Data Processing Agreement (DPA)
1. Introduction
This Data Processing Agreement ("Agreement") forms part of the Terms of Service ("Principal Agreement") between Delos Analytica AG ("Delos Analytica," "Processor," "we," "us," or "our") and users ("Client," "Controller," "you," or "your") of our AI-supported SaaS solution ("Service").
By using our Service, you agree to the terms of this Agreement regarding the Processing of Personal Data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Definitions
2.1. "Personal Data" means any information relating to an identified or identifiable natural person as defined under the GDPR.
2.2. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
2.3. "Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
2.4. "Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller.
2.5. "Sub-Processor" means any third party appointed by or on behalf of the Processor to Process Personal Data.
2.6. "Applicable Data Protection Laws" means all data protection laws and regulations applicable to the Processing of Personal Data under this Agreement, including the GDPR.
3. Roles and Responsibilities
3.1. Controller and Processor
- You are the Controller of Personal Data you provide in connection with your use of the Service.
- Delos Analytica AG acts as the Processor of such Personal Data.
4. Subject Matter and Details of Processing
4.1. Purpose of Processing
- The Processor will Process Personal Data as necessary to provide the Service pursuant to the Principal Agreement.
4.2. Duration of Processing
- The Processing shall continue for the duration specified in the Principal Agreement or until the termination of your account.
4.3. Nature of Processing
- Collection, storage, analysis, and use of Personal Data to provide and improve the Service.
4.4. Types of Personal Data
- Email address
- Company association
- First name and last name
- Phone number
- Physical address
- User-generated data entered for analysis purposes
4.5. Categories of Data Subjects
- Employees or representatives of the Controller authorized to use the Service.
5. Obligations of the Processor
5.1. Processing on Documented Instructions
- The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to international data transfers, unless required by law.
5.2. Confidentiality
- The Processor ensures that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. Security Measures
- The Processor shall implement appropriate technical and organizational measures as described in Section 8 to ensure a level of security appropriate to the risk.
5.4. Assistance to Controller
- The Processor shall assist the Controller in fulfilling obligations to respond to Data Subjects' requests and in ensuring compliance with GDPR Articles 32 to 36.
5.5. Data Breach Notification
- The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.
5.6. Data Return and Deletion
- Upon termination of the Principal Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data, unless law requires storage.
6. Obligations of the Controller
6.1. Compliance with Laws
- The Controller shall comply with all obligations under Applicable Data Protection Laws, including providing necessary notices and obtaining required consents.
6.2. Instructions
- The Controller shall ensure that its instructions for the Processing of Personal Data comply with Applicable Data Protection Laws.
7. Sub-Processing
7.1. Authorized Sub-Processors
- The Controller authorizes the Processor to engage Sub-Processors to Process Personal Data.
7.2. List of Sub-Processors
We use the following Sub-Processors:
- Google Cloud
- Vercel
- Mixpanel
- Hotjar
- Google Analytics
- Google Ads
- Typeform
- Meta Ads
7.3. Sub-Processor Obligations
- The Processor ensures that Sub-Processors are bound by data protection obligations compatible with those of the Processor under this Agreement.
7.4. Changes to Sub-Processors
- The Processor will inform the Controller of any intended changes to Sub-Processors, giving the Controller the opportunity to object.
8. Security Measures
The Processor implements the following technical and organizational measures:
8.1. Access Control
- Access to Personal Data is restricted to authorized personnel who require it for their duties.
8.2. Encryption
- Personal Data is encrypted in transit using SSL/TLS and at rest where applicable.
8.3. Physical Security
- Data centers are secured with controlled access and surveillance systems.
8.4. Network Security
- Firewalls and intrusion detection systems protect against unauthorized access.
8.5. Regular Audits
- Security systems and processes are regularly tested and evaluated.
8.6. Employee Training
- Staff receive training on data protection and privacy obligations.
9. International Data Transfers
9.1. Data Transfer Locations
- Personal Data may be transferred and stored outside the country where it was originally collected, including to the USA and Uruguay.
9.2. Adequate Safeguards
- The Processor ensures appropriate safeguards are in place for international transfers, such as Standard Contractual Clauses or other lawful mechanisms.
10. Data Subject Rights
10.1. Assistance
- The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.
10.2. Notification
- If a Data Subject contacts the Processor directly, the Processor shall promptly inform the Controller.
11. Data Breach Notification
11.1. Obligation to Notify
- The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data Breach.
11.2. Content of Notification
- The notification shall include sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach.
12. Audit Rights
12.1. Availability of Information
- The Processor shall make available all information necessary to demonstrate compliance with this Agreement.
12.2. Audit Requests
- The Controller may request audits or inspections, which the Processor shall accommodate, subject to reasonable notice and confidentiality obligations.
13. Liability and Indemnity
13.1. Liability
- The liability of each party under this Agreement shall be subject to the exclusions and limitations of liability set out in the Principal Agreement.
13.2. Indemnity
- Each party agrees to indemnify and hold harmless the other party against any losses arising from its breach of this Agreement.
14. Duration and Termination
14.1. Duration
- This Agreement is effective from the Effective Date and shall continue until the termination of the Principal Agreement.
14.2. Termination
- Upon termination, the Processor shall, at the Controller's choice, delete or return all Personal Data, unless continued storage is required by law.
15. Governing Law and Jurisdiction
15.1. Governing Law
- This Agreement shall be governed by the laws of Switzerland.
15.2. Jurisdiction
- Any disputes arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Zug, Switzerland.
16. Changes to this Agreement
16.1. Modification
- We may update this Agreement from time to time. We will notify you of any significant changes by posting the new Agreement on our website and updating the Effective Date.
16.2. Acceptance of Changes
- Your continued use of the Service after any changes to this Agreement constitutes your acceptance of the revised terms.
17. Contact Information
For questions or concerns about this Agreement, please contact:
Delos Analytica AG
Sennweidstrasse 43
6312 Steinhausen
Switzerland
Email: silvan.kraehenbuehl@delosanalytica.com
18. Miscellaneous
18.1. Severability
- If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
18.2. Entire Agreement
- This Agreement, together with the Principal Agreement and any other policies incorporated by reference, constitutes the entire agreement between the parties regarding the Processing of Personal Data.
By using our Service, you acknowledge that you have read and understood this Data Processing Agreement and agree to be bound by its terms.
GDPR Compliance Statement
Effective Date: 01 October 2024
Delos Analytica AG is committed to complying with the General Data Protection Regulation (GDPR). This statement outlines our commitment and measures to ensure GDPR compliance.
1. Compliance Measures
1.1. Data Protection Principles
We adhere to the following data protection principles:
- Lawfulness, Fairness, and Transparency: Processing is performed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Personal Data is collected for specified, explicit, and legitimate purposes.
- Data Minimization: Only data necessary for the purposes is collected and processed.
- Accuracy: Personal Data is kept accurate and up to date.
- Storage Limitation: Data is retained only for as long as necessary.
- Integrity and Confidentiality: Appropriate security measures are in place to protect Personal Data.
1.2. Consent Management
- We obtain and record user consent where required, particularly for marketing communications and the use of cookies.
1.3. Data Subject Rights
We facilitate the exercise of Data Subjects' rights, including:
- Access: Right to obtain confirmation and access to their Personal Data.
- Rectification: Right to have inaccurate Personal Data corrected.
- Erasure: Right to have Personal Data erased ("right to be forgotten").
- Restriction: Right to restrict Processing under certain conditions.
- Data Portability: Right to receive Personal Data in a structured, commonly used format.
- Objection: Right to object to Processing based on legitimate interests.
1.4. Data Breach Notifications
- We promptly inform authorities and affected users in the event of a Personal Data Breach as required by GDPR.
1.5. Record Keeping
- We maintain records of Processing activities as required by GDPR Article 30.
2. Data Protection Officer
- Name: Silvan Krähenbühl
- Contact: silvan.kraehenbuehl@delosanalytica.com
3. User Rights
3.1. Access, Rectification, Deletion
- Users can manage their Personal Data through their account settings or by contacting us at silvan.kraehenbuehl@delosanalytica.com.
3.2. Objection and Restriction
- Users can request limitations on the Processing of their Personal Data by contacting us.
4. Legal Bases for Processing
4.1. Contractual Necessity
- Processing is necessary for the performance of the Service contract between Delos Analytica AG and the user.
4.2. Legitimate Interests
- Processing is necessary for the purposes of our legitimate interests in improving the Service and ensuring security, provided these interests are not overridden by the Data Subject's rights and interests.
CCPA Compliance Statement
Effective Date: 01 October 2024
While we currently do not conduct business with California residents, we include this statement to ensure future compliance with the California Consumer Privacy Act (CCPA).
1. Applicability
- This policy applies to Personal Information collected from California residents.
2. User Rights
California residents have the following rights:
2.1. Right to Know
- Request disclosure of the categories and specific pieces of Personal Information we have collected.
2.2. Right to Delete
- Request deletion of Personal Information we have collected.
2.3. Right to Opt-Out
- Right to opt out of the sale of Personal Information (Note: We do not sell Personal Information).
2.4. Non-Discrimination
- You will not receive discriminatory treatment for exercising your CCPA rights.
3. Do Not Sell Policy
- We do not sell Personal Information. Users are automatically opted out of any sale of Personal Data.
4. Verification Process
- Identity Verification: Identity verification is conducted via email confirmation and may include two-factor authentication in the future.
- Submitting Requests: Requests can be made by contacting us at silvan.kraehenbuehl@delosanalytica.com.