Data Processing Agreement (DPA)

Effective Date: 06 August 2025


1. Introduction


This Data Processing Agreement ("Agreement") forms part of the Terms of Service ("Principal Agreement") between Delos Analytica AG ("Delos Analytica," "Processor," "we," "us," or "our") and users ("Client," "Controller," "you," or "your") of our AI-supported SaaS solution ("Service").


By using our Service, you agree to the terms of this Agreement regarding the Processing of Personal Data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.


2. Definitions


  • 2.1. "Personal Data" means any information relating to an identified or identifiable natural person as defined under the GDPR.
  • 2.2. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
  • 2.3. "Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
  • 2.4. "Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller.
  • 2.5. "Sub-Processor" means any third party appointed by or on behalf of the Processor to Process Personal Data.
  • 2.6. "Applicable Data Protection Laws" means all data protection laws and regulations applicable to the Processing of Personal Data under this Agreement, including the GDPR.


3. Roles and Responsibilities

3.1. Controller and Processor


  • You are the Controller of Personal Data you provide in connection with your use of the Service.
  • Delos Analytica AG acts as the Processor of such Personal Data.


4. Subject Matter and Details of Processing

4.1. Purpose of Processing


The Processor will Process Personal Data as necessary to provide the Service pursuant to the Principal Agreement.


4.2. Duration of Processing


The Processing shall continue for the duration specified in the Principal Agreement or until the termination of your account.


4.3. Nature of Processing


Collection, storage, analysis, and use of Personal Data to provide and improve the Service.


4.4. Types of Personal Data


  • Email address
  • Company association
  • First name and last name
  • Phone number
  • Physical address
  • User-generated data entered for analysis purposes


4.5. Categories of Data Subjects


Employees or representatives of the Controller authorized to use the Service.


5. Obligations of the Processor

5.1. Processing on Documented Instructions


The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to international data transfers, unless required by law.


5.2. Confidentiality


The Processor ensures that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


5.3. Security Measures


The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, but are not limited to:


  • Access Control: Personal Data is accessible only by authorized personnel with role-based permissions and secure authentication procedures.
  • Encryption: All Personal Data is encrypted in transit using SSL/TLS protocols and, where applicable, encrypted at rest using industry-standard algorithms.
  • Physical Security: The Processor utilizes data centers with restricted access, surveillance systems, and environmental safeguards to prevent unauthorized physical access.
  • Network Security: Network infrastructure is protected with firewalls, intrusion detection systems, and secure monitoring to prevent and detect unauthorized access.
  • Employee Training: All staff involved in data processing are trained regularly on data protection requirements, data protection policies, and how to respond to security incidents.


These measures are reviewed and updated regularly in accordance with best practices and risk assessments to ensure continued compliance.


5.4. Assistance to Controller


The Processor shall assist the Controller in fulfilling its obligations under the Swiss Federal Act on Data Protection (revDSG), including but not limited to:


  • Responding to data subjects' requests concerning access, rectification, deletion, or objection,
  • Supporting the Controller in ensuring appropriate data security measures,
  • Notifying the Controller of personal data breaches, and
  • Cooperating in the performance of data protection impact assessments, where necessary.


Such assistance shall be provided within a maximum of 72 hours, in a timely and appropriate manner, proportionate to the nature of the processing and the sensitivity of the Personal Data involved.


5.5. Data Breach Notification


The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach.


The notification shall include all relevant information reasonably available to the Processor at the time, enabling the Controller to assess the impact and fulfill any potential reporting obligations to the Federal Data Protection and Information Commissioner (FDPIC) and affected Data Subjects.


5.6. Data Return and Deletion


Upon termination of the Principal Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data, unless law requires storage.


6. Obligations of the Controller

6.1. Compliance with Laws


The Controller shall comply with all obligations under Applicable Data Protection Laws, including providing necessary notices and obtaining required consents.


6.2. Instructions


The Controller shall ensure that its instructions for the Processing of Personal Data comply with Applicable Data Protection Laws.


7. Sub-Processing

7.1. Authorized Sub-Processors


The Controller authorizes the Processor to engage Sub-Processors to Process Personal Data.


7.2. List of Sub-Processors


We use the following Sub-Processors:


  • AWS
  • Google Cloud
  • Vercel
  • Firecrawl
  • Trigger.dev
  • Twilio
  • Sentry
  • Github
  • OpenAI
  • Mixpanel
  • Hotjar
  • Google Workspace
  • Figma
  • Slack
  • Google Analytics
  • Google Ads
  • Meta Ads
  • Resend
  • Gitbook
  • Lovable
  • Supabase
  • Superhuman
  • Neon Tech
  • Hubspot
  • Typeform


7.3. Sub-Processor Obligations


The Processor ensures that each Sub‑Processor is bound by contractual obligations and demonstrates compliance with data protection laws that are compatible with those of the Processor under this Agreement. This may be evidenced by one or more of the following:


  • Incorporation of EU Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms, where applicable under revDSG and/or GDPR;
  • Implementation of technical and organizational measures aligned with Article 8 revDSG;
  • Possession of independent security certifications, such as SOC 2 Type II or ISO 27001;
  • Availability of third-party compliance reports (e.g., SOC 2, ISO assessments) or equivalent internal documentation;
  • Maintenance of a publicly accessible Data Processing Agreement and clear documentation of GDPR or revDSG compliance commitments.


7.4. Changes to Sub-Processors


The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least 30 days in advance, thereby giving the Controller the opportunity to reasonably object to such changes before the Sub-Processor is engaged.


8. Security Measures


The Processor implements the following technical and organizational measures:


8.1. Access Control


Access to Personal Data is restricted to authorized personnel who require it for their duties.


8.2. Encryption


Personal Data is encrypted in transit using SSL/TLS and at rest where applicable.


8.3. Physical Security


Data centers are secured with controlled access and surveillance systems.


8.4. Network Security


Firewalls and intrusion detection systems protect against unauthorized access.


8.5. Regular Audits


Security systems and processes are regularly tested and evaluated.


8.6. Employee Training


Staff receive training on data protection and privacy obligations.


9. International Data Transfers

9.1. Data Transfer Locations


Personal Data may be transferred and stored outside the country where it was originally collected, including to the USA and Uruguay.


9.2. Adequate Safeguards


The Processor ensures that appropriate safeguards are in place for international transfers of Personal Data, including the use of Standard Contractual Clauses (SCCs) or other lawful mechanisms as required under Swiss data protection law (revDSG) and, where applicable, the EU GDPR.


These safeguards are detailed and implemented in accordance with the requirements described in Section 7.3 (Sub‑Processor Obligations), including the use of SCCs, adherence to certification frameworks (e.g. Swiss‑US or EU‑US Data Privacy Frameworks), and independent security attestations such as SOC 2 or ISO 27001.


10. Data Subject Rights

10.1. Assistance


The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.


10.2. Notification


If a Data Subject contacts the Processor directly, the Processor shall promptly inform the Controller without undue delay. The Processor shall not respond to or continue communication with the Data Subject, unless explicitly instructed to do so by the Controller. All further handling of the request shall be directed by the Controller in accordance with applicable data protection laws.


11. Data Breach Notification

11.1. Obligation to Notify


The Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach. The notification shall include all relevant information reasonably available to the Processor at the time to support the Controller in assessing the breach and fulfilling any legal obligations under applicable data protection laws, including the Swiss Federal Act on Data Protection (revDSG).


11.2. Content of Notification


The notification shall include sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach.


12. Audit Rights

12.1. Availability of Information


The Processor shall make available all information necessary to demonstrate compliance with this Agreement.


12.2. Audit Requests


The Controller may request audits or inspections, which the Processor shall accommodate, no more than once per calendar year, unless required by a competent supervisory authority or in the event of a confirmed or suspected Personal Data Breach. All audits shall be subject to reasonable prior notice and conducted under appropriate confidentiality obligations. The scope and method of the audit shall be mutually agreed upon in advance.


13. Liability and Indemnity

13.1. Liability


The liability of each party under this Agreement shall be subject to the exclusions and limitations of liability set out in the Principal Agreement.


13.2. Indemnity


Each party agrees to indemnify and hold harmless the other party against any losses arising from its breach of this Agreement.


14. Duration and Termination

14.1. Duration


This Agreement is effective from the Effective Date and shall continue until the termination of the Principal Agreement.


14.2. Termination


Upon termination, the Processor shall, at the Controller's choice, delete or return all Personal Data, unless continued storage is required by law.


15. Governing Law and Jurisdiction

15.1. Governing Law


This Agreement shall be governed by the laws of Switzerland.


15.2. Jurisdiction


Any disputes arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Zug, Switzerland.


16. Changes to this Agreement

16.1. Modification


We may update this Agreement from time to time. We will notify you of any significant changes by posting the new Agreement on our website and updating the Effective Date.


16.2. Acceptance of Changes


Your continued use of the Service after any changes to this Agreement constitutes your acceptance of the revised terms.


17. Contact Information


For questions or concerns about this Agreement, please contact:


Delos Analytica AG, Sennweidstrasse 43, 6312 Steinhausen, Switzerland
Email: silvan.kraehenbuehl@delosanalytica.com


18. Miscellaneous

18.1. Severability


If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.


18.2. Entire Agreement


This Agreement, together with the Principal Agreement and any other policies incorporated by reference, constitutes the entire agreement between the parties regarding the Processing of Personal Data.


By using our Service, you acknowledge that you have read and understood this Data Processing Agreement and agree to be bound by its terms.


GDPR Compliance Statement


Effective Date: 06 August 2025


Delos Analytica AG is committed to complying with the General Data Protection Regulation (GDPR). This statement outlines our commitment and measures to ensure GDPR compliance.


1. Compliance Measures


1.1. Data Protection Principles


We adhere to the following data protection principles:


  • Lawfulness, Fairness, and Transparency: Processing is performed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Personal Data is collected for specified, explicit, and legitimate purposes.
  • Data Minimization: Only data necessary for the purposes is collected and processed.
  • Accuracy: Personal Data is kept accurate and up to date.
  • Storage Limitation: Data is retained only for as long as necessary.
  • Integrity and Confidentiality: Appropriate security measures are in place to protect Personal Data.


1.2. Consent Management


We obtain and record user consent where required, particularly for marketing communications and the use of cookies.


1.3. Data Subject Rights


We facilitate the exercise of Data Subjects' rights, including:


  • Access: Right to obtain confirmation and access to their Personal Data.
  • Rectification: Right to have inaccurate Personal Data corrected.
  • Erasure: Right to have Personal Data erased ("right to be forgotten").
  • Restriction: Right to restrict Processing under certain conditions.
  • Data Portability: Right to receive Personal Data in a structured, commonly used format.
  • Objection: Right to object to Processing based on legitimate interests.


1.4. Data Breach Notifications


We promptly inform authorities and affected users in the event of a Personal Data Breach as required by GDPR.


1.5. Record Keeping


We maintain records of Processing activities as required by GDPR Article 30.


2. Data Protection Officer



3. User Rights


3.1. Access, Rectification, Deletion


Users can manage their Personal Data through their account settings or by contacting us at silvan.kraehenbuehl@delosanalytica.com.


3.2. Objection and Restriction


Users can request limitations on the Processing of their Personal Data by contacting us.



4.1. Contractual Necessity


Processing is necessary for the performance of the Service contract between Delos Analytica AG and the user.


4.2. Legitimate Interests


Processing is necessary for the purposes of our legitimate interests in improving the Service and ensuring security, provided these interests are not overridden by the Data Subject's rights and interests.


CCPA Compliance Statement


Effective Date: 06 August 2025


While we currently do not conduct business with California residents, we include this statement to ensure future compliance with the California Consumer Privacy Act (CCPA).


1. Applicability


This policy applies to Personal Information collected from California residents.


2. User Rights


California residents have the following rights:


2.1. Right to Know


Request disclosure of the categories and specific pieces of Personal Information we have collected.


2.2. Right to Delete


Request deletion of Personal Information we have collected.


2.3. Right to Opt-Out


Right to opt-out of the sale of Personal Information (Note: We do not sell Personal Information).


2.4. Non-Discrimination


You will not receive discriminatory treatment for exercising your CCPA rights.


3. Do Not Sell Policy


We do not sell Personal Information. Users are automatically opted out of any sale of Personal Data.


4. Verification Process


  • Identity Verification: Identity verification is conducted via email confirmation and may include two-factor authentication in the future.
  • Submitting Requests: Requests can be made by contacting us at silvan.kraehenbuehl@delosanalytica.com.


Updated on: 09/02/2026
