This agreement specifies the obligations of the parties with regard to the provisions of the Swiss Data Protection Act (DSG) and the EU General Data Protection Regulation (EU GDPR). In this respect, it supplements the contractual agreements ("contract") between Oniva Ltd (hereinafter referred to as "Oniva") and the customer. This may involve a single contract or several contracts between Oniva and the customer, in which Oniva acts as the service provider vis-à-vis the customer.

This agreement shall only apply insofar and to the extent that the following conditions are met:
‍
a) The customer is either the controller or processor within the scope of the FADP and/or the EU GDPR and

b) the customer involves Oniva as a processor or sub-processor within the scope of the contract for the processing of personal data or personal data covered by the scope of application of the FADP and/or the EU GDPR ("relevant data").

The subject matter, duration, type and purpose of the processing are set out in the contract. The categories of relevant data processed, the categories of data subjects and the technical and organisational measures to be taken ("TOM") are listed either in the contract or in one or more annexes to this agreement.

Oniva processes the relevant data exclusively for the purpose of contract fulfilment or for the purposes specified in the contract. The customer is responsible for the lawfulness of the data processing itself, including the permissibility of order/sub-order processing.
‍
The customer's instructions are documented in this agreement and the contract. The customer has the right to give Oniva further instructions in writing at any time with regard to the processing of the relevant data. Oniva shall comply with these instructions insofar as they can be implemented by Oniva within the scope of the contractually agreed services and are objectively reasonable. If such instructions lead to additional costs for Oniva or a changed scope of services, the contractually agreed contract amendment procedure shall apply.
‍
3 Oniva shall inform the customer immediately if it is of the opinion that an instruction violates the FADP or the EU GDPR. In this case, Oniva may suspend the implementation of the instruction until it has been confirmed or amended by the customer. The above shall not apply to instructions from the customer in connection with the granting of access authorisations or the disclosure of relevant data to the customer itself, and Oniva may assume at any time that these instructions are in compliance with the law. However, Oniva is entitled to request written confirmation from the customer.

Oniva processes the relevant data exclusively in accordance with the provisions of the contract and this agreement. The fulfilment of legal, regulatory or official obligations by Oniva remains reserved.

Oniva will implement the TOM defined in the contract and the annexes to this agreement to protect the relevant data. Oniva may adapt the agreed TOM at any time as long as the agreed level of protection is not undercut. In addition, Oniva shall continuously review the agreed TOM for the current state of the art and, if necessary, propose to the customer the implementation of additional measures, which can be agreed as part of a contract addendum.

Oniva undertakes to keep a register of processing activities with regard to the relevant data in accordance with Art. 12 para. 1 FADP and Art. 30 para. 2 EU GDPR. Oniva shall grant the customer access to the parts of this directory that are affected by Oniva's provision of services to the customer at any time upon request.

Oniva shall ensure that the employees and other auxiliary persons of Oniva involved in the processing of the customer's relevant data are prohibited from processing the relevant data for purposes other than those specified in the contract and in deviation from this agreement. Furthermore, Oniva shall ensure that the persons authorised to process the relevant data have committed themselves to confidentiality and/or are subject to an appropriate statutory duty of confidentiality. The confidentiality/confidentiality obligation shall continue to apply after termination of the contract.

Oniva shall inform the customer immediately if it becomes aware of breaches of the protection of the relevant data at Oniva or one of its subcontractors (data breach). Oniva shall inform the customer in writing (e-mail is sufficient) in an appropriate manner about the type and extent of the breach and possible remedial measures. In such a case, the parties shall take the necessary measures to ensure the protection of the relevant data and to minimise possible adverse consequences for the persons concerned and the parties and shall consult with each other immediately.

Oniva shall inform the customer of the contact person for data protection issues arising within the scope of the contract and, in cases where this is required under Art. 37 EU GDPR, the data protection officer.

Oniva undertakes to support the customer upon request and against separate remuneration agreed in advance within the scope of its possibilities in the fulfilment of the rights of the data subjects vis-à-vis the customer in accordance with Chapter 4 of the FADP and Chapter III of the EU GDPR. In addition, Oniva may offer the customer further support, e.g. in connection with a data protection impact assessment, consultation with the supervisory authority, notifications to the latter, etc., for a separate fee.

Relevant data must be released or deleted after the end of the contract in accordance with the contractual provisions. Oniva uses established procedures in the IT industry for the deletion of relevant data.

The customer shall independently take appropriate technical and organisational measures to protect the relevant data in its area of responsibility (e.g. on its own systems, buildings, applications/environments under its operational responsibility).
‍
The customer must inform Oniva immediately if it discovers violations of data protection regulations in the provision of services by Oniva.

The customer shall name to Oniva the contact person for data protection issues arising within the scope of the contract and, in cases where this is required under Art. 37 EU GDPR, the data protection officer.

Wendet sich eine betroffene Person mit Forderungen zur Berichtigung, Löschung, Auskunft oder anderen Ansprüchen zu relevanten Daten direkt an Oniva, wird Oniva die betroffene Person an den Kunden verweisen, sofern eine Zuordnung an den Kunden nach Angaben der betroffenen Person möglich ist. Die Unterstützung des Kunden seitens Oniva bei Anfragen betroffener Personen richtet sich nach Ziffer 3.

Oniva is obliged to provide the customer with information upon request in order to document compliance with the obligations under this agreement.

Any audit rights defined in the contract and any mandatory statutory audit rights of the customer or its supervisory authorities remain reserved. In any case, the principle of proportionality must be observed in the context of such audits and Oniva's interests worthy of protection (namely confidentiality) must be adequately taken into account. Unless otherwise agreed, the customer shall bear all costs of such audits (including proven internal costs incurred by Oniva in participating in the audit).

If, following the submission of evidence or reports or in the course of an audit, breaches of this agreement or deficiencies in the implementation of Oniva's obligations are identified, Oniva shall implement appropriate corrective measures immediately and free of charge.

Unless the contract contains more restrictive provisions on the involvement of third parties, Oniva is authorised to involve subcontractors, but must inform the customer in advance if it involves new subcontractors or replaces existing subcontractors after this agreement comes into force. The customer may object in writing within 30 days to the appointment of a new sub-processor or the replacement of an existing sub-processor for important data protection reasons. If there is an important reason under data protection law and if it is not possible for the parties to reach an amicable solution, the customer shall be granted a right of cancellation with regard to the service affected by this.

Oniva shall enter into agreements with its subcontractors to the extent necessary to fulfil its obligations under this agreement.

Any disclosure of relevant data by Oniva abroad or to an international organisation is only permitted if Oniva complies with the provisions of Art. 16 et seq. DSG or Chapter V of the EU GDPR. However, if such disclosure of relevant data is requested by or on behalf of the customer, compliance with the relevant provisions is the sole responsibility of the customer. The locations from which the customer or the customer's end users access and process personal data are neither controlled nor limited by Oniva.

Data elements used and technical and organizational measures (TOM)

Data elements used

The customer or the data subjects themselves provide Oniva AG (hereinafter referred to as "Oniva") with personal data (including in certain cases particularly sensitive personal data) and/or confidential data for processing within the scope of the contracts at their own discretion and on behalf of the customer vis-à-vis Oniva.

This may involve personal data of the following data subjects in particular:

In particular, this may involve the following types of personal data:

Personal information such as first name, last name, date of birth, age, gender, nationality, etc.
Business contact details such as email address, telephone number, address
Private contact details such as email address, telephone number, address
Details of identity documents
Information about professional life, such as job title, function, etc.
Information about private life, such as marital status, hobbies, etc.
User information such as login data, customer number, personnel number, user behavior, etc.
Technical information such as IP address, device information, etc.

These categories of data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

This data may, for example, be subject to professional secrecy, banking secrecy, official secrecy or the duty of confidentiality under social security law.

If the data has been encrypted by the customer and is therefore not accessible to Oniva, this does not constitute order data processing by Oniva. The agreement on order data processing is therefore not applicable to this data.

It is the sole responsibility of the customer to assess whether the technical and organisational measures described below are appropriate for the protection of the data entrusted to Oniva for processing (in particular in the case of particularly sensitive personal data or confidential data).

The following chapters describe the measures taken by Oniva with regard to the protection of personal data in the context of order data processing. Oniva maintains an Information Security Management System (ISMS), which is based on ISO27001 and other international standards.

The measures listed below are to be understood generically and shall apply in each case if nothing to the contrary is defined in the contract, e.g. if further product- or customer-specific measures are defined or if certain of the following measures are explicitly excluded. The following measures apply to cases in which Oniva processes the relevant data itself. If data processing is carried out by third parties commissioned by Oniva, Oniva shall ensure by means of suitable contractual agreements that the third parties comply with comparable measures.

Oniva divides the areas into security zones with different levels of security. These zones are divided into public, secure and zones. Public zones are accessible to everyone, such as the reception areas in an office building. A badge or key is required to gain access to secure zones. The badges of employees and service providers are personalised. The issuing of keys to authorised persons is logged. Visitors must register and are accompanied by the responsible employees in the secure zones. If non-personalised badges are used, a responsible person is appointed who keeps a log of the temporary holders.

Oniva ensures that the third-party data centres used by Oniva for the permanent storage of data are classified as highly secure zones. In high-security zones, there is no direct access from public zones to the high-security zone, but only via a secure zone. Access to the high-security zone requires identification with two elements and is logged.

Oniva's data centres have the necessary physical protection measures in place to detect a breach of the building's perimeter at an early stage and trigger an appropriate alarm. In buildings that are manned around the clock, the security staff are appropriately trained to process such alarms quickly and professionally and to initiate appropriate measures. If the buildings are not manned around the clock, the alarms are sent to a security service provider or the police to trigger an intervention.

Data centres used by Oniva have the other necessary protective measures in place to reduce risks from natural events such as lightning, rain, flooding, etc. to such an extent that they are no longer relevant to data centre operations.

Access to Oniva's systems always takes place with personalised identifications of the persons authorised by Oniva.

Access to the systems is always protected with at least a password or an equivalent authentication feature and the associated digital identification. The access data is stored in such a way that no direct derivation of the valid authentication feature is possible if this data were to become accessible.

Passwords must fulfil complex requirements and consist of at least three classes of the following elements: upper case letters, lower case letters, numbers, special characters. Passwords for personal accounts are never made accessible to third parties.

In the event of an incorrect login, identification can initially be blocked temporarily and then permanently after further unsuccessful attempts

If the user requires administration rights with an impersonal identity, the user must carry out a "step-up" procedure: This means that employees log on to the system with their personal account and then increase their rights on the system. On Unix systems, for example, this is done by using the sudo command. If no "step-up" procedure is possible, Oniva can determine at any time via the administration platform which user has used the impersonal administration identity. All administrative accesses are logged by Oniva and stored for a defined period of time.

Depending on the classification of users, portals accessible via the Internet require strong authentication when accessing the relevant data. Strong authentication is based on mobile ID, the use of an electronic token to generate one-time passwords or other secure means as a second factor.

Mobile ID is a service from Swisscom based on a SIM card with a security module for mobile phones specifically adapted for Swisscom users and thus represents secure identification of the user.

Devices that are given direct access to the company network are identified via a machine-readable certificate. Employees who use their personal device must log in via a virtual infrastructure to access the relevant customer data.

The authorisations on the systems are structured in roles. An identity is assigned one or more roles that are required to perform the person's organisational role. The roles are structured in such a way that only the data required to fulfil the task can be accessed.

The description of the roles and their authorisations are documented in role concepts. These concepts are regularly reviewed and updated. The role concept is managed and updated by the system administrator. For all roles, it is regularly checked whether the assigned users still require this role.

If an employee requires additional rights, they can order an additional role. This additional role is approved by the line manager and the role owner. The role owner can decide whether this approval is actually necessary or whether automatic approval can take place. A very limited number of roles are automatically assigned to the employee; these are roles from the organisational structure, such as membership of an organisational unit.

Data traffic between the customer's network and Oniva is encrypted where possible or protected by alternative measures. Alternative measures can be, for example, the use of dedicated logical lines or the use of direct fibre optic connections. The encryption of the connection is based on current protocols and protection mechanisms.

Access to the systems is logged and can be analysed using various methods.

Relevant data is always accessed via the Internet using an encrypted connection. Oniva uses the latest protocols and protection mechanisms. This encrypted connection is based on technologies on the network, session or application layer.

The customer's direct access to their personal data is protected by agreement with the customer via the transport route. Oniva offers corresponding services that enable virtual network connections to the customer. Other encryption technologies can also be used for these connections.

The permanent storage in the data centres used by Oniva is protected against loss with physical protection measures. This includes redundant power supplies and the necessary systems to enable self-sufficient operation for a defined period of time.

To protect against smoke or fire damage, the high-security rooms are equipped with smoke and fire alarm systems. In the event of an incident, either the security personnel or building staff present are deployed for an initial response or an extinguishing system is activated to minimise the potential damage. If there is no staff on site, the alarm is forwarded to the local fire brigade.

In the event of a defect, data carriers are rendered physically unusable by the data centre provider used in order to completely exclude the possibility of access.

Functioning data carriers are erased using standard industry erasure methods in such a way that it is almost impossible to reconstruct the data they contain. If such a procedure is not possible, the data carriers are rendered physically unusable or destroyed.

A return of data carriers to the customer is possible under defined circumstances. This requires that the storage system or data carrier has only been in use for this one customer. In this case, the provider of the data centre used by Oniva has a defined process for handing over the data carriers to the customer in a predefined building in a recorded manner.

Where Oniva is responsible for the input and processing of personal data, Oniva shall take the necessary technical and organisational measures to ensure that this data is recorded and processed correctly.

Oniva collects further personal data of the customer in Oniva systems for the provision of services. These systems are used, for example, to record error messages (incidents), change requests or invoicing. Oniva uses suitable quality measures to ensure that relevant data collected in this process is checked and corrected.

Oniva carefully selects potential subcontractors with access to the data and assigns the relevant data protection responsibilities to the suppliers.

Oniva has appointed a responsible organisation to ensure compliance with data protection requirements. This organisation can be contacted for enquiries at security@oniva.events. The first point of contact for questions about data protection at Oniva is the responsible Oniva account manager.

Depending on their role, new Oniva employees undergo a security check before starting their employment. This consists of various stages and is organised differently depending on the possibility of accessing relevant data. As a minimum, the check includes verification of a complete CV, the most recent references and obtaining a personal reference. Further stages involve signing a confidentiality agreement or a check in accordance with the federal government's personal security check.

New employees are familiarised with the relevant rules for their own security and data security when they start work.

Existing Oniva employees are regularly trained in the careful handling of data. This is achieved through messages on the intranet, blog posts, electronic awareness training on Oniva's internal learning platforms and on-site training sessions.

When the Oniva employee leaves the company, the main identity is automatically blocked on the Oniva systems. Access to the buildings is also blocked at the end of the last working day. It is the responsibility of the line manager to cancel all further access and to withdraw the badge and work equipment from Oniva on the employee's last working day.

Oniva stores the data in accordance with the contractual agreement in data centres with the necessary level of protection. These are third-party data centres (see 2.2).
‍
To ensure data availability, Oniva's storage systems are configured in such a way that more than one component can fail and the data is still available. This is achieved through redundant, distributed data carriers as well as redundant networks and power supplies.

Oniva backs up the data in accordance with the service description. The backup always takes place on storage systems in another data centre with a sufficient geographical distance between the two locations. The different geographical areas serve to minimise possible damage caused by natural events such as lightning, rain, flooding and debris flows to as few locations as possible.

Depending on the services purchased, the customer can also order different levels of data backups. This is shown in the service description or can be requested from the Oniva customer advisor.

Oniva has implemented the necessary processes to identify and evaluate reports of software vulnerabilities and patches and to derive the necessary further steps. The installation of patches may require the cooperation and approval of the customer. If a patch needs to be installed urgently, there is an emergency patch process depending on the service.

Oniva ensures that customer data cannot be viewed by others. To this end, the latest security procedures are used to ensure the separation of customer data on a logical or physical level.

Physical procedures are appropriate when the service and the systems used for this do not allow adequate logical separation. For cost reasons, Oniva always endeavours to use logical procedures wherever possible.

Depending on the service offering, the customer can request that their data be physically separated from the data of other customers. This option is not available in all offers.

Logical procedures have been checked by Oniva to ensure that these procedures cannot be overridden. If Oniva determines that the procedures no longer guarantee this, Oniva will take the necessary countermeasures to restore equivalent protection.

Oniva carries out regular system audits. In the technical area, this includes, for example, a regular check of the IP perimeter or security audits of platforms.
‍
Based on a risk analysis, new services are subjected to a technical review. Any defects identified are rectified by the responsible departments. Depending on the severity of the defects, a supplementary audit is carried out to prove the effectiveness of the rectification.

Oniva operates a risk management system throughout the company in order to identify and quantify risks and, together with the responsible organisations, initiate measures to reduce the risks.

Oniva participates in a bug bounty programme. This enables anyone to report security vulnerabilities identified in Oniva's services in a centralised manner. The reports are evaluated and the necessary countermeasures are taken, e.g. a patch is created for software or the code of a website is improved. Finally, the vulnerability report is published by the reporter and the reporter is compensated depending on the severity of the vulnerability.

Oniva's data protection organisation maintains a risk management system to identify and document Oniva's data protection risks and to ensure that the risks identified are dealt with accordingly. The data protection organisation ensures that there is appropriate communication and allocation of responsibility for data protection risks at all levels. The data protection organisation is in continuous communication with other risk management functions at Oniva.