Order data processing agreement (ADV)

Status: 01.08.2025

Introduction

The present order data processing agreement (“Agreement”) specifies the obligations of the parties with regard to the requirements of the Swiss Data Protection Act (“DSG”) and the General Data Protection Regulation of the European Union (“EU GDPR”). In this regard, it supplements the contractual agreements (“contract”) between aumico AG, Hardturmstrasse 161, 8005 Zurich, Switzerland (“aumico”) and the customer, in which aumico acts as a service provider to the customer, and forms an integral part of the contract.
The present agreement is valid only insofar and to the extent that the following requirements are met:
● the customer is either a controller or a processor within the meaning of the DSG and/or the EU GDPR, and
● as part of the contract, the customer uses aumico as a processor or sub-processor for the processing of personal data within the scope of the DSG and/or personal data within the scope of the EU GDPR (“personal data”).
The parties make the following agreements for this purpose.

1. Subject, duration and type of data processing

The subject matter, duration, type and purpose of the processing result from the contract. The categories of personal data processed, the categories of data subjects and the technical and organizational measures to be taken (“TOM”) are listed either in the contract or in one or more appendices to this agreement.

2. Scope and Responsibility

aumico processes personal data exclusively for the purpose of fulfilling the contract or for the purposes stated in the contract. The customer is responsible for the lawfulness of the data processing as such, including the admissibility of processing by a processor or sub-processor.
The customer's instructions are documented in this agreement and in the contract. The customer has the right to provide aumico with additional instructions in writing regarding the processing of personal data at any time. aumico complies with these instructions insofar as they can be implemented by aumico as part of the contractually agreed services and are objectively reasonable. If such instructions result in additional costs for aumico or in a change in the scope of services, such additional costs and contract changes must be agreed in writing.
aumico will immediately inform the customer if it believes that an instruction violates the DSG or the EU GDPR. In this case, aumico may suspend the implementation of the relevant instruction until it has been confirmed or amended by the customer. The above does not apply to instructions from the customer in connection with granting access rights or handing over personal data to the customer itself; aumico may assume at any time that such instructions comply with the law. However, it is entitled to request appropriate written confirmation from the customer.

3. Aumico's obligations

aumico processes personal data exclusively in accordance with the terms of the contract and this agreement. Aumico reserves the right to comply with legal, regulatory or official obligations.
aumico undertakes to keep a record of processing activities with regard to personal data in accordance with Article 12 (1) DSG and Article 30 (2) EU GDPR. The current list at the time of conclusion of this agreement can be found in Appendix 1 to this agreement. aumico will provide the customer with the latest version at the customer's request.
aumico shall implement the TOM defined in Appendix 2 to this agreement to protect personal data. aumico may adjust the agreed TOM at any time as long as the level of protection does not fall below the agreed level.
aumico ensures that employees and other aumico auxiliaries involved in processing customer-related personal data are prohibited from processing personal data for purposes other than those specified in the contract or contrary to this agreement. In addition, aumico ensures that persons authorized to process personal data have committed themselves to confidentiality and/or are subject to an appropriate legal obligation of confidentiality. The duty of confidentiality continues even after termination of the contract.
aumico will immediately inform the customer if it becomes aware of breaches of personal data protection at aumico or at one of its sub-processors (data breach). In addition, aumico will provide the customer with appropriate information in writing (e-mail is sufficient) about the nature and extent of the breach and possible remedies. In such a case, the parties shall take the necessary measures to ensure the protection of personal data and to reduce possible adverse consequences for the data subjects and the parties, and shall immediately agree on these measures.
Aumico's point of contact for data protection issues arising under the contract and the data protection officer in cases where this is required in accordance with Article 37 EU GDPR are listed in Appendix 1 to this Agreement.
aumico undertakes, upon request and against previously agreed separate payment, to assist the customer within the scope of its capabilities in fulfilling the rights of data subjects vis-à-vis the customer in accordance with Chapter 4 of the DSG or Chapter III of the EU GDPR. In addition, aumico can offer the customer further support for separate payment (e.g. in connection with a data protection impact assessment, consultation with the supervisory authority, notifications to them, etc.).
After the end of the contract, personal data must be returned or deleted/anonymized in accordance with the contractual provisions. aumico uses industry-standard procedures to delete/anonymize personal data.

4. Duties and obligations of the customer

In its area of responsibility (e.g. on its own systems, or in applications/environments under its operational responsibility), the customer independently takes appropriate technical and organizational measures to protect personal data.
The customer must inform aumico immediately if it discovers violations of data protection requirements in the services provided by aumico.
The customer names to aumico the contact person for data protection issues arising under the contract and, in cases where this is required in accordance with Article 37 EU GDPR, the data protection officer.

5. Requests from data subjects

If a data subject contacts aumico directly with a request for information, a request for correction or deletion, or other requests/claims regarding personal data, aumico will refer the data subject to the customer, provided that an assignment to the customer is possible on the basis of the information provided by the data subject. aumico's support to the customer with requests from data subjects is governed by Section 3.

6. Verification options, reports and audits

aumico is obliged to provide the customer with information upon request in order to document compliance with the obligations under this agreement.
The parties note that compliance with this obligation is generally proven by aumico being certified in accordance with ISO 27001 (as soon as this certification is available), or by aumico providing the customer with audit or test reports or confirmations of certifications specifically mentioned in the contract, etc., in certain areas. Mandatory audit rights of the customer or its supervisory authorities remain reserved. In any case, such audits must comply with the principle of proportionality and take due account of aumico's legitimate interests (in particular confidentiality). Unless otherwise provided, the customer bears all costs of such audits (including proven reasonable internal costs of aumico arising from participating in the audit).
If, after presentation of evidence or reports or as part of an audit, violations of this agreement or deficiencies in the implementation of aumico's obligations are identified, aumico must implement appropriate corrective measures immediately and free of charge.

7. Involvement of sub-processors

aumico is entitled to involve sub-processors. The current list of sub-processors involved at the time of conclusion of this Agreement is set out in Annex 3 to this Agreement. aumico must inform the customer in advance in text form (e-mail is sufficient) if, after this agreement comes into force, it brings in new sub-processors or replaces existing sub-processors. The customer can object in writing within a period of 30 days to the involvement of a new sub-processor or the replacement of an existing sub-processor for important data protection reasons. If there is an important reason under data protection law and an amicable solution between the parties is not possible, the customer is granted a right of termination with regard to the service affected by this.
aumico will enter into agreements with its sub-processors to the extent necessary to ensure the obligations under this agreement.

8. Disclosure abroad

The responsible and legally compliant handling of personal data is important to aumico. aumico complies with applicable law at all times, in particular the Swiss Federal Act on Data Protection (DSG) and the associated ordinance and, if and to the extent applicable, the European General Data Protection Regulation (EU GDPR).

aumico's privacy policy applies (available at aumico.io/privacy). In addition, the parties have concluded an order data processing agreement (ADV), which forms an integral part of the contract.

9. Further provisions

The present agreement comes into force retroactively as of 01.09.2023 and is concluded for the duration of the contract, provided that no longer lasting obligations arise from the provisions of this agreement.
The agreement is concluded when ordering services via the aumico website or as part of the login to the AUMICO platform by a user of the customer. aumico may assume, irrespective of the customer's internal regulations or circumstances and commercial register entries and without further verification of authorization, that a user of the customer who is acting vis-à-vis aumico (e.g. by placing an order or by using the AUMICO platform) is authorized to act (apparent authority), which also includes the acceptance and conclusion of this agreement.
Notwithstanding any written-form requirements in the contract, the present agreement may also be amended electronically between the parties.
The obligations under this agreement are in addition to the obligations set out in the contract and do not restrict the latter. In all other respects, the provisions of the contract continue to apply unchanged.

Annex 1 — List of processing activities

Status: 01.09.2023

This Appendix 1 describes the data processing carried out by aumico under the Order Data Processing Agreement (ADV) under the contract.

1. Information about aumico

1.1

Contact details of aumico (responsible recipient of instructions):
aumico AG, Grubenstrasse 6, 8045 Zurich, Switzerland
email: hello@aumico.ch

1.2

Contact details of aumico's data protection officer/data protection consultant:
aumico AG, Chris Zurbrügg, Grubenstrasse 6, 8045 Zurich, Switzerland
email: privacy@aumico.ch

1.3

Contact details of aumico's data protection representative in the European Union, who can be contacted by supervisory authorities and data subjects for all questions relating to EU data protection law:
VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg
Germany
email: info@datenschutzpartner.eu

2. Data processing

2.1 General

As part of the contract, the customer provides aumico with personal data and/or confidential data for processing at its own discretion and on its behalf.

2.2 Purpose of processing

The personal data entrusted to aumico by the customer, and the personal data resulting from it, is processed exclusively for the purpose of fulfilling the contract and related activities (including maintaining the customer relationship, invoicing, archiving).

2.3 Duration of processing

The personal data will be deleted or anonymized within 120 days after the end of the contract, provided that deletion/anonymization does not conflict with longer statutory retention obligations or legitimate interests.

2.4 Data subjects

aumico processes personal data from internal or external employees of the customer and internal or external employees of the customer's end customers.

2.5 Categories of personal data

aumico processes the following categories of personal data:

● Contact and identification data as well as (work) organizational data such as first name, last name, business and/or private address, business and/or private telephone number, country, company, area, department, function, responsibility, signing authority and customer number;
● Personal information, such as language;
● User account information, such as username and password;
● Contract and financial data, such as contract type, contract content, type of services, applicable terms and conditions, contract start date, compensation claims, billing and payment data, and financial data, which are included in the annual invoices created via the AUMICO platform;
● Interaction and usage data, such as correspondence, customer preferences, type and scope of use of services, customer service information such as complaints and information from the assertion of rights, and feedback;
● Information about the use of online services, such as frequency of visits, date, time and duration of visits, pages visited, search terms, clicks on content, website of origin; information in forms, social media profiles; reviews and comments submitted, IP address; information about the devices used (device type, device ID, manufacturer, operating system, language, device settings, MAC address, etc.), cookie information and browser settings.

2.6 Special legal confidentiality obligations

As an auxiliary of the customer, aumico processes personal data that is subject to professional secrecy (e.g. of fiduciaries or tax advisors) or, where applicable, to other special secrecy obligations.

3. Place of data processing

3.1 Place of processing of personal data

Personal data is processed primarily in Switzerland and in the EU/EEA. All countries, including those outside the EU/EEA, are listed in Annex 3 (sub-processor).

3.2 Guarantees for processing outside the EU/EEA

aumico ensures adequate protection of personal data when processing outside the EU/EEA by concluding agreements for order data processing with the relevant sub-processors, in which these sub-processors are required to take sufficient technical and organizational measures to protect the processed personal data or to ensure data security appropriate to the risk and which include the EU Standard Contractual Clauses (SCC).

3.3 Disclosure of personal data to sub-processors

The third parties listed in Appendix 3 (sub-processors) have access to and process personal data as sub-processors, or personal data is disclosed to these third parties.

4. Reporting data breaches

aumico will immediately notify the customer if aumico becomes aware of a breach of personal data protection that results in or threatens to result in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data. The notification is sent by e-mail to the customer's known contact persons.

Annex 2 — Technical and Organizational Measures (TOM)

Status: 01.08.2025

This Appendix 2 describes the technical and organizational measures taken under the Order Data Processing Agreement (ADV) under the contract by aumico to protect the processed personal data and to ensure data security appropriate to the risk (Art. 8 DSG and Art. 3 DSV and Art. 32 para. 1 EU GDPR).
This Appendix 2 is limited to the description of the technical and organizational measures that aumico has taken itself. aumico has contractually committed its sub-processors (including the operator of the servers on which the AUMICO platform is hosted and the service provider responsible for operating and developing the AUMICO platform) to take appropriate technical and organizational measures. The description of these technical and organizational measures can be found in the corresponding documentation of the sub-processors. On request, aumico will provide detailed information about this.

1. Physical access control

Measures that are suitable to prevent unauthorized persons from gaining physical access to facilities in which personal data is processed (processing facilities).
aumico ensures this through the following measures:

Technical measures

● Magnetic or smart cards/transponder systems
● Manual locking system (key)
● Doors with knob on the outside

Organizational measures

● Accompaniment of visitors

2. System access control

Measures that are suitable to prevent the use of data processing systems (e.g. computers) by unauthorized persons.
aumico ensures this through the following measures:

Technical measures

● Login with passwords (e.g. user name and password)
● Login with biometric data
● Anti-virus software clients
● Anti-virus software mobile devices
● Firewall
● Automatic lock mechanisms (e.g. desktop lock)
● Encrypting notebooks/tablets
● Two-factor authentication

Organizational measures

● Managing user permissions
● Creating user profiles
● Password Policy (“Secure Password”)

3. Data access control

Measures that are suitable to limit the access of persons authorized to use a data processing system exclusively to the personal data covered by their access authorization, and to prevent the reading, copying, alteration or removal of personal data by unauthorized persons (including unauthorized entry into memory and unauthorized access to, viewing, alteration or deletion of stored personal data).
aumico ensures this through the following measures:

Technical measures

● Paper shredder (at least level 3, cross cut)
● Standard authorization profiles based on “need to know”
● Data protection-compliant disposal of data carriers that are no longer required
● Safe storage of storage media
● Data protection-compliant reuse of storage media

Organizational measures

● Authorization concept
● Minimum number of administrators
● Administration of user rights by administrators
● Periodic review of assigned authorizations

4. Transfer and transport control

Measures that are suitable to prevent unauthorized reading, copying, alteration or removal of personal data during electronic transmission or during transport (including on data carriers), as well as measures to verify and determine to which recipients a transmission of personal data by means of data transmission equipment is intended or takes place.
aumico ensures this through the following measures:

Technical measures

● Delivery via encrypted connections such as SFTP or HTTPS
● Encrypting files

Organizational measures

● Disclosure in anonymized or pseudonymized form
● Careful selection of transport personnel and vehicles
● Documentation of data recipients

5. Input control

Measures that are suitable for verifying and determining whether, by whom and when which personal data was entered, changed or removed from data processing systems.
aumico ensures this through the following measures:

Organizational measures

● Traceability of entry, change, and deletion of data through individual user names (not user groups)
● Assignment of rights to enter, change and delete data based on an authorization concept
● Overview of which programs can be used to enter, change, or delete which data

6. Order control

Measures that are suitable to ensure that the processing of personal data by sub-processors is carried out only in accordance with the customer's instructions.
aumico ensures this through the following measures:

Organizational measures

● Preliminary review of the security measures taken by the sub-processor and their documentation (e.g. ISO certification, ISMS)
● Careful selection of the sub-processor (in terms of data protection and data security) and transfer of relevant responsibilities
● Conclusion of the necessary order processing agreement with the sub-processor (including in the form of EU standard contractual clauses, if necessary)
● In the case of long-term cooperation: Continuous review of the sub-processor and its level of protection
● Obligation to appoint a data protection officer by the sub-processor if the corresponding obligation exists
● Agreement on effective control and follow-up rights (e.g. audits) with the sub-processor
● Regulation on the involvement of further sub-processors
● Ensuring the destruction or return of data after completion of the order

7. Availability control

Measures that are suitable to protect personal data against accidental or deliberate destruction or loss.
The measures to ensure availability control are taken exclusively by the respective sub-processors.

8. Separability

Measures that are suitable to ensure the separate processing of personal data collected for different purposes.
aumico ensures this through the following measures:

Technical measures

● Separation of production and test environments
● Multi-client capability of relevant applications

Organizational measures

● Control via authorization concept
● Defining database rights

9. Review, Assessment and Evaluation

Establishment of procedures to regularly review, assess and evaluate the effectiveness of the technical and organizational measures for ensuring the security of processing.
aumico ensures this through the following measures:

Data protection management:

Technical measures

● Security certification in accordance with ISO 27001 (during 2024)
● Regular review of the effectiveness of technical protective measures

Organizational measures

● Internal data protection officer or data protection consultant and external data protection representative (EU)
● Regular awareness raising among employees (at least once a year)
● Employee training in the area of data protection and security
● Formalized process for processing inquiries from data subjects
● Commitment of employees to confidentiality and data protection (including data secrecy)

Incident response management:

Technical measures

● Firewall (including regular updates)
● Spam filter (including regular updates)
● Virus protection (including regular updates)

Organizational measures

● Involving the data protection officer or data protection consultant and the data protection representative (EU) in security incidents and data breaches
● Process for identifying and reporting security incidents/data breaches (also with regard to reporting obligations to supervisory authorities)
● Documentation of security incidents and data breaches, e.g. via a ticket system
● Process and responsibilities for post-processing security incidents and data breaches

Data protection-friendly default settings (Privacy by Design/Privacy by Default):

Technical measures

● No collection of more personal data than required for the respective purpose

Organizational measures

● Definition of the role for Privacy/Security by Design or Privacy/Security by Default in projects
● Raising awareness of privacy/security by design and privacy/security by default among the employees concerned

Appendix 3 — Sub-processors

Status: 01.08.2025

This Appendix 3 lists the sub-processors brought in by aumico. The involvement of new sub-processors and the replacement of existing sub-processors is governed by the provisions of the Order Data Processing Agreement (ADV).

Modeso

Seestrasse 44, 8596 Scherzingen, Switzerland
(sister company of aumico)

Activity

Operation (including maintenance and support) and development of the AUMICO software/platform

Processed personal data

First name/last name, business address, email, phone number, language, country

Guarantee under DSG and EU GDPR

Order data processing agreement

bexio

Alte Jonastrasse 24, 8640 Rapperswil SG, Switzerland

Activity

Invoicing

Processed personal data

First name/last name, business address, e-mail, telephone number of the invoice recipients/main contact persons of the customer

Guarantee under DSG and EU GDPR

Order data processing agreement (“contract processing contract”)

Hubspot Germany GmbH

Am Postbahnhof 3, 10243 Berlin, Germany

Activity

Marketing emails (newsletters), CRM

Processed personal data

Contact and identification data as well as (work) organizational data and contract and financial data in accordance with Annex 1 (list of processing activities)

Guarantee under DSG and EU GDPR

Order data processing agreement (“Data Processing Addendum”)

Twilio Ireland Limited (Sendgrid)

3 Dublin Landings, North Wall Quay, Dublin 1, Ireland

Activity

Sign up including sending an automated email

Processed personal data

First name/last name, email, customer country

Guarantee under DSG and EU GDPR

Order data processing agreement (“Data Protection Addendum”)

Google Cloud EMEA Limited

Velasco, Clanwilliam Place, Dublin 2, Ireland

Activity

Cloud storage, customer data storage

Processed personal data

Contact and identification data as well as (work) organizational data and contract and financial data in accordance with Annex 1 (list of processing activities)

Guarantee under DSG and EU GDPR

Order data processing agreement (“Cloud Data Processing Addendum”)

Mixpanel, Inc.

One Front Street, 28th Floor, San Francisco, CA 94111, United States of America

Activity

Analysis of usage behavior on the AUMICO platform

Processed personal data

Information relating to the use of online services in accordance with Annex 1 (list of processing activities)

Guarantee under DSG and EU GDPR

Order data processing agreement (“Data Processing Addendum”) including EU standard contractual clauses

Hubspot Germany GmbH

Am Postbahnhof 3, 10243 Berlin, Germany

Activity

Appointment scheduling for sales and support purposes

Processed personal data

First name/last name, business address, email, phone number, language, country

Guarantee under DSG and EU GDPR

Order data processing agreement (“Data Processing Addendum”)