Order processing contract

Last update: 25.10.2025

1. Introduction
The order processing agreement is part of the license agreement.

2. General
The parties undertake to comply with the relevant data protection legislation in accordance with the Swiss Data Protection Act. Personal data may only be processed for the purpose and to the extent necessary for the fulfillment and execution of the contract. The parties shall observe the principles of lawfulness, proportionality, purpose limitation, transparency and good faith.

The transfer of data abroad is only possible under the conditions of Art. 16 FADP and requires the consent of the other party.

Exception: Access to the Ayyah app databases by Vaadin developers is permitted for maintenance and development purposes. This access takes place from the Czech Republic and Finland. However, the developers are not authorized to store Ayyah data locally or on their servers.

3. Personal data

Personal data means all information defined under Art. 5 lit. a FADP. The subject matter of the contract and the nature and purpose of the data processing are set out in the contract on which the order data processing contract is based.

4. Technical and organizational measures (TOM)
The parties undertake to take all reasonable, necessary technical and organizational measures to protect the personal data, in particular to prevent unauthorized access by third parties, unauthorized disclosure, loss, damage, deletion or destruction of the data.

The technical and organizational measures must ensure the long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing. In addition to digital information and data security, the premises in which the data is processed must be access-protected.
The security precautions must correspond to the current state of the art and be economically reasonable.

The processor shall take technical and organizational measures to adequately protect the client's data that meet the requirements of Art. 8 FADP and Art. 1 et seq. GDPR.

The Client is aware of the technical and organizational measures taken by the Processor and is responsible for ensuring that these offer a risk-based, sufficient level of protection. To this end, the processor shall inform the client of the measures taken in a suitable TOM document.

5. Contract fulfillment (order processing) and involvement of third parties
The processor shall only process data on behalf of and under the instruction of the client and only in the same way as the client would be permitted to process the data itself. Any use for the processor's own purposes is expressly prohibited. The activities and service descriptions permitted by the Client are set out in the contract between the parties. Changes to the performance obligations and instructions must be made in writing.

The Processor shall inform the Client immediately if it is of the opinion that an instruction from the Client violates applicable laws. It may suspend the implementation of the instruction until the legality of the instruction is confirmed by the Client or the instruction is amended.

The parties, in particular the Processor, shall ensure that the employees involved in the processing of the Client's data and other persons working for the Processor are prohibited from processing the data outside of the provisions in the contract or outside of the Client's instructions. It is guaranteed that the employees are subject to an appropriate duty of confidentiality and secrecy, which shall continue even after the end of the order.

The client guarantees that the processor may lawfully process the data in accordance with the contract without restriction and that the client is authorized to forward the data to the processor for processing.

The Client guarantees that all necessary prerequisites or justifications for the contractually owed data processing (consent, etc.) exist. It is obliged to inform the processor immediately of any changes (e.g. revocation of consent by data subjects).

The involvement of third parties as subcontractors with access to personal data is only permitted if the client has given prior written consent. The following subcontractors are currently involved:

  • Vaadin Ltd, Turku, Finland, software development
  • Nine Internet Solutions AG, Zurich, Switzerland, system operator and hosting
  • Intuit Inc (Mailchimp), Mountain View, USA, e-mail newsletter to customer contact
  • Cloudflare, Inc, San Francisco, USA, web security, CDN, DDoS protection

Third parties involved in the provision of services are subject to the same obligations as the parties. The client and the processor guarantee to impose their obligations on any third parties. They shall remain responsible for compliance with the obligations.

Insofar as the use of subcontractors results in the disclosure of personal data to a country without adequate data protection, the Processor shall ensure that data protection is guaranteed by means of suitable guarantees, in particular European standard data protection clauses, including the adjustments required under Swiss data protection law. The processor shall ensure compliance with these provisions and data security by the subcontractors.

6. Data subject rights
The parties undertake to safeguard and guarantee the rights of data subjects. The Client is obliged to inform the data subjects about the data processing within the meaning of Art. 6 para. 3 FADP.

In particular, the data subject has the right to information, deletion, correction, restriction of processing, blocking and portability of the data (Art. 25 ff. and 32 FADP).

If data cannot be deleted due to legal or business obligations, it will be blocked. If the accuracy or inaccuracy of data cannot be proven, it will be marked as disputed.

The parties undertake to provide the data that the data subjects have made available for processing in a commonly used, machine-readable format at the request of the data subject. If a data subject contacts the Processor with requests for rectification, erasure or access, the Processor shall forward the data subject's request to the Client. The parties shall support each other in processing the data subject's requests to the extent agreed. The Processor shall not be liable if the Data Subject's request is not answered, not answered correctly or not answered on time by the Principal, provided that the Processor has immediately forwarded such requests to the Principal.

7. Data protection officer
The parties shall mutually name a contact person for data protection issues arising under the contract.
Processor: Ayyah AG, Julian Karrer (julian.karrer@ayyah.com)

8. Notification obligations and control rights
The processor shall inform the client immediately if it becomes aware of any breaches of personal data protection.

The Client has the right to carry out an audit of the Processor itself or through an independent, appointed auditing company, in particular but not exclusively in order to be able to audit compliance with the obligations defined in this Agreement. An audit must be announced to the Processor in writing (e-mail is sufficient) at least 5 working days in advance. Before asserting its right to audit, the Client shall take into account existing, valid and applicable audit results in order to avoid redundant audits. The provisions of the contract, if any, shall apply to the formal conditions.

9. Deletion of data and return
After fulfillment of the purpose, but in any case after termination, expiry or cancellation of the contract, the Processor shall return all data to the Principal or delete it with the Principal's permission. Any copies shall be deleted. Any statutory retention obligations shall remain reserved.

10. Written form
Amendments to this Annex must be made in writing. The same applies to changes to the written form clause.

11. Entry into force and duration
This Data Processing Agreement shall apply for the entire duration of the contractual relationship between the parties.

12. Place of jurisdiction
The exclusive place of jurisdiction for disputes arising from the data processing agreement is Zurich, Switzerland.

Ayyah AG
Merkurstrasse 51
8032 Zurich, Switzerland
datenschutz@ayyah.com