Data Processing Agreement (DPA)

Last updated: 26 February 2026

Definitions

  • Personal data: any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1) and Swiss data protection law.
  • Processing: any operation or set of operations performed on personal data.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
  • Subprocessor: any processor engaged by Numezis to carry out a specific processing activity on behalf of the Customer.
  • Documented instructions: written or manifestly implied instructions arising from the main agreement, the Terms, this DPA, Service configuration, and product documentation.

Subject matter and scope

Subject matter. This DPA governs processing by Numezis, as processor, of personal data the Customer, as controller, provides or makes available to Numezis through use of the Service.

Term. This DPA applies for the duration of the contractual relationship, plus the time required to return or delete personal data in accordance with the Return and deletion section.

Categories of data

Depending on use of the Service, processed personal data may include:

  • Identification & account data: first name, last name, business email address, role, internal identifier.
  • Authentication & security data: IP address, browser fingerprint, authentication tokens, MFA logs.
  • Business contact data: business phone number, billing address.
  • Imported/generated business data: data contained in invoices, accounting entries, employee records, contracts, etc.
  • Usage & telemetry metadata: timestamps, actions performed, application errors.

Exact categories depend on enabled modules and the Customer’s operational choices.

Data subjects

Data subjects may include, in particular:

  • Customer authorized users;
  • Customer employees, contractors, customers, suppliers, and partners; and
  • any other individuals whose data is processed by the Customer through the Service.

Nature and purposes of processing

Numezis processes personal data only for the following purposes and to the extent necessary:

  • provision, configuration, and maintenance of the Service;
  • authentication and access management;
  • billing and payment management (via Stripe);
  • technical support and incident resolution;
  • security, abuse detection, and fraud prevention;
  • backup, restore, and disaster recovery;
  • continuous improvement of the Service (with anonymization/aggregation where applicable); and
  • compliance with legal obligations.

Processor obligations

Numezis commits to:

  • process personal data only on documented Customer instructions;
  • ensure persons authorized to process personal data are bound by confidentiality obligations;
  • provide periodic privacy and cybersecurity training to relevant personnel; and
  • apply access limitations based on need-to-know (least privilege), with access controls, MFA where applicable, logging, and periodic reviews.

Subprocessors

List. Authorized subprocessors are listed in Annex 1.

Changes. Numezis may add or replace subprocessors subject to:

  • providing notice by email or via the notification center at least 30 calendar days in advance; and
  • allowing the Customer to object on legitimate grounds within 15 days of the notice.

Liability. Numezis remains responsible for the acts and omissions of its subprocessors within the limits set out in the main agreement.

Security measures

Numezis implements risk-appropriate technical and organizational measures, including:

  • encryption in transit (TLS) and, where applicable, at rest;
  • access management (least privilege), MFA where applicable;
  • logical separation of environments (prod / staging / dev);
  • logging, monitoring, and alerting;
  • backup and restore procedures;
  • vulnerability management and security patching; and
  • an incident response process.

International transfers

Primary location. Application services are operated primarily in Switzerland (notably on cloud infrastructure in the Zurich region).

Transfers. Where transfers outside Switzerland/EEA are necessary, Numezis implements appropriate safeguards under applicable law (such as the 2021 Standard Contractual Clauses) and, where required, a transfer impact assessment (TIA) and reasonable supplementary measures.

Personal data breaches

Timing. Numezis will notify the Customer without undue delay and, where applicable, no later than 48 hours after becoming aware of a personal data breach likely to affect data subject rights and freedoms.

Information. To the extent available: nature of the breach, categories and approximate volume of personal data, categories and approximate number of data subjects, likely consequences, and measures taken or proposed.

Cooperation. Numezis will cooperate with the Customer to enable compliance with notification obligations to authorities and data subjects.

Assistance and data subject rights

Numezis assists the Customer, to the extent reasonably possible and taking into account the nature of processing, in responding to data subject rights requests (access, rectification, erasure, restriction, objection, portability).

Return and deletion

Upon termination. Upon the Customer’s written instructions and within the technical limits of the Service, Numezis will:

  • return personal data in a commonly used structured format (for example JSON, CSV); and
  • permanently delete remaining copies.

Timing. Return or deletion will occur within 30 days following effective termination, except where legal retention is required or where retention is necessary for evidentiary purposes in the event of a dispute.

Audit and information

Audit right. Once per contractual year and with 30 days' prior notice, the Customer may conduct (or have conducted by an independent auditor) an audit of compliance with this DPA.

Conditions. Audits must be performed during business hours, without materially disrupting the Service, and with due regard for the confidentiality of other customers. Audit costs are borne by the Customer unless material non-compliance is identified.

Governing law and jurisdiction

Governing law. This DPA is governed by Swiss law.

Exclusive jurisdiction: ordinary courts at the registered office of Numezis SA (Lausanne).

Contact

For any request related to this DPA, privacy, or data protection compliance, contact privacy@numezis.com (or contact@numezis.com with subject “GDPR / FADP request”).