Change date: May 2024
Data Processing Agreement (DPA)
Between the
User of Atlanto (hereinafter the Client)
and
Atlanto Ltd (hereinafter the Contractor)
Dufourstrasse 40
9001 St. Gallen, Switzerland
the following agreement on Data Processing is concluded.
1. Data Processing
Within the scope of its services as platform operator, the Contractor processes personal data (order data) on behalf of the Client in compliance with the applicable data protection laws (applicable data protection legislation) and Atlanto’s own data protection provisions and terms of use. The term “data processing” includes any handling of personal information, such as collecting, recording, organizing, ordering, storing, adapting or modifying, reading out, querying, using, disclosing through transmission, disseminating or other forms of supplying, comparing or linking, restricting, archiving, deleting or destroying such data.
2. Subject Matter and Duration
a) Subject Matter, Type and Purpose:
Details of the Contractor’s services are set down in the contract concluded between the Contractor and the Client (hereinafter the “Contract”). The Contract comprises the Contractor’s conditions of use and data protection provisions. Unless stated otherwise in this Data Processing Agreement, the Contract describes the subject matter and duration of the order and the type and purpose of processing.
b) Types of Personal Data:
See non-exhaustive list in Annex A.
c) Categories of Data Subjects:
See non-exhaustive list in Annex A.
d) Duration:
Processing begins once this Agreement has been signed and continues for the period of the Contract unless more extensive obligations arise from the provisions of this Annex.
e) Termination:
The Client may terminate data processing at any time without notice if the Contractor commits a serious breach of the provisions of this Agreement, is unwilling or unable to carry out the Client’s contractual instructions or the Contractor, in breach of contract, fails to allow the Client to exercise its inspection rights.
f) Responsibility:
Within the scope of the contract processing, the Client shall be responsible for compliance with the applicable data protection law, in particular for the lawfulness of the data transfer to the Contractor and for the lawfulness of the data processing.
3. Obligations of the Contractor
a) Compliance with Instructions:
(i) The Contractor may use the order data solely for the services provided and must comply with the Client’s instructions for processing such data issued and documented in writing. The foregoing is without prejudice to any applicable legal obligations to the contrary (e.g. binding orders by the competent authorities), of which the Client shall be notified as soon as legally permissible. The Client shall name in writing to the Contractor at least one person authorized to issue instructions and receive deliveries. In the event of a change or long-term unavailability of the persons named, the successor or representative shall be named to the Contractor in writing without delay. Until the Contractor receives such notification from the Client, the previously designated persons shall continue to be deemed authorized to receive deliveries.
(ii) The Client’s right to issue instructions is specified by the present Agreement. Any instructions going beyond what is specified in this Agreement are binding for the Contractor only if they are necessary to comply with mandatory data protection requirements.
(iii) The Contractor must inform the Client if it is of the opinion that an instruction violates data protection provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.
b) Confidentiality:
The Contractor undertakes to treat order data confidentially and to make such data accessible only to persons who require access to it to perform their obligations. The Contractor must ensure that all persons with access to order data are bound by a statutory or contractual obligation to maintain confidentiality.
c) Place of Data Processing:
The Contractor processes and uses the order data in the EEA only. Order data may be processed outside said territory only with the Client’s written consent given on any durable medium and only in compliance with the applicable statutory provisions. In the event of authorized data disclosure to a party located in a country without an appropriate level of data protection, the Contractor undertakes to conclude a supplementary agreement with the Client based on the current EU standard contract clauses.
d) Record of Processing:
The Contractor must keep a record of all processing and hand it over to the Client on request. In addition, the Contractor must assist the Client in generating a record of the processing activities in relation to order data.
e) Obligation to Return or Erase Data:
(i) After termination of the main contract or at the Client’s request, the Contractor shall make available to the Client all documents and data provided or, at the Client’s request, delete them completely and irrevocably, unless a statutory retention period applies. This shall also apply to copies of Client Data at the Contractor’s premises, such as data backups, but not to documentation which serves as proof of the proper processing of the Client Data in accordance with the order. Such documentation shall be kept by the Contractor in accordance with the retention periods. The provision of the data in a machine-readable format chosen by the Client is possible after separate examination by the Contractor, if necessary for an additional fee.
(ii) The Contractor shall continue to treat the data of which it has become aware in connection with the main contract as confidential after the end of the main contract.
f) Data Protection Impact Assessment:
Where required by law or requested to do so, the Contractor must assist the Client in drawing up a data protection impact assessment to the extent required.
4. Data Security
a) Security Measures
The Contractor must take the technical and organizational measures (security measures) referred to in Annex B to protect the order data against unintended or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access and must maintain such measures to the extent required by the applicable data protection laws. Such security measures include those to encrypt personal information, to ensure the confidentiality, integrity, availability and resilience of the Contractor’s systems and services, timely restoration of order data after an incident, and periodic verification of the effectiveness of such measures.
b) Personnel
The Contractor must take suitable measures to ensure its employees, suppliers and subcontractors comply with the security measures to the extent applicable to their respective services, including ensuring that all persons authorized to process the order data undertake to maintain confidentiality or are bound to confidentiality by law.
c) State of the Art
Technical and organizational measures are subject to technical progress and further development. The Contractor shall ensure that the measures reflect the current state of the art.
d) Obligation of Notification:
The Contractor must inform the Client without delay whenever:
(i) the Contractor receives a request, summons or application for inspection or auditing from an authority in charge of supervising data processing, unless the Contractor is prohibited by law from disclosing such information;
(ii) the Contractor intends to disclose order data to an appropriate authority; or
(iii) the Contractor recognizes or suspects a breach of security of the order data, i.e. a security breach leading to the destruction, loss, modification or disclosure of and/or unauthorized access to personal data.
5. Subcontracting of data processing
If the Contractor engages subcontractors or freelancers from the EU/EEA who provide their services in the EU/EEA, prior written notification of the Client is required.
Prior written consent of the Client is required for the commissioning of subcontracted processors or freelancers who have their registered office outside the EU/EEA or who provide their services outside the EU/EEA. The Client may not arbitrarily refuse its consent. Refusal of consent shall constitute grounds for extraordinary termination.
For the sub-processors named in Annex C at the time of conclusion of the contract and their areas of responsibility, the Client’s consent shall in any case be deemed to have been given upon conclusion of the contract. The Contractor shall ensure that these sub-processors comply with the technical and organizational requirements in accordance with section 2 of Annex B in the same way as the Contractor itself.
6. Auditing Powers of the Client
a) Auditing Powers:
The Client is entitled to audit the Contractor’s compliance with its statutory and contractual obligations in relation to the processing of order data. The Client shall only carry out inspections to the extent necessary and shall show due consideration for the Contractor’s operating procedures. On-site inspections shall not be carried out if the Contractor can prove compliance with the data protection requirements in writing, e.g. by means of certificates or attestations.
b) External Auditor:
The Client may, in accordance with item 6(a) above, commission audits from an external expert auditor who is sworn to secrecy. The Client bears the costs of the external auditor in accordance with item 6(a). If the audit is brought about by a breach of this Agreement by the Contractor or if the audit reveals such a breach, the Contractor must bear the audit costs in full.
7. Support
a) Data Security, Data Security Breaches and Data Protection Impact Assessments:
The Contractor must provide the Client with full support in complying with the statutory obligations to provide adequate security, to report data security breaches and to conduct data protection impact assessments. As soon as the Contractor becomes aware of a breach of data protection in relation to order data or suspects that such a breach has occurred, it must inform the Client thereof without delay, but at the latest within 24 hours (see item 4(d)(iii) above). Moreover, the Contractor must take all necessary measures without delay to mitigate the consequences of the data protection breach. The Contractor must provide the Client with full support in developing and implementing a response plan for such breaches and, if so instructed, in informing the data subjects and/or competent authorities.
b) Rights of Data Subjects
If a data subject addresses a request to the Contractor in relation to data protection laws (e.g. a request for information or the erasure of data), the Contractor must forward the relevant request to the Client without delay. The Contractor must provide the Client with full support in processing such requests, including, if necessary, assistance with compiling the necessary data and information.
c) Obligation to Notify
The Contractor must notify the Client without delay of any audits or other measures taken by data protection supervisory authorities, courts or other authorities whenever such measures concern the order data or systems used for processing the order data. The Contractor must inform all government agencies and courts without delay that the Client is the controller of such data.
d) Data Protection Officer
The Contractor confirms that, insofar as a legal obligation to do so exists, it has appointed a data protection officer. The contact details of the data protection officer are:
Helvetia Versicherungen, Fachstelle Datenschutz
Steinengraben 41, 4052 Basel, Schweiz
8. Final Provisions
a) Applicable Law and Legal Venue
This Agreement shall be governed exclusively by Swiss law, excluding its conflict-of-law rules and international treaties, unless otherwise stipulated in the related agreement. Unless stipulated otherwise in the corresponding Set of Agreements, the exclusive place of jurisdiction for disputes is St. Gallen, Switzerland.
b) Severability Clause
In all other respects, the provisions of the Contract apply. Should the provisions of this Annex diverge from those of the Contract, the provisions of this Annex take precedence. Should any individual provisions of this Annex be invalid, that will not impair the validity of the remaining provisions of the Contract or the Annex.
c) Other
Annexes A, B and C form an integral part of this Data Processing Agreement.
Annex A to the Data Processing Agreement
Subject of the Order:
Processing of the Client’s personal data in connection with the latter’s utilization of the provider’s software as a service.
Type and Purpose of the Planned Data Processing:
The personal data processed by the Client is transferred to the Contractor in connection with the utilization of software as a service. The Contractor processes this data solely in accordance with the agreement concluded (e.g. order management, customer relationship management (CRM), accounting, e-banking, payroll accounting, inventory management, project management).
Type of Personal Data:
The type of data depends on the data transferred by the Client. It includes, in particular (depending on the relevant order):
- Order management data
- Contact management data
- Accounting data
- E-banking data
- Payroll data
- Warehouse management data
- Project management data
Categories of Data Subjects:
The categories of data subjects depend on the services received and the data transferred by the Client. They include, in particular (depending on order):
- the Client’s employees (including applicants and former employees)
- the Client’s customers
- the Client’s interested parties
- the Client’s service providers
- details of contact persons
Erasure, Blocking and Rectification of Data:
Requests for the erasure, blocking or rectification of data must be addressed to the Client; in all other respects the provisions of the Contract apply.
Annex B: Technical and Organizational Measures (TOMs)
1 General
Depending on the Atlanto information classification, adequate Technical and Organizational Measures (TOMs) must be applied.
- The TOMs described in this document apply exclusively to information classified by Atlanto as “public” or “internal”.
- Where information classified by Atlanto as “confidential” or “secret” must additionally be handled by the external partner, the TOMs for Atlanto “confidential” or “secret” classified information must be taken as the basis for compliance.
2 Technical and Organizational Measures
The external partner must ensure that the following TOMs are established:
- Systems on which Atlanto data is stored are secure.
- Follow industry security best practice for system configuration.
- Detection, prevention, and recovery controls to protect against malware are implemented.
- Network security through limitation and control of network ports, protocols and services is implemented.
- Unauthorized access to data processing systems on which Atlanto data are processed is prevented.
- Protect access to information with physical and logical access control measures.
- Identify and authenticate users before access to Atlanto data is granted.
- Establish procedures to actively manage the life cycle of user, system, and application accounts: their creation, use, dormancy, and deletion.
- Ensure that the persons authorized to use the data processing procedures can only access the Atlanto data subject to their access authorization.
- Authorize users through role-based access control, following least-privilege and need-to-know principles.
- Minimize administrative privileges and only use administrative accounts when they are required.
- Atlanto data cannot be read, copied, altered, or removed by unauthorized persons during electronic transmission or during transport or storage on a data carrier:
  - Information in transit or transport is protected by encryption.
  - Ensure that it is verifiable and ascertainable to which points data is transmitted from Atlanto by means of data transmission equipment.
- Ensure that whether and by whom Atlanto data have been input, modified, or removed in data processing systems is verifiable and ascertainable:
  - Log information is stored according to legal requirements.
- Atlanto data is protected against accidental destruction or loss:
  - Establish a backup plan for information backup.
  - Establish a restore plan and test it regularly.
- Ensure that data collected for different purposes can be processed separately.
- Atlanto data is securely disposed of when no longer required, using formal procedures.
3 Organizational Measures
The external partner must ensure that the following requirements are met:
- Management responsibilities and procedures are established:
  - to evaluate possible threats, their impact on the business and the protective measures;
  - to ensure a quick, effective, and orderly response to information security incidents.
- Employees and all other persons involved in the processing of Atlanto data are carefully and appropriately selected, instructed, and monitored.
- Appropriate data protection and confidentiality obligations are implemented, reviewed, and enforced in accordance with instructions.
- Employees and other persons involved in the processing of Atlanto data are regularly trained in data protection.
4 Effectiveness of Technical and Organizational Measures
- The external partner shall ensure regular checks and evaluations of the effectiveness of the technical and organizational measures:
  - Establish procedures to verify the effectiveness of vulnerability and patch management.
  - Establish management responsibilities and procedures to regularly review the implemented information security measures for improvement.
- The external partner shall document the results of these audits and remedy the deficiencies identified immediately and appropriately.
Annex C: Sub-Processor
| Company’s name, address | Description of service |
|---|---|
| Institut für Jungunternehmen AG, Schützengasse 10, 9000 St. Gallen, Switzerland | Creation of website and platform content, issue of licences and consulting in relation to the Business Planner. |
| Comitas AG, Wiesenstrasse 8/5, 8952 Schlieren, Switzerland | Provision of IT services, including software and platform development, software operation, including maintenance and ongoing development of the platform, responsibility for technical integration, end-customer support for the platform. |
| Helvetia Schweizerische Versicherungsgesellschaft AG, Dufourstrasse 40, 9001 St. Gallen, Switzerland | Provision of end-user support services around infrastructure and services. |
| Amazon Web Services EMEA SARL | Provision of cloud services. |
| Swisscom AG, Alten Tiefenaustrasse 6, 3050 Bern | Provision of backup. |