Data Processing Agreement (DPA)

Version 01 July 2024 

This Data Processing Agreement ("DATA PROCESSING AGREEMENT", "DPA", or “Agreement”) governs the data processing relationship between Pelt8 ("Pelt8", "Provider", or “Contractor”) and its the users, including all users accessing the tool, including test users, paying customers as well Pelt8 Impact Program Partners (hereinafter referred to as the “User”, "Customer", “Controller”, “Impact Partner”) for the use and access of the software or platform (the "Pelt8 Platform", or “Software”) developed by Pelt8.  

All Terms (the “Terms”) in this Agreement, unless specifically expressed otherwise, shall apply to the Pelt8 Platform, unless explicitly mentioned otherwise in the STANDARD SUBSCRIPTION FORM or any additional signed agreement between the parties.  

By signing onto Pelt8 or using the platform, the User unequivocally acknowledges the following provisions without reservation. 

The Provider reserves the right to make subsequent amendments or additions to the Agreement. These amendments or additions become part of the Agreement unless the User objects within 14 days of becoming aware.  

The current version is of the Agreement is published on the Provider's website (https://www.pelt8.com/legal/data-processing-agreement).  

  1. AGREEMENT 

The provision of the services pursuant to the Contract by the Contractor may qualify as processing of personal data within the meaning of data protection law.  
Insofar as the Contractor processes personal data of the Customer or its customers ("Personal Data") within the scope of the collaboration as Processor or sub-processor in compliance with the respective Applicable Data Protection Law, this data processing agreement shall supplement the Contract and specifies the obligations of the Parties regarding data protection.  
The Applicable Data Protection Law is the Swiss Data Protection Act and the European General Data Protection Regulation (GDPR), if and to the extent applicable (“Applicable Data Protection Law”).  
The Customer commits to ensuring that its collection and processing of Customer Data through the Software (the “Software”) adhere to applicable data protection laws and are conducted lawfully.  
In cases where another Licensed Company acts as a data controller for Customer Data, the Customer will be considered a data processor, with the Contractor acting as a “Subprocessor”. In such instances, the Customer shall ensure that the provisions are consistent with its agreement with said Licensed Company. 

  1. SUBJECT, TERM, TYPE AND PURPOSE OF THE AGREEMENT  

The subject of this Agreement and its related services are defined in the GENERAL TERMS AND CONDITIONS (GTC) of the Contractor; the current version is published on the Contractor 's website (https://www.pelt8.com/legal/general-terms-and-conditions). 

By signing onto Pelt8 or using the platform, this Agreement shall become effective. The term of this Agreement shall conform with the term of the STANDARD SUBSCRIPTION FORM (or with the last active Contract in the case of several Contracts) between the Customer and the Contractor under which the Contractor shall process Personal Data for the Customer provided that no obligations beyond this arise from the provisions of this Agreement. In addition, the DPA shall automatically end when the Contractor no longer processes any Personal Data for the Customer pursuant to the Contract or upon termination of the (last active) contract. 

The possibility of termination for good cause with immediate effect shall remain reserved. Good cause shall include, in particular, a repeated or serious breach by one Party of the provisions of the Contract, this DPA or of Applicable Data Protection Law. The extraordinary right of termination pursuant to Section 10 shall also entitle to termination without notice. Termination of this Agreement with immediate effect shall also entitle the Customer to terminate the Contract without notice.   

  1. NATURE, SUBJECT AND CATEGORIES OF DATA 

  1. Nature of Data 

Nature and Purpose of data processing include:  

  • All data provided by the Customer to create sustainability reporting. 

  • Additionally, data related to Customer employees that is relevant for the maintenance of user accounts and their associated credentials. 

  • Information necessary for the creation and management of contractual relationships with the Customer. 

  1. Data Subjects  

The processing may involve the following categories of data subjects: 

  • Users & Customers 

  • Employees 

  • Suppliers 

  • Partners 

  • Contractors 

  1. Data Categories  

The categories of data subjects may include all user data, such contact information such as name, email, position, and phone number, as well as organizational roles and usage data. 

  1. PROCESSING INSTRUCTIONS AND NOTIFCATIONS 

The Contractor shall process Personal Data exclusively for the intended purpose in accordance with the respective Contract or the documented instructions of the Customer.  

As a rule, instructions are deemed submissions via the Pelt8 Platform.  

The Contractor shall inform the Customer without delay if it is of the opinion that an instruction violates applicable data protection law. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer.  

Notifications to the authorities or to data subjects regarding data protection violations and infringements may only be carried out by the Contractor itself after prior instruction by the Customer. Any deviating obligations of applicable law (e.g. binding decrees of competent authorities) shall remain reserved; the Customer must be informed of these in a timely manner, provided this is legally permissible.  

  1. DATA SECURITY  

The Contractor shall take suitable technical and organizational measures (TOM) in accordance with Contractor’s Data Security Policy; the current version is published on the Contractor 's website (https://www.pelt8.com/legal/data-security). 

The measures are subject to technical progress and further development. Alternative or additional measures may be implemented if the level of protection provided by the specified measures is not undercut. 

  1. CONFIDENTIALITY

The Contractor undertakes to treat Personal Data obtained under the Contract or this DPA as confidential and to make it available only to persons who need access to the Personal Data in order to perform their duties towards the Contractor.  

The Contractor shall ensure that the persons authorized to process the Personal Data are obliged to maintain confidentiality/secrecy to the extent that they are not subject to a statutory duty of confidentiality.  

Employees and other persons working for the Contractor who deal with relevant Personal Data shall be forbidden to process such Personal Data outside this Contract and this DPA.  

The confidentiality/secrecy obligation shall continue for a period of five years after termination of this DPA. 

  1. CONTACT PERSONS  

  1. Contact person at the Customer  

Data protection-related incidents must be reported by the Contractor to the Customer immediately after their discovery and without culpable delay. For this purpose, the Contractor must inform the Customer’s contact persons as indicated in the STANDARD SUBSCRIPTION FORM within normal business hours. If no form is signed, as in the case of testing accounts, the Contractor must inform the person associated with the test email address.

  1. Contact person at the Contractor  

Julian Osborne, CEO, Butzenstrasse 1, 8038 Zurich, Switzerland Tel: +41 79 373 92 24; E-Mail: info@pelt8.com 

  1. RIGHTS OF THE DATA SUBJECTS  

If a data subject contacts the Contractor directly with requests for correction, deletion, information, or other claims concerning Personal Data, the Contractor shall immediately inform the data subject, if assignment to the Customer is possible based on the information provided by the data subject.  

The Contractor shall support the Customer, while taking account of the type of processing with suitable technical and organizational measures, to meet its obligation to answer enquiries from data subjects regarding their rights in accordance with Applicable Data Protection Law.  

The Contractor's support obligations towards the Customer pursuant to this Section shall be performed free of charge. The Parties may agree on a remuneration arrangement for further support services. 

  1. DATA PROTECTION BREACHES  

The Contractor shall immediately inform the Customer if:  

  1. The Contractor or a sub-processor determines or suspects that a data protection breach has occurred. Such information must be delivered in accordance Applicable Data Protection Law (including type, scope, extent of the breach) so that the Customer is able to fulfil any possible reporting obligation to the competent data protection authority and/or the data subjects in accordance with Applicable Data Protection Law.  

  1. The Personal Data must be passed on to a competent authority.  

  1. An enquiry, subpoena or application to view or check the processing is received by a competent authority, unless the law prohibits the Customer from being notified. If a data protection breach occurs on the Contractor's or on a sub-processor's premises, the Contractor shall take reasonable measures at its own cost to identify the cause of the data protection breach as well as to ensure that the Personal Data is protected and reduce the likelihood of any possible negative consequences for the data subjects. The Contractor's support obligations towards the Customer pursuant to this Section 8 shall be performed free of charge. The Parties may agree on a remuneration arrangement for further support services.

  1. RETENTION AND DELETION OF DATA 

The Contractor shall return all data, data carriers and other materials to the Customer immediately upon the Customer's first instruction. The Contractor may not retain Personal Data for longer than is necessary for the fulfillment of its obligations under the Contract, provided that no legal obligation to retain Personal Data exists to the contrary.  

Upon termination of the Contract, the Personal Data received under the Contract or these DPA shall either be surrendered to the Customer or deleted in accordance with the contractual provisions; if such a provision is missing, the Personal Data shall either be surrendered to the Customer and existing copies deleted, or they shall be deleted, at the Customer's discretion, unless the Contractor is required by law to retain or store Personal Data. Until deletion or surrender, the Contractor shall continue to ensure compliance with these DPA.  

The Contractor is entitled to use anonymized and aggregated data, where individual data subjects cannot be identified, even after the termination of this Agreement, exclusively for the purpose of improving the Software, enhancing its features, and optimizing its performance, in strict compliance with the Data Processing Agreement (DPA), the General Data Protection Regulation (GDPR), and all relevant data protection regulations. The Contractor shall ensure, in accordance with the DPA and applicable data protection laws, that the data provided by the Client is anonymized at the source and in a manner that completely prevents the identification of data origin by any party, including the Contractor itself.

  1. INVOLVEMENT OF SUB-PROCESSORS AND CLOUD-SERVICES  

The Contractor shall hereby receive prior general written permission to involve sub-processors and Cloud Services for processing of Personal Data. Insofar as the permissible subcontractors do not already result from the contract can be found on the Contractor Website under https://www.pelt8.com/legal/list-of-sub-processors

The list of sub-processors and Cloud Services shall be kept up to date on an ongoing basis. The Contractor may add or replace sub-processors and Cloud Services at its discretion, informing the Customer in advance with reasonable notice. The Customer may object within twenty days if there is an objectively compelling reason under Applicable Data Protection Law. If no objection is made, the new sub-processor or Cloud Service is deemed accepted. If a mutually agreeable solution cannot be found, the Contractor has the right to terminate without notice. 

The Contractor must ensure sub-processors are subject to the same obligations as the Contractor under this DPA and the respective Contract. Upon request, the Contractor shall provide the Customer with information about the agreement's essential content and the sub-processor's compliance with data protection obligations. The Contractor is liable for the proper selection, instruction, and supervision of sub-processors. Upon request, the Contractor shall provide the Customer with a copy of its agreements with sub-processors to verify compliance.

  1. DOCUMENTATION, PROCESSING INVENTORY  

Each Party shall be responsible for observing its documentation obligations, in particular the record of processing activities, insofar as this is required by Applicable Data Protection Law.  

Each Party shall support the other in a reasonable manner while fulfilling its documentation obligations, including the provision of information which the other Party requires from it in an appropriate format (e.g. through the use of an electronic system) so that the other Party can meet its obligations in connection with the record of processing activities. 

  1. DATA PROTECTION IMPACT ASSESSMENT  

If the Customer is obligated to perform a data protection impact assessment or to consult a supervisory authority in advance under Applicable Data Protection Law, the Contractor shall, at the Customers request, provide free of charge those documents that are generally available for the services of the respective Contract. Any additional support shall be mutually agreed between the Contractual Parties.  

  1. VERIFICATION OBLIGATIONS AND AUDIT RIGHTS 

The Contractor shall verify its compliance with this DPA by suitable means. The Customer may inspect or audit this compliance, directly or through appointed auditors under strict confidentiality and without a competitive conflict, if: 

  1. The Contractor fails to provide sufficient verification of its technical and organizational measures. 

  1. There has been a breach of Personal Data protection. 

  1. A supervisory authority officially requests a check. 

  1. The Customer has a direct audit right under Applicable Data Protection Law. 

The Contractor must cooperate with the audit. The Parties shall agree in advance on the time, duration, and subject of the audits, and on security and confidentiality provisions, unless prior notice would jeopardize the audit's purpose. Audits should not unduly disturb the Contractor's operations and are generally limited to three working days per year. 

Each Party shall bear its own costs for the audit or inspection. If the audit exceeds three working days, the Contractor may request remuneration for additional support. 

If significant breaches or shortcomings are detected, the Contractor must take corrective measures immediately at no extra cost.  

Information provided during an audit is deemed Pelt8 Confidential Information. 

  1. GEOGRAPHY

The processing of the Personal Data shall take place in Switzerland, in a member state of the European Union (EU), in another state party to the Agreement on the European Economic Area (EEA), in a country which has an adequate level of protection according to the adequacy decision of the European Commission or the Swiss Federal Data Protection Commissioner, or in third countries.  

If data is processed in third countries, the Contractor shall implement additional appropriate legal, technical or organizational measures. 

  1. LIABILITY

The Contractor shall be liable to the Customer for culpable violations of this DPA. The liability of the Parties under this DPA shall be governed by the liability provisions in the GENERAL TERMS AND CONDITIONS (GTC); the current version is published on the Contractor 's website (https://www.pelt8.com/legal/general-terms-and-conditions). 

  1. FINAL PROVISIONS 

The final provisions of this DPA shall be governed by the same terms as the GENERAL TERMS AND CONDITIONS (GTC) ); the current version is published on the Contractor 's website (https://www.pelt8.com/legal/general-terms-and-conditions).