Annex to the General Terms and Conditions for Systemorph Cloud

Data Processing Agreement (DPA)

Version: 2023 August 1st

Applicability

This Annex forms an integral part of the General Terms and Conditions for the Systemorph Cloud (the “Agreement”) closed between Systemorph AG, a corporation organized and existing under the laws of Switzerland (Canton of Zurich), having the company identification number CHE-282.912.173 (hereinafter “Systemorph” or “Processor”) and the Customer (hereinafter “Customer” or “Controller”). Systemorph and Customer are hereinafter jointly referred to as the “Parties”.

The Parties have concluded the Agreement in which Systemorph acts as service provider to the Customer regarding the SMC Service. The provision of said SMC Service by Systemorph in accordance with terms and conditions of the Agreement, may qualify as processing of personal data of Customer (“Personal Data”) within the meaning of the Applicable Data Protection Law. Insofar as Systemorph processes Personal Data under the control of the Customer within the scope of the collaboration as processor in compliance with the respective applicable data protection law, this Data Processing Agreement (“DPA”) shall supplement the Agreement and concretize the data protection obligations of the Parties. Applicable data protection law ("Applicable Data Protection Law") shall be the Swiss Data Protection Act and the European Basic Data Protection Regulation (GDPR), if and insofar as these are applicable. To the extent that Account Data or Technical Information contains Personal Data, it is excluded from the scope of this DPA, but the terms and conditions agreed in the Agreement with regards to such Personal Data of Customer shall apply exclusively.

Subject, Term, Type and Purpose of the DPA

The subject of the DPA as well as the type and purpose of the processing derives from the Agreement.

This DPA shall come into force once the Parties have concluded the Agreement. The term of this DPA shall conform with the term of the Agreement between the Customer and Systemorph. In addition, the DPA shall automatically terminate as soon as Systemorph no longer processes any Personal Data for the Customer in accordance with the Agreement.

If the type of processed Personal Data, the type and the purpose of the Personal Data processing as well as the categories of Personal Data subjects affected by the processing are not already derived from the Agreement, they shall be listed in Appendix 1 to this DPA.

Scope, Responsibilities, Restrictions, Instructions

Systemorph shall process Personal Data solely for specific purposes known by, and in the responsibility of the Customer, as well as in accordance with the respective Agreement and this DPA.

The Customer as controller shall bear responsibility for the conduct of lawful data processing as such, including the lawful status of contracted (sub-contracted) processing. Any deviating obligations of applicable law (e.g., binding decrees of competent authorities) shall remain reserved.

Customer agrees explicitly to never store Personal Data within the SMC Service at rest. Customer and Systemorph will only ever process Personal Data inside the SMC Service in memory, which is transient and not persisted. Personal Data therefore will never be at rest and never be stored in an SMC database or file server or made accessible in any way, due to the Customer’s obligation not to store Personal Data within the SMC Service. Furthermore, Customer is obliged to process Personal Data within the SMC Service only in available data centers (as provided according to the Agreement) located within the European Union or Switzerland.

Customer shall be entitled to issue further written instructions to Systemorph concerning the processing of the Personal Data. Systemorph shall comply with these instructions, provided however that they are feasible and objectively reasonable with regards to the SMC Service agreed to under the Agreement and the type and purpose of processing Personal Data under this DPA. If such reasonable instructions result in Systemorph incurring additional costs or lead to a change in the scope of the SMC Service, the contractually agreed contract change procedure shall apply.

Protection of Personal Data

Systemorph shall take suitable technical, operational and organizational measures (TOM) in accordance with Appendix 2 to shape, check and adjust the in-house organization on an on-going basis in its area of responsibility so that it can provide an appropriate level of data protection in accordance with Applicable Data Protection Law, including – if applicable – Art. 32 GDPR to protect Personal Data from accidental or unlawful destruction, loss, amendment, forwarding, etc. In the process, Systemorph shall take account of the state of the art, the implementation costs as well as the type, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the severity of the risk for the rights and freedoms of the data subjects.

The measures are subject to change with the technology and services of the sub-processors used, especially Microsoft (for the Azure service), technical progress and further development.

Confidentiality

Systemorph undertakes to treat Personal Data confidentially and to make it accessible only to persons who need access for the purpose of the Agreement. The Processor shall ensure that the persons authorized to process the Personal Data are obligated to maintain privacy/confidentiality regarding said Personal Data unless they are subject to a statutory duty of confidentiality.

Contact Person

Systemorph shall provide the name of a contact person for all data protection matters; a data protection officer shall also be identified in cases where this is mandatory.

Rights of the Data Subjects, Cooperation

If a data subject contacts Systemorph directly with requests for correction, deletion, information or other claims concerning Personal Data of Customer, Systemorph shall inform the data subject if assignment to the Customer is possible based on the information provided by the data subject.

Systemorph shall reasonably support the Customer, while taking into account that Systemorph’s support is limited by the fact that the Customer is prohibited from storing Personal Data at rest within the SMC Services in accordance with the Agreement and that Personal Data must only ever be processed by the Customer in memory of the SMC Service, which leads to a very limited availability of Personal Data within the SMC Service (time and extent) and a general inaccessibility of these Personal Data by Systemorph.

Systemorph will inform the Customer without undue delay, as permitted under applicable law, where a supervisory authority contacts Systemorph directly in relation to the processing of Personal Data of Customer. To the extent Systemorph has any Personal Data of the Customer at all, Systemorph will disclose such Personal Data of Customer to public authorities (including courts, administrative and law enforcement authorities) only with the prior written consent of the Customer or where it is legally compelled to do so. If Systemorph is requested to make such a disclosure, it will inform the Customer without undue delay, unless it is legally prohibited from doing so.

Personal Data Breaches

Systemorph will notify Customer without undue delay, but not later than within 72 hours, if Systemorph or a sub-processor determines that a data protection breach with relevance for the Personal Data of Customer has occurred.

Systemorph will provide the Customer with information as required by the Applicable Data Protection Law to enable Customer to comply with its obligations to notify the personal data breach to a supervisory authority and/or to data subjects in accordance with Applicable Data Protection Law.

Notification and information to the Customer will be done to the email address specified in the Customer Account Data.

Publication and Erasure of Personal Data

All Personal Data of Customer is erased automatically and immediately after processing in memory within the SMC Service in accordance with the Agreement and this DPA. Therefore, no return, transfer and/or disposal of Personal Data of Customer by Systemorph is relevant.

Any publication of Personal Data as part of an SMC Project by the Customer is a breach of the Agreement and this DPA by the Customer, and Systemorph cannot be held accountable for such publication of Personal Data.

Involvement of Sub-Processors

Systemorph shall herewith obtain prior general written consent for processing Personal Data by sub-processors. If the legitimate sub-processors are not already derived from the Agreement, they are listed in Appendix 1. The list of sub-processors is to be continuously updated and kept up to date.

Systemorph may add or replace sub-processors at its discretion. The Customer shall be informed in advance of any planned amendment to the list of sub-processors with a reasonable notice period. If the Customer has an objectively compelling reason in accordance with Applicable Data Protection Law, the Customer may within a period of 30 days file a written objection against the engagement of a new or the change of an existing contracted sub-processor. If there is an objectively compelling reason under Applicable Data Protection Law, and where the Parties cannot agree on an amicable solution, the Customer shall be granted a termination right in relation to the SMC Service affected hereby.

Systemorph shall reach agreements with its sub-processors as necessary to ensure that the obligations specified in this DPA are complied with.

Documentation, Processing Inventory

Since processing of Personal Data is controlled by the Customer, Systemorph has no means to document processing of Customer Personal Data inside the SMC Service. All documentation obligations have to be observed by the Customer, insofar as this is required by Applicable Data Protection Law. Systemorph provides the necessary technical tooling to the Customer to do so, as far as this is included in the SMC Service.

Verification Obligations and Audit Rights

Systemorph will provide the Customer upon request with information to document compliance with the duties set forth in this DPA by suitable means (e.g., certifications, attestations, independent audits).

The Parties agree that compliance with this obligation shall be evidenced by the fact that Systemorph has ISO 27001 certification or is able to provide further ISO certifications such as the ISO 27017 and ISO 27018 certifications or an ISAE 3402 Type II attestation. These audit reports are prepared by an independent third party or confirmations concerning certifications etc. that are specially referred to in the Agreement.

The above shall not exclude any further audit rights of the Customer or its supervisory authorities which are mandatorily granted by the Applicable Data Protection Law, if

(i) such an audit is officially requested by a supervisory authority of the Customer based on mandatory rights of such authority; or

(ii) the Customer has a direct audit right in accordance with mandatory, Applicable Data Protection Law.

Such audits shall be carried out during usual hours of business, where possible without disrupting business operations, after reasonable prior notice of at least thirty days, unless mandatory provisions of Applicable Data Protection Law or a data protection authority stipulate a shorter notice period. The principle of proportionality shall be adhered to in all cases in such audits and reasonable account must be taken of the legitimate interests of Systemorph and its sub-processors (namely confidentiality). Unless otherwise provided, the Customer shall be responsible for all costs of such audits (including proven internal costs incurred by Swisscom in cooperating in the audit).

If significant breaches of this DPA or shortcomings are detected while Systemorph is fulfilling its obligations within the scope of an audit or after presenting proof or reports, Systemorph shall take suitable corrective measures at no extra cost.

Data Processing in Third Countries

Any disclosure of Personal Data of Customer by Systemorph to a third country which is neither a member state of the EU nor of the EEA or Switzerland shall only be permitted if Systemorph complies with the provisions of Applicable Data Protection Law. Where, on the other hand, such a disclosure of Personal Data is desired by the Customer or occurs on his/her behalf, the Customer alone shall be responsible for compliance with the corresponding provisions.

Liability

The liability of the Parties under this Agreement shall be subject to the limitation of liability set forth in the applicable Agreement.

Final Provisions

By way of derogation from any written form requirements in the Agreement, the present DPA may also be agreed or amended electronically between the Parties.

The obligations under this DPA shall apply by way of supplementing, rather than limiting, the obligations stipulated in the Agreement. The Agreement provisions shall continue to apply unchanged in all other respects.

Appendix 1 to the DPA — Details

Possible Processing Activities by Systemorph (Activity: Yes/No):

  • Collection of personal data: No
  • Recording (capturing personal data in a file or the SMC Service): No
  • Organization (organizing personal data in the SMC Service): No
  • Storage (keeping the personal data in the SMC Service for a determined period, including for archiving purposes): No
  • Modification (modifying the content or the way the personal data are structured…): No
  • Consultation (looking at personal data that we have stored in our files or software programs…): No
  • Transmission (carrying the traffic that may include personal data on our network using switching and/or routing…): Yes
  • Disclosure or otherwise making available (communicating personal data to another recipient by any means…): No. Except for disclosure mentioned in the SMC Service description or required by law, or otherwise specifically directed by the Customer, the categories of potential recipients are only those subcontractors referenced herein or otherwise approved by the Customer.
  • Deletion or destruction (deleting or anonymizing the personal data or destroying the hard copies…): No
  • Other use: No

Possible Categories of Personal Data processed:

Any Personal Data that may be included in the SMC Service by Customer in accordance with the Agreement, not identifiable by Systemorph.

Duration of processing (Subject Matter: Duration of processing):

Personal Data: For the period of processing the personal data inserted in the SMC Service by Customer in memory only. No further storage or any other collection or keeping of such Personal Data by Systemorph.

Purpose of processing:

The Customer decides on the purpose of the processing of the Personal Data in the SMC Service. Code used for processing is written by the Customer, and executed on the SMC.

Contact of Systemorph (Title: Contact details):

Data protection: dataprotection@systemorph.cloud

Sub-Processors (Name: Purpose):

Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland: Personal Data may be processed solely inside the Microsoft Azure Kubernetes Services (AKS) as basis of the SMC Service.

Appendix 2 to the DPA — TOM

Systemorph has implemented and will maintain the following TOM, which in conjunction with the security commitments in this DPA (including the GDPR Terms) are Systemorph’s only responsibility with respect to the security of that data. The practices are listed by domain below.

Organization of Information Security

Security Ownership. Systemorph has appointed one or more security officers responsible for coordinating and monitoring the information security rules and procedures.

Security Roles and Responsibilities. Systemorph personnel with access to Customer Data are subject to confidentiality obligations.

Risk Management Program. Systemorph performed a risk assessment before processing the Customer Data or launching SMC services. Systemorph retains its security documents pursuant to its retention requirements after they are no longer in effect.

Asset Management

Asset Inventory. Systemorph maintains an inventory of all media on which Customer Data is stored. Access to the inventories of such media is restricted to Systemorph personnel authorized in writing to have such access.

Asset Handling

  • Systemorph classifies Customer Data to help identify it and to allow for access to it to be appropriately restricted.
  • Systemorph does not print Customer Data.
  • Systemorph does not store Customer Data on portable devices, remotely access such data, or process such data outside Systemorph’s facilities.

Human Resources Security

Security Training. Systemorph performs regular information security awareness training for all its employees and suppliers; attending and completing it is mandatory.

Physical and Environmental Security

Physical Access to Facilities. Systemorph operates no physical data processing facilities. Access to office premises is protected.

Physical Access to Components. Systemorph does not handle incoming and outgoing media containing Customer Data.

Protection from Disruptions. Systemorph, in conjunction with its main supplier Microsoft Azure, uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.

Component Disposal. Systemorph, in conjunction with its main supplier Microsoft Azure, uses industry standard processes to delete Customer Data when it is no longer needed.

Communications and Operations Management

Operational Policy. Systemorph maintains information security documents describing its information security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.

Data Recovery Procedures. Data recovery procedures are not applicable in the context of the DPA.

Malicious Software. Systemorph, in conjunction with its main supplier Microsoft Azure, has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data, including malicious software originating from public networks.

Data Beyond Boundaries.

  • Systemorph encrypts, or enables Customer to encrypt, Customer Data that is transmitted over public networks.
  • Systemorph has no Customer Data in media leaving its facilities.

Event Logging. Systemorph logs, or enables Customer to log, access and use of information systems containing Customer Data.

Access Control

No Systemorph personnel ever has access to data in the context of this DPA; therefore the usual Access Control measures do not apply.

Information Security Incident Management

Information Incident Response Process

  • Systemorph maintains a record of information security breaches and the procedure for recovering data.
  • For each information security breach that is an information security incident, notification by Systemorph will be made without undue delay and, in any event, within 72 hours.
  • Systemorph tracks, or enables Customer to track, disclosures of Customer Data, including what data has been disclosed, to whom, and at what time.

Service Monitoring. Systemorph information security personnel verify logs to propose remediation efforts on a regular basis, if necessary.

Business Continuity Management

  • Systemorph maintains emergency and contingency plans for its office premises.
  • Systemorph’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original or last-replicated state from before the time it was lost or destroyed.