Data Processing Agreement (DPA)

Version of November 23, 2023

Concluded by and between [Customer] (hereinafter "Controller") and Peerdom Ltd., a company incorporated under the laws of Switzerland, with its registered offices in Köniz, Switzerland and address c/o Nothing AG, Kirchstrasse 175, CH-3084 Wabern, with company number CH-036.3.088.383-6 (hereinafter "Processor") (Controller and Processor together hereinafter "Parties" and each hereinafter "Party") on the processing of personal data on behalf of Controller by Processor in accordance with Article 9 of the Swiss Federal Act on Data Protection (hereinafter "FADP"), Article 28 (3) of the EU General Data Protection Regulation (hereinafter "GDPR") and Article 28 (3) of the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), as applicable.

Preamble

This Data Processing Agreement, available online via https://about.peerdom.org/dpa (hereinafter "DPA"), details the Parties' obligations on the protection of personal data associated with the processing of personal data on behalf of the Controller by the Processor, as described in the subscription terms of the Processor accepted/subscribed by the Controller (hereinafter "Subscription / Subscription Terms").

This DPA is supplemental to, and forms an integral part of, the Subscription / Subscription Terms or any other agreement concluded with the Processor and is effective upon Controller’s acceptance of the Subscription / Subscription Terms or conclusion of other agreement with Processor.

References to “Data Protection Laws” throughout this DPA shall refer to, as applicable, the FADP, the GDPR and the UK GDPR, and all other subsequent data protection legislation and regulation as shall apply within the jurisdiction in which the Processor is established in and/or carries out processing.

1. Scope and specification of the processing of personal data

  • 1.1. The purpose of the processing activity of the Processor is to provide the Controller with the subscribed access to and use of Processor’s organizational chart software either through a web browser or programmatically through its public API (hereinafter “Services”).

  • 1.2. Within the scope of this DPA, the following categories of personal data will be processed: Company or organization name, first name(s), middle name(s) and last name(s) (as applicable), past and current position(s) represented by the role(s) which an employee holds, e-mail addresses, IP addresses (anonymized), cookies for authentication, cookies for tracking user behaviour (global opt-out, anonymized) to identify product usability issues only, operating system version, browser version, usernames, passwords (encrypted), access logs, geolocation indicators, photographic and illustrative imagery (each employee shares an optional profile image), credit card details (in case of a subscription purchase using a credit card), bank details/account number/work address (in case of a subscription purchase via invoice). Furthermore, any content copied/pasted or uploaded by the data subjects defined in clause 1.3 below will be processed.

  • 1.3. Within the scope of this DPA, the following categories of data subjects of Controller may be subjected to processing, depending on the content of the uploaded documents: Customers, employees, suppliers, business partners of Controller and other individuals whose personal data is contained in the documents uploaded by the Controller.

2. Duration of DPA and obligations of Processor after termination

  • 2.1. The duration of this DPA is governed according to the Subscription / Subscription Terms.

  • 2.2. After reaching the end of the product's subscription period, the Processor undertakes to delete or destroy all personal data of the Controller in its possession in accordance with data protection requirements and/or to return to the Controller all personal data and data carriers provided to it within the scope of the Subscription / Subscription Terms. The deletion or destruction shall take place unless there is a legal reason to the contrary. It should be noted that the Processor may be legally obliged to retain certain personal data for a set period of time. After expiry of this period, however, the personal data concerned will also be deleted or destroyed in accordance with Data Protection Laws.

3. Controller’s obligations and rights; instructions and responsibilities

  • 3.1. The Processor processes personal data on behalf of the Controller in accordance with Controller’s instructions. The instructions included in this DPA, Subscription / Subscription Terms and the instructions given by Controller when using the parametrization possibilities within the Services shall be deemed the respective instructions for the purposes of this DPA. Additional instructions may only be issued where mutually agreed between the Parties in writing or in a documented electronic form (e.g., via e-mail).

  • 3.2. Changes of the subject-matter of the processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.

  • 3.3. The Controller shall be solely responsible for the lawfulness of disclosing personal data to the Processor and the lawfulness of having personal data processed on behalf of the Controller. The Controller is the "controller" in accordance with Article 5 lit. j FADP and Article 4 no. 7 GDPR and UK GDPR.

  • 3.4. Subject to clause 4.5 of this DPA, it is within the sole responsibility of Controller to handle data subjects' rights requests. Where a data subject asserts claims for rectification, erasure or access against the Processor, the Processor shall forward the data subject's claim to the Controller without undue delay and support the Controller, where possible.

4. Processor’s obligations and rights

  • 4.1. Processor processes (procures, stores, retains, uses, modifies, discloses, archives, deletes or destroys, etc.) personal data solely within the scope of this DPA and the Subscription / Subscription Terms and on instructions of the Controller.

  • 4.2. The Processor is not entitled to delete or otherwise destroy processed personal data on its own authority. Any deletion or destruction of the data may only be carried out based on a written instruction from the Controller, unless there is a legal obligation to delete such data.

  • 4.3. The Processor undertakes to treat all personal data of which it becomes aware under this DPA as confidential. This obligation shall remain in force even after termination of this DPA. The Processor shall ensure that all persons who have access to the personal data or who are commissioned to process it are informed of the confidentiality obligation and are contractually bound accordingly. In addition, the Processor shall implement appropriate internal organizational measures to ensure that only authorized employees have access to personal data. This includes, among other things, the training of employees in Data Protection Laws and the implementation of access restrictions.

  • 4.4. At the request of the Controller, the Processor is obliged to correct data if it is incorrect or incomplete. If a data subject asserts his or her rights directly against the Processor, in particular his or her right to information, surrender or transfer of the data, his or her right to object, or his or her right to correction, deletion or destruction of the data, the Processor shall not act independently, but shall immediately refer the data subject to the Controller and await the Controller's instructions.

  • 4.5. Processor shall use reasonable efforts to support Controller in fulfilling the rights of data subjects under the applicable law and in ensuring compliance with the obligations pursuant to the applicable law, taking into account the nature of the processing and the information available to the Processor. Where Processor must assist Controller to meet Controller's legal obligations as stated in section 3.4, Controller shall reimburse Processor for any reasonable additional costs associated with the provision of such assistance.

  • 4.6. Processor shall be entitled to use Controller's personal data for the purposes of pattern recognition, trend analysis, organization recommendations and predictive analysis, under the stipulation that the data is fully anonymised and incapable of being reversed to identify data subjects.

  • 4.7. Processor shall be entitled to use Controller's company name on Peerdom’s website and in other marketing communications that refer to Peerdom customers. Controller can, at any time, opt-out of being referred to in such marketing communications by sending an e-mail to Peerdom's support staff (hello@peerdom.org or support@peerdom.org).

  • 4.8. Processor shall be entitled to use Controller's company name, Peerdom URL, and country of residence in Peerdom's global organization directory in order to enable other customers to discover and connect with them. Via the product's settings, Controller can, at any time, opt-out of being listed in the global organization directory.

5. Information and audit rights

  • 5.1. On request of the Controller, Processor shall provide the Controller with the information necessary to demonstrate compliance with Processor's obligations, including the implementation of technical and organizational measures.

  • 5.2. The Processor shall provide Controller with appropriate means of information, such as carrying out a self-audit and providing the Controller with respective information, or providing attestations, certifications, reports or extracts thereof from independent bodies (e.g. external auditors) or other suitable certifications.

  • 5.3. If Controller has reasonable doubts regarding the documents provided by Processor under 5.2 and provides Processor with an explanation of such doubts, Controller or an independent renowned third-party auditor instructed by Controller can verify compliance of the Processor under 5.1. Processor is entitled to make such inspection conditional on the conclusion of a market-standard non-disclosure agreement.

  • 5.4. Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.

  • 5.5. Controller shall remunerate any additional costs incurred by Processor due to such audit under 5.3 to 5.5 unless it results from this inspection/examination that the Processor's data processing was carried out in breach of this DPA or the applicable Data Protection Laws.

6. Processor’s notification obligations

  • 6.1. Processor shall immediately inform Controller if, in its opinion, there has been an infringement of any Data Protection Laws or if any instructions provided by Controller infringe any Data Protection Laws.

7. Sub-processor

  • 7.1. The Controller hereby consents to Processor’s use of sub-processors for fulfilling its contractual obligations under the Subscription / Subscription Terms.

  • 7.2. Current sub-processors are listed in Annex 2 of this DPA.

  • 7.3. Prior to the use of a new or replacement sub-processor, the Processor shall inform the Controller thereof and give the Controller the opportunity to object to such changes based on reasons related to Data Protection Laws within 14 days of the notification by the Processor. Where the Controller fails to object to such change within such period of time, the Controller shall be deemed to have consented to such change. Where the Controller objects to the use of a new or replacement sub-processor, the new or replacement sub-processor will not be granted access to Controller's personal data.

  • 7.4. The Processor shall ensure, by entering into an agreement with each sub-processor, that obligations at least substantially equivalent to those which Processor has assumed under this DPA are imposed on the sub-processor.

  • 7.5. Processor shall remain liable to Controller for its sub-processors’ obligations.

8. Location of processing

  • 8.1. The processing of personal data takes place exclusively in Switzerland, the European Union, the United Kingdom and, by some of our sub-processors, in a third country. If the provision of services by the Processor is also desired during the Processor's holiday absences or at a temporary remote work location of its employee(s), the Processor is exceptionally permitted by the Controller to process the data from the respective location abroad via remote access by means of secure password protection, an encrypted connection and use of its own device, which is protected from access by any third parties.

  • 8.2. For sub-processors located in a third country, Processor ensures adequate data protection by concluding standard data protection clauses which the competent data protection authorities have approved, issued or recognised in advance.

9. Technical and organizational measures

  • 9.1. The Processor takes appropriate technical and organizational measures according to Articles 7 and 8 FADP, or Article 32 GDPR and UK GDPR, to protect personal data from unauthorized access, loss or destruction. This includes the use of firewalls, encryption technologies, access controls and other appropriate security measures, as listed in Annex 1.

  • 9.2. The technical and organizational measures are regularly reviewed and updated as necessary to comply with current technological standards and applicable data protection regulations.

10. Warranties

The Processor warrants:

  • to comply with the Data Protection Laws when performing the Services and processing any personal data;

  • to comply with any applicable Data Protection Laws regarding data impact assessments and directives of competent supervisory authorities or regulators; and

  • to notify Controller of all data protection breaches in writing without undue delay and in any event, within 72 hours of the breach occurring.

11. Liability

The Controller shall be responsible to the data subject for compensation for damages or other claims arising in connection with the processing of personal data which arises as a direct result of the Controller's breach of Data Protection Laws or this DPA. Direct recourse to the Processor is only permitted if the Processor has violated the provisions of this DPA or the applicable Data Protection Laws.

12. Final provisions

  • 12.1. If this DPA contradicts the Subscription / Subscription Terms or other agreements concluded between the Parties, the provisions of this DPA shall take precedence.

  • 12.2. Amendments or additions to this DPA must be mutually agreed by both Parties in writing and signed by a representative of each Party, subject to Section 12.3 below.

  • 12.3. Annex 1 and Annex 2 form integral parts of this DPA. However, the Processor may amend Annex 2 (by adding new or replacement sub-processors) subject to Section 7.3 of this DPA. The technical and organisational measures set out in Annex 1 may be replaced by Processor unilaterally at any time with measures that are of equal or better standing than those set out in Annex 1. Processor will notify the Controller of any amendments with 30 days' prior notice.

  • 12.4. This DPA is subject to the substantive laws of Switzerland to the exclusion of the conflict of laws rules and international treaties. Place of jurisdiction shall be with the state courts at the registered seat of the Processor.

13. Annexes

  • Annex 1: Technical and organizational measures
  • Annex 2: List of current sub-processors

Annex 1: Technical and organizational measures

Processor has implemented the following technical and organizational measures, which may be adapted from time to time based on technological progress.

Controller's personal data is only accessed with Controller's explicit consent to perform support by the Processor for the use of the Peerdom application.

Explicit consent is given by Controller to the Processor to access Controller's personal data in case the Processor's support staff is contacted via e-mail (typically at support@peerdom.org or hello@peerdom.org, from any e-mail address of one of Controller's employees) to act on Controller's behalf.

Confidentiality

Physical access control

  • The data centers we use (Google Cloud Platform, see sub-processor in Annex 2) are secured through physical barrier controls at relevant access points, electronic access control validation or validation by human security personnel, ID badge requirements, need-based access privilege limitations and electronic intrusion detection systems. Appropriate video surveillance is in place and all relevant access points are maintained in a secure (locked) state. All physical access to the data centers is logged.

Electronic access control

  • The data centers we use are protected through access controls and policies for the network, including firewalls (or equivalent) and authentication controls. User access to the data centers is logged.

  • For access to our IT systems, personal user accounts with usernames and (encrypted) passwords are set up for authorized personnel. We have a password policy with minimum standard requirements for password length and composition.

  • We have a two-factor authentication policy for critical services and key users.

  • Access to our IT systems is granted following a need to know & least privilege approach.

  • We have a company policy that allows using only laptops with encrypted disk storage.

  • Unauthorized external access to our critical systems is prevented by an encrypted connection and two-factor authentication.

  • Access to our critical systems is logged.

  • We use different environments for staging and production.

Integrity

  • Access to our data centers is logged, managed and protected entirely by our sub-processor(s) (see Annex 2).

  • Our staging environment is accessible only using an encrypted connection.

  • Every employee that needs to connect via an encrypted connection has their own credentials to use the encrypted connection.

  • All our environments (both staging and production) use HTTPS to secure data in transport.

  • Internally, we document who receives or changes critical data through log files.

  • We encrypt data in transit.

  • We conduct annual penetration tests (pen tests), performed by an independent party. Test results (management summary) are available on request only.

Availability and resilience, including ability to restore the availability

  • We use the data center infrastructure(s) entirely managed by our sub-processor(s) (see Annex 2). For the data, we create regular backups to restore data in case of emergency.

  • We use firewalls (or similar technologies) and anti-virus protection (the latter intended for desktop computers of employees of Processor, and only for operating systems which are considered unsafe without anti-virus, e.g. Microsoft Windows, all versions).

  • We conduct security & data protection training for our employees.

  • We have an emergency recovery plan.

Process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures

Privacy management

  • We have a standard Data Processing Agreement.
  • We have privacy policies for the affected data subjects.
  • We have a process to fulfill data subject rights’ requests.
  • We conduct data protection impact assessments, to the extent necessary.
  • We have a FADP / GDPR / UK GDPR training concept.
  • We have a data protection officer (contact: privacy@peerdom.org).
  • We have a GDPR representative in the UK (Swiss GRC UK Limited, The Nova Centre, 1 Purser Road, Northampton, NN1 4PG England, peerdom.dataprivacy@swissinfosec.de) and EU (VGS Datenschutzpartner GmbH, Am Kaiserkai 69, 20457 Hamburg, Germany, info@datenschutzpartner.eu).

Incident response management

  • We have a well-defined, internal process to handle security incidents.
  • We communicate significant incidents through https://x.com/peerdomorg.

Data protection by design and by default

  • We delete user files in line with user choices and our data retention scheme (see above, under Integrity).
  • We have a process to fulfil data subject rights' requests.
  • We limit data access for our personnel following a need to know & least privilege approach.

Order control: No sub-processing without advance information of Controller (pre-evaluation and selection of providers, order management)

  • We sign Data Processing Agreements with each sub-processor who has access to personal data.
  • We have a process to choose suitable sub-processors in line with privacy requirements.
  • We document contract conclusion.
  • We regularly audit the compliance of our sub-processors with access to personal data.

Annex 2: List of current sub-processors

For each sub-processor, the name and location are given together with a description of the affected parts of performance.

Google GmbH, Zürich, Switzerland
  • Data processing activity: Hosting provider (backend application, database and storing uploaded files in Zürich, Switzerland, SSO for both Controller and Processor)
  • Data protection level: https://cloud.google.com/security/infrastructure
  • GDPR compliance: https://cloud.google.com/privacy/gdpr

Exoscale AG, Lausanne, Switzerland
  • Data processing activity: Hosting provider (DNS, source code (self-hosted Gitlab), support tickets (self-hosted Gitlab), internal chat system (self-hosted Mattermost), metrics (self-hosted Matomo), production database backups)
  • Data protection level: https://www.exoscale.com/security/
  • GDPR compliance: https://www.exoscale.com/compliance/gdpr/

Cyon GmbH, Basel, Switzerland
  • Data processing activity: Hosting provider (frontend application)
  • Data protection level: https://www.cyon.ch/ueber-cyon/infrastruktur
  • GDPR compliance: https://www.cyon.ch/legal/datenschutzerklaerung

Libracore AG, Saland, Switzerland
  • Data processing activity: Hosting provider of ERPNext (open-source ERP) (storing invoicing data)
  • Data protection level: https://libracore.com/impressum
  • GDPR compliance: https://libracore.com/impressum

Stripe, Inc., San Francisco, USA
  • Data processing activity: Invoice subscriptions using credit cards
  • Data protection level: https://stripe.com/docs/security/stripe
  • GDPR compliance: https://stripe.com/dpa/legal

Mailgun, Inc., USA
  • Data processing activity: Send mandatory, transactional e-mails (e.g., reminders, onboarding, login prompts etc.)
  • Data protection level: https://www.mailgun.com/enterprise/security/
  • GDPR compliance: https://www.mailgun.com/gdpr/

The Rocket Science Group, LLC, Atlanta, USA
  • Data processing activity: Send optional marketing e-mails, in the form of a newsletter focussed on product news, using Mailchimp
  • Data protection level: https://mailchimp.com/about/security/
  • GDPR compliance: https://mailchimp.com/gdpr/

Microsoft Corporation, Seattle, USA
  • Data processing activity: Receiving, storing, sending internal e-mails, internal documents (contracts, support information) using Microsoft 365, SSO for either Controller (optional, provided as part of the subscription) or Processor (typically as part of Azure Active Directory use)
  • Data protection level: https://learn.microsoft.com/en-us/microsoft-365/security/?view=o365-worldwide
  • GDPR compliance: https://learn.microsoft.com/en-us/compliance/regulatory/gdpr