Data Processing Agreement (EU/EEA)
European Union Clients - Enterprise Version
General Data Protection Regulation (GDPR)
Whisperit SA
Version of 15.01.2026
Preamble
This Data Processing Agreement ("DPA") supplements the General Terms and Conditions of Whisperit SA and constitutes a sub-processing agreement within the meaning of Article 28 of Regulation (EU) 2016/679 (GDPR).
It governs the processing of personal data carried out by Whisperit SA ("Processor") on behalf of the Client ("Controller") in the context of the use of the Whisperit Software.
This Enterprise DPA provides enhanced guarantees adapted to the requirements of large organisations, regulated sectors and large-scale processing.
1. Definitions
The terms used in this DPA have the meaning defined by the GDPR:
Personal data: Any information relating to an identified or identifiable natural person (Article 4(1) GDPR).
Special categories of data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation (Article 9 GDPR).
Processing: Any operation or set of operations performed on personal data, whether or not by automated means (Article 4(2) GDPR).
Controller: The natural or legal person who determines the purposes and means of the processing (Article 4(7) GDPR).
Processor: The natural or legal person who processes personal data on behalf of the Controller (Article 4(8) GDPR).
Personal data breach: A breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of personal data, or unauthorised access to such data (Article 4(12) GDPR).
Supervisory authority: An independent public authority established by a Member State (Article 4(21) GDPR).
2. Subject and Scope of Processing (Article 28(3) GDPR)
2.1 - Categories of Data Processed
| Category | Examples | Typical Legal Basis (determined by the Controller) | Retention Period |
|---|---|---|---|
| Identification data | Name, first name, professional email, function | Performance of the contract (Art. 6(1)(b)) | Duration of contract + 3 months |
| Connection data | Access logs, IP addresses, timestamps | Legitimate interest (Art. 6(1)(f)) | 90 rolling days |
| Document content | Texts, files processed by the Software | Performance of the contract (Art. 6(1)(b)) | Duration of contract + 3 months |
| Transcription data | Audio dictations, text transcriptions | Performance of the contract (Art. 6(1)(b)) | Duration of contract + 3 months |
| Usage metadata | Usage statistics, preferences | Legitimate interest (Art. 6(1)(f)) | Duration of contract |
| Billing data | Billing details, history | Legal obligation (Art. 6(1)(c)) | 10 years |
2.2 - Categories of Data Subjects
- Users of the Software (employees, collaborators, service providers of the Controller)
- Persons mentioned in the documents processed by the Software
- Professional contacts of the Controller
- Any person whose data is processed via the Software
2.3 - Purposes of Processing
The processing is carried out exclusively for:
- The provision of Whisperit SaaS services in accordance with the Contract
- Technical maintenance, bug fixing and incident resolution
- Improvement of the performance, stability and security of the Software
- Customer support and technical assistance
- Billing and administrative management of the Contract
- Compliance with legal obligations applicable to the Processor
2.4 - Absolute Exclusions
The data is never used for:
- The training, fine-tuning or improvement of artificial intelligence models
- The resale, rental, sharing or commercialisation with third parties
- Profiling within the meaning of Article 22 GDPR
- Targeted advertising or direct marketing
- Automated decision-making producing legal effects
- Any purpose not expressly authorised by the Controller
2.5 - Special Categories of Data (Article 9 GDPR)
Principle: The Software is not designed to process special categories of data within the meaning of Article 9 GDPR.
Controller's responsibility: If the Controller uses the Software to process documents containing special categories of data, it shall:
a) Inform the Processor in writing beforehand
b) Ensure it has a valid legal basis (Art. 9(2) GDPR)
c) Assume full responsibility for the lawfulness of the processing
d) Implement the required additional security measures
Enhanced measures: In this case, the Processor shall apply:
- Enhanced encryption
- Access limited to strictly necessary personnel
- Enhanced access logging
- Pseudonymisation if technically possible
2.6 - Duration of Processing
The processing begins on the date of entry into force of the Contract and continues for its entire duration, plus the data restitution period (90 days).
3. Obligations of the Processor (Article 28 GDPR)
3.1 - Documented Instructions (Article 28(3)(a) GDPR)
The Processor shall process personal data only on documented instruction from the Controller, including with regard to transfers to a third country or an international organisation.
Accepted forms of instructions:
- Written instructions (email, letter, support ticket)
- Configuration via the Software's administration interface
- Annexes to this DPA
Instruction contrary to law:
If the Processor considers that an instruction constitutes a violation of the GDPR or other provisions of Union or Member State law relating to data protection, it shall immediately inform the Controller.
The Processor may suspend the execution of the contested instruction until written confirmation from the Controller assuming responsibility for the instruction.
3.2 - Confidentiality of Personnel (Article 28(3)(b) GDPR)
The Processor shall ensure that persons authorised to process personal data:
a) Commit to respecting confidentiality through a written commitment or are subject to an appropriate legal obligation of confidentiality
b) Receive the necessary training on data protection, including:
- GDPR principles
- Rights of data subjects
- Security obligations
- Internal procedures
- Incident management
c) Are identified and authorised: The Processor maintains a register of persons authorised to access data, made available to the Controller upon request
d) Apply the need-to-know principle: Only persons whose functions require it have access to data
3.3 - Security Measures (Article 28(3)(c) and Article 32 GDPR)
The Processor implements the appropriate technical and organisational measures to ensure a level of security adapted to the risk, taking into account:
- The state of the art
- The costs of implementation
- The nature, scope, context and purposes of the processing
- The risks to the rights and freedoms of individuals
3.3.1 - Technical Measures
| Domain | Measures implemented |
|---|---|
| Pseudonymisation | Technical identifiers, tokenisation if applicable |
| Encryption | AES-256 at rest, TLS 1.2 minimum (TLS 1.3 negotiated by default) in transit, secure key management |
| Confidentiality | RBAC access control, mandatory MFA, secure sessions |
| Integrity | Integrity checks, digital signatures, versioning |
| Availability | Redundancy, replication, BCP/DRP |
| Resilience | High availability architecture, load tests |
| Restoration | Daily backups, monthly tests, RTO 4h / RPO 1h |
| Regular testing | Monthly vulnerability scans, annual pentests, audits |
3.3.2 - Organisational Measures
| Domain | Measures implemented |
|---|---|
| Governance | Designated CISO, security committee, documented policies |
| Personnel | Initial and ongoing training, awareness, NDA |
| Access | Authorisation process, semi-annual reviews, least privilege |
| Suppliers | Security assessment, contractual clauses, monitoring |
| Incidents | Response procedure, dedicated team, annual tests |
| Continuity | Documented and tested BCP/DRP |
3.4 - Sub-processing (Article 28(2) and 28(4) GDPR)
3.4.1 - General Authorisation
The Controller gives its written general authorisation to the Processor to engage other sub-processors, subject to compliance with the conditions below.
3.4.2 - List of Current Sub-processors
The list of authorised sub-processors at the date of signature of the Contract is available on: Sub-processors
This list includes for each sub-processor:
- Company name and contact details
- Processing location
- Nature of the services provided
- Data protection guarantees
3.4.3 - Modification Procedure
a) The Processor shall inform the Controller in writing of any plan to add or replace sub-processors at least 30 days before implementation
b) The notification shall include:
- Full identity of the new sub-processor
- Geographic location of the processing
- Detailed description of the services
- Data protection guarantees (DPA, certifications)
- Justification for the engagement
c) The Controller shall have 15 business days to issue reasoned objections
d) In the event of an objection:
- The parties shall consult in good faith to find a solution
- The Processor may propose an alternative sub-processor
- If no agreement is reached within 30 days, the Controller may terminate without charge the affected part of the Contract
3.4.4 - Obligations Imposed on Sub-processors
The Processor imposes on its sub-processors, by contract:
- The same data protection obligations as those of this DPA
- Sufficient guarantees for the implementation of technical and organisational measures
- The Controller's audit right (direct or via the Processor)
3.4.5 - Liability
The Processor remains fully liable to the Controller for the performance by its sub-processors of their obligations.
3.5 - Assistance to the Controller (Article 28(3)(e) and (f) GDPR)
3.5.1 - Rights of Data Subjects
The Processor assists the Controller in responding to requests to exercise the rights provided for in Chapter III of the GDPR:
| Right | GDPR Article | Assistance Deadline | Services |
|---|---|---|---|
| Access | Art. 15 | 5 business days | Data export, report |
| Rectification | Art. 16 | 3 business days | Modification in the system |
| Erasure | Art. 17 | 5 business days | Deletion + certificate |
| Restriction | Art. 18 | 3 business days | Data marking |
| Portability | Art. 20 | 10 business days | Structured format export |
| Objection | Art. 21 | 5 business days | Analysis and implementation |
3.5.2 - Security Obligations (Articles 32-36 GDPR)
The Processor assists the Controller in ensuring compliance with the obligations provided for in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information at its disposal:
a) Security of processing (Art. 32): Provision of information on security measures
b) Notification to the supervisory authority (Art. 33): Assistance in preparing the notification
c) Communication to the data subject (Art. 34): Provision of necessary information
d) Data protection impact assessment (Art. 35):
- Provision of technical information
- Description of security measures
- Participation in the risk assessment
- Deadline: 15 business days after the request
e) Prior consultation (Art. 36): Cooperation in the event of consultation of the supervisory authority
3.6 - Deletion or Restitution (Article 28(3)(g) GDPR)
3.6.1 - Controller's Choice
At the end of the provision of services, at the Controller's choice:
a) Restitution: The Processor returns all data in a structured, commonly used and machine-readable format
b) Deletion: The Processor deletes all personal data
Both options apply unless a legal obligation to retain the data is imposed on the Processor.
3.6.2 - Deadlines and Procedures
- Restitution period: 90 days after the end of the Contract
- Available formats: JSON, CSV, PDF, original native format
- Documentation: Data schema, field dictionary
- Deletion: Occurs within the 30 days following the end of the restitution period or upon early request
3.6.3 - Destruction Certificate
Upon request, the Processor provides a certificate attesting:
- The date of deletion
- The scope of deleted data
- The deletion method used
- Confirmation of deletion by sub-processors
3.7 - Provision of Information and Audits (Article 28(3)(h) GDPR)
3.7.1 - Provision of Information
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations provided for in Article 28 GDPR.
3.7.2 - Audits and Inspections
The Processor allows the conduct of audits, including inspections, by the Controller or another auditor mandated by the Controller, and contributes to these audits.
Procedures:
a) Request: Written, 30 calendar days in advance, defined scope
b) Frequency: One audit per year included; additional audits invoiced
c) Conduct:
- During business hours
- Maximum duration: 3 days
- Auditor subject to confidentiality
- Access to relevant premises, systems, documentation
d) Limitations:
- No significant disruption to operations
- Protection of trade secrets
- No access to other clients' data
- No access to proprietary source code
e) Report: Submitted to both parties, Processor response within 30 days
3.7.3 - Alternatives to On-site Audit
The Controller may accept the following in lieu of an on-site audit:
- Penetration test report by an independent third party (redacted version)
- Compliance attestation signed by management
- Documentation of technical and organisational security measures
- SOC 2 Type II report (target: 2027)
- ISO 27001 certificate (target: 2027)
4. Notification of Data Breaches (Articles 33-34 GDPR)
4.1 - Notification Deadline to the Controller
The Processor shall notify the Controller of any personal data breach:
- Critical breaches (data exfiltration, ransomware, malicious access): Within 24 hours
- Other breaches: Within 48 hours at most
The deadline runs from the moment the Processor becomes aware of the breach.
4.2 - Content of the Notification (Article 33(3) GDPR)
The notification shall contain at minimum:
a) The nature of the breach, including, if possible:
- The categories and approximate number of data subjects concerned
- The categories and approximate number of records concerned
b) The name and contact details of the DPO or other point of contact
c) The likely consequences of the breach
d) The measures taken or proposed to:
- Remedy the breach
- Mitigate its potential adverse effects
4.3 - Supplementary Notification
Within 72 hours of the initial notification, the Processor shall provide:
a) Detailed root cause analysis
b) Precise timeline of events
c) Exhaustive list of affected data and systems
d) Assessment of the impact on data subjects
e) Corrective measures implemented
f) Recommendations for notification to data subjects
4.4 - Assistance for Notification
The Processor assists the Controller for:
a) Notification to the supervisory authority (Art. 33):
- Provision of required information
- Preparation of the notification form
- Participation in exchanges with the authority if requested
b) Communication to data subjects (Art. 34):
- Identification of persons to notify
- Preparation of the communication content
- Technical implementation of the communication if possible
4.5 - Documentation of Violations
The Processor documents any data breach, indicating:
- The facts concerning the breach
- Its effects
- The measures taken to remedy it
This documentation is made available to the Controller and the supervisory authority.
5. Transfers to Third Countries (Chapter V GDPR)
5.1 - Localisation Principle
Personal data is hosted in the European Economic Area (EEA) or in Switzerland (a country recognised as providing an adequate level of protection by the European Commission).
5.2 - Guarantees for Transfers
In the event of a transfer to a third country not benefiting from an adequacy decision, the Processor implements appropriate safeguards in accordance with Article 46 GDPR:
5.2.1 - Standard Contractual Clauses (SCC)
The Standard Contractual Clauses of the European Commission (Implementing Decision 2021/914) are incorporated by reference into this DPA.
Applicable module: Module 2 (Controller to Processor)
Annexes to the SCC:
- Annex I: Parties, description of the transfer, supervisory authority
- Annex II: Technical and organisational measures
- Annex III: List of sub-processors
5.2.2 - Transfer Impact Assessment (TIA)
The Processor carries out and documents a transfer impact assessment for each third country concerned, including:
- Analysis of the legal framework of the third country
- Assessment of the risks of access by public authorities
- Additional measures implemented
This assessment is made available to the Controller upon request.
5.2.3 - Supplementary Measures
If necessary in view of the impact assessment, the Processor implements supplementary measures:
- Encryption with keys controlled by the Controller
- Enhanced pseudonymisation
- Fractionated processing
5.3 - Transfers Specific to AI Services
For AI services involving data transit to third countries:
a) Ephemeral processing: No data is retained by the AI provider beyond the time necessary to process the request
b) Contractual guarantees:
- SCCs signed with each AI provider
- Contractual prohibition of use for training
- Audit right
c) Technical measures:
- Encryption in transit (TLS 1.3)
- Minimisation of data transmitted
- No storage of processed data
5.4 - Notification of Government Access Requests
In the event of a request for access to data by a public authority of a third country:
a) The Processor shall immediately inform the Controller (unless legally prohibited)
b) The Processor shall challenge the request if it is manifestly unfounded or excessive
c) The Processor shall disclose only the minimum necessary data
d) The Processor shall document any disclosure made
6. Rights of Data Subjects (Articles 15-22 GDPR)
6.1 - Assistance to the Controller
The Processor assists the Controller, through appropriate technical and organisational measures, in fulfilling its obligation to respond to requests to exercise the rights of data subjects.
6.2 - Rights Supported
| Right | Article | Description | Assistance Deadline |
|---|---|---|---|
| Information | Art. 13-14 | Provision of information on the processing | Upon request |
| Access | Art. 15 | Copy of data and information | 5 business days |
| Rectification | Art. 16 | Correction of inaccurate data | 3 business days |
| Erasure | Art. 17 | Deletion of data | 5 business days |
| Restriction | Art. 18 | Restriction of processing | 3 business days |
| Notification | Art. 19 | Information of recipients | 5 business days |
| Portability | Art. 20 | Export in a structured format | 10 business days |
| Objection | Art. 21 | Cessation of processing | 5 business days |
| Automated decision | Art. 22 | Not applicable (no automated decision-making) | N/A |
6.3 - Procedure
a) The Controller transmits the request to the Processor in writing (email accepted)
b) The Processor acknowledges receipt within 24 business hours
c) The Processor implements the request within the indicated deadlines
d) The Processor confirms execution in writing, with as applicable:
- Export of requested data
- Erasure certificate
- Confirmation of notification to recipients
6.4 - Requests Received Directly
If a data subject addresses a request directly to the Processor:
a) The Processor shall inform the Controller within 48 hours
b) The Processor shall not respond directly to the data subject, unless instructed otherwise by the Controller
c) The Processor may inform the data subject of the identity of the Controller, if this information is not confidential
7. Guarantees Specific to Artificial Intelligence
7.1 - Non-Training Commitment
The Processor formally guarantees that the Controller's data is never used to:
- Train artificial intelligence models
- Fine-tune or adapt existing models
- Improve machine learning algorithms
- Constitute training or validation datasets
- Any other form of automated learning
This guarantee applies to the Processor and all its sub-processors, including AI providers.
7.2 - Algorithmic Transparency
The Processor provides the Controller, upon request:
a) The list of AI models used in the Software
b) The description of functionalities using AI
c) The information necessary for informing data subjects
d) The risk assessment related to the use of AI
7.3 - Contracts with AI Providers
All AI providers are bound by Enterprise-level agreements including:
- Explicit exclusion of training on client data
- Non-retention commitment beyond the processing session
- Audit right exercised by the Processor or the Controller
- Notification of any policy change
- SCCs or other appropriate safeguards for transfers
7.4 - Modification of AI Provider Policies
In the event of a modification of the terms of service of an AI provider incompatible with the guarantees of this DPA:
a) The Processor shall immediately cease using that provider for the Controller's data
b) The Controller shall be informed within 48 hours of becoming aware of the modification
c) The Processor shall put in place an alternative provider offering equivalent guarantees within a period of 30 days
d) If no alternative is available, the Controller may terminate the Contract without charge or penalty, it being understood that any amounts owed by the Controller to the Processor as at the date of termination shall remain due.
7.5 - Compliance with the European AI Regulation
The Processor undertakes to:
a) Follow the evolution of Regulation (EU) 2024/1689 on artificial intelligence
b) Classify the AI systems used according to the risk categories provided
c) Implement the obligations applicable to the AI systems used
d) Provide the Controller with the information necessary for its own compliance
8. Register of Processing Activities (Article 30 GDPR)
8.1 - Processor's Register
The Processor maintains a register of all categories of processing activities carried out on behalf of the Controller, containing:
a) The name and contact details of the Processor and the Controller
b) The categories of processing carried out on behalf of the Controller
c) Data transfers to third countries and their documentation
d) A general description of the technical and organisational security measures
8.2 - Availability
An extract of the register concerning the processing carried out for the Controller is available upon request within 10 business days.
9. Data Protection Officer
9.1 - Processor's DPO
The Processor has designated a Data Protection Officer:
- Email: dpo@whisperit.ai
- Postal address: Whisperit SA, Prilly, Switzerland
9.2 - DPO's Missions
The Processor's DPO:
a) Ensures the Processor's compliance with the GDPR
b) Advises the Processor on its obligations
c) Cooperates with supervisory authorities
d) Serves as a point of contact for the Controller on data protection matters
9.3 - Representative in the European Union
In accordance with Article 27 GDPR, Whisperit SA has designated the following representative in the European Union:
- Name: Sebastien Bellon
- Address: Whisperit SA, Unlimitrust Campus, Route des Flumeaux 46, 1008 Prilly, Switzerland
- Email: eu-representative@whisperit.ai
The EU representative serves as a contact point for supervisory authorities and data subjects in the European Union.
10. Cooperation with Supervisory Authorities
10.1 - Principle
The Processor shall cooperate, upon request, with the supervisory authority in the performance of its tasks.
10.2 - Notification to the Controller
In the event of a request or investigation by a supervisory authority concerning the processing carried out on behalf of the Controller:
a) The Processor shall immediately inform the Controller (unless legally prohibited)
b) The parties shall consult on the response to be provided
c) The Processor shall disclose only strictly necessary information
d) The Controller shall be kept informed of the progress and outcome of the proceedings
11. Liability and Indemnification
11.1 - Joint Liability (Article 82 GDPR)
In accordance with Article 82(4) GDPR, where the Processor and the Controller are involved in the same processing and are responsible for damage, each may be held liable for the entire damage.
11.2 - Internal Apportionment
In the relations between the parties:
a) The Processor is liable for damages caused by processing:
- Not compliant with this DPA
- Contrary to the Controller's lawful instructions
- In breach of its own obligations under the GDPR
b) The Controller is liable for damages caused by:
- Its own GDPR non-compliance
- Instructions contrary to the GDPR despite the Processor's warning
11.3 - Indemnification
a) The Processor indemnifies the Controller against any administrative fine imposed by a supervisory authority resulting directly from a violation of this DPA attributable to the Processor
b) This indemnification is subject to the liability caps provided in the General Terms
c) Any indemnification is excluded where a fine results from the Controller's instructions or its own failings
11.4 - Exclusions
The limitation of liability provided in the General Terms does not apply in the event of:
- Intentional or grossly negligent violation
- Violation of essential data protection obligations
- Unlawful processing of special categories of data
12. Duration and Termination
12.1 - Duration
This DPA enters into force on the date of signature of the main Contract and remains in force for the entire duration of the Contract.
12.2 - Survival
The following obligations survive the end of the DPA:
- Confidentiality: without limitation of time
- Retention of security logs: 1 year after the deletion of data
- Availability for post-contractual audit: 1 year after the end of the Contract
- Data restitution/deletion: until complete execution
13. Final Provisions
13.1 - Hierarchy of Documents
In the event of a conflict between contractual documents:
- This DPA prevails over the General Terms for data protection matters
- The SCCs prevail over this DPA for international transfers
- The annexes supplement the body of the DPA
13.2 - Modifications
Any modification of this DPA requires written form and the signature of both parties.
13.3 - Applicable Law
This DPA is governed by the GDPR and, for matters not covered by the GDPR, by Swiss law.
13.4 - Jurisdiction
Any dispute relating to this DPA shall be submitted to the courts of Prilly, Switzerland, subject to the mandatory provisions of the GDPR relating to jurisdiction.
13.5 - Severability
If a provision of this DPA is declared invalid or unenforceable, the other provisions shall remain in force. The parties undertake to replace the invalid provision with a valid provision most closely approximating the intended economic and legal effect.
Annex 1: Standard Contractual Clauses (Module 2)
The Standard Contractual Clauses of the European Commission adopted by Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference into this DPA.
Applicable module: Module 2 (Controller to Processor)
Options selected:
| Clause | Option chosen |
|---|---|
| Clause 7 (Accession) | Applicable |
| Clause 9(a) (Sub-processors) | Option 2: Written general authorisation |
| Clause 11 (Redress) | Mandatory provisions apply; optional paragraph not retained |
| Clause 17 (Applicable law) | Option 1: Law of an EU Member State (Ireland) |
| Clause 18(b) (Jurisdiction) | Courts of Ireland |
Annex I.A - List of Parties: See contact details in the main Contract
Annex I.B - Description of the Transfer: See Section 2 of this DPA
Annex I.C - Competent Supervisory Authority: The supervisory authority of the Member State where the Controller is established
Annex II - Technical and Organisational Measures: See Annex 2 of this DPA
Annex III - List of Sub-processors: See Sub-processors
Annex 2: Technical and Organisational Measures (Article 32 GDPR)
Physical Security
| Measure | Description |
|---|---|
| Location | EEA or Switzerland |
| Datacentre certification | ISO 27001, SOC 2 Type II |
| Physical access control | Biometrics + badge + PIN code |
| Surveillance | 24/7, video surveillance, security personnel |
| Environmental protection | Fire detection, automatic extinguishing, redundant climate control |
| Power supply | Dual power supply, diesel generators, UPS |
Logical Security
| Measure | Description |
|---|---|
| Encryption at rest | AES-256, centralised key management |
| Encryption in transit | TLS 1.2 minimum, TLS 1.3 negotiated by default, Perfect Forward Secrecy |
| Authentication | Mandatory MFA, robust password policy |
| Access control | RBAC, principle of least privilege, semi-annual review |
| Network protection | Segmentation, firewall, IDS/IPS, DDoS protection |
| Application protection | WAF, OWASP Top 10 protection, CSP |
| Endpoint protection | EDR, antimalware, disk encryption |
| Logging | Centralised logs, guaranteed integrity, retention per system schedule (see Section 3.3) |
Organisational Security
| Measure | Description |
|---|---|
| Governance | Designated CISO, quarterly security committee |
| Policies | Documented and communicated security policy |
| Training | Initial and annual, phishing awareness |
| Access management | Formalised authorisation process, immediate revocation upon departure |
| Supplier management | Security assessment, contractual clauses, monitoring |
| Incident management | Documented procedure, designated team, annual tests |
Vulnerability Management
| Activity | Frequency |
|---|---|
| Vulnerability scanning | Monthly |
| Penetration tests | Annual (independent third party) |
| Code review | Continuous (SAST/DAST) |
| Patch management | Critical: 24h / High: 7d / Medium: 30d |
Continuity and Recovery
| Indicator | Value |
|---|---|
| RTO (Recovery Time Objective) | 4 hours |
| RPO (Recovery Point Objective) | 1 hour |
| Target availability | 99.5% |
| Backups | Daily full, incremental every 4h |
| Replication | Geographic within the same region |
| Restoration tests | Monthly, documented |
| BCP/DRP test | Annual |
Certifications
| Certification | Status |
|---|---|
| ISO 27001 | Target: 2027 (process not yet initiated) |
| SOC 2 Type II | Target: 2027 (process not yet initiated) |
The Processor shall inform the Controller of any significant progress towards obtaining these certifications.
Annex 3: Authorised Sub-processors
See the complete and up-to-date list on: Sub-processors
The list includes for each sub-processor:
- Company name and registered office address
- Data processing location
- Nature of the services provided
- Data protection guarantees (DPA, certifications)
- Date of authorisation
Annex 4: Points of Contact
Data protection (DPO):
- Email: dpo@whisperit.ai
- Address: Whisperit SA, Prilly, Switzerland
EU representative (Art. 27 GDPR):
- Email: eu-representative@whisperit.ai
- Address: Whisperit SA, Unlimitrust Campus, Route des Flumeaux 46, 1008 Prilly, Switzerland
Security incidents:
- Email: security@whisperit.ai
- Telephone: +41 21 539 46 60 (24/7 emergency line)
Requests to exercise rights:
- Email: privacy@whisperit.ai
Technical support:
- Email: support@whisperit.ai
- Portal: Support
Whisperit SA — Prilly, Switzerland
| Related document | Link |
|---|---|
| General Terms and Conditions | Terms |
| Privacy Policy | Privacy Policy |
| DPA Switzerland (FADP) | DPA Switzerland |
| Sub-processor List | Sub-processors |
| Technical Data Flow Documentation | Data Flow |