TermsData Processing Agreement

1. Preamble

1.1 This agreement, together with its annexes, supplements our terms of use by specifying the terms and conditions for the subcontracting of personal data in the context of the provision of our service.

1.2 Our objective is to ensure adequate protection of personal data in accordance with all data protection laws that may be applicable to you, including, but not limited to, the Federal Data Protection Act, the Cantonal Data Protection Acts, or the General Data Protection Regulation.

2. Subject of the agreement

2.1 This agreement governs any transfer of personal data that you entrust to us and any processing of personal data that we carry out on your behalf. In this context, you are the controller, and we act as the processor.

2.2 You transfer personal data to us exclusively for the purposes of processing it in direct connection with the provision of our service. The description of the processing carried out is specified in Annex 1.

3. Order of priority

3.1 This agreement, together with its annexes, forms an integral part of the terms of use.

3.2 In the event of any conflict or inconsistency between this agreement and the terms of use or any other agreement binding us, the provisions of this agreement shall prevail, unless otherwise agreed in writing.

3.3 In the event of any discrepancy in the interpretation of the language versions of this agreement, the French version shall prevail.

4. Definitions

4.1 Personal data means any information relating to an identified or identifiable natural person.

4.2 The data subjects are all natural persons whose personal data are being processed. Where applicable, personal data relating to identified or identifiable legal persons are also considered personal data.

4.3 The processing of personal data refers to all operations relating to personal data, regardless of the means and processes used, including the collection, recording, storage, use, modification, communication, archiving, erasure or destruction of data.

4.4 The supervisory authority designates the competent data protection authority, which is responsible for ensuring compliance with applicable data protection laws.

5. Your duties

5.1 You undertake and guarantee that you have obtained all the necessary authorisations from the data subjects so that we can lawfully process their personal data in accordance with applicable data protection laws.

5.2 You undertake and guarantee that you will respond in accordance with applicable data protection laws to all requests from data subjects, the supervisory authority and other third parties.

5.3 You undertake to inform us as soon as possible of any error or irregularity that you may notice in the context of our subcontracting relationship.

6. Our obligations

6.1 We undertake not to use the data for any purpose other than that for which you provide it to us.

6.2 We undertake and guarantee to you that appropriate measures are in place to prevent any unauthorised direct access to the content of your data. If technical access is necessary, we obtain your prior consent. In addition, a logging system is in place to document each access.

6.3 We undertake to inform you immediately if we are forced, under foreign law or a court decision, to communicate personal data to a foreign authority, or if such a risk exists.

6.4 We will designate a contact person for data protection issues and will inform you in case of a change of contact person.

6.5 We undertake, insofar as it can reasonably be required of us, taking into account the use of our service, the nature of the processing and the information available to us, to assist you in meeting your obligations with regard to data protection impact assessment and prior consultation.

6.6 We guarantee the application of the principles of data protection by design and by default.

7. Our staff and confidentiality

7.1 We limit access to personal data to our collaborators and to people working for us, only when such access is necessary. We ensure that these people respect the obligations set out in this agreement.

7.2 We guarantee that our collaborators and the people working for us are trained in the processing of personal data in accordance with legal requirements regarding data protection and good practices in this area.

7.3 We guarantee that the collaborators responsible for data processing and the other persons working for us are bound by confidentiality obligations, which endure beyond our contractual relationship with them.

7.4 Certain data may be subject to secrecy, in particular official secrecy or professional secrecy. We automatically submit to secrecy with regard to this data in our capacity as auxiliary and we respect the related requirements.

8. Data security

8.1 We undertake to implement appropriate organisational and technical measures to guarantee the security of personal data. These measures aim to ensure their confidentiality, integrity, availability and traceability, taking into account the risks involved.

8.2 These measures take into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the likelihood and severity of the risks to the personality and fundamental rights of the data subjects. We regularly reassess these measures as part of our risk management system.

8.3 We would like to inform you that we are SOC 2 Type II certified. This certification attests to our compliance and commitment to data security. We are committed to maintaining this certification and will inform you in the event of non-renewal or withdrawal.

8.4 We also undertake to implement the necessary actions to guarantee the continuity of our activities and to inform you of any breach of data security.

9. Data security breach

9.1 In the event of a data security breach, we undertake to use all reasonable means to identify it and understand the reasons for it and the circumstances in which it occurred.

9.2 We take all necessary measures to avoid, contain and limit the impact of the breach. We undertake to document all elements concerning its discovery, its cause and its impact, as well as the measures to remedy it.

9.3 We undertake to inform you of the breach as soon as possible through our contact person for data protection matters.

9.4 This notification contains all the information necessary to enable you to fulfil your own notification obligations towards the supervisory authority and the data subjects. The information includes, but is not limited to:

• The nature of the breach, as well as, as far as possible, a reference to the time and duration of the breach, the categories and approximate number of personal data concerned and of data subjects.
• The consequences, including possible risks, for the persons concerned.
• The measures taken to remedy the violation and mitigate the consequences, including possible risks.
• The name and contact details of our contact person for data protection matters.

9.5 If we are unable to provide you with all the information at the same time, we will provide you with the missing information as soon as possible.

9.6 We undertake, insofar as it can reasonably be required of us, and at your request, to assist you in the fulfilment of your own reporting obligations to the supervisory authority and the data subjects. You will consult with us on this as soon as possible.

10. Sub-processors

10.1 We will only delegate the processing of personal data to further processors with your consent. Any processing of personal data carried out by our further processors may only involve processing operations necessary for the provision of the service.

10.2 Your consent is deemed to be given in general for the further processors listed in Annex 2 to this agreement.

10.3 In the event of any amendment to Annex 2, we will inform you at least sixty days in advance. You may object to this amendment within thirty days of our notification. This objection may only be made on legitimate grounds relating to data protection law. The deletion of a sub-processor may not be objected to.

10.4 If mutual agreement on the use of a sub-processor cannot be reached within this period, you have the option of terminating the use of our service on an extraordinary basis, provided that you demonstrate that the objection is necessary under data protection law.

11. Cross-border disclosure of personal data

11.1 In principle, we process personal data in Switzerland.

11.2 As an exception to this principle, personal data may be disclosed outside Switzerland if one of the following criteria is met:

• The State of destination ensures an adequate level of protection, recognised by an adequacy decision or by the Swiss-U.S. Data Privacy Framework for certified organisations.
• The transfer is governed by standard contractual clauses or any other appropriate guarantee provided for by the applicable data protection laws.

11.3 We undertake, to the extent reasonable, to ensure that our subcontractors comply with the applicable rules on cross-border data communication.

11.4 We inform you through Annex 2 of the places where personal data is communicated outside Switzerland and the criteria applied.

12. Requests from data subjects

12.1 Taking into account the type of processing and the information we have at our disposal, we undertake, at your request, to fulfil your obligations towards data subjects exercising their rights (e.g. right of access, right of rectification). You must forward to us any request you receive in relation to the processing of personal data.

12.2 If we receive a request from a data subject, we will transfer it to you upon receipt. We will also inform the data subject that you are responsible for following up on their request, specifying your contact details and the date of the transfer.

12.3 It is mutually agreed that you assume full responsibility for responding to requests from data subjects.

13. Control obligations

13.1 You may request an audit of our subcontracting relationship. This audit may be carried out by you or by a competent third party, provided that this third party is not in competition with us. We will cooperate fully to facilitate the audit, in accordance with the agreed terms and conditions.

13.2 You must give us at least sixty days' notice of your intention to audit. This notification must at least specify the purpose of the audit, the scope of the audit, the data audited, the methods used, the envisaged duration and the identity of the competent third party or parties, if any. You or the designated competent third party must undertake in writing to respect the confidentiality of the information to which you will have access in the context of the audit.

13.3 We guarantee that access to the necessary information will be granted without undue delay, while ensuring the security of the data concerned.

13.4 An audit report will be drawn up and made available to us free of charge at the end of the audit. This report will contain the findings as well as recommendations to correct any identified shortcomings.

14. Disposal of data

14.1 At the end of the provision of the service or at your request, and subject to the legal obligations of conservation, we undertake to:

• Return all or some of your personal data to you in a commonly used electronic format; or
• Delete it without keeping a copy.

15. Compensation and liability

15.1 You undertake to compensate us for any expenses and disbursements incurred in the context of assistance related to your data protection obligations and the performance of audits.

15.2 This obligation to compensate does not apply if you can demonstrate that these expenses result from a fault on our part or that it is not for you to bear them.

15.3 We undertake to indemnify you for any third-party claim arising from a breach of this agreement or of the applicable data protection laws. Such indemnification applies to all damages, costs, claims or expenses incurred by you as a result of such breaches.

16. Other provisions

16.1 This agreement is valid for as long as our service is provided to you. It automatically ends when this service ceases.

16.2 We reserve the right to make changes to this agreement at any time. We undertake to inform you and to provide you with the new amended version.

Annex 1 – Description of the processing of personal data

Preamble

This annex describes the processing of personal data in accordance with point 2 of the agreement.

Nature and purposes of data processing

The purpose of processing personal data is to provide and improve the services defined in the terms of use, in particular:

• Meeting management: Collaborative preparation of agendas, real-time drafting of minutes, and follow-up of decisions and tasks assigned to participants.
• Task management: Creation and allocation of tasks within shared workspaces, monitoring of project progress, and prioritisation of activities for better organisation.
• Project management: Plan projects with start and due dates, add statuses to update the team on progress, and get an overview of all ongoing projects.
• Internal communication: Sending notifications and reminders related to activities on the platform, as well as transactional emails such as password recovery and confirmations of important actions.
• Service improvement: Analysing the use of the platform to optimise functionality, ensure the smooth operation and security of the service, and provide an improved user experience.

Categories of personal data processed

The categories of personal data processed include:

• Contact details: We process your contact details, such as your surname, first name, address, correspondence language, telephone number or email address.
• Professional details: We process your professional details, in particular your professional status, title, job title, the name of your organisation and your place of work.
• Economic data: We process your economic data such as your billing address and payment information.
• Service data: We process service data, i.e. data created by users when using our service. This data includes information entered directly by users, data created automatically by the platform based on interactions and information sent to us by authorised methods when using another service.
• Internet and connection data: For technical reasons and in order to improve our service, each use of the service generates certain data, including your IP address, information about your Internet service provider and your device's operating system, information about the referring URL, information about the browser used, and the date and time of access.

Categories of data subjects

The categories of data subjects include:

• Internal users of the service (e.g. your employees).
• External users of the service (e.g. your business partners or your own customers).
• Persons whose personal data is entered by internal or external users.

Annex 2 – Our sub-processors

Preamble

This annex lists our sub-processors and any guarantees regarding cross-border data disclosure in accordance with points 10 and 11 of the agreement.