Data Processing Agreement (DPA)
between
the customer
(hereinafter the “Controller”)
and
Azai AG
(hereinafter the “Processor”)
1. Subject Matter and Duration of Processing
The Processor provides the Controller with a cloud-based software platform for the management of construction projects (the “Platform”).
In the course of using the Platform, the Processor may process personal data on behalf of the Controller.
Processing takes place exclusively on the basis of:
- the Terms of Service
- this Data Processing Agreement
- the documented instructions of the Controller
The duration of processing corresponds to the duration of the contractual relationship between the parties.
2. Nature and Purpose of Processing
Personal data is processed exclusively for the provision and operation of the Platform.
Processing includes in particular:
- storage of project data
- management of user accounts
- provision of communication functions
- document management
- technical maintenance of the Platform
- support services
The Processor does not process data for its own purposes.
3. Categories of Data Subjects
Processing may concern the following categories of persons:
- employees of the Controller
- project managers
- site managers
- contractors and subcontractors
- contact persons at customers or suppliers
4. Categories of Personal Data
Depending on use of the Platform, the following data in particular may be processed:
- name
- email address
- telephone number
- company affiliation
- project-related information
- documents and communication content
- usage and log data
The Controller independently determines which personal data is uploaded to the Platform.
5. Right to Issue Instructions
The Processor processes personal data solely in accordance with the instructions of the Controller.
Instructions may be issued via:
- use of the Platform
- written instructions
- support requests
The Processor shall inform the Controller without undue delay if an instruction violates applicable data protection law.
6. Confidentiality
The Processor ensures that all persons with access to personal data
- are bound to confidentiality, or
- are subject to an adequate statutory duty of confidentiality
7. Technical and Organisational Measures (TOMs)
The Processor implements appropriate technical and organisational measures to protect personal data.
These measures include in particular:
- access controls for systems
- encryption of data transmission (e.g. HTTPS/TLS)
- role-based access rights
- regular backups
- monitoring and logging
- protection against unauthorized access
The Processor may adapt security measures provided that the level of security is not materially reduced.
8. Subprocessors
The Processor may engage subprocessors for the provision of the Platform.
These may in particular include:
- cloud infrastructure providers
- email delivery services
- monitoring and logging services
- authentication services
A current list of subprocessors in use is available here.
The Processor informs the Controller of changes to the subprocessor list.
The Controller may object to the use of a new subprocessor for legitimate reasons.
9. Transfers to Third Countries
If personal data is transferred to countries outside Switzerland or the European Economic Area, the Processor shall ensure that appropriate safeguards are in place.
This may be achieved by means of:
- adequacy decisions
- Standard Contractual Clauses
- other legally permissible safeguards
10. Assistance to the Controller
The Processor shall support the Controller, where possible, with:
- responding to data protection requests from data subjects
- compliance with statutory data protection obligations
- data protection impact assessments
- security measures
11. Notification of Data Breaches
The Processor shall inform the Controller without undue delay of
- data breaches
- security incidents
- unauthorized access to personal data
Notification shall be made within 48 hours after becoming aware of the incident.
12. Audit and Demonstration Obligations
The Processor shall provide the Controller, upon request, with the information required to demonstrate compliance with this Agreement.
Audits may be carried out by means of:
- document reviews
- certifications
- security reports
On-site audits are only permissible with reasonable prior notice and subject to the protection of trade secrets.
13. Return and Deletion of Data
After termination of the contractual relationship, the Processor shall:
- give the Controller the opportunity to export data
- subsequently delete personal data
Deletion shall take place within 60 days after the end of the contract unless statutory retention obligations apply.
14. Liability
The liability of the parties is governed by the provisions set out in the Terms of Service.
15. Validity and Amendments
This Data Processing Agreement applies for the entire duration of use of the Platform.
The Processor may amend this Agreement if legal changes or technical developments make this necessary.
The Controller will be informed of material changes.
16. Order of Precedence
In the event of contradictions between this Agreement and the Terms of Service, this Data Processing Agreement shall take precedence with regard to the processing of personal data.