Data Processing Agreement

biG-DPA - Last modified 2024-01-08

This Data Processing Agreement (“DPA”) is entered into between:

(1) (“Controller” or “Company”), entering into the present DPA on its own behalf and on behalf of its Affiliates

and

(2) biGENIUS AG (“Processor”).

Controller and Processor are referred to individually as “Party” and collectively as “Parties”.

1.   Scope of application

1.1.    The present Data Processing Agreement (the “DPA”) reflects the Parties’ agreement with respect to the Processing of Personal Data between them, in connection with the contractual relationship(s) the Parties entered into (the “Agreement”). The present DPA forms an integral part of the Agreement.

1.2.    Within the scope of the Agreement, Processor will, or may, have access to personal data and/or process personal data for which Controller is the data controller. Processor is therefore a data processor within the meaning of the applicable data protection legislation (“Data Protection Legislation”).

1.3.    The objective of the DPA is to comply with the requirements of the Data Protection Legislation.

2.   Definitions

2.1.    The words used in the DPA shall have the following meaning:

a) “personal data” means any information relating to an identified or identifiable natural person (hereinafter "Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) "data subject" means any identified or identifiable natural person whose personal data are processed by the Controller.

c) “processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) "restriction of processing" means the marking of stored personal data with the aim of limiting their future processing.

e) “data controller” means the natural or legal person, which, alone or jointly with others, determines the purposes and means of the processing of personal data;

f) “data processor” means a natural or legal person, which processes personal data on behalf of the data controller;

g) “sub-processor” means a subcontractor engaged by the data processor who has or will have access to, and/or processes, personal data belonging to the data controller;

h) “Data Protection Legislation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation; the “GDPR”), the Swiss Federal Act of 25 September 2020 on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (OFADP).

3.   Undertakings and instructions

3.1.    The Processor undertakes:

a) to treat personal data as confidential information, and to process them solely in accordance with the Data Protection Legislation, the Agreement and any other documented instructions from the Controller. Processing activities are indicated in Annex I to the present DPA.

b) to ensure that access to personal data is strictly limited to its personnel who need to know it for the performance of the Agreement.

c) to ensure that the members of its personnel authorized to process the personal data are informed of the confidential nature of the personal data, and have committed themselves to confidentiality (or are under appropriate statutory obligations of confidentiality).

d) to assist Controller, taking into account the nature of the processing, by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to requests from data subjects exercising the rights laid down in the Data Protection legislation; Processor shall promptly notify the Controller if it receives a request from a data subject in respect of Controller’s personal data.

e) to notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Controller’s Personal Data, and to provide the information necessary for the Controller to fulfil its obligations under the Data Protection Legislation, as further described in Article 5.

f) to return to the Controller, or erase, at the Controller’s choice and to the extent allowed by applicable law, any Personal Data received from the Controller, within a maximum period of 30 days after the termination of the Agreement. This rule does not limit the Controller’s right to request the deletion of personal data at any time during the Agreement, unless such deletion is not permitted by applicable law.

g) to assist Controller in ensuring compliance, where needed, with the other obligations pursuant to Articles 32 to 36 of the GDPR (implementing security measures, conducting data protection impact assessments), taking into account the nature of the processing and the information available to Processor.

4.    Transfer of personal data 

Any processing or transfer of Controller’s Personal Data to countries outside the European Economic Area (EEA) (and/or countries for which the Swiss Federal Data Protection and Information Commissioner has not issued an adequacy decision) is permitted only if the Processor complies with the relevant provisions of Chapter V of the GDPR (or Section 3 of the FADP).

5.    Information security

5.1.    The Processor implements:

a) all necessary technical and organizational measures needed to ensure an appropriate level of security, as required pursuant to the Data Protection Legislation (notably Article 32 of the GDPR and Article 8 of the FADP), and

b) other measures necessary in order for Processor to comply with the security requirements set out in the Agreement.


5.2.    If Processor changes its security measures, such changes shall not materially decrease the overall level of security of the personal data.


5.3.    In the event of a personal data breach or any other violation of information security, Processor shall notify Controller without undue delay after becoming aware of it. As part of the notification, Processor shall inform Controller in writing and provide all necessary information about the event and the related measures, in particular:

a) a description of the nature of the breach, including the categories and number of data subjects affected, together with the other information required by the Data Protection Legislation;

b) the necessary information about the measures taken to mitigate the breach;

c) the information required for any notifications to be made to the affected data subjects.

6.    Audit

6.1.     Processor shall provide the Controller with all information necessary to verify that the obligations set out in the DPA are complied with. If that information is insufficient, Processor shall, where needed, allow audits carried out by Controller or by a third party authorized by the Controller. The modalities of these audits shall be agreed in advance, and audits shall take place only during business hours.

6.2.     If Controller uses a third party to carry out the audit, that third party shall not be a competitor of the Processor and shall respect the confidentiality in relation to Processor's information.

6.3.     Processor shall immediately inform the Controller in the event that a supervisory authority initiates or takes any action in relation to Processor with regard to the processing of personal data under the Agreement or the DPA.

7.    Sub-Processors

7.1.     The data processor:

a) has the data controller’s general authorization for the engagement of sub-processors; the current list of the data processor’s sub-processors is set out in Annex I;

b) shall impose on all its existing and future Sub-Processors written data protection commitments that provide at least the same level of protection for Controller’s personal data as those set out in the DPA and in the Data Protection Legislation; and

c) shall be liable for the acts and omissions of its Sub-processors to the same extent it would be liable if performing the services of its sub-processors directly.

7.2.     The data processor shall not subcontract any of its processing activities performed on behalf of the data controller under this DPA to a new sub-processor without the data controller’s authorization.

7.3.     The data processor shall submit the request for authorization at least 30 days prior to the engagement of the sub-processor, together with the information necessary to enable the data controller to decide. In the event data controller objects to a new sub-processor, the Parties shall discuss data controller’s reasons in good faith, in order to find a reasonable solution.

8.    Governing law

The Parties agree that the present DPA shall be subject to the biGENIUS Customer Terms of Service dated 2023-08-24, and governed by the laws of Switzerland, without giving effect to its conflict of law principles.

9.    Jurisdiction

Any dispute arising out of, or in connection with, the present DPA shall be settled exclusively by the competent court of the Canton of Basel-Landschaft, Switzerland.



Annex I

DESCRIPTION OF PROCESSING ACTIVITIES:

biGENIUS-X stores no customer personal data in the biGENIUS-X database other than name, e-mail address, last login and Auth0 ID. All other personal data remains on the customer side, and the metadata is stored in the customer’s git repository.

Duration of processing

Only for as long as necessary during the license period.

Place of storage & processing

Data in biGENIUS-X are stored in the Azure Cloud (regions Western Europe and Nordics) and with the approved sub-processors listed in this Data Processing Agreement.

Sub-processors

Auth0 by Okta

TECHNICAL SECURITY MEASURES

1. Access control and authentication

a) An authentication system applicable to all users accessing biGENIUS-X is implemented by sub-processor Auth0.

b) Access control is enforced by biGENIUS-X, where each user can be assigned specific roles and access rights. When granting access or assigning user roles, the “need-to-know” principle shall be observed, so that access to personal data is limited to those users who require it to achieve the Processor’s processing purposes.

c) Authentication credentials (such as user ID and password), as well as all other data, are never transmitted unprotected over the network.


2. Security of data at rest
a) Server/Database security:
Database and API servers are configured to run under a dedicated account within a private network. Database and API servers process only the personal data actually required to achieve the processing purposes.

b) Workstation security:
The system enforces session time-outs after a period of user inactivity.

c) Network/Communication security:

Whenever access is performed through the Internet, communication is encrypted using cryptographic protocols, and traffic to and from the IT system is monitored.

 
3. Application lifecycle security

During the development lifecycle, best-practice, state-of-the-art and widely recognized secure development practices and standards are followed.