
Data Processing Agreement

Last updated: February 20, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between VynCo (“Processor”) and the customer (“Controller”) and governs the processing of personal data by VynCo on behalf of the customer in accordance with the Swiss Federal Data Protection Act (nDSG) and the EU General Data Protection Regulation (GDPR). This DPA incorporates the Standard Contractual Clauses (SCCs) adopted by the European Commission Decision (EU) 2021/914 by reference.

1. Scope

  1. This DPA applies to the processing of personal data by VynCo on behalf of the Controller in connection with the provision of the VynCo platform and API services.
  2. The subject matter, duration, nature, and purpose of processing, as well as the types of personal data and categories of data subjects, are described in Annex I of the Standard Contractual Clauses incorporated herein.
  3. This DPA applies to the extent that VynCo processes personal data subject to the Swiss Federal Data Protection Act (nDSG) as the primary framework, the EU General Data Protection Regulation (GDPR) for EU residents, UK GDPR for UK residents, or other applicable data protection laws.

2. Definitions

  • “Personal Data” has the meaning given in Article 4(1) of the GDPR.
  • “Processing” has the meaning given in Article 4(2) of the GDPR.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • “Subprocessor” means any third party engaged by VynCo to process personal data on behalf of the Controller.

3. Processing Instructions

  1. VynCo shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or member state law.
  2. VynCo shall immediately inform the Controller if, in its opinion, an instruction infringes the Swiss Federal Data Protection Act (nDSG), GDPR, or other applicable data protection provisions.
  3. The scope of processing is limited to: account provisioning, API authentication, credit tracking, billing, transactional communications, and service monitoring.

4. Subprocessors

The Controller provides general authorization for VynCo to engage the following subprocessors. VynCo will notify the Controller of any intended changes to subprocessors at least 30 days in advance, providing the Controller an opportunity to object.

4.1 Current Subprocessors

| Subprocessor | Purpose | Location | Transfer Mechanism |
| Microsoft Azure | Cloud infrastructure, compute, storage, database hosting | US (East), EU (West Europe) | EU-US DPF, SCCs |
| Stripe, Inc. | Payment processing, subscription management, invoicing | US | EU-US DPF, SCCs |
| Twilio SendGrid | Transactional and notification email delivery | US | SCCs |

4.2 Subprocessor Obligations

  1. VynCo shall impose on each subprocessor, by way of a written contract, data protection obligations no less protective than those set out in this DPA.
  2. VynCo remains fully liable to the Controller for the performance of each subprocessor's obligations.
  3. If the Controller objects to a new subprocessor within 14 days of notification, VynCo shall use commercially reasonable efforts to make available an alternative or allow the Controller to terminate the affected services without penalty.

5. Security Measures

VynCo implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk:

5.1 Encryption

  • TLS 1.3 for all data in transit (API, dashboard, internal services)
  • AES-256 encryption at rest for all storage (Azure Storage Service Encryption)
  • Azure Key Vault for cryptographic key management with HSM backing
  • Argon2id hashing for passwords and API key secrets

5.2 Access Controls

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication required for all VynCo personnel access
  • Azure AD Privileged Identity Management for just-in-time administrative access
  • Network segmentation with Azure Virtual Network and Private Endpoints

5.3 Audit Logging

  • Comprehensive audit logs of all data access and administrative operations
  • Tamper-evident log storage with 12-month retention
  • Automated alerting on anomalous access patterns
  • Regular review of access logs by security personnel

5.4 Organizational Measures

  • Background checks for all personnel with access to personal data
  • Annual security awareness training and GDPR compliance training
  • Documented incident response plan with annual tabletop exercises
  • Regular penetration testing by qualified independent third parties

6. Data Breach Notification

  1. VynCo shall notify the Controller of a confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33(2) of the GDPR.
  2. The notification shall include, to the extent available:
    • A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records concerned
    • The name and contact details of VynCo's Data Protection Officer
    • A description of the likely consequences of the breach
    • A description of the measures taken or proposed to address the breach and mitigate its effects
  3. VynCo shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  4. VynCo shall document all Data Breaches, including the facts, effects, and remedial actions taken, and make such documentation available to the Controller upon request.
  5. Notification of a Data Breach shall be sent to the Controller's designated security contact via email and, where available, through the VynCo dashboard notification system.

7. Data Subject Rights

  1. VynCo shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15-22 of the GDPR (access, rectification, erasure, restriction, portability, and objection).
  2. If VynCo receives a request directly from a data subject, VynCo shall promptly redirect the request to the Controller, unless legally prohibited from doing so.
  3. VynCo shall provide the Controller with self-service tools through the dashboard for data export (JSON, CSV) and account deletion to facilitate data subject rights.
  4. VynCo shall respond to the Controller's assistance requests within 10 business days.

8. International Transfers

  1. VynCo shall not transfer personal data to a country outside the EEA unless appropriate safeguards are in place, as described in Section 4 (Subprocessors).
  2. The Standard Contractual Clauses (Module Two: Controller to Processor) adopted by European Commission Decision (EU) 2021/914 are incorporated by reference into this DPA and shall apply to transfers of personal data to countries not covered by an adequacy decision.
  3. For transfers to the United States, VynCo and its subprocessors rely on the EU-US Data Privacy Framework where certified, supplemented by SCCs.
  4. VynCo shall conduct and document transfer impact assessments for each subprocessor located outside the EEA.

9. Audit Rights

  1. VynCo shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller.
  2. Audit requests must be submitted in writing with at least 30 days' notice. Audits shall be conducted during business hours and shall not unreasonably interfere with VynCo's operations.
  3. VynCo shall provide the Controller with copies of relevant third-party audit reports (e.g., SOC 2 Type II) upon request, subject to confidentiality obligations.
  4. The Controller shall bear its own costs for audits, unless the audit reveals material non-compliance by VynCo, in which case VynCo shall bear the reasonable costs.

10. Data Deletion and Return

  1. Upon termination of the Service or upon the Controller's request, VynCo shall, at the Controller's choice, return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV) or delete all personal data.
  2. Deletion shall be completed within 30 days of the request or termination, and VynCo shall certify deletion in writing.
  3. VynCo may retain personal data to the extent required by applicable law (e.g., billing records for tax purposes), provided that such data is isolated and protected from further processing.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service, except that nothing in this DPA limits either party's liability for breaches of data protection law, including obligations related to data breach notification, subprocessor compliance, and data subject rights.

12. Term and Termination

  1. This DPA shall remain in effect for the duration of VynCo's processing of personal data on behalf of the Controller.
  2. The obligations of VynCo under this DPA shall survive termination to the extent necessary to complete the deletion or return of personal data and to comply with applicable law.

DPA Contact

To request a signed copy of this DPA or to raise questions, contact: dpa@vynco.ch