Data Processing Agreement

Please note: The legally binding version of this Data Processing Agreement is in German. This English version is provided as a translation for your convenience.

Between

User of the web application «Triventa»
hereinafter: Controller

and

Triventa by CodeALang
Fabian Lang
Wydenstrasse 22
6030 Ebikon
hereinafter: Processor

1. Introduction, Scope, Definitions

(1) This agreement governs the rights and obligations of the Controller and the Processor (hereinafter referred to as "Parties") in the context of the commissioned processing of personal data.

(2) This agreement applies to all activities in which employees of the Processor, or subcontractors commissioned by the Processor, process personal data of the Controller on the Controller's behalf.

(3) Terms used in this agreement are to be understood according to their definition in relevant data protection laws, in particular the Swiss Federal Act on Data Protection (Data Protection Act – DSG) and the EU General Data Protection Regulation (GDPR). In this sense, the Controller is the "Controller", the Processor is the "Processor". Insofar as declarations are to be made "in writing" in the following, written form according to Art. 12 OR is meant. Otherwise, declarations can also be made in other forms, provided that adequate verifiability is ensured.

2. Subject and Duration of Processing

2.1 Subject

The Processor undertakes the following processing:

Processing of personal data originating from the user and with which Triventa comes into contact.

The processing is based on the provision of the web application «Triventa» as a service via the Internet as Software as a Service and the conclusion of the subscription under acceptance of the general terms and conditions (T&C).

2.2 Duration

The processing begins with the conclusion of the subscription and continues indefinitely until termination of this agreement or the subscription by either party.

3. Type, Purpose and Data Subjects of Data Processing

3.1 Type of Processing

The Processor processes personal data as part of operating the web application «Triventa» as a cloud-based Software-as-a-Service solution.

The processing includes in particular:

  • Storage, structuring, evaluation and management of data entered by the Controller
  • User management incl. authentication and role-based access control
  • Appointment and meeting management incl. external appointment coordination
  • Sending of system-relevant emails (e.g. invitations, notifications, confirmations)
  • Temporary processing of calendar data as part of appointment coordination
  • Technically necessary logging to ensure operation, security and error analysis

Processing for the Processor's own purposes or for marketing purposes does not take place.

3.2 Purpose of Processing

The processing of personal data is carried out exclusively for the following purposes:

  • Digital organization and management of organizations (companies)
  • Management of users, roles and organizational responsibilities
  • Planning, coordination and confirmation of appointments and meetings
  • Integration of external calendar services (Google Calendar, Microsoft Outlook) for availability queries
  • Operation, maintenance, troubleshooting and further development of the web application «Triventa»
  • Sending of transaction-related emails
  • Fulfillment of legal retention and verification obligations

3.3 Type of Data

As part of Triventa – depending on use – the following categories of personal data are processed:

a) Master Data

  • First and last name
  • Organization / Affiliation

b) Contact Data

  • Email address
  • Optional phone number

c) Organizational and Usage Data

  • Roles and permissions within the organization
  • Appointment and meeting assignments
  • Status information (e.g. invitation status)

d) Authentication and Security Data

  • User ID
  • Encrypted access credentials
  • Tokens (e.g. session or access tokens)

e) Calendar-Related Data

  • Time slots and availabilities
  • Appointment confirmations

Complete calendar contents are not permanently stored; only the time information required for finding an appointment is retained, and it is permanently deleted at the latest 3 months after the end date of the appointment.

f) Communication Data

  • Sending and delivery information of emails (no content analysis)

g) Technical Metadata

  • IP addresses in server logs
  • Times of accesses and actions

No particularly sensitive personal data within the meaning of the DSG is systematically processed.

3.4 Categories of Data Subjects

The following persons are affected by the processing:

  • Users and administrators of the Controller's organization
  • Invited external participants (e.g. meeting partners)
  • Contact persons whose email address is used for appointment coordination

4. Obligations of the Processor

(1) The Processor processes personal data exclusively as contractually agreed or as instructed by the Controller, unless the Processor is legally obliged to carry out certain processing. If such obligations exist for them, the Processor informs the Controller before processing, unless the notification is legally prohibited. The Processor does not use the data provided for processing for any other purposes, in particular not for their own purposes.

(2) The Processor confirms that they are familiar with the relevant general data protection regulations. They observe the principles of proper data processing.

(3) The Processor undertakes to strictly maintain confidentiality during processing.

(4) Persons who may gain knowledge of the data processed on behalf must commit themselves to confidentiality in writing, unless they are already subject to a relevant legal confidentiality obligation.

(5) The Processor ensures that the persons employed by them for processing have been familiarized with the relevant provisions of data protection and this agreement before the start of processing. Corresponding training and awareness-raising measures are to be repeated appropriately regularly. The Processor ensures that persons employed for contract processing are continuously appropriately instructed and monitored with regard to the fulfillment of data protection requirements.

(6) In connection with the commissioned processing, the Processor supports the Controller as necessary in fulfilling their data protection obligations, in particular in creating and updating the directory of processing activities, in carrying out the data protection impact assessment and a necessary consultation of the FDPIC. The required information and documentation are to be kept and forwarded to the Controller immediately upon request.

(7) If the Controller is subjected to a control by the FDPIC or other bodies or if data subjects assert rights against them, the Processor undertakes to support the Controller to the necessary extent, insofar as the processing on behalf is affected.

(8) The Processor may only provide information to third parties or to the data subject after prior consent by the Controller. The Processor will immediately forward to the Controller any inquiries addressed directly to the Processor.

(9) Contract processing takes place exclusively within Switzerland, the EU or the EEA.

5. Security of Processing

(1) The data security measures described in the separate data protection provisions are established as binding. They define the minimum owed by the Processor.

(2) The description of the measures must be so detailed that for a knowledgeable third party it is always clear beyond doubt what the owed minimum should be based on the description alone. A reference to information that cannot be directly taken from this agreement or its annexes is not permitted.

(3) The data security measures can be adapted according to technical and organizational further development, as long as the level agreed here is not undercut. The Processor must immediately implement changes necessary to maintain information security.

(4) Significant changes must be communicated to the Controller immediately.

(5) Insofar as the security measures taken do not or no longer meet the requirements of the Controller, the Processor notifies the Controller immediately.

(6) The Processor ensures that the data processed on behalf is strictly separated from other data stocks.

(7) Copies or duplicates are not created without the knowledge of the Controller. Exceptions are technically necessary, temporary reproductions, insofar as an impairment of the data protection level agreed here is excluded.

6. Regulations for Correction, Deletion and Blocking of Data

(1) The Processor will only correct, delete or block data processed as part of the contract according to the contractual agreement made or according to the Controller's instructions.

(2) The Processor will comply with the corresponding instructions of the Controller at any time and also beyond the termination of this agreement.

7. Subcontracting Relationships

(1) The Controller agrees that the Processor may engage sub-processors to provide the service and may forward the personal data recorded by the user to them.

(2) Triventa ensures that data protection obligations comparable to those agreed in this agreement have been contractually imposed on the subcontractor. The Controller receives insight into the relevant contracts between Processor and subcontractor upon request.

(3) The rights of the Controller must also be able to be effectively exercised against the subcontractor. In particular, the Controller must be entitled to carry out controls at subcontractors at any time to the extent specified here or to have them carried out by third parties.

(4) The Processor carefully selects the subcontractor with special consideration of the suitability of the technical and organizational measures taken by the subcontractor.

(5) If the subcontractor does not comply with their data protection obligations, the Processor is liable for this to the Controller.

(6) Currently, the subcontractors designated in Annex 2 with name, address and contract content are employed with the processing of personal data to the extent mentioned there and approved by the Controller. The other obligations of the Processor towards subcontractors laid down here remain unaffected.

8. Rights and Obligations of the Controller

(1) The Controller alone is responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.

(2) The Controller informs the Processor immediately if they discover errors or irregularities when checking the contract results.

(3) The Controller is entitled to control compliance with data protection regulations and contractual agreements at the Processor to an appropriate extent themselves or through third parties, in particular by obtaining information and inspecting the stored data and data processing programs as well as other on-site controls.

9. Notification Obligations

(1) The Processor immediately notifies the Controller of violations of the protection of personal data processed on behalf. Justified suspected cases must also be reported. The notification must contain at least the following information:

  • a. a description of the nature of the personal data breach, if possible with indication of the categories and approximate number of data subjects concerned, the categories concerned and the approximate number of personal data records concerned;
  • b. the name and contact details of a contact point for further information;
  • c. a description of the likely consequences of the personal data breach;
  • d. a description of the measures taken or proposed by the Processor to remedy the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

(2) Significant disruptions in contract execution as well as violations by the Processor or persons employed by them against data protection regulations or the provisions made in this agreement must also be reported immediately.

(3) The Processor immediately informs the Controller of controls or measures by supervisory authorities or other third parties, insofar as these have references to contract processing.

(4) The Processor ensures to support the Controller in their obligations according to Art. 24 DSG to the necessary extent.

10. Instructions

(1) The Controller reserves a comprehensive right to issue instructions with regard to processing on behalf.

(2) In the event of a change or long-term prevention of the named persons, successors or representatives must be communicated to the other party immediately.

(3) The Processor will immediately inform the Controller if, in the Processor's opinion, an instruction issued by the Controller violates legal regulations. The Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the person responsible at the Controller.

11. Termination of the Contract

(1) After termination of the contract according to T&C, all personal data will be deleted at the latest 3 months thereafter or upon request of the user in the role of administrator.

(2) The Processor is obliged to bring about the deletion of personal data also at subcontractors.

(3) Documentation that serves as proof of proper data processing must be retained by the Processor at least until the end of the third calendar year after the end of the contract. The Processor may hand it over to the Controller to discharge this obligation.

12. Liability

(1) For compensation for damages that a person suffers due to inadmissible or incorrect data processing in the context of the contractual relationship, Controller and Processor are liable as joint and several debtors.

(2) The Processor bears the burden of proof that damage is not the result of a circumstance for which they are responsible, insofar as the relevant data was processed by them under this agreement.

(3) The Processor is liable to the Controller for damages that the Processor, their employees or those commissioned by them with contract execution or the sub-service providers employed by them culpably cause in connection with the provision of the commissioned contractual service.

(4) Numbers (2) and (3) do not apply insofar as the damage arose through the correct implementation of the commissioned service or an instruction issued by the Controller.

13. Special Termination Right

(1) The Controller can terminate the main contract and this agreement at any time without observing a period ("extraordinary termination") if there is a serious violation by the Processor against data protection regulations or the provisions of this agreement, the Processor cannot or will not execute a lawful instruction of the Controller or the Processor refuses control rights of the Controller contrary to the contract.

(2) A serious violation exists in particular if the Processor does not or has not fulfilled the obligations specified in this agreement, in particular the agreed technical and organizational measures to a considerable extent.

(3) In the case of insignificant violations, the Controller sets the Processor an appropriate deadline for remedy. If the remedy does not occur in time, the Controller is entitled to extraordinary termination as described in this section.

(4) The Processor must reimburse the Controller for all costs incurred by them through the premature termination of the main contract or this contract as a result of an extraordinary termination by the Controller.

14. Miscellaneous

(1) Both parties are obliged to treat all knowledge of business secrets and data security measures of the other party obtained in the context of the contractual relationship confidentially even beyond the termination of the contract. If there are doubts whether information is subject to the confidentiality obligation, it is to be treated as confidential until written release by the other party.

(2) For supplementary agreements, written form and express reference to this agreement are required.

(3) Should individual parts of this agreement be ineffective, this does not affect the effectiveness of the agreement otherwise.

Annex 1 – Technical and Organizational Measures

The following sets out the contract-related technical and organizational measures to ensure data protection and data security that the Processor must at least establish and continuously maintain. The goal is to ensure in particular the confidentiality, integrity and availability of the information processed on behalf.

Confidentiality

  • Physical access control: No data is stored on the Processor's own premises. Software and data are hosted entirely in external data centers, which prevent unauthorized access to processing facilities through multi-level access control.
  • Login control: Secure passwords (minimum length 7 characters, uppercase, lowercase, number and special character); only the hash value of the password is stored; JWT authentication.
  • Data access control: Triventa offers various access roles that restrict reading, copying, changing or deleting data.
  • Separation control: Separation of test and production systems; access to data of other companies or organizations is prevented by JWT and CustomerId validation.
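The login and separation controls listed above can be illustrated in code. The following is an added example written for this page, not code from the agreement or from Triventa's code base: it checks the stated password policy, stores only a salted hash of the password (PBKDF2 is an assumed choice; the agreement only says a hash is stored), issues and validates an HS256 JWT with a constructed signing key, and enforces tenant separation by comparing a `customer_id` claim (assumed claim name) against the CustomerId of the requested record. The record store and all keys and values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
from typing import Optional

# Constructed demo signing key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
PBKDF2_ROUNDS = 200_000


def password_meets_policy(pw: str) -> bool:
    """Login control as stated in Annex 1: at least 7 characters, with uppercase,
    lowercase, a digit and a special (non-alphanumeric) character."""
    return (
        len(pw) >= 7
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Only the salted hash is stored, never the password itself (assumed PBKDF2-SHA256)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, customer_id: str) -> str:
    """Minimal HS256 JWT carrying the user's organization as a 'customer_id' claim (assumed name)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "customer_id": customer_id}, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid and the algorithm is the pinned one, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64 and JSON
        return None


# Constructed sample records belonging to two different organizations (CustomerIds).
RECORDS = {
    "rec-1": {"customer_id": "cust-A", "title": "Board meeting"},
    "rec-2": {"customer_id": "cust-B", "title": "Kick-off"},
}


def fetch_record(token: str, record_id: str) -> Optional[dict]:
    """Separation control: the validated JWT's customer_id must match the record's CustomerId.
    A record of another organization yields the same result as a missing record."""
    claims = verify_token(token)
    if claims is None:
        return None
    record = RECORDS.get(record_id)
    if record is None or record["customer_id"] != claims.get("customer_id"):
        return None
    return record


if __name__ == "__main__":
    tok = issue_token("user-1", "cust-A")
    print(fetch_record(tok, "rec-1"))  # own organization's record
    print(fetch_record(tok, "rec-2"))  # other organization: None
```

The tenant check deliberately lives next to the data access, not only in the login step: a valid token proves who the caller is, while the CustomerId comparison decides which records that caller may see, and the two checks together are what the separation control describes.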

Integrity

  • Transfer control: Secure connection via HTTPS

Availability and Resilience

  • Availability control: There is protection against accidental damage or destruction or loss through escalation paths and emergency plans.
  • Recoverability: Data is stored in redundant data stores and database backups are performed regularly.

Procedures for Regular Review, Assessment and Evaluation

  • Privacy-friendly default settings: User accounts are created by default with the lowest access role and thus restrict reading, copying, changing and deleting personal data.

Annex 2 – Approved Sub-Processors

Company | Location | Contract Content | DPA
Supabase Inc. | Switzerland (Bern region) | Backend infrastructure, authentication, database, edge functions | Link
GitLab Inc. | Europe (EU) | Hosting and delivery of static Angular frontend (GitLab Pages) | Link
Stripe (Stripe Technology Europe) | Dublin, Ireland | Payment service provider | Link
Zoho Corporation | EU (data centers in Europe) | Sending transaction-related emails | Link
Google LLC | EU / USA | Calendar integration (availability query via Google Calendar API) | Link
Microsoft Corporation | EU / Switzerland | Calendar integration (availability query via Microsoft Outlook / Graph API) | Link

Note: Google and Microsoft are used exclusively for temporary processing of calendar availabilities. Permanent storage of complete calendar data does not take place.