...
It is possible that, by using the SaaS-Services, the Controller processes Personal Data and that the Service Provider therefore processes that Personal Data on behalf of the Controller. In this case, this Data Processing Addendum applies in addition to the Main Contract.
I. DEFINITIONS
In this Addendum, the following defined terms are used. Additionally, the terms "Personal Data", "Processing", "Processor", "Sub-Processor", "Controller" and "Data Subjects" shall have the meanings ascribed to them in the Swiss DPA and, where applicable, the GDPR. Terms not otherwise defined in this Addendum shall have the meanings assigned to them in the Main Contract.
...
"Swiss DPA" means the Swiss Federal Act on Data Protection, as amended from time to time, including its ordinances.
II. PROCESSING
A. Scope and Characteristics of the Processing
This Addendum governs the Processing of Personal Data by the Service Provider, acting as a Processor or Sub-Processor, on behalf of the Controller, which acts as a Controller or Processor, in the performance of the Main Contract.
...
The subject matter, duration, nature and purpose of the Processing, as well as the types of Personal Data Processed and the categories of Data Subjects, are specified in Annex A of this Addendum.
B. Obligations of the Controller
The Controller undertakes and guarantees vis-à-vis the Service Provider that:
...
Subject matter/purpose of the Processing | Processing of any Personal Data entered by the Controller and/or its End Users for the use of the SaaS-Services.
Categories of Data Subjects | People who use the SaaS-Services (End Users). People whose Personal Data is processed using the SaaS-Services by the Controller and/or its End Users. People whose data is transmitted via the SaaS-Services by the Controller and/or its End Users. Other possible categories of Data Subjects whose Personal Data is processed using the SaaS-Services.
Categories of Personal Data | Any data that the Controller or its End Users enter into the SaaS-Services (may contain special categories of Personal Data).
Nature of the Processing | Hosting, transmission and backup of Personal Data.
Duration of the Processing | Processing of Personal Data for as long as the Controller uses the SaaS-Services and does not delete the Personal Data. Deletion of Personal Data upon request.
Annex B: TECHNICAL AND ORGANIZATIONAL MEASURES
Physical security and access control
☒ Access controls (key, badge, guard)
☒ Keys/badges are assigned to individuals

User and access control (identity and access management)
☒ All access requires authentication
☒ Rules for password complexity and renewal
☒ Role-based identity and access management
☒ Tools are locked when not in use
☒ Multi-factor authentication for external access
☒ Least privilege principle
☒ Privileged Access Management (PAM)
☒ Access logging
☒ Use of admin accounts only when necessary
☒ Authorization concept (need-to-know principle)

Confidentiality, integrity, availability and traceability
☒ Encryption of data "at rest"
☒ Encryption of data "in transit"
☒ Encryption of end devices
☒ State-of-the-art encryption
☒ Backup concept
☒ Regular review of the backup
☒ BCM concept, emergency plan
☒ Inventory of hardware and software
☒ Hardware and software continuously checked/updated
☒ Penetration tests, external security audits
☒ Technical redundancy (e.g. RAID, two systems)
☒ Staff signs non-disclosure agreement (clause in the employment contract)
☒ Logged changes of data/systems
☒ Others: Logical separation of the data processed as a processor from other data

Measures to comply with data protection principles and data subject rights
☒ Privacy Policy for all applications
☒ Responsibility for data subject rights established
☒ Separation of production data/test data
☒ Record of processing activities
☒ Responsibility for processing operations defined

Organisation, monitoring and certifications
☒ TOMs are regularly reviewed/adjusted
☒ Internal or external data protection officer

Instructions and training
☒ Information security training
☒ Data protection training
☒ Awareness measures for data protection/InfoSec
Annex C: Approved Sub-Processors
...