Data Processing Agreement

Last updated: May 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VynCo ("Processor") and the customer ("Controller") and governs the processing of personal data by VynCo on behalf of the customer in accordance with the Swiss Federal Data Protection Act (nDSG) and the EU General Data Protection Regulation (GDPR). This DPA incorporates the Standard Contractual Clauses (SCCs) adopted by the European Commission Decision (EU) 2021/914 by reference.

1. Scope and Applicability

This DPA applies to the processing of personal data by VynCo on behalf of the Controller in connection with the provision of the VynCo platform and API services. The subject matter, duration, nature, and purpose of processing are described in Annex I of the Standard Contractual Clauses incorporated herein. This DPA applies to the extent that VynCo processes personal data subject to the Swiss Federal Data Protection Act (nDSG), the EU GDPR, UK GDPR, or other applicable data protection laws.

2. Definitions

"Personal Data" has the meaning given in Article 4(1) of the GDPR. "Processing" has the meaning given in Article 4(2) of the GDPR. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. "Subprocessor" means any third party engaged by VynCo to process personal data on behalf of the Controller.

3. Processing Instructions

VynCo shall process personal data only on documented instructions from the Controller. VynCo shall immediately inform the Controller if an instruction infringes applicable data protection law. The scope of processing is limited to account provisioning, API authentication, per-group rate-limit and quota tracking, billing, transactional communications, and service monitoring. VynCo aggregates publicly available corporate data from the following Swiss government and open data sources: Zefix (Swiss Commercial Register), SHAB / SOGC (Swiss Official Gazette of Commerce), SECO sanctions lists, OpenSanctions, Wikidata, and FAOA (Swiss Federal Audit Oversight Authority — audit firm registry). Personal data appearing in these public sources (e.g., board-member names, sanctions PEP entries, auditor names) is processed solely for the purpose of providing corporate intelligence services to the Controller.

4. Subprocessors

The Controller provides general authorization for VynCo to engage the following subprocessors. VynCo will notify the Controller of any intended changes at least 30 days in advance.

4.1 Current Subprocessors

Subprocessor | Purpose | Location | Transfer Mechanism
Microsoft Azure | Cloud infrastructure (AKS), compute, storage, database hosting | Switzerland West (Zurich) | N/A (in-CH)
Stripe, Inc. | Payment processing, subscription management, invoicing | United States, Europe | EU-US DPF, SCCs
Hostpoint AG | Transactional and notification email delivery (SMTP) | Switzerland | N/A (in-CH)

4.2 Subprocessor Obligations

VynCo shall impose on each subprocessor data protection obligations no less protective than those set out in this DPA. VynCo remains fully liable for the performance of each subprocessor's obligations. If the Controller objects to a new subprocessor within 14 days of notification, VynCo shall use commercially reasonable efforts to provide an alternative.

5. Security Measures

VynCo implements and maintains the following technical and organizational measures:

5.1 Encryption

TLS 1.3 for all data in transit; AES-256 encryption at rest; Azure Key Vault for cryptographic key management with HSM backing; Argon2id hashing for API key secrets; magic-link authentication with HMAC-signed single-use tokens (no passwords stored).

5.2 Access Controls

Role-based access control (RBAC) with principle of least privilege; Multi-factor authentication required for all VynCo personnel access; Azure AD Privileged Identity Management for just-in-time administrative access.

5.3 Audit Logging

Comprehensive audit logs of all data access and administrative operations; Tamper-evident log storage with 12-month retention; Automated alerting on anomalous access patterns.

5.4 Organizational Measures

Background checks for all personnel with access to personal data; Annual security awareness training; Documented incident response plan; Regular penetration testing by qualified independent third parties.

6. Data Breach Notification

VynCo shall notify the Controller of a confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33(2) of the GDPR. VynCo shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation and remediation of the breach.

7. Data Subject Rights

VynCo shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15-22 of the GDPR. VynCo shall provide the Controller with self-service tools through the dashboard for data export (JSON, CSV) and account deletion to facilitate data subject rights.

8. International Transfers

VynCo shall not transfer personal data to a country outside the EEA unless appropriate safeguards are in place. The Standard Contractual Clauses (Module Two: Controller to Processor) adopted by European Commission Decision (EU) 2021/914 are incorporated by reference into this DPA.

9. Audit Rights

VynCo shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections. Audit requests must be submitted in writing with at least 30 days' notice.

10. Data Deletion and Return

Upon termination of the Service or upon the Controller's request, VynCo shall return all personal data in a structured, commonly used, machine-readable format (JSON or CSV) or delete all personal data within 30 days, and certify deletion in writing.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that nothing in this DPA limits either party's liability for breaches of data protection law.

12. Term and Termination

This DPA shall remain in effect for the duration of VynCo's processing of personal data on behalf of the Controller. The obligations of VynCo under this DPA shall survive termination to the extent necessary to complete the deletion or return of personal data.

DPA Contact

To request a signed copy of this DPA or to raise questions, contact: dpa@vynco.ch