Data Processing Agreement

Art. 28 GDPR · Art. 9 revFADP

Swiss Cybersecurity Management Center GmbH (SCMC)

Version 1.0 — Last updated: 19 April 2026

This Data Processing Agreement (DPA) pursuant to Art. 28 GDPR and Art. 9 revFADP governs the processing of personal data by SCMC on behalf of customers (controllers).


1. Subject Matter and Duration

1.1 Subject Matter

SCMC acts as a data processor providing information security management system (ISMS) services, including the operation of the SCMC platform and related advisory services.

In the course of these services, SCMC processes personal data exclusively on behalf of and in accordance with the instructions of the controller.

1.2 Duration

This agreement applies for the duration of the main contract between SCMC and the controller.


2. Nature and Purpose of Processing

Personal data is processed for the purpose of:

  • Providing the SCMC platform and related features
  • Managing user accounts on behalf of the controller
  • Supporting the conduct of security assessments
  • Technical operation and maintenance of the platform

3. Types of Personal Data

The following categories of data may be processed under this agreement:

  • Name and contact details of the controller's employees
  • Access credentials (username, encrypted passwords)
  • Usage data and log data
  • Content and responses entered during security assessments

4. Categories of Data Subjects

  • Employees of the controller
  • Users registered on the SCMC platform by the controller

5. Obligations of SCMC as Data Processor

SCMC undertakes to:

  • Process personal data only on documented instructions from the controller
  • Maintain confidentiality regarding all personal data processed
  • Implement appropriate technical and organizational measures in accordance with Art. 32 GDPR and Art. 8 revFADP
  • Inform the controller without delay if an instruction violates applicable data protection law
  • Assist the controller in fulfilling data subject rights requests
  • Support the controller in notifying supervisory authorities of data breaches
  • Assist the controller in carrying out Data Protection Impact Assessments (DPIAs) where required in relation to the data processed (Art. 28(3)(f) GDPR)
  • Delete or return all data upon termination of the contractual relationship and, upon request, provide the controller with written confirmation of complete deletion
  • Make available to the controller all information necessary to demonstrate compliance with this agreement (Art. 28(3)(h) GDPR)

6. Technical and Organizational Measures (TOMs)

SCMC has implemented the following measures:

  • Platform data stored exclusively in Switzerland (AWS data centers in Switzerland); payment data is processed by Stripe as set out in Section 7
  • Encryption of data in transit (TLS) and at rest (AES-256)
  • Access controls based on the need-to-know principle
  • Multi-factor authentication for privileged access
  • Regular backups and disaster recovery procedures
  • Security monitoring and audit logging
  • Certifications: the underlying AWS infrastructure is ISO 27001, SOC 2, and PCI DSS certified; these certifications cover the hosting provider's infrastructure, not the SCMC platform itself

7. Sub-processors

SCMC engages the following sub-processors:

Provider                   Purpose                                 Location
Amazon Web Services (AWS)  Hosting, infrastructure, data storage   Switzerland
Stripe                     Payment processing                      Ireland / USA

For transfers of personal data to Stripe's US infrastructure, SCMC relies on Standard Contractual Clauses (EU Commission Decision 2021/914) and the Swiss-U.S. Data Privacy Framework, supplemented by Stripe's data processing addendum (available at stripe.com/legal/dpa).

The controller hereby grants general written authorization for the use of these sub-processors (Art. 28(2) GDPR). SCMC will inform the controller in advance of any intended addition or replacement of sub-processors and give the controller the opportunity to object.


8. Controller Rights

The controller has the right to:

  • Issue binding instructions regarding data processing
  • Conduct or commission audits and inspections
  • Request complete deletion or return of all personal data upon contract termination

9. Data Breaches

SCMC will notify the controller of any personal data breach without undue delay after becoming aware of it, and in any case no later than 72 hours after becoming aware, providing all information available at that time so that the controller can meet its own notification duties (Art. 33(2) GDPR, Art. 24 revFADP). Information not available at the time of the initial notification will be provided in phases as it becomes available.


10. Contact and Execution

This DPA applies to all SCMC customers who process personal data via the SCMC platform. To enter into an individualized Data Processing Agreement or for any questions, please contact:

Swiss Cybersecurity Management Center GmbH (SCMC)
Tiefenhöfe 10
8001 Zürich
Switzerland
Email: info@scmc.ch
