Ueli AI Chatbot
Beta-Phase Notice: This platform is in beta stage. The legal texts below are templates and do not replace legal counsel. Before commercial use, we recommend review by a Swiss data protection lawyer.

Data Processing Addendum (DPA)

For B2B customers · Swiss DPA (revDSG) Art. 9

When do you need a DPA?

If your organisation processes third-party personal data via the platform, Art. 9 revDSG (the Swiss DPA) requires a written DPA. Fines for non-compliance go up to CHF 250,000 under Swiss law. If you additionally process data of EU subjects, Art. 28 GDPR applies in parallel (fines up to EUR 20 million or 4 % of global annual turnover).

What the DPA covers (GDPR Art. 28(3))

  1. Subject matter and duration of processing
  2. Nature and purpose
  3. Categories of data subjects and data types
  4. Rights and obligations of controller and processor
  5. Technical and organisational measures (TOMs)
  6. Sub-processors
  7. Support for data-subject rights and breach notifications
  8. Return or deletion after end of processing

What the Provider commits to as Processor

  • Processing only on documented instructions of the controller
  • Confidentiality of all personnel and sub-contractors
  • TOMs per GDPR Art. 32: industry-standard encryption in-transit and at-rest, strict tenant isolation at database level, audit logging, access controls, regular encrypted backups, server hardening (detailed technical specification available on request under NDA)
  • Assistance with data-subject rights
  • Breach notification within 72 hours (GDPR Art. 33)
  • Deletion or return of all data at end of contract
  • Assistance with DPIAs (GDPR Art. 35)
  • Annual audit right with 14 days’ notice

Sub-processors

Provider | Location | Purpose | Data types
Hetzner Online GmbH | Gunzenhausen, DE (data center Falkenstein, DE) | Server, DB and AI-model hosting | All data (encrypted at rest)
Cloudflare Inc. | San Francisco, US | DNS, CDN, DDoS protection | IP addresses, request headers, routing metadata only

How to conclude a DPA

Email [email protected] with subject “DPA request” and your company details, contact person, data types, expected number of data subjects, and any sector-specific requirements (FINMA, HIPAA, ISO 27018, etc.). The Provider will send a DPA draft within 5 business days.

Template download

Currently in preparation. A template will be published before official launch. During beta, DPAs are drafted individually upon request.

FAQ

Do small municipalities also need a DPA?

Yes. The Swiss DPA (revDSG) does not exempt small organisations. As soon as third-party personal data is processed (resident records, tax files, HR), a DPA with each processor is required.

Can I use my own DPA template?

Yes. The Provider will review your template and respond with any necessary annexes (in particular for sub-processors and TOMs).

Does the DPA satisfy GDPR as well?

Yes. Art. 9 revDSG is largely aligned with Art. 28 GDPR. The same DPA satisfies both regimes. For Swiss customers, revDSG is the primary basis.