Data Processing Addendum

This Data Processing Addendum (“Addendum”) amends any Agreement for services made between you as a customer (CUSTOMER) and Altoo AG (ALTOO) as the provider. In the event of a conflict or inconsistency, the terms of this Addendum shall supersede those of the Agreement.


1. Definitions

    • In this Addendum the following terms shall have the meanings set out below:
      • “Data Subject” means a natural person whose Personal Data is Processed;
      • “Data Protection Legislation” means laws and regulations, which protect the privacy rights of individuals, in so far as those laws and regulations apply to the Processing of Personal Data in connection with this Agreement, including without limitation Data protection legislation enacted by Switzerland, the EU and EU Member States, and similar measures;
      • “Personal Data” means any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
      • “Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, etc.;
      • “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
      • “Data Controller” means the entity disclosing the Personal Data, i.e. CUSTOMER;
      • “Data Processor” means the entity receiving the Personal Data, i.e. ALTOO;
      • “Data Protection Impact Assessment” means an analysis of how Personal Data is collected, used, shared, protected and maintained.


2. Subject matter and duration of the Processing

    • ALTOO acting as Data Processor on behalf of CUSTOMER (Data Controller) collects, maintains and processes Personal Data and shall do so only for the purposes of the Agreement or as otherwise directed in writing by the CUSTOMER. In doing so, ALTOO and CUSTOMER shall comply with the Data Privacy and Security requirements set forth in this Addendum.
    • Unless otherwise agreed in writing, the duration of the Processing corresponds to the duration of the Agreement.


3. Nature and purpose of the Processing

    • ALTOO offers software applications and related services to companies, including, among other things, the ALTOO WEALTH PLATFORM, a configurable SaaS platform to consolidate wealth data, bundled and offered as services called modules. The nature and purpose of the Processing are further defined in the Agreement and the respective service documentation.


4. Type of Personal Data and categories of Data Subject

    • The categories of Data Subjects whose Personal Data is collected, processed and stored are:
      • CUSTOMER (if a natural person)
      • Employees of CUSTOMER
      • Clients of CUSTOMER
      • Potential clients of CUSTOMER
      • Employees of Clients of CUSTOMER
      • Employees of potential Clients of CUSTOMER
      • Authorised Agents
      • Contact Persons
    • The Personal Data processed by ALTOO are:
      • Personal Master Data (Key Personal Data)
      • Contact Data
      • Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest)
      • CUSTOMER History
      • Financial Data
      • Billing and Payments Data


5. Data Privacy

    • CUSTOMER shall, in its capacity as Data Controller:
      • Inform Data Subjects of its rights;
      • Inform Data Subjects of the Personal Data collected in the context of the Services provided by ALTOO;
      • Where necessary under applicable Data Protection Legislation ensure that there is a legal basis to Process Personal Data and, if the legal basis is consent of Data Subjects, collect and log the consent of Data Subjects associated to the collection, storage and Processing of its Personal Data;
      • Ensure that no Sensitive Data is uploaded into ALTOO Services;
      • CUSTOMER warrants towards ALTOO that any Personal Data disclosed to ALTOO was collected in a lawful way and does not infringe upon the rights and freedoms of the Data Subject and/or third parties.
    • ALTOO shall, in its capacity as Data Processor:
      • Use all commercially reasonable endeavors to assist CUSTOMER in its compliance with Data Protection Legislation, including without limitation the preparation of necessary notifications, registrations and documentation which CUSTOMER may be reasonably required to make or enter into in order to comply with Data Protection Legislation in connection with this Agreement;
      • Only process the Personal Data in accordance with CUSTOMER’s documented written instructions, which may be specific instructions or standing instructions of general application in relation to the performance of ALTOO obligations under the Agreement, unless otherwise required by applicable law to which ALTOO is subject. In such a case, ALTOO shall inform CUSTOMER of that legal requirement before carrying out the required Processing, unless that law prohibits such information on important public interest grounds;
      • Put in place measures to ensure:
        • that any employees who have access to Personal Data do not process the Personal Data except on instructions from the CUSTOMER, unless required to do so by applicable law to which ALTOO is subject; and
        • that any employees who have access to Personal Data are reliable and have committed themselves to confidentiality;
      • Not to disclose Personal Data to any other body (including any subcontractor) without CUSTOMER’s express agreement in writing;
      • Not transfer Personal Data from the European Economic Area or relating to residents of the European Economic Area to any location outside Switzerland or the European Economic Area unless:
        • CUSTOMER has consented to such transfer and such transfer complies and continues to comply with the requirements for international data transfers under applicable Data Protection Legislation or;
        • if the specific Conditions of Article 44 et seq. GDPR and/or Section 3 of the Swiss FADP (and/or similar provisions under other applicable Data Protection Legislation) have been fulfilled.
      • Commission subcontractors (additional contract processors) only after prior specific or general written or documented consent of CUSTOMER.
        • Further outsourcing to subcontractors or changing of existing subcontractors are permissible if (1) ALTOO submits such an outsourcing to a subcontractor to CUSTOMER in writing or in text form (including a post on the ALTOO WEALTH PLATFORM) with appropriate advance notice; (2) CUSTOMER has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to ALTOO; and (3) The subcontracting is based on a contractual agreement in accordance with applicable Data Protection Legislation.
      • Promptly notify CUSTOMER if ALTOO receives a request from a Data Subject to have access to Personal Data or exercise any other applicable Data Subject rights, and assist the CUSTOMER insofar as reasonably possible in responding to any such complaint or request, including, without limitation:
        • where authorized by CUSTOMER, by allowing the Data Subject to have access to its Personal Data or to have that Personal Data corrected, deleted, or blocked within the relevant time frames set out by applicable law;
        • by providing CUSTOMER with any requested information relating to the Processing of Personal Data under this Addendum;
        • by providing CUSTOMER with any Personal Data ALTOO holds in relation to a Data Subject, if required in a commonly-used, structured, electronic and machine-readable format;
      • If CUSTOMER is obliged by Data Protection Legislation to carry out a Data Protection Impact Assessment in relation to the Services ALTOO provides pursuant to this Agreement ALTOO will provide the CUSTOMER with such support and information as reasonably required in carrying out such assessment;
      • Permit CUSTOMER (or the duly authorized representatives or any regulator to which CUSTOMER is subject) to inspect and audit ALTOO Processing activities under this Agreement (and/or those of any of its agents or subcontractors to whom ALTOO has been permitted by CUSTOMER to disclose the Personal Data), and comply with all reasonable requests or directions by CUSTOMER to enable them to verify and/or procure that ALTOO is in full compliance with the obligations under this Agreement;
        • ALTOO may claim a reasonable compensation for all costs such an inspection or audit may involve.
      • Immediately inform CUSTOMER if in ALTOO’s opinion one of the CUSTOMER’s instructions infringes the provisions of applicable Data Protection Legislation;
      • If so requested by CUSTOMER at any time, provide them with a copy of the Personal Data or (at CUSTOMER’s option) destroy it; and
      • Upon termination of ALTOO’s provision of services relating to Personal Data, delete all Personal Data related to CUSTOMER and delete any existing copies of the Personal Data, save where applicable law requires ALTOO to retain copies of such data.


6. Security

    • CUSTOMER is responsible for the proper creation and management of its user accounts, including user account disabling and account reviews. CUSTOMER shall in particular ensure that:
      • Access and authorizations are granted on a need-to-have basis;
      • Each User is assigned a unique account;
      • Accounts are periodically reviewed to validate their relevance;
      • Generic accounts are not used;
      • Passwords are of an appropriate complexity as enforced by the ALTOO Wealth Platform;
      • Suspected compromised accounts are disabled at once.
    • ALTOO shall:
      • Implement and maintain appropriate technical and organizational measures to ensure the security and protection of Personal Data, taking into account the nature and sensitivity of the information to be protected, the risk presented by Processing, the state of the art, and the costs of implementation, in compliance with applicable Data Protection Legislation. Such measures shall include appropriate physical, electronic and procedural safeguards, to (1) ensure the security and confidentiality of Personal Data, (2) protect against any threats or hazards to the security or integrity of Personal Data, and (3) prevent unauthorized access to or use of Personal Data, without limiting any other obligations under this Agreement;
      • Keep in force the security measures set forth in the Technical and Organizational Measures provided in Appendix 1 to this Addendum;
      • Notify the CUSTOMER as soon as reasonably possible if it knows, discovers or reasonably believes that there has been (1) any unauthorized access to or acquisition of Personal Data that compromises the security, confidentiality or integrity of Personal Data, or (2) any unauthorized disclosure of, access to or use of any Personal Data, or (3) any unauthorized intrusion into systems containing Personal Data resulting in unauthorized access or access in excess of authorization (“Data Security Breach”);
      • In the event of a Data Security Breach, (1) immediately investigate, correct, mitigate, remediate and otherwise handle the Data Security Breach, including without limitation, by identifying Personal Data affected by the Data Security Breach and taking sufficient steps to prevent the continuation and recurrence of the Data Security Breach; and (2) provide information and assistance needed to enable the CUSTOMER to evaluate the Data Security Breach and, if applicable, to provide timely notices disclosing the Data Security Breach and to comply with any obligations to report the Data Security Breach to relevant regulators.


APPENDIX 1 – ALTOO AG – TECHNICAL AND ORGANIZATIONAL MEASURES


(A)  General provisions

This appendix describes the technical and organizational measures that Altoo AG takes to protect the confidentiality, integrity and contractual availability of personal data.


(B)  Technical and organisational security measures

1. Confidentiality
    • Access control
      • “Unauthorised persons must be denied (physical) access to data processing facilities in which customer data (including personal data) is processed or used.”
      • Implemented measures:
        • Data center (certified): Personnel lock with badge, PIN & fingerprint; video surveillance; logging of access; regular checking of permanent access permits.
    • User control
      • “Data processing systems must be prevented from being used by unauthorised persons.”
      • Implemented measures:
        • Online access: multi-factor login (username, password, 2FA, client certificate, …)
        • Regular check of authorized users
    • Access control and memory control
      • “It must be ensured that those authorised to use a data processing system can only access the data necessary for the performance of their tasks (need-to-know) and subject to their access authorisation, and that customer data (including personal data) cannot be read, copied, modified or removed without authorisation during processing, use and after storage.”
      • Implemented measures:
        • Differentiated authorizations (profiles, roles, transactions and objects)
        • Regular review of authorized users and their roles
        • No “account sharing” (several people use one account) / unique “user ID” (user assignment)

2. Integrity
    • Transfer control (transport control, data carrier control and disclosure control)
      • “It shall be ensured that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and determine at which points a transmission of personal data is provided by data transmission equipment.”
      • Implemented measures:
        • Encryption / tunnel connection (VPN = Virtual Private Network)
        • Logging
        • Electronic signature
        • Encrypted storage
        • Transport security (HTTPS)
    • Input control and logging
      • “It must be ensured that it is possible to check and establish retrospectively whether and by whom personal data have been entered into data processing systems, modified or removed.”
      • Implemented measures:
        • Logging

3. Availability and resilience
    • Availability control and recovery
      • “Ensure that customer data (including personal data) is protected against accidental or deliberate destruction or loss. Rapid recoverability must be ensured.”
      • Implemented measures:
        • Backup procedures, redundancy (resilience) of data storage and IT systems, uninterruptible power supply (UPS), separate storage, virus protection / firewall, emergency plan (disaster recovery plan)
    • Resilience and reliability
      • “It must be ensured that IT systems remain functional even in the event of malfunctions and errors. In addition, it must be ensured that IT system malfunctions are reported internally.”
      • Implemented measures:
        • IT systems are designed in such a way that essential functions remain executable even in the event of malfunctions and errors (redundancy).
        • Facilities are planned and implemented in such a way that a risk-appropriate failure safety exists (redundancy/resilience).
        • Processes for reporting malfunctions to a helpdesk are implemented (monitoring with alerting)

4. Procedures for regular review, assessment and evaluation
    • Data protection management
      • Implemented measures:
        • Regularly audited Information Security Management System (ISMS)
        • Documented Information Security Guidance (VR-approved specification of the data to be protected)
        • Information Security Guideline (behavioural instructions for employees with regard to data security)
    • Incident response management (detection and mitigation or elimination of data security breaches)
      • Implemented measures:
        • Management must be informed (in accordance with Altoo’s Information Security Guideline), which then orders further measures depending on the situation.
    • Privacy-friendly preferences
      • Implemented measures:
        • Authorization profiles initially restrictive and regularly checked
    • Order control
      • “No commissioned data processing or subcontracted processing without appropriate instructions from the client.”
      • Implemented measures:
        • Clear contract design
        • Written order placement


HOW WE MAY CHANGE THIS DATA PROCESSING ADDENDUM

We may change this Data Processing Addendum at any time, in particular if we change our data processing practices or if new legislation becomes applicable. The version provided on our website applies at all times.

This Data Processing Addendum is in the English language only, which language shall be controlling in all respects. All versions of this Addendum in any other language shall be for information only.


Last update: 13.09.2023
