Data Processing Addendum
- Effective: May 23, 2026
- Last updated: May 23, 2026
- Version: v1
This Data Processing Addendum (the "DPA") forms part of the Terms of Service between biz collect (the "Processor") and the Customer (the "Controller"). It applies whenever the Processor processes personal data on behalf of the Controller in connection with the Service. By using the Service, Controller agrees to this DPA.
1. Definitions
Terms not defined here have the meanings given in the Terms of Service or, where applicable, in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the revised Swiss Federal Act on Data Protection ("revFADP").
- "Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in Article 4 of the GDPR.
- "Sub-processor" means any third-party processor engaged by the Processor.
- "Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914, as updated.
2. Roles
The Controller determines the purposes and means of processing Personal Data. The Processor processes Personal Data on behalf of and on the documented instructions of the Controller. The Controller is responsible for ensuring that its instructions, the use of the Service, and the categories of data submitted comply with applicable law.
3. Subject matter, duration, nature and purpose
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1.
4. Controller obligations
The Controller shall:
- Ensure that it has a valid legal basis for the processing of Personal Data via the Service.
- Provide all required information to Data Subjects under Arts. 13 and 14 GDPR.
- Refrain from submitting special categories of Personal Data (Art. 9 GDPR) or Personal Data relating to criminal convictions (Art. 10 GDPR) via the Service except as permitted by the Service.
- Respond to Data Subject requests, supported by the Processor under Section 5.
5. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by law to which the Processor is subject.
- Ensure confidentiality of personnel authorised to process Personal Data, who shall be subject to obligations of confidentiality.
- Implement appropriate technical and organisational measures as set out in Annex 2.
- Engage Sub-processors only in accordance with Section 7 and Annex 3.
- Assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests for exercising Data Subject rights.
- Notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach.
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services and delete existing copies unless retention is required by law.
- Make available all information necessary to demonstrate compliance and allow for and contribute to audits, as set out in Section 9.
6. International transfers
Where processing of Personal Data involves transfers out of the European Economic Area or Switzerland to a country not recognised as providing an adequate level of protection, the parties agree that the 2021 EU Standard Contractual Clauses (Module 2: Controller to Processor) apply and are incorporated by reference. For transfers originating in Switzerland, the SCCs are deemed amended in line with the recognised addenda of the Swiss Federal Data Protection and Information Commissioner.
7. Sub-processors
The Controller authorises the Processor to engage the Sub-processors listed in Annex 3 at the effective date of this DPA. The Processor shall notify the Controller at least 30 days in advance of any intended additions or replacements of Sub-processors, giving the Controller the opportunity to object on reasonable grounds. If the Controller objects on reasonable grounds, the parties shall work together in good faith to resolve the objection.
The Processor shall impose data-protection obligations on every Sub-processor that are no less protective than those set out in this DPA.
8. Data subject rights
The Processor shall assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights (access, rectification, erasure, restriction, portability, objection, automated decision-making).
9. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted on at least 30 days' prior written notice, no more than once per calendar year (except where required by a supervisory authority or following a Personal Data Breach), and subject to reasonable confidentiality obligations. The Controller shall bear the cost of any audit unless the audit reveals a material breach of this DPA by the Processor.
10. Term and termination
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the Service, the Processor shall delete or, at the Controller's election, return Personal Data within 30 days unless retention is required by law.
11. Conflict and severability
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. If any provision of this DPA is held to be invalid, the remaining provisions remain in full force and effect.
Annex 1 - Description of the processing
| Item | Description |
|---|---|
| Subject matter | Provision of the biz collect Service to the Controller. |
| Duration | For the term of the Controller's account, plus the data-retention periods set out in the Privacy Policy. |
| Nature and purpose | Hosting, transmitting, and processing API requests and account data so that the Controller can use the Service. |
| Categories of Data Subjects | Authorised users of the Controller (account holders, team members). End users of any of the Controller's downstream services to the extent the Controller submits Personal Data about them via the API. |
| Types of Personal Data | Identification data (name, email), authentication identifiers, API usage metadata (timestamps, IPs, request/response logs), and any Personal Data the Controller chooses to submit in API parameters. |
Annex 2 - Technical and organisational measures
The Processor implements the following measures to ensure a level of security appropriate to the risk:
- Encryption in transit - all communications use TLS 1.2 or higher.
- Encryption at rest - managed via our Sub-processors' encryption (Clerk and Convex provide encryption at rest for the data they hold on our behalf).
- Authentication - multi-factor authentication enforced for all administrative access; password and credential management policies.
- Access control - least-privilege access; role-based access controls; access reviewed periodically.
- Logging and monitoring - audit logs of administrative actions; anomaly detection for suspicious access patterns.
- Incident response - documented incident response procedure; breach notification within 72 hours of becoming aware (Section 5).
- Resilience and backups - regular backups handled by our Sub-processors with industry-standard retention; geographic redundancy where supported.
- Personnel - all personnel with access to Personal Data are bound by confidentiality obligations.
- Sub-processor management - written agreements with all Sub-processors; periodic review.
- Secure software development - code review, dependency vulnerability scanning, prompt patching.
Annex 3 - Sub-processors
The following Sub-processors are authorised at the effective date of this DPA:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Clerk, Inc. | Authentication and user management. | United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Convex, Inc. | Database and serverless backend functions. | United States | Standard Contractual Clauses |
| Vercel, Inc. | Application hosting and content delivery. | United States / European Union | EU-US Data Privacy Framework + Standard Contractual Clauses |
The current list is always available at bizcollect.dev/legal/subprocessors.
Questions about this policy? Email info@bizcollect.dev. Previous versions of every legal document are visible in our public Git history.