. Definitions

Terms in this DPA have the meanings given in GDPR Art. 4 and FADP Art. 5, unless defined here.

  • Controller: the Client.
  • Processor: Agenticsis, Sihlquai 131, 8005 Zürich, Switzerland.
  • Personal Data: personal data the Processor processes on behalf of the Controller under the Principal Agreement.
  • Sub-processor: any third party engaged by the Processor to process Personal Data on the Controller’s behalf.
  • Standard Contractual Clauses or SCCs: the European Commission Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914, as supplemented for Switzerland by the FDPIC where the Controller is established in Switzerland.
  • Data Privacy Framework or DPF: the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework.

2. Subject matter, duration, nature, and purpose

The Processor processes Personal Data to provide the services described in the Principal Agreement. The detail of the processing is set out in Annex I.

This DPA applies for the duration of the Principal Agreement, and survives termination for as long as the Processor holds Personal Data.

3. Categories of data subjects and personal data

The categories of data subjects and personal data processed under this DPA are set out in Annex I.

The Controller will not provide special categories of personal data (GDPR Art. 9), data relating to criminal convictions and offences (GDPR Art. 10), or sensitive personal data (FADP Art. 5(c)) unless expressly agreed in the Principal Agreement or in Annex I, together with the additional safeguards required.

4. Obligations of the Controller

The Controller warrants and undertakes that:

  • It is and remains the controller of the Personal Data within the meaning of GDPR Art. 4 or FADP Art. 5.
  • Its instructions to the Processor and its disclosure of Personal Data to the Processor are lawful, including with respect to legal basis, transparency, and any consents required.
  • It has provided data subjects with the information required by GDPR Art. 13 or 14 and FADP Art. 19.
  • It will respond to requests from data subjects and from supervisory authorities, with the Processor’s assistance as set out in this DPA.

5. Obligations of the Processor

The Processor undertakes to:

  • Process on instructions. Process Personal Data only on the documented instructions of the Controller, including with respect to international transfers, unless required otherwise by Union, Member State, or Swiss law; in that case the Processor informs the Controller of the legal requirement before processing, unless prohibited on important grounds of public interest.
  • Confidentiality. Ensure that persons authorised to process Personal Data are bound by a duty of confidentiality, contractual or statutory.
  • Security. Implement the technical and organisational measures set out in Annex II.
  • Sub-processors. Engage sub-processors only under the conditions in section 8.
  • Data subject rights. Assist the Controller in responding to requests by data subjects under Chapter III of the GDPR or the equivalent FADP provisions.
  • Compliance assistance. Assist the Controller in ensuring compliance with GDPR Art. 32 to 36 and the equivalent FADP provisions.
  • Return or deletion. Return or delete Personal Data at the end of the services in line with section 14.
  • Records. Make available all information necessary to demonstrate compliance, and allow for and contribute to audits in line with section 12.
  • Notice of unlawful instructions. Inform the Controller immediately if an instruction infringes data protection law.

6. Instructions

The Controller’s instructions are set out in (i) the Principal Agreement, (ii) this DPA, and (iii) any further written instructions the Controller gives during the term. The Controller is responsible for the lawfulness of its instructions.

Where the Processor reasonably needs to charge for additional or unusual instructions, the parties will agree fees in writing before the Processor performs the work.

7. Confidentiality of personnel

The Processor ensures that all personnel who process Personal Data on its behalf:

  • Are informed of the confidential nature of the data.
  • Are bound by appropriate confidentiality obligations, contractual or statutory.
  • Are trained in data protection and security obligations relevant to their role.
  • Have access on a need-to-know basis only.

8. Sub-processors

The Controller authorises the engagement of the sub-processors listed at /sub-processors (the “Sub-processor List”) to process Personal Data on the Controller’s behalf in line with this DPA.

The Processor will:

  • Maintain the Sub-processor List with the name, purpose, location, and transfer safeguard of each sub-processor.
  • Give the Controller at least 30 days’ written notice before adding or replacing a sub-processor.
  • Impose contractual data-protection obligations on each sub-processor that are no less protective than those in this DPA.

The Controller may object on reasonable data-protection grounds within 30 days of notice. If the objection cannot be resolved within 30 days, the Controller may terminate the affected services without penalty, with a pro-rata refund of pre-paid fees. The Processor remains fully liable for the acts and omissions of its sub-processors that affect Personal Data.

9. Data subject rights assistance

The Processor will, taking into account the nature of the processing and the information available to it, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller’s obligation to respond to requests by data subjects exercising their rights under GDPR Arts. 15 to 22 or the equivalent FADP rights.

If a data subject submits a request directly to the Processor that relates to Personal Data processed for the Controller, the Processor will not respond on the merits, will refer the data subject to the Controller where appropriate, and will notify the Controller within 5 working days.

10. Personal data breach notification

The Processor will notify the Controller without undue delay, and in any event within 24 hours, of becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification will include, to the extent known at the time:

  • The nature of the breach, including where possible the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and to mitigate effects.
  • Contact details for further information.

The Processor will provide updates as further information becomes available, and will reasonably assist the Controller in meeting its own notification obligations under GDPR Arts. 33 and 34, FADP Art. 24, and any other applicable law.

11. Data Protection Impact Assessment and prior consultation

The Processor will assist the Controller in carrying out data protection impact assessments under GDPR Art. 35 and in conducting any prior consultation with a supervisory authority under GDPR Art. 36, where the processing under the Principal Agreement is likely to result in a high risk to the rights and freedoms of natural persons.

12. Audits

The Processor will make available to the Controller, on reasonable written notice, the information necessary to demonstrate compliance with this DPA, including:

  • Up-to-date Annex II (technical and organisational measures).
  • Most recent independent security assessments or certifications, where available.
  • Sub-processor List and DPAs with sub-processors (in redacted form for commercial sensitivity).

Where the foregoing is insufficient and the Controller (or its mandated auditor that is not a competitor of the Processor and is subject to confidentiality) reasonably requests an on-site audit, the parties will agree on the scope, timing, and method in good faith. Audits are conducted no more than once per year (except after a breach or on regulator demand) and the cost of the auditor is borne by the Controller, with the Processor bearing its own internal cost.

13. International transfers

Where the Processor or a sub-processor processes Personal Data outside Switzerland and the EEA, the parties rely on the following transfer mechanisms, in order of preference:

  • Adequacy. An adequacy decision of the European Commission or the Swiss Federal Council covering the receiving country.
  • Data Privacy Framework. Where the recipient is established in the United States and certified under the EU-US or Swiss-US Data Privacy Framework.
  • Standard Contractual Clauses. The applicable module of Commission Implementing Decision (EU) 2021/914, supplemented for Switzerland by the FDPIC. For transfers from the Processor (as processor) to a sub-processor (as sub-processor), Module 3 applies. The parties hereby enter into the SCCs, with the docking clause permitting accession by sub-processors.
  • Supplementary measures. Where necessary, additional technical, organisational, and contractual measures as identified by a transfer impact assessment.

The current safeguard for each sub-processor is shown on the Sub-processor List.

14. Return or deletion at termination

On termination of the Principal Agreement, or on earlier written request from the Controller, the Processor will, at the Controller’s choice:

  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format; and/or
  • Delete all Personal Data and existing copies, except to the extent retention is required by Union, Member State, or Swiss law (for example, accounting records under Swiss Code of Obligations Art. 958f).

The Processor will provide written confirmation of return or deletion within 30 days, and will continue to apply the security measures in Annex II to any Personal Data retained for legal reasons until deletion.

15. Liability and governing law

Each party’s liability under this DPA is subject to the limitation of liability in the Principal Agreement. The limit applies to all liability under this DPA and the Principal Agreement together (single cap). Nothing in this DPA limits liability that cannot be limited under applicable law.

This DPA is governed by Swiss law. Disputes are subject to the jurisdiction of the courts of Zürich, Switzerland, unless the Principal Agreement provides otherwise. Where the SCCs apply to international transfers, the governing-law and forum clauses in the SCCs prevail for matters within their scope.

Annex I: Details of processing

Subject matter

The services described in the Principal Agreement, including AI strategy consulting, AI implementation (agents, automations, RAG, integrations), AEO/SEO services, and content services.

Duration

The term of the Principal Agreement, plus any retention period required by law.

Nature of processing

Collection, storage, organisation, structuring, consultation, use, disclosure to sub-processors, alignment, retrieval, transmission, restriction, deletion.

Purpose

Provision of the services to the Controller.

Categories of data subjects (typical)

  • Controller’s employees and contractors.
  • Controller’s customers and prospects.
  • Controller’s website visitors.
  • End users of AI systems built or operated for the Controller.

Categories of Personal Data (typical)

  • Contact data (name, email, phone, role, employer).
  • Account and authentication data.
  • Content data (documents, transcripts, prompts, outputs).
  • Usage and analytics data.
  • Technical data (IP, device, logs).

Special categories

Not processed unless expressly agreed in writing.

Transfers to third countries

Per the Sub-processor List.

Annex II: Technical and organisational measures

The Processor maintains the following measures, reviewed at least annually.

Pseudonymisation and encryption

  • TLS 1.2 or higher for all data in transit.
  • AES-256 (or equivalent) encryption at rest for data stored in the database and object storage.
  • Encryption of laptops and removable media used to access Personal Data.

Confidentiality, integrity, availability, resilience

  • Role-based access control and least-privilege provisioning.
  • Multi-factor authentication on administrator accounts and all production access.
  • Single sign-on for staff accounts where supported.
  • Network segmentation between production and development environments.
  • Centralised audit logging and tamper-evident retention for security events.
  • Automated daily backups with periodic restoration tests.
  • Web application firewall and DDoS protection at the edge (Vercel).
  • Vulnerability scanning of dependencies and remediation by severity.

Availability and restoration

Documented backup and restore procedures with a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 24 hours for production data, unless the Principal Agreement specifies otherwise.

Testing and evaluation

  • Annual review of the security programme.
  • Periodic penetration testing or third-party security assessment for production systems.
  • Internal review of access rights at least every 6 months.

Personnel security

  • Background checks where lawful and proportionate.
  • Confidentiality clauses in employment and contractor agreements.
  • Annual data protection and security training.

Physical security

Production infrastructure is hosted by sub-processors in certified data centres (ISO 27001 or equivalent), with physical access controls operated by the sub-processor.

Incident management

  • Documented personal data breach response procedure.
  • Notification of the Controller within 24 hours of becoming aware of a breach (section 10).

Sub-processor management

  • Written contracts with sub-processors imposing data-protection obligations no less protective than this DPA.
  • Maintenance of the Sub-processor List.

Annex III: Sub-processors

The current Sub-processor List is published at /sub-processors and forms part of this DPA. The list is updated in line with section 8.

Change log

Version   | Date       | Change
1.0 DRAFT | 2026-05-18 | Initial draft. Pending Swiss counsel review.