General Terms and Conditions (GTC)

These General Terms and Conditions (GTC) apply to all services offered by Kuvvu GmbH, Trustlytics of Kuvvu (hereinafter “Trustlytics”). By using our services, you accept these terms and conditions without limitation or modification.

  • 1.

    Scope and conclusion of the contract

  • 1.1

    These General Terms and Conditions (GTC) govern the use of the services and products provided or offered by Trustlytics to its customers (hereinafter "customer").

  • 1.2

    Acceptance of these General Terms and Conditions (GTC) is effected by using the corresponding services and products.

  • 2.

    Services and rights of Trustlytics

  • 2.1

    General

    Trustlytics offers services that are subject to a fee. The customer selects the services to be provided by Trustlytics from the range of services available at the time of use. All services are subject to the terms and conditions published on the Trustlytics website or in the Trustlytics billing management. Trustlytics reserves the right to change the range of services at any time and to limit or discontinue individual services.

  • 2.2

    Analytics service

  • 2.2.1

    Trustlytics provides the customer with cloud-based analytics software (hereinafter “analytics service”) that enables the customer to analyze its website (hereinafter “customer website”).

  • 2.2.2

    The pricing of the analytics service is based on the average usage of Trustlytics' resources. The resources provided may only be used for the proper analysis of the customer's website. Subletting the analytics service to third parties is not permitted without the prior written consent of Trustlytics. The analytics service is designed for use by individuals and small to medium-sized businesses. Trustlytics reserves the right to set limits or other restrictions on usage at any time. For larger businesses whose usage exceeds that of individuals and small to medium-sized businesses, custom quotes can be provided upon request.

  • 2.2.3

    Trustlytics is entitled to set resource usage limits or other usage restrictions for certain customers or customer groups if they use the analytics service in a resource-intensive manner. This is done at Trustlytics' sole discretion and serves as a fair use policy. In this case, the provision of the analytics service to the customer may be restricted.

  • 2.2.4

    Trustlytics reserves the right to block the customer's account or the analytics service for the customer website if the behavior of the customer or the behavior of the users of the customer website interferes with the proper functioning of the analytics service. Trustlytics will inform the customer in advance or immediately afterward about the blocking if this is possible within the scope of the operational resources and the specific circumstances.

  • 2.2.5

    Trustlytics aims to provide the analytics service continuously and without interruptions. However, temporary service interruptions may be necessary, e.g., for maintenance, troubleshooting, expansion of the analytics service, and measures to protect Trustlytics' infrastructure. If possible, the customer will be informed about such interruptions in good time.

  • 2.3

    Additional services from third-party providers

  • 2.3.1

    Trustlytics makes additional third-party services available to customers. When the customer uses these additional services, the customer automatically accepts the corresponding license terms, terms of service, terms of use, and/or conditions described by the third-party provider on the offer page.

  • 2.3.2

    Trustlytics reserves the right to restrict the use of third-party ancillary services or to remove individual third-party ancillary services from the offer at any time and without notice. The customer also accepts that there are no support services provided by Trustlytics regarding the third-party ancillary services, and the customer is solely responsible for securing its data when using the third-party ancillary services (see Section 4.1).

  • 3.

    Rights and obligations of the customer

  • 3.1

    The customer is entitled to use the analytics service properly and lawfully and undertakes to comply with these General Terms and Conditions (GTC) and any instructions from Trustlytics.

  • 3.2

    When ordering, registering, and using the analytics service, the customer must provide truthful and verifiable information. Trustlytics may, at any time and without giving reasons, require the customer to provide additional documentation or information to verify the accuracy of the information provided. Trustlytics is entitled to postpone the order or registration, suspend the provision of analytics services, or terminate the contract with immediate effect if the customer fails to provide appropriate documentation or information within the period specified by Trustlytics.

  • 3.3

    It is the customer's responsibility to choose appropriate passwords, keep them secure, and protect them from unauthorized access. The customer is solely responsible for the use of its passwords. If the customer detects any misuse of its account, it must immediately inform Trustlytics in writing (exclusively by e-mail with confirmation of receipt from Trustlytics).

  • 3.4

    The customer is not permitted to transfer the analytics service purchased by the customer to third parties, either free of charge or for a fee. If Trustlytics determines that the analytics service purchased by the customer is not used by the customer itself but by a third party, Trustlytics shall have the right to suspend the provision of the relevant analytics service until such a deficiency is remedied. In such a case, the customer shall remain obligated to pay the full remuneration for such analytics services.

  • 3.5

    It is the customer's obligation to notify Trustlytics immediately of any malfunctions and interruptions in the analytics service used by the customer and to assist Trustlytics in remedying the malfunction to the extent possible. The customer shall be responsible for the costs incurred by Trustlytics in isolating and remedying any disruption if the customer has requested an investigation and the cause of the disruption is attributable to the conduct of the customer, the equipment used by the customer, or the conduct of users of the customer website.

  • 4.

    Data backup

  • 4.1

    It is the sole responsibility of the customer to take appropriate security measures to recover its information and data in the event of loss or unauthorized or accidental modification. The specific measures the customer should take will depend on the need for protection and the likelihood and severity of the risk. In general, Trustlytics recommends that its customers back up their data regularly. The customer can download the analysis data via links generated by Trustlytics in the analytics software, in particular to create their own backup.

  • 4.2

    Trustlytics takes responsibility for backing up all data on its infrastructure. The frequency of backups is determined by Trustlytics. Customers do not have access to these backups.

  • 4.3

    Trustlytics does not assume any responsibility for the completeness and correctness of the backup copies made by the customer (see Section 4.1).

  • 5.

    Invoicing and payment terms

  • 5.1

    The obligation to pay for paid analytics services begins with the conclusion of the contract.

  • 5.2

    The payment process is handled by our payment service provider Paddle. Paddle takes care of all customer inquiries regarding payments and invoices. All fees already include all country-specific taxes, levies, and duties imposed by the tax authorities. Paddle collects and forwards these taxes on behalf of the tax authority. For more information, please refer to Paddle's Terms of Use.

  • 5.3

    The customer will be automatically charged the corresponding amount in advance via its credit card or PayPal.

  • 5.4

    It is the customer's responsibility to ensure that their payment method is up-to-date.

  • 5.5

    If, for any reason, it is not possible to charge the customer's selected payment method, Paddle will notify the customer. If the customer does not pay within a reasonable time, the analytics service will be disabled, and no analysis data will be collected until payment is made. If the analytics service has been disabled for a period of 30 days, it will be deleted without notification to the customer.

  • 5.6

    There will be no refund of paid subscription fees unless required by law.

  • 5.7

    It is not possible to set off the mutual claims of the contracting parties against each other.

  • 6.

    Warranty

  • 6.1

    Trustlytics strives to provide the analytics service carefully and professionally. However, there is no guarantee that the analysis data from the customer website will be accurate. Trustlytics also cannot guarantee that the analytics service it provides and, if applicable, services provided by third parties will help the customer achieve its intended economic or other goals.

  • 6.2

    Notifications of defects in the analytics service by the customer shall contain a written notice of defects (exclusively by e-mail with acknowledgement of receipt by Trustlytics) with a clear and comprehensible description of the asserted defects. The customer must also give Trustlytics a reasonable period of at least 30 days to remedy the reported defects. If Trustlytics does not meet the deadline, the customer is entitled to terminate the contract immediately. In this case, Trustlytics will refund the customer, on a pro rata basis, the fees paid for the period during which the customer no longer uses the analytics service due to the termination. Any further compensation is excluded, subject to the provisions in Section 7 of these General Terms and Conditions (GTC).

  • 7.

    Liability of Trustlytics

  • 7.1

    Trustlytics shall be liable to the customer for direct and proven damages caused by intentional wrongdoing or gross negligence by Trustlytics.

  • 7.2

    Trustlytics' liability for ordinary negligence is limited to the amount of CHF 70 per calendar year.

  • 7.3

    Liability for slight negligence and for indirect damages or consequential damages is expressly excluded. Consequential damages include, but are not limited to, lost profits, loss of production, damage to reputation, and damage due to loss of data.

  • 7.4

    Furthermore, any liability for damages caused by the misuse or unauthorized access of third parties to the analytics service of Trustlytics or the customer website is excluded. This can occur, for example, but not exclusively, through computer viruses, DDoS attacks, or hacker attacks. The exclusion of liability also applies to damages incurred by the customer due to measures taken to protect the Trustlytics infrastructure, such as the blocking of access to the analytics service and/or the deactivation of the analytics service.

  • 7.5

    The above exclusions and limitations of Trustlytics' liability are not applicable in cases of injury to life, body and health, as well as in cases where mandatory statutory provisions apply, including the provisions of the Product Liability Act.

  • 8.

    Liability of the customer

    The customer is liable to Trustlytics without limitation for damages caused by unlawful intent or gross negligence. The customer's liability for slight negligence is expressly excluded.

  • 9.

    Confidentiality and data protection

  • 9.1

    Trustlytics and the customer are obliged to keep confidential all non-public information and data provided to them during the preparation and execution of the contract. This obligation remains in effect after termination of the contract as long as there is a legitimate interest in doing so.

  • 9.2

    Trustlytics and the customer shall ensure data protection and data security within their respective spheres of influence. Trustlytics is also entitled to inform customers about current developments and new services from itself and from partners. If the customer does not wish to receive such information, it can indicate this at any time via the link in the e-mail received. Trustlytics stores personal data only for as long and to the extent necessary for the provision of the analytics service or as required by law.

  • 9.3

    In connection with the provision of the analytics service, Trustlytics shall process the customer's data exclusively for the performance of the contract. To the extent Trustlytics processes personal data for the customer as a commissioned data processor within the meaning of applicable data protection law, it shall do so exclusively in the manner set forth in the commissioned data processing agreement (hereinafter “DPA Agreement”) as set forth in the Annex to these General Terms and Conditions (GTC) and exclusively for the customer's purposes. In such a case, the customer shall be solely responsible for determining the purpose and means of the processing or use of the personal data by Trustlytics under the agreement and for ensuring that such processing does not violate applicable data protection laws.

  • 10.

    Intellectual property

  • 10.1

    For the duration of the contract, customers shall have the non-transferable, non-exclusive right to use the analytics service.

  • 10.2

    All rights to existing intellectual property or intellectual property arising in the performance of the contract regarding the Trustlytics analytics service shall remain with Trustlytics or with the third parties used by Trustlytics.

  • 11.

    Contract duration and termination

  • 11.1

    Duration general

    These General Terms and Conditions (GTC) are valid for the entire period of use of the analytics service by the customer.

  • 11.2

    Analytics service contract

  • 11.2.1

    Upon conclusion of the order, the contract for the analytics service (cf. Section 2.2) between Trustlytics and the customer enters into force and is valid for the term selected by the customer (either 1 or 12 months). Either party is entitled to terminate the contract at any time at the end of the agreed-upon term. The termination must be made exclusively online via Trustlytics billing management. Trustlytics is also entitled to terminate the contract by email to the email address provided by the customer. If no notice of termination is given in due time, the contract will be automatically extended by the agreed term.

  • 11.2.2

    Cancellation policy: The customer has the option to cancel its order for the analytics service in writing (e.g., by a letter sent by post or by e-mail) within 14 days without giving any reason. The period begins as soon as the contract comes into force. To meet the deadline, it is sufficient to send the cancellation in time. The cancellation must be sent to Paddle.com Market Ltd, Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom, help@paddle.com (see Paddle Checkout Buyer Terms and Conditions). The customer must use the email address registered with Paddle when doing so. The right of withdrawal only applies to orders placed through the Trustlytics website that are billed through Paddle and only for analytics services that have not been customized for the customer.

  • 11.2.3

    If the customer violates the contractual provisions, misuses the analytics service or services of third parties for unlawful purposes, or if Trustlytics is threatened with reputational damage, Trustlytics has the right, at its own discretion, to immediately deactivate the analytics service and/or terminate the contract without notice. The customer is obliged to reimburse Trustlytics for the fees due up to the ordinary termination of the contract, as well as any additional costs due to the termination of the contract without notice.

  • 11.3

    If bankruptcy or insolvency proceedings have been initiated against the customer or it otherwise becomes apparent that the customer can no longer meet its payment obligations, Trustlytics reserves the right to terminate the contract with the customer without notice. Likewise, the contract may be terminated before the end of the contract period if the customer does not pay the fees for the next contract period in advance or provide adequate collateral.

  • 11.4

    After the expiration of the contract, Trustlytics is entitled to delete the customer's data. The customer is responsible for backing up its own data in a timely manner. The DPA Agreement shall remain in force until all personal data involved in the commissioned processing has been deleted by Trustlytics.

  • 12.

    Changes to the terms of the contract

  • 12.1

    Trustlytics attaches great importance to keeping its infrastructure up-to-date with the latest technology and thus meeting the security requirements as well as technical standards of its industry. The customer agrees that new developments in technology or security, as well as changes in the range of services offered by contractual partners or open-source software, may have an impact on the offer and prices.

  • 12.2

    Trustlytics therefore expressly reserves the right to change the contractual terms and conditions, including these General Terms and Conditions (GTC), at any time. Changes to the General Terms and Conditions (GTC) will be published on the website of Trustlytics and will become effective upon publication. If there are any price increases or service limitations during the current contract term, the customer will be notified in writing by email. If the customer does not agree with the changes, it can terminate the contract at the end of its term. Without a timely termination, the contract will be automatically extended by the agreed duration, and the change will be considered accepted by the customer.

  • 13.

    Other provisions

  • 13.1

    Any form of abuse, whether verbal, physical, or written, towards any Trustlytics employee or officer will not be tolerated. If anyone at Trustlytics is confronted with the threat of abuse or retaliation from a customer, it may result in the immediate termination of the customer's account and analytics service.

  • 13.2

    To inform the customer of notifications relevant to the contract, such as price changes, an email will be sent to the email address provided by the customer in profile management and Paddle. The customer is responsible for ensuring that this email address is current and correct during the contract. Trustlytics and Paddle will not consider or independently check for updates to email addresses other than those stored in these systems. However, Trustlytics and Paddle have the right to correct or delete obvious errors or entries that violate third-party rights.

  • 13.3

    The transfer of rights and obligations under the analytics service contract to a third party requires the written consent of the other party. This does not apply if Trustlytics transfers the contract to a legal successor or an affiliated company.

  • 13.4

    These General Terms and Conditions (GTC) and any disputes arising out of or in connection with the contractual relationship between Trustlytics and the customer shall be governed exclusively by Swiss law, excluding the conflict of laws provisions and the provisions of the UN Convention on Contracts for the International Sale of Goods (CISG).

  • 13.5

    The exclusive place of jurisdiction shall be the ordinary courts at the domicile of Trustlytics. Alternatively, Trustlytics is entitled to sue the customer at the customer's domicile.

    Rapperswil-Jona, November 2024

 

Annex 1: Commissioned Data Processing Agreement

Kuvvu GmbH, Trustlytics of Kuvvu (hereinafter “Trustlytics”) provides analytics services to the customer (hereinafter “customer”) in relation to one or more of the customer's websites (hereinafter “customer website”). In providing the analytics services, Trustlytics stores personal data on behalf of and for the purposes of the customer (hereinafter “order processing and DPA Agreement”).

  • 1.

    Subject and scope of application of the DPA Agreement

    This Commissioned Data Processing Agreement governs the duties, roles, and responsibilities of Trustlytics and the customer (hereinafter “contracting parties”) regarding the order processing.

  • 2.

    Relation to the analytics service contract

    The DPA Agreement supplements the analytics service contract without limiting the rights and obligations of the contracting parties regarding the provision or use of services. In the event of a conflict, the provisions of this DPA Agreement shall take precedence over those of the analytics service contract, unless the analytics service contract expressly provides otherwise.

  • 3.

    Scope of application of the DPA Agreement

  • 3.1

    The DPA Agreement relates to the order processing in connection with the analytics services provided by Trustlytics pursuant to the analytics services contract.

  • 3.2

    Trustlytics' DPA Agreement does not apply to the processing of personal data where Trustlytics itself decides which purposes and means are used. In such cases, Trustlytics is responsible for data security under the Swiss Federal Data Protection Act or other applicable data protection laws (in particular, the EU GDPR). Such processing of personal data that Trustlytics undertakes as a data controller (e.g., processing of personal data for purposes of service billing or communication with the customer) is undertaken by Trustlytics in accordance with its privacy policy and all applicable laws on the protection of personal information.

  • 4.

    Information on order processing

  • 4.1

    The object and purpose of order processing is the provision of analytics services by Trustlytics for the customer. The order processing consists of the storage, provision, transmission, and deletion of personal analysis data in accordance with the provisions of the analytics service contract.

  • 4.2

    Through order processing, data is collected from individuals to whom the customer grants access to its customer website. This is personal information that is usually collected when using a website, such as log data (IP address and operating system of the user's device, as well as the date and time of access of the browser, type of browser, etc.), data entered by the user, and analyzed user-related information (hereinafter “personal analysis data”).

  • 5.

    Roles and responsibilities

  • 5.1

    The customer acknowledges and Trustlytics recognizes that the customer is and remains responsible for the processing of the personal analysis data under applicable data protection laws. The customer thus holds the role of controller, unless the customer itself acts as processor regarding the personal analysis data (see Section 5.4).

  • 5.2

    Trustlytics acknowledges that the customer, in the role of the controller, is obligated to contractually bind Trustlytics to some of its obligations under the Swiss Federal Data Protection Act or other applicable data protection laws (in particular the EU GDPR) when using analytics services.

  • 5.3

    Trustlytics assumes the role of processor regarding the processing of the personal data concerned. To the extent Trustlytics is not also subject to the EU GDPR (or the other applicable data protection laws, if any) for such order processing, Trustlytics shall only assume such a role based on Trustlytics' contractual obligations under this DPA Agreement and shall not be bound to the EU GDPR (or the other applicable data protection laws, if any) solely for that reason.

  • 5.4

    If the customer, for its part, is a processor (i.e., if the customer is authorized under the analytics services contract to provide the analytics services to its own customers), it confirms that its customer (i.e., the controller) has authorized it to engage Trustlytics as a sub-processor and to issue any instructions to Trustlytics pursuant to a separate agreement.

  • 6.

    Obligations of Trustlytics

  • 6.1

    Trustlytics undertakes to process the personal analysis data only for the provision of the analytics services in accordance with the service description and contractual obligations, as well as in accordance with this DPA Agreement.

  • 6.2

    Trustlytics is entitled to process the personal analysis data of the customer to the extent that the fulfillment of its performance obligations under the analytics services contract and this DPA Agreement requires. Upon request, Trustlytics may receive and implement additional instructions regarding order processing from the customer. The customer must immediately confirm verbal instructions in writing (exclusively by email). If Trustlytics is of the opinion that such an instruction violates data protection regulations, Trustlytics will immediately inform the customer and suspend or refuse to implement it until it is confirmed or modified by the customer. Trustlytics may also refuse to implement the relevant instruction if it is not feasible or objectively unreasonable for Trustlytics within the scope of the contractually agreed analytics services, if it leads to additional costs or a changed scope of services, or if Trustlytics would be unable to fulfill its legal or regulatory obligations by implementing it.

  • 6.3

    Trustlytics ensures that the employees and other individuals who have access to the personal analysis data act in accordance with the DPA agreement. Furthermore, Trustlytics undertakes to oblige all individuals concerned to maintain confidentiality, even beyond their activities for Trustlytics.

  • 6.4

    Trustlytics undertakes to take appropriate technical and organizational measures in the interests of confidentiality, integrity, and contractual availability of the personal analysis data. Trustlytics implements, in particular, access controls and admission controls, as well as procedures for the regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures. Trustlytics considers the current state of the art, the implementation costs, the type, scope, and purposes of the processing of data, as well as the varying probability of occurrence and severity of the risk for data subjects. The respective applicable measures are listed in Annex 1a of this DPA Agreement.

  • 6.5

    Trustlytics undertakes to inform the customer immediately in writing if a data breach occurs and personal analysis data is affected. In doing so, Trustlytics must inform the customer of the nature and extent of the breach, as well as possible solutions. The contracting parties shall cooperate to ensure the protection of the personal analysis data and to mitigate any potential adverse effects for the affected individuals. Upon written request, Trustlytics shall provide the customer with sufficient information to enable the customer to comply with its obligations under applicable data protection laws regarding notification, investigation, and documentation of data security breaches.

  • 6.6

    Trustlytics undertakes to assist, upon written request of the customer and against reasonable compensation, and considering operational resources and capabilities, in the fulfillment of data subject rights (including the rights to information, rectification, and erasure) by the customer regarding personal analysis data in accordance with applicable data protection laws. This also includes Chapter III of the EU GDPR, as well as the corresponding provisions of the Swiss Federal Data Protection Act.

  • 6.7

    If a data subject makes claims regarding his or her rights and contacts Trustlytics directly, Trustlytics will refer the data subject to the customer. If Trustlytics receives requests from a data subject regarding personal analysis data (such as requests for information or deletion), Trustlytics must promptly notify the customer in writing. However, this only applies if the customer can be identified based on the information received from the data subject.

  • 6.8

    Trustlytics offers support for data protection impact assessments and consultations with supervisory authorities upon written request and against payment. The corresponding remuneration is agreed separately, considering Trustlytics' operational resources and capabilities.

  • 6.9

    Upon expiration of the analytics services contract, Trustlytics will delete the personal analysis data in accordance with the terms of the analytics services contract.

  • 7.

    Involvement of sub-order processors

  • 7.1

    If a Trustlytics customer uses services that involve personal analysis data and are provided by a third party, Trustlytics remains the customer's processor and fulfills the related obligations under the DPA Agreement. The provider of the third-party service that is integrated into Trustlytics' analytics service is then a sub-order processor of Trustlytics. To be distinguished from this are cases in which Trustlytics mediates a direct contract with the third-party service provider for the customer, and the third-party service provider becomes the customer's processor directly. In these cases, the customer itself must take care to enter into any necessary agreements with the third-party service provider under applicable data protection laws.

  • 7.2

    Trustlytics maintains a list of sub-processors (Annex 1b) and may involve additional sub-order processors within the scope of its analytics services. If Trustlytics wishes to involve additional sub-order processors or replace sub-order processors involved in the future, Trustlytics shall notify the customer thereof in writing (exclusively by email) at least 60 days in advance. The customer may object to an extension or adjustment of the list within 30 days in writing (exclusively by email). The customer can do this only for data protection and justified reasons. If the contracting parties cannot reach an agreement within 30 days, the customer may terminate the order processing and the affected service of the analytics service contract extraordinarily if the customer can show that the objection is necessary under data protection law. Stricter regulations on the involvement of sub-order processors in favor of the customer in the analytic service contract remain reserved.

  • 7.3

    Trustlytics will only sub-order the processing of personal analysis data to sub-order processors that have committed to the order processing requirements under Article 28(3) of the GDPR.

  • 8.

    Disclosure of personal analysis data outside Switzerland and the EU

  • 8.1

    Trustlytics is obligated not to disclose or transmit any personal analysis data outside of Switzerland and the EU, unless

    • the disclosure is to the customer itself, its affiliates, or third parties in fulfillment of an instruction from the customer or as contemplated by the analytics services contract (this does not apply to transmission to Trustlytics' sub-order processors or other third parties engaged by Trustlytics);

    • unless otherwise agreed in the analytics service contract, the transfer is to a recipient in a country with an adequate level of data protection;

    • unless otherwise agreed in the analytics service contract, the transfer is to a recipient in a country without an adequate level of data protection, provided that the conditions required under the Swiss Federal Data Protection Act and the EU GDPR for the lawful disclosure or transfer of personal data have been met; or

    • the disclosure has otherwise been agreed with the customer in the analytics service contract or elsewhere.

  • 9.

    Obligations of the customer

  • 9.1

    The customer is responsible for the lawfulness of the processing of the personal analysis data, including the lawfulness of the order processing or sub-order processing.

  • 9.2

    It is the customer's responsibility to take appropriate technical and organizational measures to protect personal analysis data on its systems and applications.

  • 9.3

    The customer undertakes to inform Trustlytics without undue delay if the customer discovers any violations of applicable data protection laws in the provision of services by Trustlytics.

  • 10.

    Information and auditing rights

  • 10.1

    Trustlytics shall, upon written request, provide the customer with any information that the customer requires to demonstrate compliance with this DPA Agreement to data subjects, data protection authorities, or other supervisory authorities.

  • 10.2

    Trustlytics shall enable the customer, or an auditor appointed by the customer and bound to confidentiality, to audit Trustlytics' compliance with this DPA Agreement. If violations of the DPA Agreement by Trustlytics are identified and substantiated by appropriate evidence, Trustlytics shall implement appropriate corrective measures without undue delay and free of charge.

  • 10.3

    The aforementioned information and auditing rights of the customer exist only to the extent that the analytics service contract does not grant the customer other information and auditing rights that comply with the relevant requirements of the applicable data protection laws. Furthermore, these information and auditing rights are subject to the principle of proportionality and to the protection of Trustlytics' legitimate interests (in particular security and confidentiality interests). Unless otherwise agreed between the contracting parties, the customer shall bear all costs of the information and auditing, including Trustlytics' documented internal costs.

  • 11.

    General provisions

  •  

    The data protection terms used in this context have the same meaning as ascribed to them by the EU GDPR or the Swiss Federal Data Protection Act.

  •  

    Rapperswil-Jona, September 2023


Annex 1a: Technical and Organizational Measures (TOM)

The following describes the measures Trustlytics takes to ensure an appropriate level of security. In doing so, the nature and scope of the processing as well as the risks to the rights and freedoms of data subjects are taken into account. These are technical and organizational measures intended to ensure a high level of data protection:

  • 1.

    Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of the systems and services

    • Data protection aspects are an integral component of Trustlytics' risk management.

    • Employees are qualified and are bound by a data confidentiality obligation.

    • Employees are informed of the potential consequences of violating security rules and procedures.

    • Employees receive clear instructions regarding access control, communication security, and operational security.

    • In the event of a failure of critical system components, these can be replaced as quickly as possible, e.g., by spare components, redundant systems, or data mirroring.

  • 2.

    Measures for the anonymization and encryption of personal data

    • Where personal data are encrypted, the algorithms and key lengths are, wherever possible, chosen to match the sensitivity level of the data.

    • Encryption keys are protected by restricting access to them to a limited number of persons and by storing them securely.

  • 3.

    Measures to ensure the rapid restoration of availability and access to personal data in the event of a physical or technical incident

    • A backup strategy is defined based on the type of data and the frequency of its changes.

    • The backup systems are subject to the same security measures as the production systems.

    • The employees responsible for data recovery have undergone special training and are therefore qualified for this task.

  • 4.

    Measures for user identification and user authorization

    • Access to systems is protected by industry-standard identification methods and authentication procedures.

    • User accounts and user authorizations are managed by the responsible employees.

    • The restrictive, need-to-know authorization concept is administered by a minimal number of responsible employees.

    • Access to personal data is limited to employees who have a legitimate need to access that personal data as part of their respective function or role.

    • Multifactor authentication is used to access the systems wherever possible.

  • 5.

    Measures for the protection of data during data transmission

    • Remote access takes place exclusively via encrypted connections.

    • The electronic transmission of data and the transfer of personal data are carried out using industry-standard encryption methods.

  • 6.

    Measures for the protection of data storage

    • Access to personal data is limited to those who need to process it.

    • The data stored in the data center is protected from physical access (see Section 7) and is encrypted wherever possible.

    • The rights to enter, modify, and delete data are limited to those who need to process such data.

  • 7.

    Measures to ensure the physical security of the places where personal data are processed and to ensure event logging

    •  

      For systems that are housed and maintained by external service providers, contractual agreements require these providers to implement and guarantee corresponding measures. These include, among others (non-exhaustive):

    • Electronic access control system with logging

    • High security fence around the entire data center park

    • Documented key allocation to employees

    • Guidelines for escorting and identifying guests in the building

    • 24/7 staffing of the data centers

    • Video surveillance at entrances and exits, security gates, and server rooms

    • Persons from outside the company (e.g., suppliers) may access the premises only when accompanied by an employee

  • 8.

    Measures for the internal IT as well as the systems with personal data

    • All systems and software are regularly updated.

    • Security updates are installed in a timely manner.

    • Security advisories and vulnerabilities are monitored, assessed, and remediated.

    • Remote access by third parties is not permitted.

  • 9.

    Measures for the deletion of personal data

    • Stored personal data are reviewed at regular intervals and deleted once they are no longer required and no legal or contractual provisions or technical restrictions prevent their deletion.

  • 10.

    Measures for data portability

    • Requests for data portability are forwarded to the responsible parties without delay and processed in a timely manner so that the statutory deadlines are always met.

  • 11.

    Sub-order processors

    • All sub-order processors engaged by Trustlytics have implemented appropriate technical and organizational measures (TOM) comparable to those implemented by Trustlytics itself.

  •  

    Rapperswil-Jona, September 2023


Annex 1b: List of sub-order processors

  • Paddle.com Market Limited, United Kingdom, Payment Processing

  • Hetzner Online GmbH, Germany, Data Center Services

  •  

    Rapperswil-Jona, September 2023