
Data Processing Agreement under GDPR Art. 28.

How Zesiger.net processes personal data on behalf of Guard.ch customers, the safeguards in place, and the rights you can exercise.

Effective 2026-05-26 · Last updated 2026-05-26

1. Parties and scope

This Data Processing Agreement (the "DPA") is entered into between the customer that has accepted the Guard.ch Terms of Service (the "Customer") and the operator of Guard.ch:

Processor
Zesiger.net Individual Enterprise (Einzelunternehmen)
Legal representative
Janis Zesiger
Address
Mügeri 340, 5046 Schmiedrued, Switzerland
UID
CHE-488.503.816
Data protection contact
dpa@guard.ch

This DPA forms an integral part of the Terms of Service whenever the Customer processes personal data of third parties through Guard.ch. By accepting the Terms, the Customer accepts this DPA on behalf of itself and any affiliate using its account. The DPA is pre-signed by the Processor. Enterprise customers may request a counter-signed paper copy by writing to dpa@guard.ch.

Where applicable data protection law requires additional clauses (for example the EU Standard Contractual Clauses or the Swiss FADP transfer addendum), those clauses are incorporated by reference and prevail over any conflicting term of the Terms of Service.

2. Definitions

Unless otherwise defined, capitalised terms have the meanings below.

Applicable Data Protection Laws
The Swiss Federal Act on Data Protection (FADP), Regulation (EU) 2016/679 (GDPR), the UK Data Protection Act 2018, and any other privacy or data protection statute that applies to the parties' processing under this DPA.
Controller
The natural or legal person that determines the purposes and means of the Processing of Personal Data.
Processor
Zesiger.net Individual Enterprise, processing Personal Data on behalf of the Controller.
Personal Data
Any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller in the course of providing Guard.ch.
Processing
Any operation performed on Personal Data, including collection, recording, storage, retrieval, transmission, erasure or destruction.
Subprocessor
A third party engaged by the Processor to process Personal Data on behalf of the Controller, including hosting providers, edge node operators, and storage vendors.
Data Subject
The identified or identifiable natural person to whom Personal Data relates.
Service
The Guard.ch session-replay platform, including the capture browsers, the replay viewer, and any ancillary tooling.

3. Subject matter, nature, purpose, duration

The Processor processes Personal Data on the Controller's behalf solely to deliver the Service and to comply with the Controller's documented instructions. The detailed description of the Processing is set out in Annex I below and summarised here.

Subject matter
Provision of browser session-replay: capture, storage and playback of web sessions initiated by the Controller against URLs of the Controller's choosing.
Nature
Automated capture of HTTP traffic, DOM state, screenshots and console output inside isolated browser containers; encrypted transit to the storage region; on-demand replay.
Purpose
Security research, fraud investigation, quality assurance, and other legitimate purposes determined by the Controller.
Duration
Coterminous with the Controller's subscription to the Service. Captured sessions are retained for one (1) day on Free plans and one (1) month on paid plans.
Types of Personal Data
Incidental Personal Data contained in URL parameters, HTTP request and response bodies, form submissions, cookies, headers, and screenshots of the visited site; account data of the Controller's users (email, hashed credentials, billing identifiers).
Categories of Data Subjects
Visitors of the URLs captured by the Controller; the Controller's own personnel using the workspace; third parties whose data appears incidentally in captured content.

4. Roles of the parties

For the Processing of session capture content and workspace artefacts, the Customer is the Controller and Zesiger.net is the Processor. The Customer determines the URLs that are captured and the personnel with access to the workspace.

For limited matters where each party determines its own purposes and means, both parties act as independent controllers. These limited matters include: billing and tax records, fraud prevention on the Service itself, statutory record-keeping by the Processor, and the operation of the Processor's own marketing site.

The Customer warrants that it has a valid legal basis under Applicable Data Protection Laws for instructing the Processor to capture the URLs and content it submits, including any required transparency notices to data subjects of the captured sites where legally required.

5. Processor obligations

The Processor undertakes the following with respect to the Controller's Personal Data.

5.1 Documented instructions

The Processor processes Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do otherwise by Union or Member State law to which the Processor is subject. In that case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are set out in this DPA, the Terms of Service, and any in-product configuration chosen by the Controller (workspace settings, plan selection, access controls).

5.2 Confidentiality (Art. 28(3)(b) GDPR)

The Processor ensures that personnel authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security of processing (Art. 32 GDPR)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A summary of those measures is set out in Annex II and described in detail at /legal/security. The Processor regularly tests, assesses and evaluates the effectiveness of those measures.

5.4 Assistance with data subject requests

Taking into account the nature of the Processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Where a data subject contacts the Processor directly, the Processor will forward the request to the Controller without undue delay.

5.5 Assistance with DPIA and breach response

The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor. This includes assistance with data protection impact assessments and prior consultations with supervisory authorities.

5.6 Return or deletion at end of services

At the choice of the Controller, the Processor deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to Processing, and deletes existing copies unless Union or Member State law requires storage of the Personal Data. Standard deletion happens automatically when the plan retention window expires, and no later than one (1) month after subscription termination.

5.7 Demonstration of compliance

The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allows for and contributes to audits conducted by the Controller or another auditor mandated by the Controller, subject to section 10 below.

6. Subprocessors

The Controller grants the Processor a general authorisation to engage Subprocessors for the Processing of Personal Data. The current list of authorised Subprocessors is maintained at /legal/subprocessors.

The Processor will notify the Controller of any intended addition or replacement of a Subprocessor at least thirty (30) days in advance, by updating the subprocessors page and, where the Controller has subscribed to change notifications, by email. The Controller may object to the proposed change on reasonable data protection grounds within that thirty day window. If the parties cannot agree on a resolution, the Controller may terminate the affected portion of the Service without penalty as its sole remedy.

The Processor imposes on every Subprocessor, by way of a written contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor remains fully liable to the Controller for the performance of each Subprocessor's obligations.

7. International transfers

Recorded sessions and account data are stored in Helsinki, Finland, inside the European Economic Area. Edge capture nodes that perform live browser capture operate in Singapore, Salt Lake City (United States) and Beauharnois (Canada). Transient capture data may therefore be processed outside the EEA and Switzerland for the brief period required to render and stream the session before it is encrypted and stored in Helsinki.

Transfers of Personal Data outside the EEA, Switzerland or the United Kingdom are governed by the European Commission's Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, Module 3 (processor to processor), which covers the onward transfer from the Processor to the Subprocessors operating edge capture nodes outside those territories. For data subjects in Switzerland, the SCCs apply with the amendments recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC). For data subjects in the United Kingdom, the International Data Transfer Addendum issued by the ICO applies.

The Processor has documented a transfer impact assessment for each destination country and will make a redacted copy available to the Controller on written request to dpa@guard.ch.

8. Data subject rights assistance

The Service exposes self-service tooling that allows the Controller to search, export, redact and delete captured sessions and workspace artefacts. The Controller is responsible for using that tooling to respond to data subject requests within the statutory deadline.

Where the Controller cannot fulfil a request through self-service tooling, the Processor will assist on written request to dpa@guard.ch. Standard assistance is included in the subscription fee. Manifestly unfounded, excessive or repetitive requests may be subject to reasonable cost recovery, applying the same "manifestly unfounded or excessive" threshold that Art. 12(5) GDPR sets for a controller's handling of data subject requests.

9. Personal data breach notification

The Processor notifies the Controller of any Personal Data breach affecting the Controller's data without undue delay and in any event within forty-eight (48) hours of the Processor becoming aware of the breach. Notification is sent to the security contact registered on the Controller's workspace and, in parallel, to the primary account owner.

The notification contains, to the extent known at the time of notification:

  • A description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • The contact details of the Processor's data protection contact for follow-up communication.

The Processor cooperates with the Controller and provides additional information as it becomes available so that the Controller can meet its own obligations under Articles 33 and 34 GDPR. The Processor does not notify supervisory authorities or data subjects on the Controller's behalf unless explicitly instructed to do so in writing.

10. Audits

The Controller has the right to audit the Processor's compliance with this DPA once every twelve (12) months, or more frequently if triggered by a Personal Data breach affecting the Controller or a binding order from a competent supervisory authority. The Controller bears the cost of the audit unless the audit reveals a material breach by the Processor, in which case the Processor reimburses reasonable audit costs.

Audits are conducted on at least thirty (30) days' prior written notice, during normal business hours, and in a manner that does not unreasonably interfere with the Service or the confidentiality of other customers. The Controller may mandate a third-party auditor, subject to that auditor signing the Processor's standard non-disclosure agreement. The Processor may satisfy audit requests by providing existing third-party attestations (such as a SOC 2 Type II report or an ISO 27001 certificate) where these cover the scope of the request.

11. Liability and indemnification

The liability of each party under this DPA is governed by the limitation of liability provisions of the Terms of Service. The aggregate liability of the Processor under this DPA and the Terms of Service combined is capped as set out in the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Applicable Data Protection Laws, including liability towards data subjects under Article 82 GDPR.

The Controller indemnifies the Processor against claims by data subjects or supervisory authorities to the extent those claims arise from the Controller's instructions or content (for example URLs the Controller instructed the Service to capture in breach of Applicable Data Protection Laws). The Processor indemnifies the Controller against claims arising from the Processor's breach of its obligations under this DPA.

12. Term and termination

This DPA enters into force on the effective date stated above or, if later, the date on which the Controller first accepts the Terms of Service. It remains in force for as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination of the subscription, the Processor stops processing Personal Data on behalf of the Controller and, in accordance with section 5.6, deletes or returns the data at the Controller's choice. Provisions that by their nature should survive termination (confidentiality, liability, governing law) continue in effect.

Annex I: Details of processing

This Annex describes the Processing of Personal Data carried out by the Processor on behalf of the Controller, as required by Clause 8.1(b) of the EU Standard Contractual Clauses.

Subject matter of Processing
Operation of the Guard.ch session-replay platform: capture, storage and playback of browser sessions initiated by the Controller.
Duration of Processing
For the term of the Controller's subscription. Captured artefacts are retained for one (1) day on Free plans and one (1) month on paid plans, and are deleted within one (1) month after termination unless an earlier deletion is requested.
Nature and purpose of Processing
Automated rendering of URLs inside isolated browser containers; capture of HTTP traffic, DOM snapshots, screenshots and console output; encrypted transmission to the storage region; on-demand replay to authorised workspace members. Purposes determined by the Controller, typically threat investigation, fraud research, quality assurance and security education.
Categories of Personal Data
  • Account data: workspace member email, hashed credentials, session tokens, audit log entries.
  • Billing data: customer name, address, VAT number, payment identifiers (no full PAN stored).
  • Captured content: URL parameters, headers, cookies, form payloads, response bodies, screenshots, console output of the visited site. This content may incidentally include personal data of the visitors and operators of the captured site.
  • Technical telemetry: source IP of the workspace user, browser fingerprint of the workspace user, approximate geolocation derived from IP.
Categories of Data Subjects
  • Workspace administrators and analysts employed by the Controller.
  • End users of websites the Controller instructs the Service to capture.
  • Third parties whose data appears incidentally in captured content.
Sensitive data
The Service is not designed for the deliberate collection of special category data under Art. 9 GDPR. The Controller must avoid instructing the Service to capture URLs whose content predictably contains such data without an appropriate legal basis and additional safeguards.
Frequency of transfer
Continuous, on demand, whenever the Controller initiates a capture or replays a stored session.
Retention period
One (1) day for Free plan session captures and one (1) month for paid-plan session captures. Account and billing records are retained for ten (10) years where Swiss bookkeeping law requires.
Subject matter and nature of Processing by Subprocessors
Hosting of compute and storage, transit of encrypted artefacts, transactional email delivery, payment processing. See Annex III.
Competent supervisory authority
Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland. For the Controller, the lead supervisory authority is determined by the Controller's place of main establishment.

Annex II: Technical and organisational measures

The Processor implements the technical and organisational measures described in full at /legal/security. The summary below covers the categories required by Clause 8.6 of the EU SCCs.

  • Pseudonymisation and encryption. Captured artefacts encrypted at rest with AES-256 and in transit with TLS 1.3. Workspace tenancy keys derived per customer; account credentials hashed with Argon2id.
  • Confidentiality, integrity, availability and resilience. Network isolation between capture nodes; per-session ephemeral browser containers destroyed after upload; signed audit log for every replay and download; multi-region storage replication for the Helsinki primary.
  • Restoration after incident. Encrypted off-site backups with documented restore drills at least quarterly; documented incident response runbook with named on-call.
  • Regular testing, assessment and evaluation. Continuous dependency scanning, quarterly internal penetration tests, annual external penetration test, monthly access review.
  • User identification and authorisation. SSO with SAML or OIDC, optional WebAuthn, role-based access control inside the workspace, session controls, IP allow-lists for enterprise plans.
  • Data protection by design and by default. Minimum-necessary capture profiles, plan-based retention, automated redaction tooling for known credential patterns, default deny on cross-workspace access.
  • Governance. Documented data protection contact, internal incident escalation policy, subprocessor register, change management for production access.
  • Physical security. Storage operated from Tier III data centres with biometric access control, twenty-four hour monitoring, and environmental hazard protection.

The full set of measures, including current control descriptions and any relevant third-party attestations, is published at /legal/security and updated whenever the controls materially change.

Annex III: Subprocessors

The current list of authorised Subprocessors, including the legal entity name, country of processing, scope of Processing and applicable transfer mechanism, is published at /legal/subprocessors and forms part of this DPA.

The Controller is deemed to have approved each Subprocessor listed on that page at the time the Controller accepts this DPA. Subsequent additions or replacements are notified in accordance with section 6.

13. Governing law and jurisdiction

This DPA is governed by the substantive law of Switzerland, without regard to its conflict of laws rules. The place of jurisdiction for any dispute arising out of or in connection with this DPA is Schmiedrued, Switzerland, subject to any mandatory venue under Applicable Data Protection Laws (in particular the right of data subjects to bring claims before the courts of their habitual residence).

For any data protection question or to exercise rights under this DPA, contact dpa@guard.ch or, as a fallback, legal@guard.ch.
