...
The Controller undertakes and guarantees vis-à-vis the Service Provider that:
a) the processing by, the engagement of and instructions to the Service Provider are in compliance with the Swiss DPA and, where applicable, the GDPR and any other applicable data protection legislation and otherwise remain lawful during the term of the Addendum;
b) the technical and organizational measures in accordance with Annex B (Technical and Organizational Measures) are appropriate for processing and the associated risks and will remain appropriate during the term of the Addendum;
c) it has made or obtained all notifications, registrations, regulatory approvals, and consents from Data Subjects that are necessary for the lawful Processing of Personal Data by the Service Provider as a Processor according to the Swiss DPA and, where applicable, the GDPR and other applicable data protection law; and
d) it shall respond in a lawful and appropriate manner to all requests from Data Subjects exercising their rights under applicable data protection laws, as well as from supervisory authorities and other third parties.
C. Processing of Personal Data by the Service Provider
1. Obligations of the Service Provider
The Service Provider undertakes to the Controller:
a) to Process Personal Data, unless otherwise agreed, only for the purposes of the Controller and in each case only for the purpose of fulfilling the Main Contract and in accordance with the documented instructions of the Controller; the Main Contract, including this Addendum, as well as the services agreed upon by the Parties and the configurations and options chosen by the Controller and the instructions provided for in the Main Contract are the final and binding instructions of the Controller, unless otherwise agreed. If the Controller wishes to adapt these provisions, it shall propose this to the Service Provider; if the Main Contract provides for no special process for contract amendments, the Service Provider shall examine the request for adaptation in good faith; if the Parties cannot agree on an adaptation within thirty (30) days, the Controller may extraordinarily terminate the Processing and the performance of the Main Contract affected thereby, insofar as it shows that the requested contract amendment is necessary under data protection law;
b) not to disclose or transfer any Personal Data abroad, except:
i. to the Controller itself, its Affiliates or to third parties in fulfillment of an instruction of the Controller or as provided in the Main Contract (this does not apply to transfers to Sub-Processors of the Service Provider or other third parties engaged by the Service Provider);
ii. to a recipient in a Country with an Adequate Level of Data Protection, unless a stricter provision is agreed in the Main Contract;
iii. to a recipient not located in a Country with an Adequate Level of Data Protection, provided that the conditions required under the Swiss DPA and, where applicable, the GDPR for a lawful disclosure or transfer of Personal Data have been met, unless a stricter provision is agreed in the Main Contract; or
iv. if this is agreed with the Controller in the Main Contract or otherwise;
c) to implement and maintain the technical and organizational measures provided in Annex B (Technical and Organizational Measures) to ensure the confidentiality, integrity, and availability of Personal Data at all times and to protect Personal Data against unauthorized Processing, unauthorized access or unauthorized disclosure, as well as against accidental or unlawful falsification, destruction or loss; the Service Provider may adapt these measures if necessary, provided that the overall level of protection is substantially maintained; in such cases, it shall adapt Annex B (Technical and Organizational Measures) and notify the Controller in an appropriate manner;
d) to entrust the Processing of Personal Data only to employees and other auxiliary persons (including all third parties working on the instructions of the Service Provider and falling under Article 29 GDPR) who are contractually or legally bound to confidentiality when Processing Personal Data;
e) to delegate the Processing of Personal Data to third parties (other than employees and other auxiliary persons who meet the requirements of Section II.C.1.d) above) only with the prior written consent of the Controller and only to a Sub-Processor that has undertaken to Process the Personal Data in accordance with the requirements of the Swiss DPA and, where applicable, in accordance with Article 28(3) of the GDPR. Consent shall be deemed to have been granted in general for all Sub-Processors on the list of Sub-Processors in Annex C or in the Main Contract; if the Service Provider wishes to extend or adjust the list to include further Sub-Processors, it shall notify the Controller in text form in an appropriate manner at least sixty (60) days in advance (e.g. by means of an e-mail or notification function in case of adjustments to the list, insofar as it is made available on the Internet). The Controller may object in writing within fifteen (15) days to an extension or adjustment of the list; it shall do so only for justified reasons under data protection law; if the Parties cannot reach agreement within fifteen (15) days, the Controller may extraordinarily terminate the Processing and the service of the Main Contract affected thereby, provided it shows that the objection is necessary under data protection law; stricter provisions regarding the involvement of Sub-Processors for the benefit of the Controller in the Main Contract remain reserved;
f) to notify the Controller promptly at the email address provided by the Controller of any data breach (as defined in the GDPR), with the information pursuant to Article 33(3) GDPR and the corresponding provisions of the Swiss DPA as is reasonably available to the Service Provider;
g) to assist the Controller, upon its request, in complying with the GDPR, the Swiss DPA and other applicable data protection laws, taking into account the nature of the Processing and the information available to the Service Provider, in particular in complying with its obligations (i) towards Data Subjects exercising their rights under applicable data protection laws (including Chapter III of the GDPR and the corresponding provisions of the Swiss DPA and other applicable data protection laws), and (ii) pursuant to Articles 32 to 36 of the GDPR and the corresponding provisions of the Swiss DPA and other applicable data protection laws;
h) to inform the Controller promptly if, in its opinion, an instruction from the Controller violates applicable data protection laws or other applicable laws;
i) to provide the Controller with all information necessary to demonstrate the Service Provider's compliance with this Section II.C.1. and to permit and assist in audits and inspections by the Controller or by audit firms commissioned by the Controller for this purpose; the Controller agrees that it shall exercise this audit right, to the extent possible, only by relying on the review of any certifications and audit reports of independent audit firms provided by the Service Provider; and
j) to return all or certain Personal Data to the Controller, at the Controller's choice, subject to any applicable legal retention obligations, or to delete such Personal Data without retaining a copy upon termination of the Main Contract or upon request of the Controller.
2. Special expenses, indemnification
Unless otherwise agreed in the individual case, the Controller shall reimburse the Service Provider for the costs and expenses incurred by the Service Provider in providing the Controller with support services pursuant to Section II.C.1. or in otherwise assisting the Controller in complying with the Swiss DPA, the GDPR, if applicable, and other applicable data protection laws, in each case to the extent that the Controller cannot prove that these expenses were caused by the Service Provider itself or are not to be borne by the Controller pursuant to an express provision in the Main Contract.
The Controller shall indemnify and hold the Service Provider harmless from and against any and all claims of third parties based on a breach of this Addendum or applicable data protection laws. Such indemnification shall apply in particular to any damages, costs, administrative sanctions, claims or expenses incurred by the Service Provider as a result of such violations. It, as well as any potential claims for damages by the Service Provider and its Affiliates, shall not be subject to any limitation or exclusion of liability agreed in the Main Contract, unless expressly agreed otherwise with respect to this Section.
III. OTHER PROVISIONS
Furthermore, the Parties agree as follows:
a) Each Party shall bear its own costs for implementing this Addendum, unless expressly agreed otherwise in connection with or in this Addendum.
b) Each Party shall fulfill its obligations in accordance with the data protection provisions applicable to it, in particular the provisions of the Swiss DPA and, to the extent applicable, the GDPR. This shall apply in particular if the Service Provider Processes Personal Data received from the Controller or otherwise obtained in connection with the Main Contract as the controller. In this respect, the Controller allows the Service Provider to Process Personal Data and other data for (i) the purposes of the Main Contract and the rights and obligations arising therefrom (e.g. for the provision of the services and invoicing), (ii) the improvement of the Service Provider's products and services, (iii) non-personal purposes (e.g. statistical evaluations), provided that no personal data is published or disclosed to third parties who are not obliged to maintain confidentiality, and (iv) compliance with statutory and self-regulatory obligations. Upon request, the Controller shall inform the Data Subjects of the Service Provider's privacy notice, insofar as the Service Provider does not do so itself. Insofar as the Controller provides the Service Provider with Personal Data for Processing as the controller (e.g. information on service recipients), the Controller warrants that it may do so and that the Service Provider may Process this Personal Data in accordance with the Parties' agreements.
c) The Service Provider may unilaterally modify or amend this Addendum at any time. The Service Provider shall notify the Controller in text form in an appropriate manner at least sixty (60) days before the modification takes effect (e.g. by means of an e-mail). The Controller may object in writing within fifteen (15) days; it shall do so only for justified reasons under data protection law; if the Parties cannot reach agreement within fifteen (15) days, the Controller may extraordinarily terminate the Processing and the service of the Main Contract affected thereby.
d) All prior agreements between the Parties regarding Processing of Personal Data are deemed superseded by this Addendum as of the date of this Addendum.
e) In the event of a conflict between the provisions of this Addendum and the provisions of the Main Contract, the provisions of this Addendum shall prevail if and to the extent that they relate to the Processing of Personal Data by the Service Provider under the Main Contract.
f) The provisions of this Addendum shall survive the termination of the Main Contract and shall remain in effect as long as the Service Provider is in possession of or has access to the Personal Data covered by this Addendum.
g) The provisions of this Addendum shall be governed by and construed in accordance with the substantive laws of Switzerland. All disputes arising out of or in connection with this Addendum shall be submitted to the jurisdiction of Zürich.
28 July 2023
Annex A: Description of the Processing
| Subject matter/purpose of the Processing | Processing any Personal Data entered by the Controller and/or its End Users for the use of the SaaS Services. |
| Categories of data subjects | |
| Categories of personal data | Any data that the Controller or its End Users enter into the SaaS Services (may contain special categories of personal data). |
| Nature of the Processing | Hosting, transmitting and backup of personal data. |
| Duration of the Processing | Processing of personal data for as long as the Controller uses the SaaS Services. Deletion of personal data upon request. |
Annex B: TECHNICAL AND ORGANIZATIONAL MEASURES
Physical security and access control
| ☒ | Access controls (key, badge) | ☒ | Keys/badges are assigned to individuals |

User and access control (identity and access management)
| ☒ | All access requires authentication | ☒ | Rules for password complexity and renewal |
| ☒ | Role-based identity and access management | ☒ | Tools are locked when not in use |
| ☒ | Multi-factor authentication for external access | ☒ | Least privilege principle |
| ☒ | Privileged Access Management (PAM) | ☒ | Access logging |
| ☒ | Use of admin accounts only when necessary | ☒ | Authorization concept (need-to-know principle) |

Confidentiality, integrity, availability and traceability
| ☒ | Encryption of data "at rest" | ☒ | Backup concept |
| ☒ | Encryption of end devices | ☒ | BCM concept, emergency plan |
| ☒ | Encryption of data "in transit" | ☒ | Regular review of the backup |
| ☒ | State-of-the-art encryption | ☒ | Inventory of hardware and software |
| ☒ | Penetration tests, external security audits | ☒ | Hardware and software continuously checked/updated |
| ☒ | Staff signs non-disclosure agreement (clause in the employment contract) | ☒ | Technical redundancy (e.g. RAID, two systems) |
| ☒ | Logged changes of data/systems | | |
| ☒ | Others: Logical separation of the data processed as a processor from other data | | |

Measures to comply with data protection principles and data subject rights
| ☒ | Privacy Policy for all applications | ☒ | Responsibility for data subject rights established |
| ☒ | Separation of productive data/test data | ☒ | List of processing activities |
| ☒ | Responsibility for edits defined | | |

Organisation, monitoring and certifications
| ☒ | TOMs are regularly checked/adjusted | ☒ | Internal or external data protection representative |

Instructions and training
| ☒ | Information security training | ☒ | Training on data protection |
| ☒ | Awareness measures for data protection | | |
Annex C: Approved Sub-Processors
The Parties agree to the commissioning of the following Sub-Processors:
| Company | Service Provided | Corporate Location | Address | Contact Point | Further Details (including own Sub-Processors) |
| Atlassian Pty Ltd | Hosting (Forge Apps) | Australia | Level 6, 341 George Street, Sydney NSW 2000 | eudatarep@atlassian.com | The provider uses further sub-processors as per the following list: https://www.atlassian.com/legal/sub-processors. Technical and organizational measures can be found here: https://developer.atlassian.com/platform/forge/resources/Forge-Data-Processing-Addendum.pdf |
| SFDC Ireland Limited | Hosting (Heroku) | Ireland | Salesforce Tower, Dublin, Dublin 1 | +353 14403500, legal@salesforce.com | The provider uses further sub-processors as per the following list: https://www.salesforce.com/company/legal/trust-and-compliance-documentation/. Technical and organizational measures can be found here: https://www.salesforce.com/company/legal/trust-and-compliance-documentation/ |
| Alpine Shark, LLC | Static IP Service (used for the opt-in feature of Include Bitbucket for Confluence Cloud) | USA | 2831 St. Rose Pkwy, Unit 221, Henderson NV 89052 | | |