Last Updated: 27.11.2025
1.1 CVFY AG ("CVFY" or "Provider") supplies customers ("Customer" or collectively "Parties") with software designed for the governance and provisioning of Microsoft 365 tools ("Product"). This Product is delivered in accordance with the General Terms and Conditions ("Main Agreement"), which the Customer accepts upon ordering.
1.2 Using the Product involves CVFY processing personal data on the Customer's behalf. This Data Processing Agreement ("DPA" or "Agreement") defines the rights and obligations of both Parties regarding data protection laws in relation to the Product's use under the Main Agreement.
1.3 This Agreement is an essential component of the Main Agreement. It supports both Parties in adhering to personal data processing regulations, including applicable laws in the US, Mexico, Canada, Switzerland, and the EU. This includes, but is not limited to, the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Swiss Federal Data Protection Act (FADP), and the EU General Data Protection Regulation (GDPR), along with any other current or future data protection laws ("Data Protection Laws").
2.1 This DPA and its Annexes apply to all activities connected to the Main Agreement where CVFY processes personal data for the Customer.
2.2 Annex 1 details the categories of personal data, processing purposes, and data subjects involved.
3.1 Terms used in this Agreement have the meanings assigned by Data Protection Laws unless defined otherwise here. If terms (e.g., "sensitive personal data" vs. "special categories of personal data") vary across applicable laws, this DPA adopts the broader interpretation to encompass all meanings. In case of conflict between specific legal provisions, the law governing the Agreement prevails.
3.2 Specific definitions for this Agreement:
4.1 Under this DPA, the Customer retains the role of "Controller" as defined by Data Protection Law.
4.2 The Customer acknowledges CVFY as a "Service Provider" under Data Protection Laws. CVFY will not collect, use, retain, disclose, sell, or share personal data for any purpose other than those specified in this Agreement or as explicitly instructed by the Customer in writing.
4.3 The Customer warrants that the transfer of personal data to CVFY and its Subcontractors, and their processing of it, is lawful and not prohibited by other statutory or contractual obligations. The Customer is solely responsible for complying with data protection obligations, especially regarding data subject rights.
4.4 The Customer confirms that the technical and organizational measures (TOMs) implemented by CVFY (Annex 2) are adequate for protecting the personal data processed and comply with Data Protection Laws.
4.5 The Customer must immediately notify CVFY of any data protection violations or irregularities discovered during the Agreement term.
4.6 Upon request, the Customer will provide CVFY with information needed to maintain a record of processing activities, if CVFY does not already have access to it.
4.7 If CVFY must provide information to authorities regarding data processing under this DPA, the Customer agrees to assist CVFY promptly.
5.1 CVFY processes personal data solely on the Customer's behalf and according to documented instructions and this Agreement, unless legally required to do otherwise. In such cases, CVFY will inform the Customer of the legal requirement beforehand, unless prohibited by law on public interest grounds.
5.2 The Customer's instructions are primarily defined in this DPA. Any deviation or additional instruction requires CVFY's written consent. Such instructions must be documented, and any resulting costs will be borne by the Customer. CVFY may implement such instructions via other procedures in the Main Agreement.
5.3 Instructions must be clear, lawful, and consistent with this DPA. If CVFY believes an instruction violates the law or this Agreement, it may suspend execution after notifying the Customer until the instruction is confirmed.
5.4 CVFY may anonymize or aggregate personal data so that individuals are no longer identifiable. This data may be used to improve the Product and services. The Parties agree that such anonymized/aggregated data is not personal data under this Agreement. Its use is strictly for enhancing security and quality in compliance with regulations.
5.5 Data processing generally occurs within the EEA or Switzerland. CVFY may process data elsewhere if the Customer is informed in advance and cross-border transfer requirements are met.
6.1 CVFY implements appropriate technical and organizational measures (TOMs) as required by FADP, GDPR, and other laws, detailed in Annex 2. CVFY may modify these measures provided the protection level is not reduced.
6.2 CVFY ensures that all personnel processing personal data are bound by confidentiality obligations.
7.1 CVFY will assist the Customer, where reasonable, in fulfilling data subject rights (Chapter III GDPR), ensuring security, reporting breaches, and conducting impact assessments. The Customer will reimburse CVFY for documented costs unless the support is needed due to CVFY's breach of law or this DPA.
7.2 If a data subject contacts CVFY directly, CVFY will forward the request to the Customer promptly.
7.3 CVFY will provide available information necessary to prove compliance with this Agreement, if not already available to the Customer.
7.4 The Customer may audit CVFY's compliance (including inspections) directly or via a bound third party. CVFY will contribute to such audits upon reasonable notice. The Customer bears the costs unless the audit reveals a breach by CVFY.
7.5 For inspections (Section 7.4), the Customer may access CVFY's premises during business hours (Mon-Fri, 10 am - 6 pm) with prior notice, at their own expense, minimizing disruption and maintaining confidentiality. CVFY may withhold sensitive business information or information that would breach other obligations.
7.6 Alternatively, CVFY may prove compliance by submitting a current report from an independent auditor or a certification, provided it allows adequate verification by the Customer.
7.7 Clarification: If the Customer reasonably believes the documents in 7.6 are insufficient, they may proceed with an inspection under 7.4. Urgent or critical inspections are not restricted to business hours or prior notice.
7.8 CVFY will notify the Customer of any Security Incident without undue delay and provide available details. CVFY will take steps to contain and investigate the incident.
7.9 Notification of a Security Incident is not an admission of fault or liability by CVFY.
8.1 The Customer generally authorizes CVFY to engage Subcontractors for data processing. Annex 3 lists current Subcontractors.
8.2 CVFY will inform the Customer in writing before adding or replacing Subcontractors. The Customer may object within 14 days for important data protection reasons (proven to CVFY). If no objection is raised, the change is accepted. If a valid objection is made, CVFY may terminate the Main Agreement and DPA.
8.3 CVFY must have a written contract with Subcontractors imposing obligations equivalent to this Agreement.
8.4 For Subcontractors outside Switzerland/EEA, Section 5.5 applies. The Customer authorizes CVFY to sign standard contractual clauses (EU SCCs) with Subcontractors on the Customer's behalf. The Customer agrees to support this process. CVFY may require the Customer to sign directly with the Subcontractor. Refusal entitles CVFY to terminate the agreements.
9.1 This Agreement is effective alongside the Main Agreement and continues as long as CVFY holds the Customer's personal data.
9.2 Upon termination, CVFY will, per Customer instructions:
CVFY will confirm the return/destruction in writing.
9.3 Section 9.2 excludes data CVFY is legally required to keep or needs for documenting processing or defending claims.
10.1 CVFY's liability is governed by the Main Agreement. The Customer indemnifies CVFY against third-party claims resulting from the Customer's breach of this Agreement, other agreements (e.g., Microsoft), or data protection laws.
10.2 The Customer indemnifies CVFY against fines imposed on CVFY to the extent the Customer is responsible for the sanctioned infringement.
11.1 Parties will provide this Agreement to courts/authorities upon request. The Customer will provide it to data subjects if required.
11.2 Amendments require written consent. The Customer may update Annex 1 if processing doesn't change significantly, notifying CVFY. CVFY may update technical measures (Annex 2) if security is maintained, notifying the Customer.
11.3 Assignment of this Agreement requires CVFY's written consent.
11.4 Swiss law governs this Agreement. Exclusive jurisdiction lies with the courts at CVFY's registered office, subject to mandatory legal provisions.
All operations necessary to provide the Product and services under the Main Agreement (collection, processing, analysis, transfer, storage).
Preventing unauthorized physical access to systems.
Preventing unauthorized system use.
Ensuring users access only authorized data.
Securing data during transmission/transport.
Verifying data entry/modification.
Ensuring compliance with instructions.
Protecting against destruction/loss.
Separating data by purpose.
| Name | Address | Purpose |
|---|---|---|
| Microsoft | Blackthorn Road - 18 Dublin, Ireland | Azure infrastructure & API execution |

| Date | Article | Change Subject |
|---|---|---|
| 2025-11-27 | All | Creation of DPA Version 2025 |