Version 02 January 2026

DATA PROCESSING AGREEMENT (GDPR)

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions or other service agreement (the "Agreement") between Prodeen ("Processor") and the customer entity identified in the Agreement ("Controller").

 

This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") and the Swiss Federal Act on Data Protection (nFADP).

 

 

  1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning set out in the GDPR and the nFADP. Any references to Supervisory Authorities shall include the Swiss Federal Data Protection and Information Commissioner (FDPIC).

 

 

  2. Roles of the Parties
     1. The Controller determines the purposes and means of the processing of Personal Data.
     2. Prodeen processes Personal Data solely on behalf of and under the instructions of the Controller and acts as a Data Processor.

 

 

  3. Subject Matter and Duration of Processing
     1. Subject matter: Provision of the Prodeen platform and related services.
     2. Duration: For the term of the Agreement and until deletion or return of Personal Data in accordance with Section 11.

 

 

  4. Nature and Purpose of Processing

Processing activities may include collection, storage, structuring, consultation, analysis, transmission, and deletion of Personal Data for the purpose of providing the Prodeen services.

 

 

  5. Categories of Data Subjects and Personal Data

Data Subjects may include:

  1. Customer users
  2. Supplier contacts
  3. Business partners and third parties uploaded by the Controller

Types of Personal Data may include:

  1. Names
  2. Email addresses
  3. Professional contact details
  4. Communications shared through the platform (including chat functionalities)

 

Special categories of personal data are not intended to be processed.

 

 

  6. Processor Obligations

Prodeen shall:

 

  1. Process Personal Data only on documented instructions from the Controller.
  2. Ensure persons authorized to process Personal Data are bound by confidentiality.
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  4. Not engage another processor without authorization in accordance with Section 7.
  5. The Processor shall process personal data lawfully, in good faith and solely on documented instructions of the Controller and shall implement appropriate technical and organisational measures to ensure full compliance with the applicable laws.

 

 

  7. Sub-processors
     1. The Controller authorizes Prodeen to engage sub-processors as necessary to provide the services.
     2. Prodeen shall ensure sub-processors are bound by data protection obligations no less protective than this DPA.
     3. Prodeen shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object.

 

Current authorized sub-processors include:

 

  1. Clerk, Inc. – Authentication and user management (may process user email addresses and identifiers). Data processing governed by Clerk DPA.
  2. HubSpot, Inc. – Customer relationship management and communications (may process user contact details). Data processing governed by HubSpot DPA.

 

An up-to-date list of sub-processors shall be made available upon request.

 

 

  8. Data Subject Rights

Prodeen shall assist the Controller, insofar as possible, in fulfilling its obligations to respond to requests for exercising data subject rights under the GDPR and nFADP.

 

 

  9. Personal Data Breach

Prodeen shall notify the Controller within 24 hours after becoming aware of a Personal Data Breach and provide relevant information as required by Article 33 GDPR and the corresponding provision under the nFADP.

 

 

  10. Audits

Prodeen shall make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an independent auditor, subject to reasonable notice and confidentiality.

 

 

  11. Deletion or Return of Personal Data

Upon termination of the Agreement, Prodeen shall, at the choice of the Controller, delete or return all Personal Data, unless EU law requires storage.

 

 

  12. Data Location and Transfers
      1. Primary hosting and processing of Personal Data by Prodeen occurs within the European Union.
      2. Certain sub-processors (including Clerk and HubSpot) may process limited categories of Personal Data outside the EU, including in the United States.
      3. Where Personal Data is transferred outside the EU, such transfers are conducted in compliance with Chapter V of the GDPR and are subject to appropriate safeguards, including Standard Contractual Clauses or equivalent mechanisms as declared by the relevant sub-processor.
      4. Cross-Border Transfers outside of Switzerland shall be subject to Swiss-recognised Standard Contractual Clauses and Transfer Impact Assessments wherever required.

 

 

  13. Liability

Liability arising from data protection obligations shall be governed by the Agreement, subject to mandatory GDPR provisions.

 

 

  14. Governing Law

This DPA shall be governed by the laws specified in the Agreement, subject to applicable provisions of the GDPR and nFADP. Nothing shall limit mandatory provisions under Swiss Law.

 

 

 

ANNEX 1 – Technical and Organizational Measures

 

Prodeen implements appropriate measures including access controls, encryption in transit, logical segregation, monitoring, and regular security reviews.