This Data Processing Agreement (DPA) governs how Jaff Studio processes personal data on behalf of business clients who use our AI and marketing services. It ensures compliance with Swiss data protection law (nFADP) and EU GDPR where applicable.
PARTIES TO THIS AGREEMENT
CONTROLLER (Auftraggeber):
[Your Company Name]
[Your Company Address]
("Client" or "Controller")
PROCESSOR (Auftragnehmer):
Jaff Studio
Switzerland
Email: contact@jaffstudio.com
("Processor" or "Jaff Studio")
This DPA governs the processing of personal data by Processor on behalf of Controller in accordance with:
Swiss Federal Act on Data Protection (nFADP)
EU General Data Protection Regulation (GDPR) where applicable
1. DEFINITIONS
"Personal Data": Any information relating to an identified or identifiable natural person
"Processing": Any operation performed on Personal Data
"Data Subject": Individual whose Personal Data is processed
"Sub-processor": Third party engaged by Processor to process Personal Data
2. SCOPE AND PURPOSE
2.1 Subject Matter
Processing of Personal Data in connection with AI-powered website and marketing services.
2.2 Duration
Term of the main Service Agreement.
2.3 Nature and Purpose of Processing
Website development and hosting
Marketing automation and analytics
AI-powered content generation
Customer data analysis
2.4 Types of Personal Data
Contact information (names, emails)
Customer behavior data (website visits, clicks, engagement)
Marketing preferences and interactions
Business information
2.5 Categories of Data Subjects
Client's customers
Website visitors
Marketing campaign recipients
Business contacts
3. OBLIGATIONS OF THE PROCESSOR
Processor shall:
3.1 Process Personal Data only:
On documented instructions from Controller
For the purposes specified in this DPA
In compliance with applicable data protection laws
3.2 Ensure persons authorized to process Personal Data:
Are bound by confidentiality
Receive appropriate training
3.3 Implement appropriate technical and organizational measures:
Encryption of data in transit and at rest
Access controls and authentication
Regular security testing
Incident response procedures
Data backup and recovery
3.4 Respect Data Subject Rights:
Assist Controller in responding to access requests
Enable data rectification, deletion, and portability
Respond to Controller requests within 14 days
3.5 Data Breach Notification:
Notify Controller within 24 hours of becoming aware
Provide details of breach nature, affected data, and mitigation
Assist Controller in breach investigation
3.6 Return or Deletion of Data:
Upon termination, return or delete all Personal Data within 30 days
Provide certification of deletion upon request
Exception: Data required for legal retention
3.7 Audits and Inspections:
Allow Controller to audit compliance
Provide information necessary for demonstrating compliance
Give advance notice of intended audits (minimum 14 days)
4. SUB-PROCESSORS
4.1 General Authorization
Controller authorizes Processor to engage sub-processors for:
AI processing (OpenAI, Anthropic)
Cloud hosting (AWS, Google Cloud, Azure)
Analytics (Google Analytics)
Email services
4.2 Current Sub-Processors:
OpenAI LLC - AI processing - USA
Google LLC - Analytics, Cloud - USA/EU
Amazon Web Services (AWS) - Cloud hosting - USA/EU
4.3 Changes to Sub-Processors:
Processor will inform Controller of any new sub-processors
Controller has 14 days to object
If Controller objects, the parties will negotiate in good faith
4.4 Sub-Processor Obligations:
Same data protection obligations as this DPA
Processor remains fully liable for sub-processor actions
5. INTERNATIONAL DATA TRANSFERS
5.1 Transfer Mechanisms
When transferring Personal Data outside Switzerland/EEA:
EU-Swiss adequacy decisions
Standard Contractual Clauses (SCCs)
Appropriate safeguards per Article 16 nFADP
5.2 Locations
Data may be processed in:
Switzerland
European Economic Area
USA (under adequacy frameworks)
6. CONTROLLER OBLIGATIONS
Controller warrants that:
It has a legal basis to process Personal Data
It has obtained necessary consents
Processing instructions comply with applicable law
It will inform Processor of any legal restrictions
7. LIABILITY AND INDEMNIFICATION
7.1 Processor Liability
Processor is liable for damages caused by:
Non-compliance with this DPA
Acting outside or contrary to lawful instructions
Gross negligence or intentional misconduct
7.2 Limitation
Liability is limited as specified in the main Service Agreement, except for gross negligence or intentional acts.
7.3 Indemnification
Processor shall indemnify Controller against third-party claims arising from Processor's breach of this DPA.
For DPA inquiries, contract requests, or data protection questions, please contact us at the email above.
AGREEMENT EXECUTION
This DPA becomes effective upon execution of the main Service Agreement between the parties. By engaging Jaff Studio's services, you agree to the terms of this Data Processing Agreement.