
Data Protection Agreement

Last updated: 4th January, 2023


Pursuant to Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter, “GDPR”), this Data Protection Addendum is


[NAME], with registered office in [ADDRESS] and hereinafter referred to as the “Customer”


ORCA AG., with registered office in Zurich, Baeckerstrasse 26, and hereinafter referred to as the “Provider”.

The Customer and Provider are together referred to as “Parties” in this Agreement.


  1. The Parties concluded an Agreement concerning the provision of cloud services and software licensing (hereinafter also referred to as the “Agreement”), as explained in detail in the Agreement;
  1. in the execution of the Agreement, the Provider accesses the Customer’s data established in the Privacy Policy;
  1. the Provider shall collect and process data acquired and/or received during the performance of the Agreement mainly through electronic means and for purposes related to the fulfillment of the obligations undertaken upon the signing of the Agreement;
  1. Provider shall only process Customer Personal Data on Customer’s documented instructions, including as set out under this Agreement, unless processing is otherwise required by Applicable Laws. If Provider engages in processing based upon legal requirements, Provider shall, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before such processing of that Personal Data.


the Provider meets the requirements of experience, professionality, and reliability with regard to the protection of personal data and that it provides adequate and reasonable guarantees regarding the implementation of appropriate technical and organisational measures to ensure that the processing complies with the GDPR requirements and safeguards the rights of data subjects;


The Provider accepts the responsibility of handling operations of the data acquired and/or received in the performance of the Agreement, for the purpose of fulfilling the obligations provided for by the aforementioned privacy regulations, where the Provider complies with:

  1. The Provider shall handle the relevant data exclusively for the purpose of performing the activities outlined in the Agreement, in a lawful and fair manner, and in compliance with the provisions of personal data protection law, as well as the provisions of the Agreement itself.
  1. With regard to this DPA, the Provider shall be obliged to:
     1. comply with any requirements provided for by the GDPR, including future amendments and additions to existing privacy legislation;
     1. comply with the operational instructions and guidelines outlined herein, drafted in accordance with the GDPR;
     1. either return or destroy the personal data at the end of the handling of the same, as per the written instructions provided by the Customer and provide an appropriate certificate in order to ensure the personal data security and comply with legal formalities;
     1. maintain records of the processing activities performed on behalf of the Customer;
     1. ensure that the individuals entrusted with sensitive access have committed to confidentiality or are bound by appropriate confidentiality obligations;
     1. adopt and comply with all appropriate measures in accordance with the risk level of the processing, as outlined in Articles 32 et seq. of the GDPR;
     1. cooperate in the event of requests received from the Supervisory or Judicial Authorities pertaining to the processing operations covered by this deed, providing the Customer with all necessary information required to address the Authorities' inquiries in a timely manner;
     1. promptly inform the Customer if it directly receives requests from the Supervisory or Judicial Authorities or undergoes inspections, and cooperate for any necessary or requested actions and interventions;
     1. provide the Customer with the documentation necessary to demonstrate compliance with all obligations and to allow the performance of audits, including inspections, conducted by the Customer or designated Sub-processors;
     1. assist the Customer, whenever feasible, in fulfilling its obligation to respond to requests related to data subject's rights as per Articles 12 et seq. of the GDPR;
     1. promptly inform the Customer of any deficiencies identified in the security measures or any aspect of the processing that could potentially expose the Customer to civil and/or criminal liabilities, allowing appropriate precautions to be taken;
     1. inform the Customer without undue delay of any personal data breaches that occur during the processing carried out on its behalf and provide the Customer, within 24 hours of becoming aware of the breach, with relevant information that may have an impact on the security of the personal data processed;
     1. unless otherwise agreed upon with the Customer, store the data within Switzerland and the European Economic Area (EEA), including when the processing, in whole or in part, is carried out by any Sub-processors appointed in accordance with this DPA.
  1. The Provider may use Data Processor(s) (hereinafter also referred to as “Sub-Processor”) with prior written authorisation to manage specific processing activities, providing periodic updates to the Customer (at least every six months) regarding any appointment and/or replacement. The communication shall specify the delegated processing activities, the identifying information of the Sub-Processor, and the data of the outsourcing contract. The Sub-Processor must be bound by obligations similar to those imposed by the Customer upon the Provider, as stated in a specific contract or appointment agreement. It is the responsibility of the Provider to ensure that the Sub-Processor provides adequate guarantees in terms of expertise, reliability, and resources for implementing suitable technical and organisational measures to ensure compliance with the principles and requirements of the GDPR. Should the Sub-Processor fail to fulfill its data protection obligations resulting in a personal data breach, the Provider shall bear the full liability to the Customer for such shortcomings. The Customer reserves the right to verify the guarantees, technical and organisational measures of the Sub-Processor through audits and inspections, including by making use of third parties. To this end, the Customer shall give the Sub-Processor at least five working days' notice in advance.
  1. Data processing is to be understood as being carried out, pursuant to Article 28 of the GDPR, under the supervision of the Customer, who may, at any time and with due notice, carry out audits and issue any further specific instructions for its performance, as well as request its termination if imposed by the need to comply with legal prohibitions or obligations, or with provisions of the Supervisory and/or Judicial Authorities.

This appointment of the Provider shall be deemed to be revoked, as of right, upon the expiration of the Agreement – which constitutes an integral and substantial part thereof – including any renewals, whether implicit or explicit, for any reason, of the aforementioned contractual relationship, effective from the date of such termination.

All communications provided for by this deed of appointment, as well as any communication concerning personal data protection in general, shall be made by registered letter with acknowledgment of receipt or by certified e-mail

IN WITNESS WHEREOF, this Agreement is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.


Customer Provider

Signature_________________________ Signature ___________________

Name____________________________ Name: _____________________

Title_____________________________ Title: ______________________

Date Signed_______________________  Date Signed: ________________


Signature_________________________ Signature ___________________

Name____________________________ Name: _____________________

Title_____________________________ Title: ______________________

Date Signed_______________________  Date Signed: ________________
