Data Processing Agreement (DPA)
Version: 10 April 2026
Introduction
This Data Processing Agreement ("DPA") specifies the obligations of the Parties with regard to the provisions of the Swiss Data Protection Act ("FADP") and, if applicable, the General Data Protection Regulation of the European Union ("EU GDPR"). In this respect, it supplements the contractual agreements ("Agreement") between Aion Technology AG, Alpenstrasse 16, 6300 Zug, Switzerland ("Aion Tech") and the Customer (as defined in the Agreement), in which Aion Tech acts as service provider vis-à-vis the Customer, and forms an integral part of the Agreement.
The terms used in this DPA are those defined in the FADP. The terms of the EU GDPR are to be used mutatis mutandis.
This DPA only applies insofar and to the extent that the following requirements are met:
The Customer is either the controller or processor within the scope of the FADP and/or, if applicable, the EU GDPR, and
the Customer engages Aion Tech under the Agreement as a processor or sub-processor for the processing of personal data covered by the scope of the FADP and/or, if applicable, the EU GDPR ("Personal Data").
For this purpose, the Parties enter into the following agreements.
1. Subject, duration, type and purpose of data processing
The subject, duration, type and purpose of the processing are generally set out in the Agreement. The categories of data subjects, the categories of Personal Data processed, the technical and organizational measures to be taken ("TOM") and other related topics are set out either in the Agreement or in the Annexes to this DPA.
2. Scope of application and responsibility
Aion Tech processes the Personal Data exclusively for the purpose of contract fulfilment or for the purposes specified in the Agreement and this DPA. The Customer is responsible for the lawfulness of the data processing as such, including the permissibility of the processing/sub-processing by Aion Tech.
The Customer’s instructions are documented in the Agreement and this DPA. The Customer has the right to issue Aion Tech with further instructions in writing at any time with regard to the processing of Personal Data. Aion Tech shall comply with these instructions if and to the extent that they can be implemented by Aion Tech within the scope of the contractually agreed services and are objectively reasonable. If such instructions lead to additional costs on the part of Aion Tech or a changed scope of services, such additional costs and contractual amendments shall be agreed in writing.
Aion Tech will inform the Customer immediately if it is of the opinion that an instruction violates the FADP or, if applicable, the EU GDPR. In this case, Aion Tech may suspend the implementation of the relevant instruction until it has been confirmed or amended by the Customer. The foregoing shall not apply to instructions issued by the Customer in connection with the granting of access authorizations or the disclosure of Personal Data to the Customer itself, and Aion Tech may assume at all times that such instructions are in compliance with the law. However, Aion Tech shall be entitled to demand corresponding written confirmations from the Customer.
3. Obligations of Aion Tech
Aion Tech shall process the Personal Data exclusively in accordance with the provisions of the Agreement and this DPA. The fulfilment of legal, regulatory or official obligations by Aion Tech remains reserved.
Annex 1 to this DPA includes a description of the processing activities at the time of conclusion of this DPA. Aion Tech shall make the current version available to the Customer upon request. In addition, Aion Tech shall, if legally obliged to do so, keep a register of processing activities in accordance with Art. 12 para. 1 FADP or, if applicable, Art. 30 para. 2 EU GDPR.
Aion Tech shall implement the TOM for the protection of Personal Data defined in Annex 2 to this DPA. Aion Tech may adapt the agreed TOM at any time provided that the agreed level of protection is not reduced.
Aion Tech shall ensure that the employees and other auxiliary persons of Aion Tech involved in the processing of the Personal Data are prohibited from processing the Personal Data for purposes other than those specified in the Agreement and this DPA or in a way which deviates herefrom. Furthermore, Aion Tech shall ensure that the persons authorized to process the Personal Data have undertaken to maintain confidentiality (in particular by means of a corresponding provision in the employment contract) and/or are subject to an appropriate statutory duty of confidentiality. The duty of confidentiality shall continue to apply after termination of the Agreement.
Aion Tech shall inform the Customer immediately if it becomes aware of any breaches of the protection of the Personal Data at Aion Tech or one of its sub-processors (data breach). In addition, Aion Tech shall inform the Customer in an appropriate manner about the nature and extent of the breach and possible remedial measures. The aforementioned information shall be provided in text form (e-mail sufficient). In such a case, the Parties shall take the necessary measures to ensure the protection of the Personal Data and to minimize possible adverse consequences for the data subjects concerned and the Parties and shall consult with each other immediately.
Aion Tech’s contact persons for data protection-related topics arising under the Agreement, the data protection advisor and the data protection officer in cases where this is required under Art. 37 EU GDPR, if applicable, are listed in Annex 1 to this DPA.
Aion Tech undertakes to support the Customer within the scope of its possibilities in the fulfilment of the rights of data subjects vis-à-vis the Customer in accordance with Chapter 4 of the FADP or, if applicable, Chapter III of the EU GDPR. In addition, Aion Tech may offer the Customer further support upon request and against separate remuneration agreed in advance (e.g. in connection with a data protection impact assessment, consultation with the supervisory authority, etc.).
Personal Data must be handed over to the Customer or deleted/anonymized after the end of the Agreement in accordance with the contractual provisions. Aion Tech shall use industry-standard procedures for the deletion/anonymization of Personal Data.
4. Obligations and duties of the Customer
The Customer shall independently implement appropriate technical and organizational measures to protect Personal Data in its area of responsibility (e.g. on its own systems, applications/environments under its operational responsibility).
The Customer must inform Aion Tech immediately if it discovers violations of data protection obligations in the provision of services by Aion Tech.
The Customer shall name to Aion Tech the contact person for data protection-related topics arising under the Agreement and, in cases where this is required under Art. 37 EU GDPR, the data protection officer.
5. Requests from data subjects
If a data subject contacts Aion Tech directly with a request for information, a request for rectification or deletion or other requests/claims relating to Personal Data, Aion Tech shall refer the data subject to the Customer, provided that an assignment to the Customer is possible according to the information provided by the data subject. The support of the Customer by Aion Tech in the event of requests from data subjects is governed by Section 3.
6. Verification options, reports and audits
Aion Tech is obliged to provide the Customer with appropriate information upon request in order to document compliance with the obligations under this DPA.
The Parties agree that Aion Tech may in principle prove compliance with this obligation by submitting corresponding certifications (in particular ISO 27001) or Aion Tech may provide the Customer with test or audit reports prepared by independent third parties for certain areas or confirmations of any certifications, etc. specifically mentioned in the Agreement. Mandatory statutory inspection rights (audits) of the Customer or its supervisory authorities remain reserved. In any case, the principle of reasonableness must be observed in the context of such audits and the interests of Aion Tech worthy of protection (in particular the confidentiality of data of other customers) must be adequately taken into account. Unless otherwise agreed, the Customer shall bear all costs of such audits (including proven reasonable internal costs incurred by Aion Tech in connection with the audit).
If, following the submission of evidence or reports or in the course of an audit, violations of this DPA or deficiencies in the implementation of Aion Tech’s obligations are identified, Aion Tech shall implement suitable corrective measures immediately and free of charge.
7. Engagement of sub-processors
Aion Tech is authorized to engage sub-processors. The current list of sub-processors engaged at the time of conclusion of this DPA can be found in Annex 3 to this DPA. Aion Tech shall inform the Customer in advance in text form (e-mail sufficient) if it engages new sub-processors or replaces existing sub-processors after this DPA comes into force. The Customer may object in writing to the appointment of a new sub-processor or the replacement of an existing sub-processor for important data protection reasons within a period of 30 days. If an important data protection reason is given and if it is not possible for the Parties to reach an amicable solution, the Customer has an extraordinary termination right in relation to the service affected by this.
Aion Tech shall enter into agreements with its sub-processors to the extent necessary to fulfil its obligations under this DPA.
8. Transfer abroad
Any disclosure of Personal Data by Aion Tech to a third country or to an international organization is only permitted if Aion Tech complies with the provisions of Art. 16 et seq. FADP or, if applicable, Chapter V of the EU GDPR. However, if such disclosure of Personal Data is requested by the Customer or is carried out on its behalf, compliance with the relevant provisions is the sole responsibility of the Customer.
9. Further provisions
This DPA enters into force together with the conclusion of the Agreement and is concluded for the duration of the Agreement, unless the provisions of this DPA result in longer-lasting obligations.
Notwithstanding any written form requirements in the Agreement, this DPA may also be amended in electronic form (e.g. an electronic file which contains a scan of the signature(s) or a signature with DocuSign, Skribble or any other provider of electronic signatures).
The obligations arising from this DPA apply in addition to the obligations set out in the Agreement and do not restrict the latter. In all other respects, the provisions of the Agreement shall continue to apply unchanged.
Annex 1 – Description of processing activities
Date: 10 April 2026
This Annex 1 describes the data processing performed by Aion Tech under the Data Processing Agreement (DPA) within the scope of the Agreement.
1. Details of Aion Tech
1.1 Contact details of Aion Tech (responsible recipient of instructions):
Aion Technology AG, Alpenstrasse 16, 6300 Zug, Switzerland
E-mail: info@aion-tech.ai
1.2 Contact details of Aion Tech’s contact person for data protection-related topics (at the same time the data protection advisor or data protection officer, respectively):
Aion Technology AG, Mr. Léon Noirclerc, Alpenstrasse 16, 6300 Zug, Switzerland
E-mail: l.noirclerc@aion-tech.ai
2. Data processing
2.1 General
Within the scope of the Agreement, the Customer will, at its own discretion and on its own behalf, provide Aion Tech with personal data and/or confidential data for processing.
2.2 Purpose of the processing
The personal data entrusted to Aion Tech by the Customer and the personal data arising therefrom shall be processed exclusively for the purpose of fulfilling the Agreement and related activities (including customer relationship management, invoicing, archiving, marketing).
2.3 Duration of the processing
At the end of the Agreement, the personal data will be deleted/anonymized within 6 months.
The deletion/anonymisation takes place provided that there are no longer statutory retention obligations or legitimate interests in relation to certain personal data.
2.4 Categories of data subjects
Aion Tech processes personal data related to:
☑ Internal or external employees/auxiliary persons of the Customer
☑ End customers of the Customer
☑ Internal or external employees/auxiliary persons of the Customer’s business customers
☑ End customers of the Customer’s business customers
☑ Internal or external employees/auxiliary persons of the Customer’s suppliers/partners
2.5 Categories of personal data
Aion Tech processes the following categories of personal data:
General personal data
Employee data
☑ Title, gender
☑ Surname
☑ First name
☐ Home address
☐ Town
☐ Country / Place of residence
☑ E-mail address
☑ Telephone number
☐ Date of birth
☐ Place of birth
☐ Age
☑ Nationality
☑ Language
☐ Marital status
☐ Profession
☐ Education
☑ IP address
☐ MAC address
☐ National Insurance (AHV) number
☐ Employee number
☐ Badge number
☐ Title/role
☐ Employee category
☐ Other contract-related data
☐ Working time arrangements
☐ Information regarding affiliation
☐ Information about relationships
☐ Information on qualifications
☐ Information on salary/holiday
☐ Staff deployment planning
☐ Performance profiles
Sensitive data / special categories
Customer data (clients)
☐ Social welfare measures
☐ Administrative or criminal proceedings
☐ Tax returns
☐ Income
☐ Contact history
☐ Contract details
☐ Payment details
☐ Claims data
2.6 Special statutory secrecy obligations
Aion Tech processes personal data as an auxiliary person of the Customer, which is additionally subject to a special statutory secrecy obligation:
☐ Official secrecy
☑ Bank client secrecy
☑ Professional secrecy (e.g. fiduciaries, tax experts, attorneys)
3. Place of data processing
3.1 Place of processing of personal data
The personal data is primarily processed in Switzerland and in the EU/EEA. All countries, including those outside the EU/EEA (if any), are listed in Annex 3 (Sub-processors).
3.2 Guarantees in the case of data processing outside the EU/EEA
Aion Tech shall ensure adequate protection of the personal data when processing them outside the EU/EEA by concluding data processing agreements with the relevant sub-processors, in which these sub-processors are obliged to take sufficient technical and organizational measures to protect the personal data processed and to ensure data security appropriate to the risk and which data processing agreements contain the EU standard contractual clauses (SCC).
3.3 Disclosure of personal data to sub-processors
The third parties listed in Annex 3 have access to and process personal data as sub-processors or personal data is disclosed to these third parties.
4. Notification of data protection breaches
Aion Tech shall notify the Customer immediately if Aion Tech becomes aware of a breach of the protection of personal data that leads or threatens to lead in particular to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data. The notification shall be made in text form (e-mail sufficient) and, if necessary, additionally by telephone to the Customer’s known contact persons.
Annex 2 – Technical and organisational measures (TOM)
Date: 10 April 2026
This Annex 2 describes the technical and organisational measures which are implemented by Aion Tech under the Data Processing Agreement (DPA) within the scope of the Agreement to protect the personal data processed and to ensure data security appropriate to the risk (Art. 8 FADP and Art. 3 Data Protection Ordinance/DPO as well as Art. 32 (1) EU-GDPR).
The technical and organisational measures are subject to technical progress and constant further development. Alternative or additional measures may be implemented, provided that the agreed level of protection is not reduced.
This Annex 2 includes the description of the technical and organisational measures that Aion Tech itself has taken as well as some of the measures implemented by its sub-processors (see Annex 3). Aion Tech has contractually obligated its sub-processors to take appropriate technical and organisational measures on their side. Thus, additional technical and organisational measures implemented by Aion Tech’s sub-processors may apply. The description of these additional technical and organisational measures can be found in the corresponding documentation of the sub-processors. Upon request, Aion Tech will provide the Customer with corresponding information.
1. Entry control (Zutrittskontrolle)
Measures suitable for preventing unauthorised persons from entering facilities in which personal data are processed (processing facilities).
Note: Aion Tech operates a purely cloud-based infrastructure with no proprietary physical premises, server rooms, or data centres. Physical entry controls are implemented by Aion Tech’s infrastructure sub-processors (see Annex 3). Aion Tech has contractually obligated these sub-processors to maintain appropriate physical security measures. Details of the sub-processors’ physical security measures can be provided upon request.
2. Access control (Zugangskontrolle)
Measures suitable for preventing the use of data processing systems (e.g. computers) by unauthorised persons.
Aion Tech shall ensure this through the following measures:
| Technical measures | Organisational measures |
| --- | --- |
| ☑ Login with credentials (e.g. user name and password) | ☑ Manage user permissions |
| ☑ Anti-Virus Software Server | ☑ Central password assignment |
| ☑ Anti-Virus Software Clients | ☑ Password policy ("secure password") |
| ☑ Anti-virus software mobile devices | ☑ General guideline "Data protection and security" |
| ☑ Firewall | ☑ Mobile Device Policy |
| ☑ Intrusion detection systems | ☑ Creating user profiles |
| ☑ Mobile Device Management | |
| ☑ Use VPN for remote access | |
| ☑ Encryption of data carriers | |
| ☑ Encryption of smartphones | |
| ☑ Housing lock | |
| ☑ BIOS protection (separate password) | |
| ☑ Locking external interfaces (USB) | |
| ☑ Automatic locking mechanisms (e.g. desktop lock) | |
| ☑ Encryption of notebooks / tablets | |
| ☑ Two-factor authentication | |

3. Access control (Zugriffskontrolle)
Measures suitable for limiting the access of persons authorised to use a data processing system exclusively to the personal data subject to their access authorisation and for preventing the reading, copying, modification or removal of personal data by unauthorised persons.
Aion Tech shall ensure this through the following measures:
| Technical measures | Organisational measures |
| --- | --- |
| ☑ Physical deletion of data carriers | ☑ Authorisation concept |
| ☑ Access logging | ☑ Minimum number of administrators |
| ☑ Standard authorisation profiles on a "need to know" basis | ☑ Safe for data storage |
| ☑ Data protection-compliant disposal of data media | ☑ Management of user rights through administrators |
| ☑ Secure storage of storage media | ☑ Periodic check of the assigned authorisations |
| ☑ Data protection compliant reuse of storage media | ☑ Standard process for authorisation allocation |

4. Transfer and transmission control
Measures suitable for preventing the unauthorised reading, copying, modification or removal of personal data during electronic transmission or during its transport.
Aion Tech shall ensure this through the following measures:
Technical measures
☑ Logging of accesses and retrievals
☑ Safe transport containers
☑ Provision via encrypted connections such as sftp, https
☑ Use of electronic signature procedures
☑ File encryption
☑ Encryption of data carriers
5. Input control (Eingabekontrolle)
Measures suitable to enable the verification and determination of whether, by whom and when which personal data have been entered, modified or removed in data processing systems.
Aion Tech shall ensure this through the following measures:
| Technical measures | Organisational measures |
| --- | --- |
| ☑ Technical logging of the entry, modification and deletion / anonymisation of data | ☑ Overview of which programmes can be used to enter, modify or delete which data |
| ☑ Manual or automated control of the logs | ☑ Traceability of entry, modification and deletion / anonymisation of data through individual user names (not user groups) |
| ☑ Document management | ☑ Allocation of rights to enter, modify and delete data on the basis of an authorisation concept |
| | ☑ Retention of forms from which data have been transferred to automated processing operations |
| | ☑ Clear responsibilities for deletions / anonymisations |
| | ☑ Deletion / anonymisation concept |

6. Order control
Measures suitable to ensure that the processing of personal data by third parties (sub-processors) only takes place in accordance with the Customer’s instructions.
Aion Tech shall ensure this through the following measures:
Organisational measures
☑ Prior review of the security measures taken by the sub-processor and their documentation (e.g. ISO certification, ISMS)
☑ Careful selection of the sub-processor (with regard to data protection and data security) and assignment of the relevant responsibilities
☑ Conclusion of the necessary data processing agreement with the sub-processor (incl. in the form of the EU standard contractual clauses, if required)
☑ Obligation of the sub-processor's employees to data protection (incl. data secrecy)
☑ Obligation to appoint a data protection officer by the sub-processor if the corresponding duty exists
☑ Regulation on the involvement of further sub-processors
☑ Ensuring the destruction or return of data after completion of the contractual relationship
☑ In case of longer cooperation: Ongoing review of the sub-processor and its level of protection
7. Availability control (Verfügbarkeitskontrolle)
Measures suitable to protect the personal data against accidental or deliberate destruction or loss.
Aion Tech shall ensure this through the following measures:
| Technical measures | Organisational measures |
| --- | --- |
| ☑ Fire and smoke detection systems | ☑ Backup & recovery concept (online/offline, on-site/off-site) |
| ☑ Fire extinguisher server room | ☑ Checking the backup process |
| ☑ Server room monitoring temperature and humidity | ☑ Regular data recovery tests and logging of results |
| ☑ Server room air conditioned | ☑ Storing the backup media in a safe place outside the server room |
| ☑ Uninterruptible power supply (UPS) | ☑ No sanitary connections in or above the server room |
| ☑ Protective socket strips server room | ☑ Reporting channels and emergency plan |
| ☑ Data protection safe | ☑ Multi-level backup concept with encrypted outsourcing of backups |
| ☑ RAID system / hard disk mirroring | ☑ Security checks at infrastructure and application level |
| ☑ Video surveillance server room | ☑ Standard processes in the event of employee change / leaving |
| ☑ Alarm message in case of unauthorised access | |
| ☑ Virus protection (incl. regular updating) | |
| ☑ Firewall (incl. regular updating) | |
| ☑ Separate partitions for operating systems and data | |

8. Separability (Trennbarkeit)
Measures suitable to ensure the separate processing of personal data collected for different purposes.
Aion Tech shall ensure this through the following measures:
| Technical measures | Organisational measures |
| --- | --- |
| ☑ Separation of productive and test environment | ☑ Control via authorisation concept |
| ☑ Physical separation (systems / databases / data carriers) | ☑ Setting database rights |
| ☑ Multi-client capability of relevant applications | ☑ Providing records with purpose attributes / data fields |

9. Review, assessment and evaluation
Establishment of procedures to regularly review, assess and evaluate the effectiveness of technical and organisational measures to ensure the security of processing.
Data protection management:
| Technical measures | Organisational measures |
| --- | --- |
| ☑ Use of software solutions for data protection management | ☑ Internal / external Data Protection Officer (DPO) and external data protection representative (EU) |
| ☑ Central documentation of all procedures and regulations on data protection | ☑ Employee training in the area of data protection and security |
| ☑ Security certification according to ISO 27001, BSI IT-Grundschutz or ISIS12 | ☑ Regular sensitisation of employees (at least once a year) |
| ☑ Documented security concept | ☑ Internal / external Information Security Officer (ISO) |
| ☑ Regularly checking the effectiveness of the technical protective measures | ☑ Carrying out a data protection impact assessment (DPIA) if required |
| | ☑ Compliance with the information requirements pursuant to Art. 13 and 14 EU-GDPR |
| | ☑ Formalised process for handling requests from data subjects |
| | ☑ Commitment of employees to confidentiality and data protection |

Incident response management:
| Technical measures | Organisational measures |
| --- | --- |
| ☑ Firewall (incl. regular updating) | ☑ Documented process for detection and reporting of security incidents / data breaches |
| ☑ Spam filter (incl. regular updating) | ☑ Documented procedure for handling security incidents |
| ☑ Virus protection (incl. regular updating) | ☑ Integration of the DPO and the data protection representative (EU) in security incidents |
| ☑ Intrusion Detection System (IDS) | ☑ Documentation of security incidents and data breaches |
| ☑ Intrusion Prevention System (IPS) | ☑ Process and responsibilities for follow-up on security incidents and data breaches |

Data protection-friendly default settings (Privacy by Design / Privacy by Default):
| Technical measures | Organisational measures |
| --- | --- |
| ☑ No collection of more personal data than necessary for the respective purpose | ☑ Definition of the role for Privacy/Security by Design and Privacy/Security by Default in projects |
| ☑ Simple possibility to exercise the right of withdrawal by data subjects by means of technical measures | ☑ Sensitization of the relevant employees on Privacy/Security by Design and Privacy/Security by Default |

Annex 3 – Sub-processors
Date: 10 April 2026
This Annex 3 lists the sub-processors engaged by Aion Tech. The engagement of new sub-processors and the replacement of existing sub-processors shall be governed by the provisions of the Data Processing Agreement (DPA).
Infrastructure & Hosting
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting, storage, backups | Account data, application data, logs | EU | Data processing agreement; EU adequacy decision / Swiss adequacy decision (EDOB) |
| Google Cloud Platform | Infrastructure & storage | Application data, logs | EU | Data processing agreement; EU adequacy decision / Swiss adequacy decision (EDOB) |
| Microsoft Azure | Cloud infrastructure | Application data, logs | EU | Data processing agreement; EU adequacy decision / Swiss adequacy decision (EDOB) |
| Cloudflare | CDN, DNS, DDoS protection, security | IP address, traffic data, security logs | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |

Authentication & Backend
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Supabase | User authentication & database services | User credentials, account data, tokens | EU | Data processing agreement; EU adequacy decision / Swiss adequacy decision (EDOB) |

Communications
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Brevo | Transactional & marketing emails | Email address, communication content, engagement data | EU | Data processing agreement; EU adequacy decision / Swiss adequacy decision (EDOB) |

Analytics & Product Improvement
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Google Analytics | Website & product analytics | Usage data, device data, IP address | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Google Tag Manager | Tag management | Tracking & usage data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Mixpanel | Product analytics | User identifiers, event data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Amplitude | Product analytics | Usage data, event tracking | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Hotjar | Heatmaps & session insights | Usage data, session recordings (excluding sensitive fields) | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |

Advertising & Retargeting
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Meta (Facebook & Instagram Ads) | Advertising & retargeting | Cookie data, device data, hashed identifiers | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Google Ads | Advertising & remarketing | Cookie data, usage data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| LinkedIn Ads | B2B advertising | Device data, tracking data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| TikTok Ads | Advertising | Device data, tracking data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |

Customer Support & CRM
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Intercom | Customer messaging & support | Contact data, communications, usage data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Zendesk | Support ticketing | Contact information, support communications | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| HubSpot | CRM & marketing automation | Contact data, communication history | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Freshdesk | Customer support | Support communications, contact data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Tawk.to | Website chat widget | Chat communications, IP address | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |

Monitoring & Security
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Sentry | Error monitoring | Log data, limited user identifiers | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Datadog | Infrastructure monitoring | Log data, performance metrics | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| New Relic | Application performance monitoring | Telemetry & performance data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| LogRocket | Session replay & debugging | Usage data, session recordings (excluding sensitive inputs) | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| CrowdStrike | Security monitoring | Security event data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |

AI & Machine Learning Providers
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| OpenAI | AI model processing | User inputs and outputs | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Anthropic | AI model processing | User inputs and outputs | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Azure OpenAI | AI model hosting & processing | User inputs and outputs | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Google Vertex AI | AI services | User inputs and outputs | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
| Hugging Face | ML model inference | User inputs for inference | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |

Marketing Website
| Sub-processor | Purpose | Personal data processed | Place of processing | Guarantees under FADP and EU-GDPR |
| --- | --- | --- | --- | --- |
| Framer | Website hosting & publishing | Visitor analytics, contact form data | Global | Data processing agreement; EU standard contractual clauses (SCC); Swiss adequacy assessment |
