Data Processing Agreement (Switzerland)
Swiss Clients - Enterprise Version
Federal Act on Data Protection (FADP)
Whisperit SA
Version of 15.01.2026
Preamble
This Data Processing Agreement ("DPA") supplements the General Terms and Conditions of Whisperit SA and governs the processing of personal data carried out by Whisperit SA ("Processor") on behalf of the Client ("Controller") in the context of the use of the Whisperit Software.
This DPA complies with the revised Federal Act on Data Protection (FADP, in force since 1 September 2023) and the Data Protection Ordinance (DPO).
This Enterprise DPA provides enhanced guarantees adapted to the requirements of large organisations and regulated sectors.
1. Definitions
Personal data: All information relating to an identified or identifiable natural person.
Sensitive personal data: Data on religious, philosophical, political or trade union opinions or activities; data on health, intimate sphere or racial or ethnic origin; genetic and biometric data; data on criminal or administrative proceedings or sanctions; data on social assistance measures.
Processing: Any operation relating to personal data, regardless of the means used, including in particular the collection, recording, storage, use, modification, disclosure, archiving, erasure or destruction.
Controller: The Client who determines the purposes and means of the processing.
Processor: Whisperit SA, which processes data on behalf of the Controller.
Data security breach: Any breach of security resulting in the loss, erasure, destruction, modification or unauthorised disclosure of personal data, or unauthorised access thereto.
FDPIC: Federal Data Protection and Information Commissioner.
2. Subject and Scope of Processing
2.1 - Categories of Data Processed
| Category | Description | Retention Period | Legal Basis |
|---|---|---|---|
| Identification data | Name, first name, professional email, function | Duration of contract + 3 months | Performance of the contract |
| Connection data | Access logs, IP addresses, timestamps | 90 rolling days | Legitimate interest (security) |
| Document content | Texts, files processed by the Software | Duration of contract + 3 months | Performance of the contract |
| Transcription data | Audio dictations, transcriptions | Duration of contract + 3 months | Performance of the contract |
| Usage metadata | Usage statistics, preferences | Duration of contract | Performance of the contract |
| Billing data | Billing details | 10 years (legal obligation) | Legal obligation |
2.2 - Categories of Data Subjects
- Users of the Software (employees, collaborators of the Client)
- Persons mentioned in the documents processed by the Software
- Professional contacts of the Client
2.3 - Purposes of Processing
The processing is carried out exclusively for:
- The provision of Whisperit SaaS services in accordance with the Contract
- Technical maintenance, bug fixing and incident resolution
- Improvement of the performance and stability of the Software
- Customer support and technical assistance
- Billing and administrative management of the Contract
- Compliance with legal obligations applicable to the Processor
2.4 - Absolute Exclusions
The data is never used for:
- The training, fine-tuning or improvement of artificial intelligence models
- The resale, rental or commercial sharing with third parties
- Profiling, targeted advertising or direct marketing
- Behavioural analysis for commercial purposes
- Any purpose not expressly provided for in this DPA
2.5 - Sensitive Personal Data
Principle: The Software is not designed to process sensitive personal data within the meaning of Art. 5 let. c FADP.
Exception: If the Controller uses the Software to process documents containing sensitive data (notably health data in the context of legal files), it shall inform the Processor in writing beforehand. In this case:
a) The Processor shall apply enhanced security measures
b) Access to the data shall be limited to strictly necessary personnel
c) Additional encryption may be implemented upon request
d) The Controller shall assume responsibility for the lawfulness of the processing
3. Obligations of the Processor
3.1 - Documented Instructions
The Processor shall process personal data only on documented instruction from the Controller. Instructions may be given:
- In writing (email, letter)
- Via the Software's administration interface
- By any means enabling proof to be preserved
If the Processor considers that an instruction violates the FADP or other legal provisions, it shall immediately inform the Controller. The Processor may suspend the execution of the instruction until written confirmation from the Controller. The Processor may refuse to execute a manifestly unlawful instruction.
3.2 - Confidentiality of Personnel
The Processor guarantees that:
a) All persons involved in the processing of data, including auxiliaries and persons authorised to process personal data, are subject to a contractual or legal obligation of confidentiality.
b) Personnel receive initial and ongoing training on:
- Data protection (FADP, DPO)
- The attorney's professional secrecy (Art. 321 Swiss Criminal Code and Art. 13 LLCA/BGFA)
- Internal security policies
- Incident management
c) Access to data is limited to personnel whose functions require it (need-to-know principle).
d) A register of authorised persons is maintained and available upon request.
3.3 - Attorney's Professional Secrecy
Article 321 of the Swiss Criminal Code and Article 13 LLCA/BGFA: The Processor expressly acknowledges occupying the position of auxiliary within the meaning of Art. 321 para. 1 of the Swiss Criminal Code and Art. 13 of the Federal Act on the Free Movement of Lawyers (LLCA/BGFA).
The Processor undertakes to:
a) Absolute compliance: Not to disclose any information covered by professional secrecy, to any authority whatsoever, without the prior written consent of the Client.
b) Specific training: Ensure that any employee or sub-processor having potential access to the Client's data receives training on the obligations arising from the attorney's professional secrecy, including:
- Nature and scope of professional secrecy
- Applicable criminal sanctions (Art. 321 Swiss Criminal Code)
- Procedures in the event of access requests
c) Procedure in the event of authority request:
- Immediately inform the Client of any request unless such information is legally prohibited
- Not proceed with any disclosure without written instruction from the Client
- Challenge any request incompatible with professional secrecy
- Exhaust available remedies if the Client so requests, the Client bearing the full costs thereof
d) Requests from foreign authorities: Refuse any request from a foreign authority and immediately inform the Client, unless such notification is legally prohibited in Switzerland.
e) Survival of obligation: Obligations relating to professional secrecy survive the end of the Contract without limitation of time.
3.4 - Technical Security Measures
The Processor implements the following technical measures:
Encryption:
- Data at rest: AES-256
- Data in transit: TLS 1.2 minimum, TLS 1.3 negotiated by default
- Encryption keys: Secure management with periodic rotation
Access control:
- Multi-factor authentication (MFA) mandatory
- Role-based access control (RBAC)
- Robust password policy (min. 12 characters, complexity)
- Automatic lockout after 5 failed attempts
- Sessions expired after 30 minutes of inactivity
Infrastructure protection:
- Web Application Firewall (WAF)
- Intrusion detection and prevention system (IDS/IPS)
- DDoS protection
- Network segmentation
- Monthly vulnerability scanning
- Annual penetration tests
Logging:
- Access, action and security logs retained according to the log retention schedule in Section 3.4bis
- Log integrity guaranteed (timestamping, signing)
- Real-time monitoring with alerts
3.4bis - Log Retention Schedule
| System | Content | Retention | Location |
|---|---|---|---|
| Azure Monitor | Infrastructure logs | 30 days | Switzerland / EU |
| LangSmith | LLM prompts and responses | 14 days | EU (Germany) |
| Zitadel | Authentication events | 7 days | Switzerland |
| Sentry | Application error logs | 14 days | EU (Germany) |
| Application logs | Access and action logs | 90 rolling days | Switzerland |
The Processor centralises security-relevant events and retains them in accordance with the periods above. Where a specific regulatory or contractual obligation requires longer retention, the Processor and the Controller may agree on extended retention in writing.
3.5 - Organisational Security Measures
Governance:
- Documented information security policy
- Designated security officer
- Security committee with quarterly reviews
Access management:
- Formalised onboarding/offboarding process
- Semi-annual access rights review
- Principle of least privilege
Incident management:
- Documented incident response procedure
- Designated incident response team
- Annual procedure tests
Business continuity:
- Documented business continuity plan (BCP)
- Tested disaster recovery plan (DRP)
- RTO (Recovery Time Objective): 4 hours
- RPO (Recovery Point Objective): 1 hour
3.6 - Backups and Restoration
- Daily full backups
- Incremental backups every 4 hours
- Geographic replication in Switzerland
- Monthly documented restoration tests
- Backup retention: 30 rolling days
3.7 - Sub-processing
General authorisation: The Controller authorises the Processor to engage the sub-processors listed on the Sub-processors page at the date of signature of the Contract.
Modification procedure:
a) The Processor shall notify the Controller in writing at least 30 days before any addition, replacement or removal of a sub-processor
b) The notification shall include:
- Identity and location of the sub-processor
- Nature of the processing concerned
- Data protection guarantees
- Justification for the engagement
c) The Controller shall have 15 business days to issue a reasoned objection
d) In the event of an objection:
- The parties shall consult in good faith
- If no agreement is reached, the Controller may terminate without charge the part of the Contract concerned
Obligations imposed on sub-processors:
- Obligations equivalent to those of this DPA
- Controller's audit right
- Processor's liability for the acts of its sub-processors
3.8 - Data Location
Hosting in Switzerland: The Controller's client content data (documents, conversations, transcripts, user records) is hosted exclusively on servers physically located in Switzerland.
This guarantee covers:
- Production data
- Backups
- Application-level logs and metadata
Operational services exception: Certain operational services that do not process privileged client document content may be hosted outside Switzerland. Each receives only the data described below, for the retention periods set out in Section 3.4bis:
- Error monitoring (Sentry, EU - Germany): processes application error logs only, no client document content
- LLM observability and tracing (LangSmith, EU - Germany): processes the prompts sent to and the responses received from the AI features, for debugging and quality assurance. Because a prompt contains the text the user submits to an AI feature, this tracing is configurable per tenant and can be disabled upon written request (see the deactivation procedure below)
- Transactional emails (Loops, USA): processes email addresses and notification content only
- Product analytics (Mixpanel, USA): processes anonymised usage statistics, no client content
Upon written request addressed to privacy@whisperit.ai, the Client may request the deactivation of any operational service involving non-Swiss processing, with the understanding that certain technical support and diagnostic capabilities may be reduced.
Exception for AI services: Processing by AI APIs may involve temporary transit outside Switzerland. In this case:
- No data is retained by the AI provider beyond the session
- Contractual guarantees prohibit any use for training
- The Client may request the deactivation of AI features involving transit outside Switzerland
3.8bis - Deep Research Feature (United States Processing)
The Software includes a Deep Research feature that uses the OpenAI API (United States) for advanced internet-based research. Only the user's research query is transmitted to OpenAI; no client documents or their contents are sent. OpenAI's data usage policy states that API data is not used for model training.
This feature is available across all data residency tiers on an opt-in basis. For clients subject to professional secrecy, use of this feature requires explicit written acknowledgement that research queries transit through US infrastructure. The Client may choose to use or refrain from using this feature at its discretion.
4. Rights of Data Subjects
4.1 - Enhanced Assistance
The Processor assists the Controller in responding to requests from data subjects exercising their rights:
| Right | Assistance Deadline | Included Services |
|---|---|---|
| Access | 5 business days | Data export, access report |
| Rectification | 3 business days | Modification in the system |
| Erasure | 5 business days | Deletion + certificate |
| Restriction | 3 business days | Data marking |
| Portability | 10 business days | Standard format export |
4.2 - Procedure
a) The Controller transmits the request to the Processor in writing
b) The Processor acknowledges receipt within 24 hours
c) The Processor executes the request within the indicated deadlines
d) The Processor confirms execution in writing with, where applicable, an erasure certificate
4.3 - Direct Requests
If a data subject addresses a request directly to the Processor, the Processor shall:
a) Inform the Controller within 48 hours
b) Not respond directly unless instructed by the Controller
c) Redirect the person to the Controller if appropriate
5. Notification of Data Breaches
5.1 - Notification Deadline
In the event of a data security breach, the Processor shall notify the Controller:
- Critical breaches (exfiltration, ransomware): within 24 hours
- Other breaches: within 48 hours
The deadline runs from the moment the Processor becomes aware of the breach.
5.2 - Content of Initial Notification
The initial notification shall include at minimum:
a) Date and time of detection of the breach
b) Nature of the breach (confidentiality, integrity, availability)
c) Categories of data concerned
d) Estimated number of persons concerned
e) Estimated number of records concerned
f) Description of likely consequences
g) Immediate measures taken
h) Contact point details
5.3 - Supplementary Notification
Within 72 hours of the initial notification, the Processor shall provide:
a) Detailed analysis of the cause of the breach
b) Precise timeline of events
c) List of systems and data affected
d) Impact assessment
e) Corrective measures implemented
f) Recommendations for the Controller
5.4 - Cooperation
The Processor shall:
a) Fully cooperate with the Controller for any notification to the FDPIC
b) Provide the information necessary for notification to data subjects
c) Participate in crisis meetings if requested
d) Implement the agreed corrective measures
5.5 - Documentation
The Processor maintains a register of data security breaches including:
- Description of the breach
- Data and persons concerned
- Measures taken
- Notification decisions
This register is available to the Controller upon request.
6. Audit and Control
6.1 - Audit Right
The Controller has an annual audit right to verify the Processor's compliance with the obligations of this DPA.
6.2 - Audit Procedures
Audit request:
- Written request 30 calendar days in advance
- Scope of the audit defined jointly
- Independent auditor subject to confidentiality
Conduct:
- During business hours (9:00–17:00, business days)
- Maximum duration: 3 days
- Access to relevant premises, systems and documentation
- Possibility of interviews with designated personnel
Limitations:
- No significant disruption to operations
- Protection of the Processor's trade secrets
- No access to other clients' data
- No access to proprietary source code
6.3 - Audit Report
- The auditor submits its report to both parties
- The Processor has 30 days to respond to observations
- A remediation plan is established for non-conformities
- A follow-up audit may be requested for critical non-conformities
6.4 - Costs
- Auditor fees: borne by the Controller
- Processor personnel time: included (max. 16 hours/year)
- Beyond: invoiced at the agreed hourly rate
6.5 - Certifications and Reports
In addition to or as an alternative to the on-site audit, the Processor makes available:
- SOC 2 Type II reports (target: 2027)
- ISO 27001 certificate (target: 2027)
- Penetration test reports (redacted version)
- Annual compliance attestation signed by management
7. Assistance with Legal Obligations
7.1 - Data Protection Impact Assessment (DPIA)
The Processor assists the Controller in carrying out data protection impact assessments:
a) Provision of necessary technical information
b) Description of security measures
c) Assessment of risks related to the processing
d) Recommendations for mitigation measures
Assistance is provided within 15 business days of the request.
7.2 - Register of Processing Activities
The Processor maintains a register of processing activities in accordance with Art. 12 FADP, including:
- Identity of the Processor and the Controller
- Categories of processing carried out
- Transfers to third countries
- Security measures
An extract of the register is available upon request.
7.3 - Cooperation with Authorities
In the event of a request from the FDPIC:
a) The Processor shall immediately inform the Controller (unless legally prohibited)
b) The parties shall consult on the response to be provided
c) The Processor shall disclose only the minimum necessary
d) The Controller shall be kept informed of developments
8. Duration and End of Processing
8.1 - Duration
This DPA enters into force on the date of signature of the main Contract and remains in force for its entire duration.
8.2 - Data Restitution
At the end of the Contract, the Controller has 90 days to request the restitution of its data.
Available restitution formats:
- JSON (JavaScript Object Notation)
- CSV (tabular data)
- PDF (documents)
- Original native format (if available)
Documentation provided:
- Schema of exported data
- Field dictionary
- Import guide
8.3 - Secure Deletion
At the end of the restitution period or upon the Controller's early request:
a) The Processor proceeds with the secure deletion of all data
b) The deletion covers:
- Production data
- Backups (within the following 30 days)
- Logs containing personal data
- Data held by sub-processors
c) Destruction certificate: The Processor issues a certificate attesting:
- Date of deletion
- Scope of deleted data
- Deletion method used
- Confirmation of notification to sub-processors
8.4 - Surviving Obligations
The following obligations survive the end of the Contract:
- Confidentiality and professional secrecy: without limitation
- Retention of security logs relating to the Controller (notwithstanding the shorter default periods in Section 3.4bis): 1 year after deletion
- Availability for post-contractual audit: 1 year
9. International Transfers
9.1 - Principle
Client content data is hosted exclusively in Switzerland. No transfer to a country not offering an adequate level of protection is carried out without appropriate safeguards.
9.2 - Adequate Countries
Switzerland recognises as adequate the countries listed by the Federal Council (Annex 1 DPO), notably the EEA Member States.
9.3 - Guarantees for AI Providers
For AI services involving data transit:
a) Ephemeral processing: No retention beyond the processing session
b) Contractual guarantees:
- Standard contractual clauses if applicable
- Prohibition of use for training
- Equivalent security commitment
c) Risk assessment: The Processor maintains a documented risk assessment for each AI provider
9.4 - Deactivation Option
The Controller may request the deactivation of functionalities involving data transit outside Switzerland. In this case, certain AI functionalities may be limited.
10. Guarantees Specific to Artificial Intelligence
10.1 - Non-Training
The Processor guarantees that the Controller's data is never used to:
- Train AI models
- Fine-tune existing models
- Improve AI models or their underlying algorithms
- Constitute training datasets
This guarantee applies to the Processor and all its AI providers.
10.2 - Transparency
The Processor keeps up to date:
a) The list of AI models used in the Software
b) The location of processing for each model
c) The guarantees obtained from each provider
This information is available on the Sub-processors page.
10.3 - Enterprise API Contracts
All AI providers are bound by Enterprise-level agreements including:
- Explicit exclusion of training on client data
- Non-retention commitment
- Audit right
- Policy change notification
10.4 - Provider Policy Change
In the event of a modification of the terms of service of an AI provider incompatible with the guarantees of this DPA:
a) The Processor shall immediately cease using that provider
b) The Controller shall be informed within 48 hours
c) An alternative provider shall be put in place within 30 days
d) Failing this, the Controller may terminate the Contract without charge, it being understood that any amounts owed by the Controller to the Processor as at the date of termination shall remain due.
11. Liability
11.1 - Processor's Liability
The Processor is liable for damages caused by processing that does not comply with this DPA or the Controller's instructions (within the limits of Section 3.1).
11.2 - Limitation
The Processor's liability under this DPA is subject to the limitations provided in the General Terms, except in the event of:
- Intentional or grossly negligent violation
- Violation of professional secrecy (Art. 321 Swiss Criminal Code)
- Violation of essential security obligations
11.3 - Indemnification
The Processor indemnifies the Controller against any fine or administrative sanction resulting directly from a violation of this DPA by the Processor, within the contractual liability caps.
12. Final Provisions
12.1 - Hierarchy of Documents
In the event of a conflict:
- This DPA prevails over the General Terms for data protection matters
- The annexes supplement the body of the DPA
- The Controller's specific instructions supplement the DPA
12.2 - Modifications
Any modification of this DPA requires written form and the signature of both parties.
12.3 - Applicable Law
This DPA is governed by Swiss law.
12.4 - Jurisdiction
Any dispute relating to this DPA shall be submitted to the courts of Prilly, Switzerland.
12.5 - Severability
If a provision of this DPA is invalid, the other provisions shall remain in force. The parties agree to replace the invalid provision with a valid provision most closely approximating the original intent.
Annex A: Detailed Technical and Organisational Measures
A.1 - Physical Security of Data Centres
| Measure | Description |
|---|---|
| Location | Switzerland exclusively |
| Certification (data centre operator) | ISO 27001, SOC 2 Type II |
| Physical access | Biometrics + badge + PIN |
| Surveillance | 24/7, cameras, security personnel |
| Fire protection | Early detection, automatic extinguishing |
| Power supply | Dual power supply, generators, UPS |
| Climate control | Redundant, temperature monitoring |
A.2 - Logical Security
| Domain | Measures |
|---|---|
| Encryption at rest | AES-256, centralised key management |
| Encryption in transit | TLS 1.2 minimum, TLS 1.3 negotiated by default, annually renewed certificates |
| Authentication | MFA mandatory, SSO supported |
| Authorisation | RBAC, principle of least privilege |
| Network | Segmentation, firewall, IDS/IPS |
| Application | WAF, OWASP Top 10 protection |
| Endpoints | EDR, antimalware, disk encryption |
A.3 - Organisational Security
| Process | Description |
|---|---|
| Governance | Designated CISO, quarterly security committee |
| Policy | Documented and communicated security policy |
| Training | Initial + annual, phishing awareness |
| Recruitment | Background checks, NDA |
| Departure | Immediate access revocation |
| Suppliers | Security assessment, contractual clauses |
A.4 - Vulnerability Management
| Activity | Frequency |
|---|---|
| Vulnerability scanning | Monthly |
| Penetration tests | Annual (external) |
| Code review | Continuous (SAST/DAST) |
| Patch management | Critical: 24h, High: 7 days, Medium: 30 days |
| Bug bounty | Active programme |
A.5 - Continuity and Recovery
| Indicator | Objective |
|---|---|
| RTO (recovery time) | 4 hours |
| RPO (max data loss) | 1 hour |
| Target availability | 99.5% |
| BCP/DRP test | Annual |
| Backups | Daily, replicated, 30 days |
Annex B: Sub-processor List
See: the Sub-processors page
The list includes for each sub-processor:
- Company name and address
- Processing location
- Nature of services
- Data protection guarantees
- Date of addition to the list
Annex C: Points of Contact
Data protection:
- Email: dpo@whisperit.ai
- Address: Whisperit SA, Prilly, Switzerland
Security incidents:
- Email: security@whisperit.ai
- Telephone: +41 21 539 46 60 (24/7 emergency line)
Support:
- Email: support@whisperit.ai
- Portal: Support
Whisperit SA — Prilly, Switzerland
| Related document | Link |
|---|---|
| General Terms and Conditions | Terms |
| Privacy Policy | Privacy Policy |
| DPA European Union (GDPR) | DPA EU |
| Sub-processor List | Sub-processors |
| Technical Data Flow Documentation | Data Flow |