Data Processing Agreement (DPA)
Last updated: 7 March 2026
This Data Processing Agreement (DPA) supplements the applicable agreement between Numezis and the Customer for the provision of the Service. It applies whenever Numezis processes personal data on behalf of the Customer in connection with the Service.
In that context, the Customer acts as controller or business customer with decision-making authority over the relevant processing, and Numezis acts as processor or service provider only for the limited purpose of providing, securing, supporting, and maintaining the Service in accordance with documented instructions.
If there is a conflict between this DPA and another agreement between the parties on matters specifically relating to data protection or processor obligations, this DPA prevails to the extent of that conflict, unless a later written amendment expressly states otherwise.
1. Definitions
For purposes of this DPA:
- Applicable Data Protection Law means the data protection laws applicable to the processing under the customer relationship, including, where relevant, the Swiss Federal Act on Data Protection and the GDPR.
- Personal Data means any information relating to an identified or identifiable natural person.
- Controller means the entity that determines the purposes and means of processing Personal Data.
- Processor means the entity that processes Personal Data on behalf of the Controller.
- Subprocessor means a third party engaged by Numezis to perform specific processing activities on behalf of the Customer.
- Personal Data Breach means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope, subject matter, and duration
This DPA applies to all processor-side activities carried out by Numezis on behalf of the Customer in connection with the Service during the Subscription Term and any agreed transition, support, backup, or deletion period that follows.
The subject matter of the processing is the provision of the hosted Service and related support, security, maintenance, storage, transmission, troubleshooting, export, and account administration functions requested by the Customer. The duration of the processing corresponds to the period during which Numezis is instructed or otherwise required to process the relevant Personal Data under the customer relationship.
3. Categories of personal data
Depending on the configuration and use of the Service by the Customer, Numezis may process categories of Personal Data such as:
- identity and contact data of Authorized Users, employees, contractors, customers, suppliers, or other business contacts;
- account, authentication, access, and security metadata;
- business and transactional data contained in invoices, accounting records, purchasing records, contracts, payroll-related entries, document repositories, approval workflows, or other operational datasets uploaded by the Customer;
- support and troubleshooting data generated by the Customer's use of the Service; and
- logs, telemetry, and system-generated metadata associated with the operation, security, and support of the Service.
4. Categories of data subjects
Data subjects may include the Customer's Authorized Users, employees, contractors, directors, consultants, suppliers, customers, prospects, counterparties, and any other natural persons whose Personal Data is submitted to or generated within the Service by or on behalf of the Customer.
5. Nature and purpose of processing
Numezis processes Personal Data only as necessary to provide the Service and the related support, hosting, storage, transmission, export, backup, security, troubleshooting, monitoring, and account administration functions requested by the Customer. Processing may include collection, recording, organization, structuring, storage, consultation, use, disclosure by transmission, alignment, restriction, deletion, or destruction, depending on the Customer's configuration and instructions.
Documented instructions may arise from the Agreement, account settings, user permissions, API calls, support tickets, implementation workflows, written requests, or other documented uses of the Service initiated or authorized by the Customer.
6. Processor obligations
Numezis will:
- process Personal Data only on documented instructions from the Customer, unless otherwise required by law;
- ensure that persons authorized to process Personal Data are subject to confidentiality obligations and appropriate training;
- implement and maintain appropriate technical and organizational measures designed to protect Personal Data;
- assist the Customer, taking into account the nature of the processing and information available to Numezis, in responding to lawful data subject requests and in meeting compliance obligations under Applicable Data Protection Law; and
- promptly inform the Customer if, in Numezis' opinion, an instruction infringes Applicable Data Protection Law, unless prohibited by law from doing so.
7. Subprocessors
The Customer authorizes Numezis to engage Subprocessors for infrastructure, hosting, storage, communications, security, support tooling, analytics, and other legitimate service-delivery purposes, provided that Numezis imposes data protection obligations on such Subprocessors that are materially no less protective than those set out in this DPA.
Numezis remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Law and the underlying customer agreement. Where commercially appropriate, Numezis will make Subprocessor information available through contractual documentation, a trust center, or another reasonable disclosure mechanism.
If Numezis intends to add or replace a Subprocessor in a manner that materially affects processor-side risk, Numezis will use commercially reasonable efforts to provide advance notice and allow the Customer to raise a reasoned objection based on data protection concerns.
8. Security measures
Numezis maintains a security program appropriate to the nature of the Service and the risks presented by the processing. Measures may include access controls based on least privilege, role separation, encryption in transit, encryption at rest where appropriate, logging, monitoring, authentication controls, vulnerability management, patching, incident response procedures, secure development practices, and backup and recovery safeguards.
The Customer acknowledges that security is a shared responsibility. The Customer remains responsible for configuring user access, approval flows, retention settings, endpoint security, lawful data minimization, and any additional measures required by the Customer's own regulatory environment.
9. International transfers
Where Personal Data subject to this DPA is transferred outside Switzerland or outside the EEA/UK, Numezis will implement an appropriate transfer mechanism recognized by Applicable Data Protection Law, such as adequacy regulations, the EU Standard Contractual Clauses, the Swiss addendum, the UK addendum, or another approved safeguard.
Where relevant, Numezis may supplement such safeguards with technical, contractual, and organizational measures designed to address the risks associated with the transfer, taking into account the nature of the data, the destination, and the processing context.
10. Personal data breaches
Numezis will notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed under this DPA. Where operationally feasible, Numezis targets initial notice within 48 hours of such awareness for material incidents, recognizing that complex incidents may require staged communications.
The notice will include, to the extent known and reasonably available at the time, the nature of the breach, the categories of affected data, the likely consequences, the remediation steps taken or proposed, and any information reasonably necessary for the Customer to meet its own notification obligations under Applicable Data Protection Law.
11. Assistance with rights and compliance
Taking into account the nature of the processing and the information available to Numezis, Numezis will provide reasonable assistance to the Customer in responding to lawful data subject requests and in supporting the Customer's compliance with obligations relating to security, breach management, impact assessments, and consultations with competent supervisory authorities, where the Service is relevant to those obligations.
If a request requires disproportionate effort, custom engineering, significant legal review, or services beyond the standard capabilities of the Service, Numezis may charge reasonable fees, provided such fees are disclosed in advance where commercially practicable.
12. Return and deletion
Upon termination or expiry of the relevant Service, and subject to the underlying agreement, Numezis will delete or return Personal Data processed under this DPA after the end of any agreed export or transition period, unless continued retention is required by law, necessary to preserve security logs, or required for legitimate evidentiary or dispute-management purposes.
Where return is requested, Numezis may satisfy that obligation by making Customer Data available through the standard export capabilities of the Service or through another commercially reasonable export method. Unless otherwise agreed, processor-side deletion is typically completed within 30 days after the end of the applicable transition window.
13. Audit rights and information
Upon reasonable written request, Numezis will make available information reasonably necessary to demonstrate compliance with this DPA. Numezis may satisfy this obligation through security documentation, compliance questionnaires, policies, summaries of audit reports, or other standard assurance materials.
If such information is not sufficient under Applicable Data Protection Law, the Customer may request an audit no more than once per year, during normal business hours, with reasonable prior notice, and subject to confidentiality, security, and business continuity safeguards. Audits must be proportionate, may not expose other customers' information, and may be conducted through an independent third-party auditor bound by confidentiality obligations.
Unless an audit reveals a material breach by Numezis, the Customer bears its own audit costs and reimburses reasonable internal costs incurred by Numezis in facilitating the audit.
14. Governing law and conflicts
This DPA is governed by the law and dispute resolution provisions stated in the underlying customer agreement, except to the extent Applicable Data Protection Law imposes mandatory rules that prevail. If any provision of this DPA is held invalid or unenforceable, the remainder remains effective to the maximum extent permitted by law.
15. Contact
Questions relating to this DPA, Subprocessors, transfers, data subject requests, or processor-side compliance may be addressed to privacy@numezis.com. Commercial or contractual questions may also be sent to hello@numezis.com, and Numezis will route them to the appropriate compliance or legal contact.