Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Pausemark AG ("Processor"), headquartered in Zurich, Switzerland, and the customer ("Controller") for the provision of Pausemark services. This DPA governs the processing of personal data by the Processor on behalf of the Controller.

2. Definitions

Terms used in this DPA have the meanings given to them in the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR), and the main service agreement between the parties, unless otherwise defined herein.

3. Scope of Processing

The Processor shall process personal data only as necessary to provide the services, including:

• Categories of Data Subjects: Controller's employees, end users, and website visitors
• Types of Personal Data: Contact information, usage data, website performance data, and analytics data
• Processing Activities: Storage, analysis, monitoring, optimization, and reporting
• Duration: For the term of the service agreement plus the data retention period specified in our Privacy Policy

4. Obligations of the Processor

The Processor shall:

• Process personal data only on documented instructions from the Controller
• Ensure that persons authorized to process personal data have committed to confidentiality
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
• Assist the Controller in responding to data subject requests
• Assist the Controller in ensuring compliance with data protection obligations, including breach notification
• Delete or return all personal data upon termination of the service agreement, at the Controller's choice
• Make available all information necessary to demonstrate compliance and allow for audits

5. Sub-processors

The Processor may engage sub-processors to assist in providing the services. The Processor shall maintain a list of current sub-processors and notify the Controller of any intended additions or replacements with at least 30 days' prior notice. The Controller may object to a new sub-processor by notifying the Processor within 14 days. The Processor shall impose data protection obligations on sub-processors that are no less protective than those in this DPA.

6. International Transfers

Personal data is primarily processed and stored in Switzerland. Any transfer of personal data outside Switzerland or the EEA shall only occur with appropriate safeguards in place, including Standard Contractual Clauses or adequacy decisions recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the European Commission.

7. Security Measures

The Processor implements and maintains appropriate technical and organizational security measures, including:

• Encryption of personal data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Incident response and disaster recovery procedures
• Employee security training and awareness programs

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

9. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Such audits shall be conducted with reasonable notice and during normal business hours.

10. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall, at the Controller's election, delete or return all personal data within 90 days, unless retention is required by applicable law.

11. Governing Law

This DPA is governed by the laws of Switzerland. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Zurich, Switzerland.