Data Processing Agreement
Between
- The Customer of deskbird services (“Controller”), and
- deskbird AG, Churerstrasse 54, 8808 Pfäffikon, Switzerland (“Processor”)
Controller and Processor hereinafter jointly referred to as “Parties”, individually referred to as a “Party”, enter into this Data Processing Agreement (“DPA”) as well as the Addendum concerning secrecy and non-disclosure:
Recitals
In the course of its business activities and in accordance with the Services Agreement concluded between the Parties, the Processor receives from the Controller personal data for which the Controller is responsible. The Parties agree on the provisions in this DPA to comply with the applicable data protection laws, in particular the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the German Federal Data Protection Act (“BDSG”), and the Swiss Federal Act on Data Protection (“nFADP”).
1. Definitions
1.1 Personal data shall mean any information relating to an identified or identifiable natural person (“Data subject”).
1.2 Data processing carried out on behalf shall mean any collection, processing, or use of Data by the Processor on behalf of the Controller.
2. Subject Matter and Content of the Processing
2.1 Subject matter of the processing
The Processor operates a cloud-based software solution for booking office resources (e.g., desks, rooms, parking spots), for alignment of absences and office attendances, and for evaluation of office capacities. The Processor licenses this solution to the Controller.
2.2 Duration of the processing
The duration of the processing is defined in the Services Agreement between the Parties.
2.3 Categories of Data
Depending on configuration and setup:
- If synchronized with an Active Directory (e.g., Entra ID, HRIS):
● First name, last name, email address, job title, department, profile picture
- If using standard registration via deskbird:
● Mandatory: First name, last name, email address
● Optional: Profile picture
In all cases, the following data is processed:
● Resource bookings
● Week scheduling, office attendance and absence planning
● User groups and group memberships within the Controller's organization
2.4 Purpose of processing
The data listed in 2.3 is required to operate the software solution.
2.5 Type and extent of processing
The data is processed as necessary for the described functionalities of the solution. Transaction data is automatically anonymized after 6 months.
2.6 Categories of Data Subjects
Employees and managers of the Controller.
2.7 Technical and Organisational Measures
a) Measures implemented by the Processor are defined in a separate document to this DPA and updated regularly to reflect the state of the art. Changes must not reduce the agreed protection level. The Processor shall inform the Controller without undue delay of any material changes.
b) Processor shall allow the Controller to verify compliance prior to the start of processing and shall document compliance at least annually through relevant documents or certifications. The audit rights in Section 2.11 remain unaffected.
c) Processor shall ensure that its systems comply with "privacy by design" and "privacy by default" principles.
2.8 Rights of Data Subjects
a) Data subject rights (e.g., rectification, erasure, restriction, data portability, objection) shall be handled by the Controller.
b) Processor shall forward such requests to the Controller without undue delay and shall not respond without prior instruction.
c) Processor shall support the Controller in fulfilling data subject rights at its own expense.
d) Processor shall correct, block, or delete Data per Controller instruction within five (5) days and confirm completion.
2.9 Obligations of the Processor
a) Processor may only process Data according to the documented instructions of the Controller unless required by law.
b) Processor shall maintain and review records of technical and organisational measures and provide them upon request.
c) Processor shall provide a data protection contact or DPO and inform the Controller of any changes.
d) All personnel with access to Data shall be bound to confidentiality and instructed in their data protection obligations.
2.10 Subcontracting
a) Processor shall not engage subprocessors without prior general or specific written consent.
b) Subprocessors shall be bound by obligations equivalent to those in this DPA.
c) Processor shall verify and document the technical and organisational measures of subprocessors.
d) Processor remains fully liable for subprocessors.
A current list of approved subprocessors is published at: https://www.deskbird.com/subprocessors. Customers may request the deactivation of specific subprocessors if needed.
2.11 Audit Rights of Controller
The Controller may audit the Processor’s compliance during regular business hours, providing at least 20 working days’ notice. The Processor shall provide reasonable cooperation and allow on-site access if justified. Controller bears audit costs, unless a breach is discovered.
2.12 Data Breaches
a) Processor shall notify the Controller within 24 hours of discovering a personal data breach or any violation of this DPA.
b) The Processor shall support the Controller in mitigating the effects and complying with reporting duties.
c) These obligations also apply to suspected breaches.
2.13 Instructions by Controller
a) Processing takes place exclusively on the basis of the Controller’s instructions.
b) Instructions shall be followed without delay or within the timeframe defined by the Controller.
c) Processor shall raise concerns over unlawful instructions and may suspend processing until clarified.
2.14 Erasure of Data after Processing
Upon termination of the Services Agreement, Processor shall delete or return all personal data unless otherwise required by Union or Member State law. No retention right shall apply.
3. Further Obligations of Processor
3.1 Processor shall not process Data for other purposes or make copies without consent.
3.2 Processor shall assist the Controller in defending legal claims related to data protection.
3.3 Information requests from data subjects shall be handled exclusively by the Controller.
3.4 Processor shall assist with documentation (e.g., data processing registers, DPIAs).
3.5 Processor shall inform the Controller of any data protection authority actions or complaints related to this DPA.
3.6 No data may be processed outside the EU/EEA without prior written consent.
3.7 Processor shall document processing operations and make them available upon request.
4. Liability
4.1 The Controller remains responsible for the lawfulness of processing.
4.2 The Processor is liable for any violations of this DPA or applicable data protection law and shall indemnify the Controller from resulting third-party claims.
5. Final Provisions
5.1 Controller shall inform Processor of any irregularities identified during audits.
5.2 The written form requirement may be fulfilled by email or fax.
5.3 Processor shall notify the Controller of any threats to Data (e.g., seizure, insolvency).
5.4 Invalid provisions shall not affect the remainder of the DPA; invalid clauses shall be replaced by valid ones with similar intent.
5.5 This DPA is governed by Swiss law; place of jurisdiction is Schwyz, Switzerland.
5.6 In case of conflict, this DPA shall prevail over other agreements between the Parties.
Effective date: 01.01.2023
This DPA applies to all current and future customers of deskbird and does not require individual signature.