Legal

Data Processing Agreement

1. Definitions and Scope

This Data Processing Agreement (DPA) supplements the Master Services Agreement and applies to processing of personal data when VNC AG acts as a Data Processor on behalf of the Customer (Data Controller). This DPA complies with GDPR Article 28 and Swiss nFADP requirements.

2. Roles and Responsibilities

Customer acts as Data Controller and determines the purposes and means of processing. VNC AG acts as Data Processor and processes personal data only on documented instructions from Customer. VNC AG shall:

  • Process data only for the agreed purposes
  • Not process data for independent purposes
  • Comply with data subject rights
  • Maintain confidentiality
  • Implement appropriate security measures

3. Processing Instructions

Customer shall provide written instructions regarding:

  • Categories of personal data to be processed
  • Categories of data subjects
  • Purposes of processing
  • Duration of processing
  • Type of processing operations

VNC AG shall not process data beyond these instructions without prior written consent from Customer. Customer is responsible for lawfulness of instructions.

4. Sub-processors

VNC AG may engage sub-processors (third-party vendors) to assist in processing. VNC AG shall:

  • Inform Customer of any changes to sub-processors
  • Obtain prior written consent for new sub-processors
  • Impose equivalent data protection obligations via written contract
  • Remain liable for sub-processor performance

Customer may object to engagement of sub-processors.

5. Data Security and Confidentiality

VNC AG implements technical and organizational measures appropriate to the risk level:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security audits and penetration testing
  • Incident response and breach notification procedures
  • Employee training on data protection
  • Secure deletion or return of data upon termination

VNC AG ensures confidentiality of all personnel with access to personal data.

6. Data Subject Rights

VNC AG shall, in a timely manner and at no additional cost:

  • Provide personal data in response to data subject requests
  • Assist with access, correction, deletion, and portability requests
  • Support data subject objections to processing
  • Facilitate consent withdrawal
  • Provide information necessary for Customer to fulfil data subject rights

VNC AG shall inform Customer immediately of any data subject requests received.

7. Data Breach Notification

VNC AG shall notify Customer without undue delay (no later than 24 hours) after becoming aware of a personal data breach. Notification shall include:

  • Facts and effects of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences
  • Measures taken or proposed to address the breach

VNC AG is not liable for Customer's failure to notify data subjects if VNC AG provided timely notification.

8. Audit Rights and Compliance

Customer has the right to audit VNC AG's compliance with this DPA. VNC AG shall:

  • Maintain records of processing activities
  • Cooperate with supervisory authorities
  • Provide evidence of compliance upon request
  • Allow audits by Customer or independent auditors
  • Permit inspections of facilities handling personal data

Audits may be conducted no more frequently than once annually unless a breach or suspected non-compliance is reported.

9. Data Transfer and Return

Upon termination of services, VNC AG shall, at Customer's choice:

  • Return all personal data to Customer in machine-readable format
  • Securely delete all personal data and provide written certification
  • Retain data only as required by law

Customer is responsible for ensuring compliance with data protection laws regarding data after transfer from VNC AG.

10. Term and Amendments

This DPA is effective on the date of the Master Services Agreement and continues as long as personal data is processed. This DPA may be amended to comply with changes in law. Amendments become effective 30 days after notification unless Customer objects. In case of conflict between this DPA and the Master Services Agreement, this DPA prevails regarding data protection matters.

Last updated: 2026