(Version from November 2025)
 

1. Scope of application


B3 digital AG, Ilgenstrasse 7, CH-9200 Gossau SG (the “Processor”) provides services for the contractual partner (the “Controller”, together the “Parties”) in accordance with the concluded contract and the General Terms and Conditions of Use for “buildagil” (the “Master Agreement”). Part of the provision of services involves the processing of personal data within the meaning of the applicable data protection laws. In order to fulfil the requirements, the parties conclude the following Agreement. This Agreement supplements the agreements set out in the Master Agreement and specifies them with regard to the requirements of the FADP and the GDPR.

 

This Agreement applies to all services covered by the Master Agreement during which the Processor, or any Sub-Processor engaged by the Processor under this Agreement, processes personal data relating to the Controller.

 

2. Object of the commissioned data processing
 

The following personal data/categories of personal data are or may be processed:

- Personal master data (e.g. name, e-mail address, address, telephone number, other information provided by the person)

- Communication data (e.g. name, e-mail address, telephone number, IP address, other information provided by the person)

- Personal data in project content

 

Categories of data subjects are:

- The Controller’s users

- Other users who are consulted by the Controller

 

3. Responsibility and authority to issue instructions


The Processor processes the personal data exclusively for the purpose of fulfilling the Master Agreement. The Processor does not process the personal data for any other purposes and, in particular, is not authorised to disclose it to third parties (with the exception of the Sub-Processors involved).
 

The Controller is responsible for compliance with the provisions of data protection law, in particular for the lawfulness of data transfer to the Processor and the lawfulness of commissioned data processing by the Processor.

 

The Processor may only process personal data in accordance with the instructions of the Controller. An instruction is a written order issued by the Controller directing the Processor to handle personal data in a certain way. The instructions of the Controller are set out in this Agreement and in the Master Agreement. The Controller has the right to issue written instructions to the Processor at any time, which supplement, amend or replace the existing instructions. The Processor shall comply with these instructions to the extent they are feasible to implement and objectively reasonable within the scope of the contractually agreed services. The Processor shall be bound by instructions only if the Processor is subject to a statutory processing obligation. This must be immediately communicated to the Controller and documented.

 

Instructions from the Controller must be addressed in writing to the Processor. The Controller shall inform the Processor in writing of the employees authorised to issue instructions. The other party must be notified of any change in the recipient of instructions (Processor) and the employee authorised to issue instructions (Controller).

 

The Processor must inform the Controller immediately if the Processor is of the opinion that an instruction violates data protection regulations. The Processor is authorised to suspend the execution of the corresponding instruction until it is confirmed or amended by the Controller.

 

4. Obligations of the Processor


The Processor shall process the personal data exclusively in accordance with the provisions of this Agreement and the Master Agreement. The fulfilment of legal, regulatory or official requirements and obligations remains reserved. The Controller shall inform the Processor immediately if the Controller discovers a breach of data protection provisions in the provision of services by the Processor.

 

The Processor shall ensure that the employees involved in the processing of the personal data are prohibited from processing the personal data for purposes other than those specified in the Master Agreement or in deviation from this Agreement. Furthermore, the Processor shall ensure that the employees involved in the processing of personal data are bound to confidentiality and have been instructed in the data protection regulations relevant to them. This also includes information about the obligation to follow instructions in this commissioned data processing relationship.

 

The Processor shall publish on its website the contact details of the person responsible for data protection, who also serves as the data protection advisor or data protection officer under the FADP or the GDPR.

 

The Processor shall inform the Controller immediately of any controls, actions or investigations by the supervisory authorities.

 

At the Controller’s request, the Processor shall provide all information necessary for the Controller to perform a data protection impact assessment, consult with the supervisory authority and make any required notification to that authority.

 

The Processor shall keep a record of processing activities (Art. 12 FADP and Art. 30(2) GDPR) and provide the Controller with the current version upon request. Upon the Controller’s request, the Processor shall supply information for inclusion in the Controller’s directory.

 

Further mandatory statutory obligations of the Processor shall remain unaffected by this Agreement.

 

5. Technical and organisational measures (TOM)


The Processor shall take the technical and organisational measures set out in Attachment 1 to protect the processed personal data and to ensure data security appropriate to the risk (Art. 8 FADP and Art. 32(1) GDPR). The security concept described there contains the technical and organisational measures appropriate to the identified risk, taking into account the protection objectives according to the state of the art and with special consideration of the IT systems and processing procedures used by the Processor.

 

Technical and organisational measures must adapt to technological progress. In this respect, the Processor may modify the agreed technical and organisational measures or put in place other equivalent measures at any time. The agreed level of protection should not be lowered. Significant changes must be documented. Additional measures may be implemented by agreement in a supplement.

 

6. Enquiries from data subjects


To the extent that a data subject directly contacts the Processor for the exercise of their rights (Chapter 4 of the Data Protection Act and Chapter III of the GDPR, e.g. right of access, erasure, rectification or data portability), the Processor shall forward this request to the Controller without delay or refer the data subject to the Controller, provided that an assignment to the Controller is possible according to the data subject’s information. The Processor may only provide information directly to the data subject and to third parties with the prior written consent of the Controller. However, the Processor shall support the Controller in an appropriate manner in responding to requests and enforcing the rights of data subjects.

 

7. Documentation and audits
 

Upon request, the Processor shall provide the Controller with all relevant information to document compliance with the obligations under the FADP/GDPR and this Agreement.

 

The Controller or an auditor appointed by the Controller may inspect compliance with the obligations under this Agreement, in particular compliance with the technical and organisational measures taken, at the Processor’s premises during normal business hours without disrupting operations. In the context of such an audit, the principle of proportionality must be observed and the interests of the Processor worthy of protection (in particular confidentiality interests) must be protected in an appropriate manner. The audit must be announced at least two (2) weeks in advance. If an audit is carried out without the required prior notice or otherwise in breach of the agreed lead time, the Processor’s obligation to acquiesce and cooperate shall cease unless the Controller can demonstrate good cause for failing to give notice or to comply with the lead time. The Controller shall bear all costs of such audits.

 

The Controller and its supervisory authorities reserve the right to carry out mandatory statutory audits.

 

If, following the submission of evidence or reports or as part of an audit, it is found that the Processor is not complying with certain obligations under this Agreement or that there are defects in implementation, the Processor is obliged to implement appropriate measures immediately and free of charge to remedy the identified nonconformities.

 

8. Notification of breaches


The Processor shall inform the Controller immediately if any personal data breaches become known to the Processor or one of its Sub-Processors and shall provide the Controller with all relevant information in text form (type and extent of the breach, possible remedial measures, etc.). In such a case, the parties shall take the necessary measures to ensure the protection of the personal data concerned and to minimise possible adverse consequences for the data subjects and the parties.

 

9. Location of the processing, disclosure abroad


Wherever reasonably practicable, the Processor will process personal data in Switzerland or within the EU/EEA. From the EU’s perspective, the European Commission has adopted an adequacy decision for Switzerland under Article 45(1) of the GDPR.

 

Disclosure of personal data by the Processor to recipients outside Switzerland or outside the EU/EEA is only permitted if the Processor complies with the provisions of Art. 16 et seq. FADP and Chapter V of the GDPR.

 

The Processor may permit employees entrusted with processing the Controller’s personal data to process such information on mobile devices. The Processor must ensure that the contractually agreed technical and organisational measures are also complied with during mobile work. In particular, the Processor must ensure that storage locations are configured to prevent any local storage of personal data on the IT systems used when such information is processed off-site. If that is not possible, the Processor shall ensure that local storage is encrypted and that no other persons can access the relevant information.

 

10. Deletion and return of data


All data media and data records provided shall remain the property of the Controller. No copies or duplicates shall be made without the Controller’s knowledge. Excluded from this are backup copies, insofar as these are necessary to ensure proper commissioned data processing, as well as data that is required to comply with the Processor’s statutory retention obligations.

 

Upon completion of the contractually agreed services, or earlier at the Controller’s request – and in any event no later than upon termination of the Master Agreement – the Processor shall either return to the Controller all documents, processing and utilisation results and databases related to the Master Agreement that are in the Processor’s possession, or, with the Controller’s prior consent, destroy them in a manner corresponding to the required level of protection.

 

The Processor may retain documentation demonstrating compliance with proper commissioned data processing, in accordance with the applicable retention periods, beyond the end of the Master Agreement. Alternatively, the Processor can hand over the documentation to the Controller at the end of the Master Agreement.

 

11. Sub-Processor


The Processor is authorised to engage Sub-Processors. The Sub-Processors engaged when this Agreement takes effect are listed in Attachment 2. The Processor shall notify the Controller in advance of any engagement of new Sub-Processors or any replacement of existing Sub-Processors after this Agreement comes into force. The Controller may object to the appointment of a new Sub-Processor or the replacement of an existing Sub-Processor for good cause under data protection law within a period of thirty (30) days (calculated from the date of receipt of the information). If an important reason under data protection law arises and the parties cannot resolve it amicably, the Controller has the right to extraordinary termination of the Master Agreement.

 

The Processor undertakes to structure its contractual agreements with the Sub-Processors so as to ensure compliance with this Agreement, in particular by requiring sufficient guarantees of adequate data security.

 

Upon written request, the Controller may obtain from the Sub-Processor information regarding: (a) the essential terms of their contractual agreement; (b) the Sub-Processor’s implementation of its data protection obligations; and (c) the safeguards it provides to ensure adequate data security.

 

For the purposes of this provision, “services provided by Sub-Processors” exclude ancillary third-party services the Processor engages to support its performance under the Master Agreement, such as telecommunications or maintenance of data-processing systems, where access to personal data cannot be ruled out. However, the Processor is obliged to take appropriate technical and/or organisational measures to ensure the security of the Controller’s personal data and to take control measures even for such ancillary services.

 

12. Term


The term of this Agreement is based on the term of the Master Agreement. Accordingly, this Agreement shall also terminate upon termination of the Master Agreement or upon cessation of the Processor’s services, unless any provision of this Agreement imposes obligations that extend beyond such termination or cessation.

 

13. Liability


The Processor’s liability to the Controller for culpable breaches of this Agreement is governed primarily by the Master Agreement and, subsidiarily, by the applicable statutory provisions.

 

14. Final provisions


No amendment or addition to this Agreement is effective unless made in writing and expressly identified as an amendment or addition to this Agreement. The same applies to the waiver of this formal requirement.

 

For the purposes of this Agreement, “written” means either a paper document with original signatures or a document signed using an advanced or qualified electronic signature.

 

If any provision or part of this Agreement is found to be void, ineffective or incomplete, the validity of the Agreement and the legal relationship it establishes shall remain unaffected in all other respects. If any provision is invalid and/or incomplete, the remaining provisions shall remain valid and enforceable. Any void, ineffective and/or incomplete provision shall be replaced by a legally valid substitute agreed by the parties that most closely approximates the intent of the original provision. In case of discrepancies between language versions, the German version shall prevail.

 

This Agreement supersedes all prior agreements, arrangements and declarations relating to commissioned data processing.

 

The applicable law and jurisdiction specified in the Master Agreement between the Processor and the Controller shall apply.


 

Attachment 1 – Technical and organisational measures (TOM)


This Attachment 1 to the Commissioned Data Processing Agreement in accordance with the FADP and GDPR describes the technical and organisational measures taken by the Processor to protect the personal data being processed and to ensure data security appropriate to the risk (Art. 8 FADP, Art. 3 GDPR and Art. 32(1) GDPR). The measures described below apply when the Processor itself processes personal data. With respect to the processing of personal data by Sub-Processors, the Processor shall ensure, through appropriate contractual agreements, that such Sub-Processors implement appropriate and suitable technical and organisational measures.

 

1. Pseudonymisation

 

Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable person.

 

2. Encryption

 

Encryption converts plaintext into ciphertext using additional information called a “key,” which is to remain indecipherable for those who do not know it.

- Use of cryptographic libraries and software components

- Data hashing

- Transport encryption (SSL/TLS) – “in transit” encryption

- Hard drive encryption

- Encryption of data in the data processing centres – “at rest” encryption

- Multi-level encryption of data in the software

- Use of a key management system

 

3. Ability to maintain confidentiality

 

Confidentiality means that personal data is protected against unauthorised disclosure.

- Physical access control

- Access to the rack for authorised persons only

- 24/7 monitoring by on-site security personnel

- Security fence designed to resist climb-over attempts and subterranean tunnelling

- Attendance/presence records

- Visitor passes with accompaniment of visitors by employees of the data processing centre operator

- Security provided by alarm systems

- Defined restricted access areas

- Access control via contactless chip card and PIN, or optionally with biometric features

- Doors are secured by electric door closers and badge readers

- Security doors and/or windows

- Electronic access control

- Access for authorised persons only

- Lock screen after a brief period of inactivity

- Authorisation concept according to the need-to-know principle

- Additional log-in for certain applications

- Encryption of communication and data

- Encryption of data media/hard drive encryption

- SSH access only with key-based authentication

- Transport encryption for web access

- Ongoing training and awareness efforts

- Employees: commitment to confidentiality

- Separation according to purpose

- Network segmentation

- Drafting contracts with service providers

 

4. Ability to ensure integrity

 

Ensuring integrity means ensuring that the data remains accurate and unaltered and that the systems function correctly. When the term integrity is applied to “data,” it means that the data is complete and unchanged. Measures should be taken to prevent damage/alteration of the protected data during processing or transmission.

- Trackability of entries on the portal

- Control of data transmission

- TLS encryption

- Logging

- Functional responsibilities/role concept

- Arrangements for deputisation during absences

- Authorisation concept

- Sensitive authorisation is divided among several people

- Principle of dual control

- E-mail encryption (if required)

- Encryption of mobile devices, separate work instructions for handling mobile data media

- Use of https connections

- Antivirus system kept up to date

- Firewall, WAF

- Network Access Control (NAC)

- Monitoring the network and system landscape for anomalies (e.g. with a SOC/SIEM)

- Logging and monitoring of relevant data entries and changes, relevant user activities and relevant administrative and service activities

 

5. Ability to ensure availability

 

The availability of services, features of an IT system, IT applications or IT networks, or even information, is present if users can always use them as intended.

- Redundant data processing centres

- UPS

- Monitoring and alerting

- Air conditioning systems

- Backup concept

- Separate backup storage/retention

- Appropriate backup procedures (daily, weekly, monthly)

- Restart plan

- Fire and extinguishing water protection in the server rooms

- Arrangements for deputisation during absences

- Overvoltage protection

- Uninterruptible power supply (UPS)

- Air conditioning

- Video surveillance

- Use of RAIDs

- Mirroring of hard drives

- Vulnerability management for the regular identification, assessment and elimination of vulnerabilities (e.g. using a vulnerability scanning tool)

- Annual penetration tests of critical systems and applications

- Standard procedure/patch management for regular updates of protection software (e.g. virus scanners), endpoint hardening, update and patch management

- Change management for the management and control of all changes

- Use of hardened base images for endpoints

- Security baselining of the endpoints

 

6. Ability to ensure resilience

 

Systems are resilient if they are so robust that they can function even during times of frequent access and/or heavy utilisation.

- ISO/IEC 27001-certified data processing centres

- ISO/IEC 9001-certified data processing centres

- Redundant software components (high availability)

- Scalability during operation

 

7. Intentional and lawful access to personal data

 

- Commitment of employees to rules of conduct and confidentiality

- Implementation of internal company data protection guidelines

- Training for all authorised employees

- Role concept

- Documentation of responsibilities

- Definition of recipients of instructions

- Personalised login

- Creation of a user master record for each user

- Documented assignment, management, regular review and revocation of authorisations

- Logging and monitoring of relevant access to IT systems

- Password policy for complex passwords

- Procedure for resetting forgotten passwords

- Separate access for different systems and applications

- Automatic client blocking (timeout)

- 2-factor authentication (where possible)

- Access only for persons when it is absolutely necessary for their work

- Erasure of data from an employee’s work equipment upon departure

 

8. Procedures for regular review, assessment and evaluation

 

- Measures to ensure data minimisation

- Measures to ensure data quality

- Measures to ensure limited data storage

- Measures to enable data portability and to ensure the erasure of data

- Order or contract control

- Regular auditing by the data protection officer

- Evaluation of audit reports

- Implementation of a continuous improvement process

- Alignment with information security standards (ISO 27001)


 

Attachment 2 – Sub-Processors
 

This Attachment 2 to the Commissioned Data Processing Agreement in accordance with the FADP and GDPR lists the Sub-Processors engaged by the Processor. The appointment of new Sub-Processors and the replacement of existing Sub-Processors shall be governed by the provisions of the aforementioned Agreement.

The table lists, for each Sub-Processor: task, processed personal data, location of data transfer, and guarantee.

Sub-Processor: Microsoft (Microsoft 365 / Microsoft Azure)
Microsoft Ireland Operations Ltd, Leopardstown, Dublin, D18 P521, Ireland
https://www.microsoft.com/privacy
- Task: Authentication, platform hosting, data hosting, commissioned data processing, e-mail notifications, support requests
- Processed personal data: Name, e-mail address, address, telephone number, IP address, other information provided by persons
- Data transfer: Switzerland
- Guarantee: Data Processing Agreement including EU standard contractual clauses

Sub-Processor: Kreativ Media
Kreativ Media GmbH, Höschgasse 45, 8008 Zürich, Switzerland
https://www.kreativmedia.ch/ueber/agb-datenschutz/datenschutzerklaerung
- Task: Domain hosting, platform hosting
- Processed personal data: IP address
- Data transfer: Switzerland
- Guarantee: Data Processing Agreement / Swiss adequacy decision

Sub-Processor: iWay
iWay AG, Badenerstrasse 569, 8048 Zurich, Switzerland
https://www.iway.ch/ueber-iway/datenschutzerklaerung
- Task: Data backup
- Processed personal data: Name, e-mail address, address, telephone number, IP address, other information provided by persons
- Data transfer: Switzerland
- Guarantee: Data Processing Agreement / Swiss adequacy decision

Sub-Processor: Plumsail
Plumsail, 2125 Biscayne Boulevard, Miami, FL 33137, USA
https://security.plumsail.com
- Task: Document conversion
- Processed personal data: Information provided by persons
- Data transfer: Switzerland / European Union
- Guarantee: Data Processing Agreement including EU standard contractual clauses

Sub-Processor: Google (Google Maps, Firebase)
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
https://policies.google.com/privacy
- Task: Push notifications, map and location data
- Processed personal data: Address, device token, app instance ID, IP address, other information provided by persons
- Data transfer: European Union
- Guarantee: Data Processing Agreement including EU standard contractual clauses

Sub-Processor: Crisp
Crisp, IM SARL, 149 Rue Pierre Semard, 29200 Brest, France
https://crisp.chat/privacy
- Task: Support requests
- Processed personal data: Name, e-mail address, telephone number, IP address, other information provided by persons
- Data transfer: European Union
- Guarantee: Data Processing Agreement including EU standard contractual clauses