Last updated: October 2025
1. Introduction
This Data Processing Agreement (“DPA”) forms part of any contract or service agreement between Quaicy (“Processor”) and the Client (“Controller”) where Quaicy processes personal data on behalf of the Client.
The DPA ensures compliance with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and other applicable global data protection laws.
2. Roles and Definitions
- Controller: The Client who determines the purposes and means of processing personal data.
- Processor: Quaicy, which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable individual.
- Processing: Any operation performed on personal data, including storage, collection, or transfer.
3. Subject Matter and Duration
Quaicy processes personal data solely for the purposes defined in the main service agreement, and only for the duration necessary to fulfill contractual obligations or as required by law.
4. Nature and Purpose of Processing
Processing activities may include:
- Hosting, storage, or IT infrastructure management
- Data analytics and reporting
- Support and maintenance services
- Communication management and workflow automation
5. Categories of Data and Data Subjects
- Data subjects: Client employees, customers, partners, or users
- Data categories: Contact details, identifiers, usage data, and other data necessary for service provision
6. Controller Responsibilities
The Client ensures that all personal data provided to Quaicy is lawfully collected and that data subjects have been properly informed under applicable data protection laws.
7. Processor Obligations
Quaicy agrees to:
- Process personal data only on documented instructions from the Client
- Maintain confidentiality and ensure personnel are bound by data protection obligations
- Implement appropriate technical and organizational measures (TOMs)
- Notify the Client of any personal data breach without undue delay
- Assist the Client with data subject requests and impact assessments
8. Subprocessors
Quaicy may engage subprocessors to support service delivery. A current list of subprocessors is available upon request.
Quaicy ensures that subprocessors are bound by data protection terms equivalent to this DPA.
9. International Data Transfers
Where data is transferred outside Switzerland or the EU/EEA, Quaicy ensures appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions are in place.
10. Security Measures
Quaicy implements and maintains industry-standard security controls, including encryption, access controls, data minimization, and regular security audits.
11. Data Breach Notification
In case of a data breach, Quaicy will promptly inform the Client, providing details about the nature of the breach, affected data, and remediation measures.
12. Data Subject Rights
Quaicy assists the Client in fulfilling data subjects’ rights requests (access, rectification, deletion, portability, restriction) as required by GDPR and FADP.
13. Data Return and Deletion
Upon termination of the service agreement, Quaicy will, at the Client’s choice, return or securely delete all personal data unless legal obligations require retention.
14. Audit Rights
The Client has the right to verify Quaicy’s compliance with this DPA through audits or certifications. Quaicy will provide reasonable assistance and documentation.
15. Liability and Indemnity
Each party is liable for damages resulting from its own breach of this DPA or applicable data protection law. Quaicy’s liability is limited to the scope defined in the main service agreement.
16. Governing Law and Jurisdiction
This DPA is governed by the laws of Switzerland. Any disputes shall be subject to the exclusive jurisdiction of the courts of Zurich, Switzerland.
17. Contact
For data protection inquiries or to request a copy of this agreement, contact: privacy@quaicy.ch
