Data Processing Agreement (DPA)

1. Subject Matter and Duration

1.1 This Data Processing Agreement ("DPA") governs the processing of personal data by the Processor on behalf of the Controller in the context of the use of the getProspects SaaS platform, as further described in the Terms of Service.

1.2 The DPA is concluded for the duration of the contractual relationship between the Controller and the Processor and terminates automatically upon termination of the main contract.

1.3 The Processor processes personal data solely on documented instructions from the Controller, unless required to do so by applicable Swiss or EU law. In such case, the Processor will inform the Controller of that legal requirement before processing, unless such notification is prohibited.

2. Nature and Purpose of Processing

The Processor processes the following categories of personal data on behalf of the Controller:

• Contact data of leads and business contacts (name, e-mail address, company, job title, phone number)
• Communication data (sent e-mails, open rates, click behaviour, reply status)
• Company data (industry, company size, website URL, LinkedIn profile)
• Interaction data (video views, link clicks, replies, sales page visits)
• User-provided content (text templates, prompts, uploaded files)

Purpose of processing: provision of the getProspects SaaS platform for lead research, e-mail and outreach automation, AI-assisted personalisation, video generation, and campaign tracking.

The categories of data subjects are: leads, business contacts, and customers of the Controller.

3. Obligations of the Processor

The Processor undertakes to:

• process personal data only on documented instructions from the Controller (Art. 28(3)(a) EU GDPR; Art. 9(2) Swiss FADP)
• ensure that persons authorised to process the personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
• implement appropriate technical and organisational measures (TOMs) in accordance with Art. 32 EU GDPR and Art. 8 Swiss FADP, as set out in Annex 1 to this DPA
• not engage another processor (sub-processor) without prior specific or general written authorisation from the Controller; where general authorisation is granted, the Processor must inform the Controller of intended changes and give the Controller the opportunity to object
• assist the Controller in ensuring compliance with its obligations relating to data subject rights, security, breach notification, data protection impact assessments, and consultation with supervisory authorities
• at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, unless applicable law requires storage of the data
• make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller

4. Technical and Organisational Measures (TOMs)

The Processor maintains the following measures to protect personal data:

• Encryption: All data in transit is encrypted using TLS 1.2 or higher (HTTPS). Data at rest is encrypted using AES-256 or equivalent.
• Access control: Role-based access rights, principle of least privilege, multi-factor authentication for administrative access.
• Availability: Regular automated backups, redundant infrastructure, disaster recovery procedures.
• Integrity: Logging of system access and modifications; integrity checks for critical data operations.
• Pseudonymisation: Personal data is pseudonymised where technically feasible and appropriate.
• Physical security: Data is hosted on servers in Germany (Hetzner Online GmbH), which are physically secured in accordance with ISO 27001 standards.
• Incident management: Defined procedures for detecting, reporting, and managing data breaches.
• Vendor management: Sub-processors are contractually bound to maintain equivalent data protection standards.

5. Sub-Processors

The Controller grants general authorisation for the engagement of the following sub-processors. The Processor will inform the Controller of any intended changes (addition or replacement) in advance, giving the Controller the opportunity to object.

Sub-processor	Purpose	Registered office	Transfer basis
Hetzner Online GmbH	Server hosting	Germany (EEA)	Within EEA
OpenAI LLC	AI text generation and transcription	USA	Standard contractual clauses (Art. 46(2)(c) EU GDPR; Art. 16 Swiss FADP)
Microsoft Azure (Microsoft Corporation)	Cloud infrastructure and services	USA	Standard contractual clauses; EU–US Data Privacy Framework
Stripe Inc.	Payment processing	USA	Standard contractual clauses; PCI-DSS compliant
Nylas Inc.	E-mail API and calendar integration	USA	Standard contractual clauses
DropContact SAS	Lead data enrichment	France (EEA)	Within EEA

6. International Data Transfers

6.1 Where personal data is transferred to countries outside Switzerland or the EEA that do not offer an adequate level of data protection, such transfers are carried out on the basis of the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) EU GDPR and the corresponding Swiss SCCs approved by the FDPIC under Art. 16 Swiss FADP, or on the basis of an adequacy decision by the European Commission or the Swiss Federal Council.

6.2 The Processor maintains an up-to-date record of international data transfers and will provide the Controller with relevant transfer documentation upon request.

7. Data Breach Notification

7.1 The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting the Controller's data.

7.2 The notification will include at minimum: a description of the nature of the breach; the categories and approximate number of data subjects and records concerned; the name and contact details of the data protection contact point; a description of likely consequences; and a description of the measures taken or proposed to address the breach.

7.3 The Controller remains responsible for notifying the competent supervisory authority (FDPIC and/or relevant EU data protection authority) and affected data subjects where required by law.

8. Data Subject Rights

8.1 The Processor will assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under the Swiss FADP and EU GDPR (access, rectification, erasure, restriction, data portability, objection).

8.2 Where a data subject contacts the Processor directly, the Processor will forward the request to the Controller without undue delay.

9. Termination and Return / Deletion of Data

9.1 Upon termination of this DPA (and the underlying main contract), the Processor will, at the Controller's choice, return all personal data to the Controller in a standard machine-readable format or securely delete it within 30 days, unless applicable law requires continued storage.

9.2 The Processor will provide the Controller with written confirmation of deletion upon request.

9.3 Backup copies will be overwritten within the regular backup cycles.

10. Audit Rights

10.1 The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA, including the TOMs described in Section 4.

10.2 The Processor will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor designated by the Controller, provided the Controller gives reasonable advance notice (at least 14 calendar days), the audit does not unreasonably interfere with the Processor's business operations, and the auditor is bound by an appropriate confidentiality obligation. Audit costs are borne by the Controller unless the audit reveals a material breach by the Processor.

11. Governing Law and Jurisdiction

11.1 This DPA is governed by Swiss substantive law, in particular the Swiss Federal Act on Data Protection (FADP / nDSG; SR 235.1) and the Swiss Code of Obligations (OR; SR 220).

11.2 To the extent the Controller is established in the EU/EEA and processes personal data of EU/EEA residents, the provisions of the EU GDPR apply in parallel.

11.3 The exclusive place of jurisdiction for disputes arising from this DPA is Chur, Canton Graubünden, Switzerland.

12. Contact

Last updated: October 2025 — © 2025 Shift AI AG – getProspects.io