Decentriq's Data Processing Agreement

Last updated: Dec 20, 2022

Preamble

1. Instructions

  1. Decentriq shall process the Data only on documented instructions from Controller, unless required to do so by applicable law to which Decentriq is subject. In this case, Decentriq shall inform Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.
  2. Controller’s instructions pertaining to the processing of the Data will be given as follows:
    (a) prior to the use of the Service, Controller shall set up the Service according to its needs (in particular, configuration of the data clean rooms for Controller’s data structure and compute instructions) or provide its specifications to Decentriq to set up the Service on its behalf;
    (b) during use of the Service, Controller shall manage the permissions granted to (internal and, as the case may be, external) end users of the Service with respect to the Data; and
    (c) any use of the Service by Controller’s (internal and, as the case may be, external) end users (e.g. data upload and execution of analyses) shall be deemed an instruction issued by Controller to Decentriq.
  3. Decentriq shall inform Controller if, in its opinion, instructions given by Controller infringe applicable data protection laws. For the avoidance of doubt, Decentriq’s duty to inform Controller under this Section shall not create any obligation to monitor or verify Controller’s compliance with applicable data protection laws in its use of the Service. In particular, Controller shall be solely responsible for determining whether the contemplated collection and analysis of the Data through the Service complies with applicable data protection laws.

2. Purpose limitation

  1. Decentriq shall process the Data only for the specific purpose of providing the Service, as further described in the relevant documentation provided by Decentriq.
  2. Purpose limitation is built into the Service. The Service allows its end users to execute certain predefined analyses to process the Data in a confidential computing environment. Accordingly:
    (a) End users may only use the Service for processing the Data as dictated by the predefined analyses for which it is set up by Controller, alone or upon alignment with others. The Service technically prevents end users from extracting the Data from the Service or accessing the Data inside the Service other than by executing such predefined analyses.
    (b) Decentriq may assist and support Controller in setting up the Service according to Controller’s needs (e.g. data structure and analyses), and it operates the Service. Except for the technical operation of the Service, Decentriq is not actively involved in the processing of the Data through the Service. From the moment of its upload to the Service through to its deletion from the Service, the Data remains encrypted at the hardware level at all times. Decentriq has access neither to the unencrypted Data nor to the encryption or decryption keys.

3. Duration of the processing

Processing by Decentriq shall only take place for the duration of Controller’s use of the Service.

4. Security of the processing

  1. Decentriq shall at least implement the technical and organizational measures specified in the Annex to ensure the security of the Data. This includes protecting the Data against a breach of security leading to accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, the Data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
  2. Decentriq warrants that it shall not, at any point in time, have access to the unencrypted Data or to the encryption or decryption keys. Decentriq shall not seek to access the unencrypted Data by obtaining the encryption or decryption keys.
  3. The Data may include personal data that require specific protection, also referred to as sensitive or special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences, as defined in applicable data protection laws.
  4. Controller hereby acknowledges that it deems the specific restrictions and safeguards provided by the Service pursuant to Section 4.1 sufficient to reduce the risks for the rights and freedoms of the data subjects resulting from a possible personal data breach to an acceptable level, including with respect to any sensitive or special categories of data. In particular, (i) encryption of the Data at the hardware level and (ii), if so configured by Controller, the restriction of the Service to certain predefined queries that can only generate aggregated non-personal outputs reduce to a minimum the risks of any unauthorised access to or disclosure of the Data, as well as of malicious or accidental misuse of the Data.

5. Documentation and compliance

  1. The parties shall be able to demonstrate compliance with this DPA.
  2. Decentriq shall deal promptly and adequately with inquiries from Controller about the processing of the Data in accordance with this DPA.
  3. Decentriq shall make available to Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from applicable data protection laws. At Controller’s request, Decentriq shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. Unless there are indications of non-compliance reasonably substantiated by Controller, audits shall not be conducted more often than once every 12 months.
  4. Decentriq shall satisfy its obligation to contribute to Controller audits by providing available documentation, including relevant certifications held by Decentriq and/or its sub-processors involved in the operation of the Service. Controller shall not have the right to conduct onsite audits, unless it is required to conduct such audit on the grounds of a binding order from a competent authority based on applicable law. If Controller receives such order, it shall inform Decentriq with no delay and agree on the modalities of such audit with Decentriq and its relevant sub-processor(s) in good faith.
  5. Controller may choose to conduct the audit by itself or mandate an independent auditor, subject to appropriate confidentiality and non-disclosure agreements.
  6. The parties shall make the information referred to in this Section 5, including the results of any audits, available to the competent supervisory authority/ies on their lawful request. Controller shall inform Decentriq of any such request with no delay and give Decentriq the opportunity to review the request and any information prior to disclosure to the requesting authority/ies.

6. Use of sub-processors

  1. Decentriq has the Controller’s general authorisation for the engagement of sub-processors from an agreed list provided by Decentriq on its website. Decentriq shall specifically inform Controller of any intended changes of that list through the addition or replacement of sub-processors reasonably in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). Decentriq shall provide Controller with the information necessary to enable Controller to exercise the right to object.
  2. Where Decentriq engages a sub-processor for carrying out specific processing activities (on behalf of Controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on Decentriq in accordance with this DPA. Decentriq shall ensure that the sub-processor complies with the obligations to which Decentriq itself is subject pursuant to this DPA and applicable data protection laws.
  3. At Controller’s request, Decentriq shall provide a copy of such a sub-processor agreement and any subsequent amendments to Controller, or refer Controller to any public sources where such agreements are made available by the relevant sub-processor(s). To the extent necessary to protect business secret or other confidential information, including personal data, Decentriq may redact the text of the agreement prior to sharing the copy.
  4. Decentriq shall remain fully responsible to Controller for the performance of the sub-processor’s data protection obligations in accordance with its contract with Decentriq. Decentriq shall notify Controller of any failure by the sub-processor to fulfil its contractual data protection obligations.

7. International transfers

  1. Controller acknowledges and agrees that Decentriq may operate the Service on infrastructure outside of Controller’s and/or Decentriq’s jurisdiction and that Controller’s use of the Service may thus cause Data to be transferred to third countries, unless specifically agreed otherwise in writing between Controller and Decentriq. Any transfer of Data to a third country by Decentriq shall take place in compliance with the relevant requirements for cross-border transfers according to applicable data protection law.
  2. Controller agrees that where Decentriq engages a sub-processor in accordance with Section 6 for carrying out specific processing activities (on behalf of Controller) and those processing activities involve a transfer of Data within the meaning of the relevant provisions of applicable data protection law, Decentriq and the sub-processor will implement appropriate safeguards in the form of a recognised transfer mechanism to ensure compliance with the requirements for cross-border transfers under applicable data protection laws. In particular, Decentriq and its sub-processors will include in the relevant agreements the standard contractual clauses adopted by the EU Commission and endorsed by the Federal Data Protection and Information Commissioner of Switzerland, provided the conditions for the use of those standard contractual clauses in the relevant jurisdiction are met.

8. Decentriq assistance to controller

  1. Decentriq shall promptly notify Controller of any request it has received from any data subject affected by Controller’s use of the Service, provided that Decentriq is able to relate any such request to Controller. It shall not respond to the request itself, unless authorised to do so by Controller.
  2. Decentriq shall assist Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with Sections 8.1 and 8.2, Decentriq shall comply with Controller’s reasonable instructions.
  3. In addition to Decentriq’s obligation to assist Controller pursuant to Section 8.2, Decentriq shall furthermore assist Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to Decentriq:
    (a) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of the Data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
    (b) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by Controller to mitigate the risk;
    (c) the obligation to take appropriate measures to ensure the security of the processing in accordance with applicable data protection laws.
  4. The parties shall set out in the Annex the appropriate technical and organisational measures by which Decentriq is required to assist Controller in the application of this Section 8, as well as the scope and the extent of the assistance required.
  5. Controller acknowledges that, as a result of the technical and organizational measures by which Decentriq protects the Data, Decentriq is prevented from providing certain types of assistance. In particular, Decentriq has no access to the unencrypted Data or the encryption and decryption keys. Therefore, Decentriq cannot provide any assistance that would require it to access the Data in the clear (e.g. to verify the legitimacy of a data subject request or relate any such request to the Data, to verify the accuracy of any Data, to delete specific data points, etc.).

9. Data breach notifications

  1. In the event of a personal data breach, Decentriq shall cooperate with and assist Controller so that the latter can comply with its obligations pertaining to personal data breaches under applicable data protection laws, taking into account the nature of processing and the information available to Decentriq.
  2. Data breach concerning the Data processed by Controller:

In the event of a personal data breach concerning the Data processed by Controller, Decentriq shall assist Controller:

    (a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after Controller has become aware of it, where relevant, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
    (b) in obtaining the following information, which shall be stated in Controller’s notification and must at least include:
      (i) the nature of the personal data including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
      (ii) the likely consequences of the personal data breach;
      (iii) the measures taken or proposed to be taken by Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

    (c) in complying with the obligation to communicate the personal data breach to the affected data subjects without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
  3. Data breach concerning Data processed by Decentriq:

In the event of a personal data breach concerning data processed by Decentriq, the latter shall notify Controller without undue delay after having become aware of the breach. Such notification shall contain, at least:

    (a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
    (b) the details of a contact point where more information concerning the personal data breach can be obtained;
    (c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The parties shall set out in the Annex all other elements to be provided by Decentriq, if any, when assisting Controller in complying with Controller’s data breach notification obligations under applicable data protection laws.

  4. Controller acknowledges that (i) any personal data breach related to the Data is unlikely to result in a high risk, or any risk at all, to the rights and freedoms of the affected data subjects, since the Data is encrypted at the hardware level and can only be processed through the Service by authorised end users, and (ii) Decentriq cannot provide any assistance that would require it to access or have accessed any unencrypted Data (e.g. to verify the types of data subjects, types of data or volumes of data affected by a data breach).

10. Non-compliance and termination

  1. Without prejudice to any provisions of applicable data protection law, in the event that Decentriq is in breach of its obligations under this DPA, Controller may instruct Decentriq to suspend the processing of the Data until the latter complies with this DPA. Decentriq shall promptly inform Controller in case it is unable to comply with this DPA, for whatever reason.
  2. Controller shall be entitled to terminate this DPA if:
    (a) the processing of the Data by Decentriq has been suspended by Controller pursuant to Section 10.1 and compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
    (b) Decentriq is in substantial or persistent breach of this DPA or its obligations under applicable data protection laws;
    (c) Decentriq fails to comply with a binding decision of a competent court or competent supervisory authority/ies regarding its obligations pursuant to this DPA or applicable data protection laws.
  3. Decentriq shall be entitled to terminate this DPA where, after having informed Controller that its instructions infringe applicable legal requirements in accordance with Section 1.3, Controller insists on compliance with such instructions.
  4. In case this DPA forms an integral part of a commercial agreement between Controller and Decentriq, each party shall be entitled to terminate such agreement together with this DPA pursuant to Section 10.2 or Section 10.3, respectively.
  5. Following termination, Decentriq shall delete all the Data provisioned to the Service by Controller and confirm deletion of such Data to Controller following the Decentriq offboarding process. Upon Controller's written request, Decentriq shall return to Controller an encrypted copy of all the Data provisioned to the Service by Controller. Controller acknowledges that, due to the encryption of the Data at the hardware level, return of any unencrypted Data to Controller is technically not feasible.
  6. Until the Data is deleted, Decentriq shall continue to ensure compliance with this DPA by upholding the technical and organizational measures set forth in the Annex.

11. Final provisions

  1. Terminology. Where this DPA uses the terms defined in applicable data protection laws, those terms shall have the same meaning as in those applicable laws.
  2. Interpretation. This DPA shall be read and interpreted in the light of the provisions of applicable data protection laws and shall not be interpreted in a way that runs counter to the rights and obligations provided for in such laws or in a way that prejudices the fundamental rights or freedoms of the data subjects.
  3. Hierarchy. In the event of a contradiction between this DPA and the provisions of related agreements between the parties existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail.

Annex I - Description of the processing

Categories of data subjects whose personal data is processed
  1. Decentriq processes limited personal data about end users of the Service.
  2. Further, processing of Data provisioned to the Service by Controller may affect any categories of data subjects determined by the Controller.
  3. Personal data provisioned to the Service (excluding personal data about end users of the Service) is fully encrypted at the hardware level, and Decentriq has access neither to any unencrypted data nor to the encryption or decryption keys. For Decentriq as a processor, the categories of such data subjects are thus inconsequential.
Categories of personal data processed
  1. Decentriq processes names, Controller affiliation, business e-mail addresses and Service access and usage logs of end users using the Service on behalf of Controller.
  2. Further, processing of data provisioned to the Service may be performed on any categories of personal data determined by the Controller, including sensitive or special categories of personal data.
  3. The Service implements privacy-by-design principles and is designed to address the increased risk level associated with the processing of sensitive or special categories of personal data. Accordingly, the restrictions and safeguards applied by Decentriq with respect to personal data provisioned to the Service (excluding personal data about end users of the Service) fully take into consideration the nature of the data and the risks associated with the processing of sensitive or special categories of personal data, including strict purpose limitation, access restrictions, access and usage logs, and additional security measures resulting from the use of Confidential Computing technology (in particular, hardware-level encryption).
  4. Data is fully encrypted at the hardware level, and Decentriq has access neither to any unencrypted data nor to the encryption or decryption keys. For Decentriq as a processor, the categories of personal data are thus inconsequential.
Nature of the processing
  1. Decentriq provides a cloud-native data analytics service.
Purpose(s) for which the personal data is processed on behalf of the controller
  1. Decentriq processes personal data of end users of the Service strictly for the purposes of providing the Service to Controller and to ensure its security and integrity. Such processing includes (i) end user authentication; (ii) automation of Service-related e-mail notifications to end users; and (iii) maintaining of access and usage logs for each individual end user.
  2. Further, Controller determines the specific analytics purposes for personal data provisioned to and processed through the Service in accordance with Section 2.2 DPA.
Duration of the processing
  1. See Section 3 DPA.

Annex II - Technical and Organizational Measures

This annex gives an overview of the technical and organisational measures Decentriq employs to ensure data protection. Decentriq distinguishes two types of personal data:

  1. User Data - These are data that Decentriq collects to fulfil its obligations towards its users and customers. This includes, but is not limited to, user names, email addresses, access logs, etc. The purposes and means for the processing of User Data are determined solely by Decentriq. Thus, Decentriq is the data controller for such data and the DPA does not apply to its processing. User Data is only collected to provide and improve the Service. It is only accessible on a need-to-know basis. Further measures employed by Decentriq to protect User Data are described in the Decentriq Privacy Policy.
  2. Analysis Data - This is (possibly personal) data uploaded by Customer to the Decentriq Platform with the explicit purpose of analysing it therein. The DPA applies exclusively to Analysis Data, and this annex deals exclusively with the technical and organizational measures implemented by Decentriq to protect Analysis Data.
Measures of pseudonymisation and encryption of personal data
  1. Decentriq uses trusted execution environments to protect the Analysis Data. This technology, together with the architecture of the Service, provides Decentriq's data protection guarantee: at no time is Decentriq able to access the unencrypted Analysis Data or the decryption keys thereof (this includes Decentriq administrators). In particular, the confidentiality of the Analysis Data is ensured by multiple layers of encryption. More specifically, data are encrypted:
    (a) via Transport Layer Security (TLS) when in transit from Customer to the Decentriq Service;
    (b) via symmetric encryption when at rest in the Decentriq Service's persistent storage;
    (c) via mutually authenticated, symmetrically encrypted channels when in transit between Decentriq Service servers;
    (d) via the Intel Memory Encryption Engine when loaded into servers' memory prior to computations (a feature of the Intel SGX trusted execution environment).
Measures for ensuring integrity, availability and resilience of processing systems and services
  1. Data integrity is ensured by verifying cryptographic hashes of the data prior to computations. Reference hashes for source data are provided by Controller during source data upload. Reference hashes for any other data (e.g. a computation’s intermediate results) are computed and checked by the Decentriq Service during data processing.
  2. Service availability and resilience are ensured by the following technical measures:
    (a) distribution of Service workers among multiple servers to prevent Service discontinuities in case of hardware failure;
    (b) load balancing of Service requests across multiple worker nodes, each providing equal functionality;
    (c) gradual update rollouts to prevent Service disruptions during maintenance;
    (d) storage replication to prevent data loss in case of hardware failure;
    (e) use of a distributed encryption key management system (within the trusted execution environment, and thus not accessible by Decentriq) to prevent loss of data keys in the event of hardware failure.
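The integrity measure described above (a reference hash supplied by the Controller at upload, service-computed hashes for intermediate results, and a check of each before a computation consumes the data) can be illustrated with the following Python sketch. It is an added example written for this page, not Decentriq's code, and it assumes a simplified model: the upload manifest carries a SHA-256 hex digest, the "id,amount" row format is constructed for the example, and the two analysis steps (`step_filter`, `step_sum`) are hypothetical stand-ins for the predefined analyses a clean room would run.

```python
"""Added example (not Decentriq code): hash-based integrity checks before
computation, in the spirit of the measure described above.

Assumptions (not from the DPA): the Controller ships a SHA-256 hex digest
with each upload; the service persists the data, re-hashes it before any
computation, and applies the same check to its own intermediate results.
The row format ("id,amount") and the two analysis steps are hypothetical.
"""
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when stored data no longer matches its reference digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, reference_hex: str) -> bytes:
    """Return `data` only if its digest equals `reference_hex`.

    The caller never gets to use unverified bytes: a mismatch raises
    before any computation can consume the data.
    """
    if not hmac.compare_digest(sha256_hex(data), reference_hex.lower()):
        raise IntegrityError("digest mismatch: data altered since reference was taken")
    return data


def controller_upload(rows: list[str]) -> tuple[bytes, str]:
    """Controller side: serialise rows and compute the reference digest that
    accompanies the upload (constructed manifest format)."""
    blob = "\n".join(rows).encode("utf-8")
    return blob, sha256_hex(blob)


def step_filter(data: bytes, min_amount: int) -> bytes:
    """Hypothetical analysis step 1: keep rows whose amount >= min_amount."""
    kept = [line for line in data.decode("utf-8").splitlines()
            if int(line.split(",")[1]) >= min_amount]
    return "\n".join(kept).encode("utf-8")


def step_sum(data: bytes) -> int:
    """Hypothetical analysis step 2: aggregate the remaining amounts."""
    return sum(int(line.split(",")[1])
               for line in data.decode("utf-8").splitlines())


def run_pipeline(stored: bytes, reference_hex: str, min_amount: int) -> dict:
    """Service side. Source data is checked against the Controller-supplied
    digest; the intermediate result is hashed when produced (service-computed
    reference) and checked again before the next step consumes it."""
    source = verify(stored, reference_hex)
    intermediate = step_filter(source, min_amount)
    intermediate_hex = sha256_hex(intermediate)
    # In a real deployment the intermediate would be written to storage here
    # and read back; the check below is what protects that round trip.
    total = step_sum(verify(intermediate, intermediate_hex))
    return {
        "source_digest": reference_hex,
        "intermediate_digest": intermediate_hex,
        "total": total,
    }


def tamper_detected(stored: bytes, reference_hex: str, min_amount: int) -> bool:
    """Flip one bit of the stored source and confirm the pipeline refuses it."""
    tampered = bytes([stored[0] ^ 0x01]) + stored[1:]
    try:
        run_pipeline(tampered, reference_hex, min_amount)
    except IntegrityError:
        return True
    return False


# Constructed sample input: "customer_id,amount" rows.
SAMPLE_ROWS = ["c001,120", "c002,40", "c003,75", "c004,300"]

if __name__ == "__main__":
    blob, reference = controller_upload(SAMPLE_ROWS)
    print(run_pipeline(blob, reference, min_amount=100))   # total 420
    print("tampering detected:", tamper_detected(blob, reference, 100))
```

The point of the two separate references is the trust boundary: the source digest comes from outside the service and pins what the Controller actually uploaded, whereas the intermediate digest is taken by the service itself at the moment the result is produced and only protects the stored copy against alteration between steps. Neither check proves the data is correct, only that it is unchanged since the reference was taken, which is why the DPA assigns data quality to the Controller separately.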
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  1. Deployments of the Decentriq Service are structured to be resilient to limited hardware failures. In case of a physical event, as long as a minimal portion of Decentriq systems is functioning correctly and reachable, the Service will continue to be available. In case of a technical incident, as long as a minimal portion of Decentriq systems (specifically data storage and data key management) is not compromised, the Service and the data provisioned to it can be restored.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  1. The security of technical measures is periodically tested by external auditors (penetration tests). Audit reports are available on request.
  2. Internal testing, assessment and evaluation of security measures is performed continually during the development lifecycle. Technical security documentation is available and kept up to date. Discussions of security-relevant choices (e.g. encryption algorithms, authentication protocols, data key distribution) are recorded.
Measures for user identification and authorisation
  1. The Decentriq Service integrates multiple levels of identification, authentication and authorisation. Users access the Service through either:
    (a) verified email and password; or
    (b) Single Sign-On authentication (e.g. SAML, Azure AD).
  2. During Service usage, users may be required to further authenticate through:
    (a) an email-delivered One-Time Password (OTP);
    (b) public key authentication;
    (c) a password;
    (d) a data encryption key.
  3. During Service usage, user authorisations are checked before any sensitive action is performed. Authorisations are handled according to both Service-defined and user-defined Mandatory Access Control policies.
Measures for ensuring physical security of locations at which personal data are processed
  1. Physical security of the locations where personal data are processed is the responsibility of the infrastructure provider. Decentriq selects infrastructure providers that can provide industry-standard security assurances and certifications such as ISO 27001 and ISAE 3000/SOC 2 Type II.
Measures for ensuring events logging
  1. Events are classified and logged. According to their classification, logs are forwarded to different destinations for further inspection. All logs are retained for at least 90 days.
Measures for ensuring system configuration, including default configuration
  1. System configurations are validated and updated during Service deployments and updates.
Measures for ensuring data minimisation
  1. Data minimisation is ensured by design by keeping Analysis Data inaccessible to Decentriq.
Measures for ensuring data quality
  1. Although data quality verification procedures can be performed by the Decentriq Service, Controllers are ultimately responsible for ensuring the quality of the data uploaded to and processed in the Service.

Annex III - List of sub-processors

See List of Sub-Processors

hello@decentriq.com