Data Processing Agreement

Preamble and Relationship to Terms of Service

This Data Processing Agreement ("DPA") forms part of and is subject to the Phoenix Terms of Service ("ToS") and any applicable Order Form or Statement of Work between Phoenix Technologies AG ("Phoenix", "Processor") and the customer identified in the applicable Order Form or SOW ("Customer", "Controller"). Capitalised terms used but not defined herein have the meanings in the ToS or, if not defined there, the meanings set out in the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR), to the extent applicable. For the avoidance of doubt, the order of precedence stated in the ToS applies: this DPA governs the Parties’ respective data-protection obligations for the Services; the ToS governs all other matters (including fees, scope of Services, limitations of liability, and governing law).

1. Subject Matter, Purpose, and Duration

1.1 Subject & Purpose. Phoenix will process Personal Data solely to provide, secure, and support the Services as described in the ToS and the applicable Order Form, and strictly in accordance with Customer’s documented instructions (as further described in Section 3).

1.2 Duration. Processing under this DPA continues for the subscription term (including any renewals) and for a reasonable period thereafter to effect return or deletion under Section 7 and comply with legal obligations.

2. Categories of Personal Data and Data Subjects

2.1 Categories. The types of Personal Data processed depend on Customer’s use of the Services and may include identifiers (e.g., names, business emails), account and usage data, support communications, prompts/inputs, and model outputs where such data relate to an identified or identifiable natural person.

2.2 Data Subjects. Data subjects may include Customer’s employees, contractors, consultants, and end users.

2.3 Special Categories. Customer will not submit special categories of Personal Data (e.g., health, biometric, or government ID numbers) unless expressly permitted in an Order Form and governed by the DPA and applicable law.

3. Documented Instructions and Processing Restrictions

3.1 Instructions. Phoenix shall process Personal Data only on documented, lawful instructions from Customer, including those set out in the ToS, applicable Order Forms, and this DPA. If Phoenix is required by applicable law to process Personal Data beyond Customer’s instructions, Phoenix will (where legally permitted) inform Customer before such processing.

3.2 Training & Product Improvement. Unless expressly agreed in writing (e.g., via a Sub‑Annex), Phoenix will not use Customer Content, including Personal Data, to train, fine‑tune, or otherwise improve models for the benefit of Phoenix or third parties. Customer Content excludes aggregated, de-identified usage metrics and performance data that cannot reasonably identify Customer or its users.

3.3 No Independent Determination. Phoenix will not determine the purposes or means of processing and will not combine Customer Personal Data with data obtained from other customers except as necessary for the provision and security of the Services.

4. Confidentiality and Personnel

4.1 Confidentiality. Phoenix will ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations and receive data protection training appropriate to their roles.

4.2 Access Control. Access to Personal Data is role‑based and limited to the minimum necessary to perform the Services.

4.3 Phoenix may update organisational measures without Customer consent, provided overall protection is not reduced.

5. Security Measures

5.1 ISMS & Controls. Phoenix maintains an ISO 27001‑aligned information security management system (ISMS) and implements technical and organisational measures (TOMs) appropriate to the risk, including encryption in transit (TLS 1.3) and at rest (AES‑256), logical separation, access controls, logging, and monitoring. Where selected by Customer, Phoenix provides confidential computing capabilities to protect data in use within attested enclaves and supports client‑controlled key management (BYOK/KYOK).

5.2 Evolution. Phoenix may update TOMs to maintain or improve security; such changes will not materially diminish the overall level of protection. Phoenix may implement enhanced security measures without prior notice to Customer.

5.3 Reference to ToS. Additional security details and operational commitments are set out in the ToS and the Security Documentation referenced therein.

6. Sub‑Processors

6.1 Authorisation. Customer grants Phoenix a general written authorisation to engage sub‑processors to support the Services. Phoenix will impose data‑protection obligations on sub‑processors that are no less protective than those set out in this DPA.

6.2 Notice & Objection. Phoenix will notify Customer of material changes to its sub‑processor list (e.g., via portal). Customer may object on reasonable, data‑protection grounds within twenty (20) calendar days of notice. If no mutually acceptable solution is found within thirty (30) days, Customer may terminate the affected Service with thirty (30) days’ notice. Phoenix shall not be liable for any costs or damages arising from such termination.

6.3 Responsibility. Phoenix remains responsible for sub‑processors’ performance to the extent they process Personal Data for Phoenix.

7. Return or Erasure of Personal Data

7.1 No Unilateral Deletion. Phoenix does not initiate unilateral erasure of Customer Personal Data in the ordinary course.

7.2 Return/Deletion on Exit. Upon request or termination/expiry of the applicable Services, Phoenix will, at Customer’s choice and subject to applicable law, either return Personal Data to Customer or securely delete it. Phoenix will provide confirmation of deletion on request. Where continued retention is required by law, Phoenix will isolate and protect the data from further processing. Customer bears the costs for extraordinary data return requests beyond standard automated processes.

7.3 Retention Schedules & Secure Disposal. Phoenix adheres to documented retention and disposal schedules consistent with legal, regulatory, and business requirements. Records reaching the end of their retention period are disposed of using secure methods to ensure irretrievable destruction.

7.4 Flexibility. Phoenix will consider reasonable, client‑specific retention or disposal requirements documented in an Order Form or Sub‑Annex.

8. Data Subject Requests

8.1 Assistance. Taking into account the nature of the processing, Phoenix will assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer’s obligation to respond to requests to exercise Data Subject rights under applicable law.

8.2 Routing. If Phoenix receives a request directly from a Data Subject and can identify the relevant Customer, Phoenix will forward the request to Customer without undue delay and will not respond to the request except on documented instructions from Customer or as required by law.

9. Security Incidents

9.1 Notification. Phoenix will notify Customer within 48 hours upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing information available at the time to assist Customer in meeting its reporting obligations. Phoenix will provide updates as more information becomes available.

9.2 Mitigation. Phoenix will promptly take reasonable steps to contain, investigate, and remediate the incident.

10. International Processing and Data Transfers

10.1 Switzerland‑Only. All processing of Customer Personal Data under this DPA occurs exclusively in Switzerland. Phoenix does not transfer Customer Personal Data outside Switzerland without prior written agreement.

10.2 Safeguards if Enabled. If the Parties later agree to processing outside Switzerland, Phoenix will implement appropriate transfer safeguards such as the EU Standard Contractual Clauses (to the extent applicable) adapted for Switzerland and any required supplementary measures. If Customer initiates transfer outside Switzerland, Phoenix is indemnified for any resulting compliance failures.

11. DPIA, Records, and Regulatory Cooperation

11.1 DPIA Support. Phoenix’s processes and controls align to GDPR and ISO 27001. Phoenix will provide reasonable assistance to Customer with Data Protection Impact Assessments and prior consultations with supervisory authorities, insofar as they relate to Phoenix’s processing, within reasonable resource and operational limits.

11.2 Records. Each Party is responsible for maintaining records of processing activities required by law for its respective role.

11.3 Cooperation. Phoenix will cooperate with competent supervisory authorities, upon lawful request, in relation to the Services.

12. Audits and Information

12.1 Reports & Certifications. Upon request and subject to confidentiality, Phoenix will make available information reasonably necessary to demonstrate compliance with this DPA, which may include ISO 27001 certificates or third‑party assessment summaries.

12.2 Audit. Where such documentation is insufficient, Customer may conduct an on‑site or remote audit of Phoenix’s processing of Customer Personal Data no more than once per twelve (12) months, or more frequently following a material Personal Data Breach, subject to at least fifteen (15) business days’ prior written notice, reasonable scope, and security requirements. Audits must not unreasonably disrupt operations and may not be performed by a direct competitor. Each Party bears its own costs; Phoenix may charge reasonable fees for support beyond standard assistance.

13. Sub‑Annexes and Tailored Provisions

13.1 Sub‑Annexes. Client‑specific terms (e.g., bespoke retention, additional redaction, telemetry sinks, or transfer mechanisms) may be documented in Sub‑Annexes. Where a Sub‑Annex conflicts with this DPA, the most recent Sub‑Annex prevails for the conflicting subject matter.

14. Liability; Order of Precedence

14.1 Liability. The liability limitations and exclusions in the ToS apply to this DPA and all processing performed hereunder. This DPA does not expand Phoenix’s liability beyond that stated in the ToS.

14.2 Precedence. For data‑protection subject matter, this DPA prevails over the ToS to the extent of any direct conflict. For all other matters, the ToS governs.

15. Governing Law, Venue

15.1 Governing Law. This DPA shall be governed by and construed in accordance with the substantive laws of Switzerland (to the exclusion of the conflict of law principles).

15.2 Venue. Any dispute arising out of or in connection with this DPA shall exclusively be referred to the courts competent for Basel‑Stadt, Switzerland.

Annex A – Details of Processing

A1. Nature and Purpose: Provision, security, and support of the Services under the ToS (including AI inference, model hosting, and related platform features).

A2. Categories of Personal Data: As provided by Customer via the Services; typically identification data (name, business email), usage and telemetry metadata, prompts/inputs, and outputs where they contain Personal Data.

A3. Categories of Data Subjects: Customer personnel and end users.

A4. Retention: As described in Section 7 and in applicable Order Forms/Sub‑Annexes; in all cases consistent with Phoenix’s retention schedules.

Annex B – Technical and Organisational Measures (Summary)

B1. Governance: ISO 27001‑aligned ISMS; policies for access control, asset management, vulnerability management, logging/monitoring, and incident response.

B2. Access Controls: Role‑based access, least privilege, MFA for admins, key and secret management, session management, and periodic access reviews.

B3. Encryption: TLS 1.3 for data in transit; AES‑256 for data at rest; HSM‑backed keys with BYOK/KYOK options; key rotation policies.

B4. Confidential Computing (where enabled): Attested enclaves protecting data and model weights in use; zero‑access operations; no external secret injection.

B5. Infrastructure Security: Segmentation, hardening, baseline configuration, patching cadence, vulnerability scanning, and anti‑malware where applicable.

B6. Operational Security: Change management, backups (encrypted), disaster recovery planning, availability controls, and supplier management.

B7. Logging & Monitoring: Centralised logging, security event monitoring, and alerting; retention per policy.

B8. Personnel Security: Confidentiality obligations, security awareness training, and onboarding/offboarding procedures.

B9. Customer Controls: Customer‑configurable retention, logging preferences, and key management as set out in Order Forms/Sub‑Annexes.

Note: TOMs are subject to continuous improvement and may be updated provided the level of protection is not reduced.

Annex C – Sub‑Processors

Phoenix maintains an up‑to‑date list of authorised sub‑processors for the Services, available via the customer portal or on request. Notifications of material changes will be provided in accordance with Section 6.2.

Annex D – Contacts and Notices

Customer DPO / Contact for Privacy Matters: As specified in the applicable Order Form.

Phoenix Privacy Contact: legal@phoenix-technologies.ch
