DATA PROCESSING AGREEMENT (DPA)  

Version 01 November 2023 

“Customer” or “Controller”:  

“Contractor” or “Processor”:  

Pelt8 AG, Butzenstrasse 1, 8038 Zurich  

each a “Party”, together the “Parties”  

  1. PREAMBLE AND SCOPE  

The Parties have concluded one or more agreements (“Contract” or “Contracts”; see Annex 1) in which the Contractor acts as service provider to the Customer or its customers.  
The provision of the services pursuant to the Contract by the Contractor may qualify as processing of personal data within the meaning of data protection law. Insofar as the Contractor processes personal data of the Customer or its customers ("Personal Data") within the scope of the collaboration as Processor or sub-processor, this data processing agreement ("DPA" or "Agreement") shall supplement the Contract and specify the obligations of the Parties regarding data protection. The Applicable Data Protection Law is the Swiss Data Protection Act and the European General Data Protection Regulation (GDPR), if and to the extent applicable ("Applicable Data Protection Law").  
The Customer commits to ensuring that its collection and processing of Customer Data through the Software (the "Software") complies with applicable data protection law and is conducted lawfully. Where another Licensed Company acts as data controller for Customer Data, the Customer shall be considered a data processor, with the Contractor acting as sub-processor. In such cases, the Customer shall ensure that the provisions of this Annex 3 are consistent with its agreement with that Licensed Company. 
  2. SUBJECT, TERM, TYPE AND PURPOSE OF THE AGREEMENT 

The subject of the Agreement as well as the type and purpose of the processing derives from the Contract which is referenced in Annex 1. This Agreement shall come into force upon mutual signature of the Parties.  

The term of this Agreement shall conform with the term of the Contract (or with the last active Contract in the case of several Contracts) between the Customer and the Contractor under which the Contractor shall process Personal Data for the Customer provided that no obligations beyond this arise from the provisions of this Agreement. In addition, the DPA shall automatically end when the Contractor no longer processes any Personal Data for the Customer pursuant to the Contract or upon termination of the (last active) Contract.  

The possibility of termination for good cause with immediate effect shall remain reserved. Good cause shall include, in particular, a repeated or serious breach by one Party of the provisions of the Contract, this DPA or Applicable Data Protection Law. The extraordinary right of termination pursuant to Section 10 shall likewise permit termination without notice. Termination of this Agreement with immediate effect shall also entitle the Customer to terminate the Contract without notice.  

If the type of processed Personal Data, the type and the purpose of the Personal Data processing as well as the categories of data subjects affected by the processing are not already derived from the respective Contract, they shall be listed in one or more annexes to this Agreement.  

  3. SCOPE AND RIGHT TO ISSUE INSTRUCTIONS 

The Contractor shall process Personal Data exclusively for the intended purpose in accordance with the respective Contract or the documented instructions of the Customer.  

As a rule, instructions shall be given in text form (i.e., in writing, by e-mail or in a documented electronic format). Verbal instructions shall be confirmed immediately in writing or in a documented electronic format. The Customer shall be responsible for providing evidence of the complete documentation.  

The Contractor shall inform the Customer without delay if it is of the opinion that an instruction violates applicable data protection law. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer.  

Notifications to the authorities or to data subjects regarding data protection violations and infringements may only be carried out by the Contractor itself after prior instruction by the Customer. Any deviating obligations of applicable law (e.g. binding decrees of competent authorities) shall remain reserved; the Customer must be informed of these in a timely manner, provided this is legally permissible.  

  4. DATA SECURITY

The Contractor shall take suitable technical and organizational measures (TOM) in accordance with Annex 2 to shape, check and adjust its in-house organization on an ongoing basis within its area of responsibility, so that it can provide an appropriate level of data protection in accordance with Applicable Data Protection Law, including, where applicable, Art. 32 GDPR, and protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.  

In the process, the Contractor shall take account of the state of the art, the implementation costs as well as the type, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the severity of the risk for the rights and freedoms of the data subjects.  

The measures are subject to technical progress and further development. Alternative or additional measures may be implemented provided that the level of protection does not fall below that provided by the specified measures.  

  5. CONFIDENTIALITY 

The Contractor undertakes to treat Personal Data obtained under the Contract or this DPA as confidential and to make it available only to persons who need access to the Personal Data in order to perform their duties towards the Contractor.  

The Contractor shall ensure that the persons authorized to process the Personal Data are obliged to maintain confidentiality/secrecy to the extent that they are not subject to a statutory duty of confidentiality. Employees and other persons working for the Contractor who deal with relevant Personal Data shall be forbidden to process such Personal Data outside this Contract and this DPA.  

The confidentiality/secrecy obligation shall continue for a period of five years after termination of this DPA.  

  6. CONTACT PERSONS 

The Parties shall each disclose in Annex 1 a contact person for all data protection matters; a data protection officer shall also be identified in cases where this is mandatory.  

  7. RIGHTS OF THE DATA SUBJECTS 

If a data subject contacts the Contractor directly with a request for correction, deletion or information, or with any other claim concerning Personal Data, the Contractor shall immediately forward the request to the Customer, provided the request can be assigned to the Customer based on the information supplied by the data subject.  

The Contractor shall support the Customer, while taking account of the type of processing with suitable technical and organizational measures, to meet its obligation to answer enquiries from data subjects regarding their rights in accordance with Applicable Data Protection Law.  

The Contractor's support obligations towards the Customer pursuant to this Section 7 shall be performed free of charge. The Parties may agree on a remuneration arrangement for further support services.  

  8. DATA PROTECTION BREACHES  

The Contractor shall immediately inform the Customer if:  

(i) the Contractor or a sub-processor determines or suspects that a data protection breach has occurred. Such information must be delivered in accordance with Applicable Data Protection Law (including the type, scope and extent of the breach) so that the Customer is able to fulfil any reporting obligation towards the competent data protection authority and/or the data subjects under Applicable Data Protection Law;  

(ii) the Personal Data must be passed on to a competent authority; or  

(iii) an enquiry, subpoena or application to view or check the processing is received from a competent authority, unless the law prohibits the Customer from being notified.  

If a data protection breach occurs on the Contractor's or on a sub-processor's premises, the Contractor shall take reasonable measures at its own cost to identify the cause of the breach, to ensure that the Personal Data is protected and to reduce the likelihood of negative consequences for the data subjects. The Contractor's support obligations towards the Customer pursuant to this Section 8 shall be performed free of charge. The Parties may agree on a remuneration arrangement for further support services. 

  9. RETURN AND ERASURE OF PERSONAL DATA 

The Contractor shall return all data, data carriers and other materials to the Customer immediately upon the Customer's first instruction. The Contractor may not retain Personal Data for longer than is necessary for the fulfillment of its obligations under the Contract, provided that no legal obligation to retain Personal Data exists to the contrary.  

Upon termination of the Contract, the Personal Data received under the Contract or this DPA shall either be surrendered to the Customer or deleted in accordance with the contractual provisions; if such a provision is missing, the Personal Data shall, at the Customer's discretion, either be surrendered to the Customer with existing copies deleted, or be deleted, unless the Contractor is required by law to retain or store the Personal Data. Until deletion or surrender, the Contractor shall continue to ensure compliance with this DPA.  

The Contractor is entitled to use anonymized and aggregated data, from which individual data subjects cannot be identified, even after the termination of this Agreement, exclusively for the purpose of improving the Software, enhancing its features and optimizing its performance, in strict compliance with this DPA, the GDPR and all relevant data protection regulations. The Contractor shall ensure, in accordance with this DPA and applicable data protection law, that the data provided by the Customer is anonymized at the source and in a manner that completely prevents the identification of the data's origin by any party, including the Contractor itself. 

  10. INVOLVEMENT OF SUB-PROCESSORS AND CLOUD SERVICES 

The Contractor hereby receives prior general written permission to involve sub-processors and Cloud Services in the processing of Personal Data. Insofar as the permitted sub-processors are not already specified in the Contract, they shall be listed in Annex 1. The list of sub-processors and Cloud Services shall be kept up to date on an ongoing basis.  

The Contractor may add or replace sub-processors and Cloud Services at its discretion. The Customer shall be informed in advance of any planned amendment to the list of sub-processors and Cloud Services with a reasonable notice period. If the Customer has an objectively compelling reason under Applicable Data Protection Law, it shall be entitled, within twenty days of being notified by the Contractor, to object to the processing of Personal Data by the new sub-processor or Cloud Service. If no objection is raised within this period, the new sub-processor or Cloud Service shall be deemed accepted by the Customer. If there is an objectively compelling reason under Applicable Data Protection Law and a mutually agreeable solution cannot be found between the Parties, the Contractor shall be granted a special right of termination (right to terminate without notice).  

The Contractor shall be obliged to conclude the necessary agreements with the sub-processor or Cloud Service provider in order to ensure that the sub-processor is subject to the same obligations as those incumbent on the Contractor under this DPA and the respective Contract.  

The Contractor shall be obliged to provide the Customer, upon the Customer's request, with information about the essential content of the agreement and the implementation of the data protection obligations by the sub-processor or Cloud Service provider. If the sub-processor does not meet its data protection obligations, the Contractor shall be liable only for the proper selection, instruction and supervision of the third party.  

Upon request, Contractor shall provide the Customer with a copy of its agreement(s) with Sub-processors (including the appropriate safeguards, if any) to the extent necessary to enable the Customer to verify Contractor’s compliance with this Agreement. 

  11. DOCUMENTATION, PROCESSING INVENTORY 

Each Party shall be responsible for observing its documentation obligations, in particular the record of processing activities, insofar as this is required by Applicable Data Protection Law.  

Each Party shall support the other in a reasonable manner while fulfilling its documentation obligations, including the provision of information which the other Party requires from it in an appropriate format (e.g. through the use of an electronic system) so that the other Party can meet its obligations in connection with the record of processing activities.  

  12. DATA PROTECTION IMPACT ASSESSMENT 

If the Customer is obliged under Applicable Data Protection Law to perform a data protection impact assessment or to consult a supervisory authority in advance, the Contractor shall, at the Customer's request, provide free of charge those documents that are generally available for the services under the respective Contract. Any additional support shall be mutually agreed between the Parties.  

  13. VERIFICATION OBLIGATIONS AND AUDIT RIGHTS 

The Contractor shall demonstrate its compliance with the obligations specified in this DPA to the Customer by suitable means. The Customer shall be entitled to verify compliance with the statutory or contractual obligations relating to the processing of Personal Data by means of inspections or audits, either itself or through auditors appointed by it (who shall be bound to strict confidentiality for the protection of the Contractor and shall not be in a direct competitive relationship with the Contractor), if:  

(i) the Contractor does not provide sufficient verification of its observance of the technical and organizational measures for the protection of the systems and processing operations used;  

(ii) there has been a breach of the protection of Personal Data;  

(iii) a check is officially requested by a supervisory authority of the Customer; or  

(iv) the Customer has a direct audit right under mandatory Applicable Data Protection Law.  

The Contractor shall be obliged to cooperate appropriately in an audit. The Parties shall agree in advance on the time, duration, and subject of the audits and on applicable security and confidentiality provisions, unless an audit without prior notice appears necessary because otherwise the purpose of the audit would be jeopardized. The audit shall be conducted in such a way that no operational processes of the Contractor are unduly disturbed. Audits and inspections by the Customer shall generally be limited to a maximum of three working days per year.  

Each party shall bear any costs and expenses which it incurs in connection with the audit or the inspection itself. If the work takes longer than three working days, the Contractor may request remuneration from the Customer for support while carrying out an inspection or audit authorized by the Customer.  

If significant breaches of this DPA or shortcomings are detected while the Contractor is fulfilling its obligations within the scope of an audit or after presenting proof or reports, the Contractor shall immediately take suitable corrective measures at no extra cost.  

Information provided by the Contractor within the context of an audit shall be deemed as Pelt8 Confidential Information. 

  14. PLACE OF DATA PROCESSING 

The processing of the Personal Data shall take place in Switzerland, in a member state of the European Union (EU), in another state party to the Agreement on the European Economic Area (EEA), in a country with an adequate level of protection according to an adequacy decision of the European Commission or the Swiss Federal Data Protection and Information Commissioner, or in third countries. If Personal Data is processed in third countries, the Contractor shall implement additional appropriate legal, technical or organizational measures.  

  15. LIABILITY

The Contractor shall be liable to the Customer for culpable violations of this DPA. The liability of the Parties under this DPA shall be governed by the liability provisions of the GENERAL TERMS AND CONDITIONS (GTC).  

  16. FINAL PROVISIONS

16.1. Entire Agreement and contradictions 

16.2. Amendments 

Should one of the Parties come to the conclusion that this DPA no longer meets the requirements of the Applicable Data Protection Law, the Parties shall amend this DPA in good faith by mutual agreement.  

16.3. Written form 

This Agreement, its annexes and any amendments and supplements as well as all declarations of intent relevant to the Agreement and declarations on the exercise of rights, in particular notices of termination, reminders or setting of deadlines, must be made in writing. Signatures in electronic form (e.g. Skribble, DocuSign or AdobeSign or with an electronic scan of the signature), which are delivered by post, courier or e-mail, are equivalent to the written form. The counterpart so executed and delivered shall be deemed to have been duly executed and validly delivered and shall be valid and effective for all purposes.  

16.4. Notifications

Unless explicitly regulated otherwise, any notices required to exercise rights and obligations under this Agreement shall be issued in writing and transmitted by letter, or by e-mail with a subsequent confirmation letter or e-mail, to the address of the contracting Party specified on the front page of the Agreement or in the annex.  

16.5. Severability 

If individual provisions or parts of this Agreement, including its annexes, prove to be void or ineffective, the validity of the remaining parts of the Agreement shall not be affected. In such a case, the Parties shall amend the Agreement in such way that the purpose of the void or ineffective part is achieved to the fullest extent as possible.  

16.6. Assignment and Transfer

This Agreement may only be assigned or transferred to third parties upon prior written consent of the other Party; however, the consent may only be refused for good cause.  

16.7. Copies of the Agreement

This Agreement and all its annexes shall be executed in two copies and each Party shall receive one copy.  

16.8. Dispute resolution 

Both Parties shall attempt in good faith to reach an amicable solution to any disputes relating to this Agreement.  

16.9. Applicable law and place of jurisdiction  

If the Parties fail to resolve differences amicably despite respective efforts, legal proceedings shall be undertaken in accordance with the provisions in the respective Contract (applicable law and place of jurisdiction).  

  17. SIGNATURES 

Customer

Signature 

Name, function/title 

Date

Signature 

Name, function/title 

Date

Contractor

Signature 

Julian Osborne, CEO

Name, function/title 

Date

ANNEX 1 TO THE DATA PROCESSING AGREEMENT (DPA)  

Version 01 November 2023 

  1. CONTRACTUAL BASIS FOR THE PROCESSING IN ACCORDANCE WITH SECTION 1 OF THE DPA 

In accordance with Section 1 of the DPA, the Parties have concluded one or more Contracts in which the Contractor acts as service provider vis-a-vis the Customer or its customers, namely the STANDARD SUBSCRIPTION FORM for accessing the Pelt8 Software. 

  2. SCOPE, TYPE AND PURPOSE OF THE AGREEMENT IN ACCORDANCE WITH SECTION 2 OF THE DPA 

2.1. Subject, Nature and Purpose of Processing 

The subject, nature and purpose of data processing include:  

  • All data provided by the Customer to create sustainability reporting. 

  • Additionally, data related to Customer employees that is relevant for the maintenance of user accounts and their associated credentials. 

  • Information necessary for the creation and management of contractual relationships. 

2.2. Categories of Data Subjects 

The processing may involve the following categories of data subjects:  

  • Employees 

  • Suppliers 

  • Customers 

  • Users 

2.3. Categories of Data 

The categories of data may include:  

  • All data provided by the Customer to create sustainability reporting, including environmental, social and governance data, as well as any documentation required to ensure data accuracy. 

  • For users, contact information such as name, e-mail address, position and phone number, as well as organizational roles. 

  3. CONTACT PERSONS IN ACCORDANCE WITH SECTION 6 OF THE DPA

3.1. Contact person at the Customer / Reporting of data protection-related incidents

Data protection-related incidents must be reported by the Contractor to the Customer immediately after their discovery and without culpable delay. For this purpose, the Contractor shall inform the Customer's contact persons as indicated in the STANDARD SUBSCRIPTION FORM within normal business hours. 

3.2. Contact person at the Contractor  

Julian Osborne, CEO & Founder,

Butzenstrasse 1, 8038 Zurich,

Switzerland

Tel.: +41 79 373 92 24;

E-Mail: info@pelt8.com  

  4. LIST OF SUB-PROCESSORS IN ACCORDANCE WITH SECTION 10 OF THE DPA 

4.1. Infrastructure-necessary sub-processors 

The Customer agrees to the involvement of the companies below as infrastructure-necessary sub-processors/Cloud Service providers:  

Company: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland 

Service: Azure SQL Database, Azure Active Directory (Microsoft Entra ID) 

Processing location: EU data centre 

Data protection: Follows GDPR 

4.2. Feature specific Sub-Processors  

Some of the sub-processors/Cloud Services are only required for certain functionalities of the Software. The Customer agrees to the involvement of the companies below as feature-specific sub-processors/Cloud Service providers:  

Company: Brevo (formerly Sendinblue), 106 boulevard Haussmann, 75008 Paris, France 

Service: E-mail notifications 

Processing location: EU data centre 

Data protection: Follows GDPR 

4.3. Affiliate Sub-Processors   

To help deliver the Service, the Contractor engages Affiliates as sub-processors to assist with software development activities and the setting up of user accounts. 

Company: Pelt8 UK Ltd, c/o The Accountancy Partnership, Suite 5, 5th Floor, City Reach, 5 Greenwich View Place, London E14 9NN 

Service: Software development and setting up of Software users 

Processing location: European Economic Area (EEA) 

Data protection: Follows GDPR 

ANNEX 2 TO THE DATA PROCESSING AGREEMENT (DPA)  

Version 01 November 2023 

The following technical and organizational measures (TOM) are described in accordance with Section 4 of the DPA. The Contractor takes these measures in connection with the processing of Personal Data and the fulfilment of its obligations under the Contract, Article 7 DSG (Article 8 revDSG in conjunction with Article 2 ff. DSV) and, as far as applicable, Article 32 GDPR:  

  1. TECHNICAL MEASURES

Cybersecurity 

The Contractor is responsible for implementing cybersecurity measures to safeguard Personal Data against cyberattacks.  

These measures include, but are not limited to: 

  • Our development environments on Azure and GitHub require two-factor authentication for access and for making changes. 

  • All work computers run company-wide managed Bitdefender endpoint protection. 

  • Pushes to main branches on GitHub require code owner approval. 

  • Software updates are applied as required.

Encryption and Pseudonymisation 

The Contractor is responsible for implementing encryption and pseudonymisation, as recommended by the General Data Protection Regulation (GDPR), to protect Personal Data during processing.  

These measures include, but are not limited to: 

  • Data is stored in a SQL Server database that is not publicly accessible and requires Microsoft Entra ID authentication for access. 

  • Our backend is secured with JSON Web Tokens (JWT) issued via Microsoft Entra ID, which requires two-factor authentication. 

  • The database is encrypted at rest. 

  • Personal data is anonymised in our database; organisations and organisational units, however, are not anonymised. 

Physical Security 

The Contractor is responsible for establishing and maintaining robust physical security measures to protect access to offices and buildings.

Appropriate Disposal 

The Contractor is responsible for ensuring that physical and digital data carriers containing Personal Data are disposed of securely, so that retrieval of the data by unauthorised persons, whether intentional or unintentional, is impossible.  

Authentication 

The Contractor is responsible for adhering to an information security strategy that includes two-factor authentication (2FA) and certificate-based procedures, transport encryption via HTTPS (TLS) and additional authentication where required. 

Password policy requirements are technically enforced in the system. 

Access Rights 

Access to databases containing Personal Data is granted on a need-to-know basis. Blanket access for all employees is prohibited. 

  2. ORGANISATIONAL MEASURES 

Information Security Policies 

The Contractor is responsible for establishing information security policies tailored to its size and the nature of its processing activities. These policies shall guide data security practices. 

Business Continuity Plan 

The Contractor is responsible for maintaining a business continuity plan to ensure the backup and recovery of business data, including Personal Data, in case of incidents. 

Risk Assessments 

The Contractor is responsible for conducting risk assessments to identify and mitigate potential security risks associated with the processing of Personal Data. 

Other Policies and Procedures 

The Contractor is responsible for implementing and maintaining robust policies and procedures covering, among other things, clean desk policies, bring-your-own-device policies, remote work policies, data breach response, and data subject rights (DSR) procedures. 

Awareness & Training 

The Contractor is responsible for fostering a culture of security and data protection awareness among its employees. Regular training and awareness activities shall be conducted to ensure compliance with legal requirements. 

Reviews & Audits 

The Contractor is responsible for establishing controls and audit mechanisms to assess the effectiveness of its data security measures. Any deficiencies identified shall be corrected promptly. 

Due Diligence 

The Contractor is responsible for exercising due diligence in selecting sub-processors to ensure that appropriate TOMs are in place. Regular compliance checks with sub-processors shall also be conducted to ensure continued adherence to their obligations. 

  3. MODIFICATION AND CHANGES  

The Contractor is entitled to make changes to the security measures taken, provided that the contractually agreed level of protection is not reduced.