Data processing agreement

Last updated: 01.04.2026 This Data Processing Agreement (“DPA”) is an addendum to the Service Agreement (“Agreement”) between Ruler GmbH (“Tale”, “we”, “us”, “our”) and the entity or person agreeing to the Agreement (“Customer”, “you”, “your”). This DPA applies to the extent that Tale processes Personal Data on behalf of the Customer in the course of providing the services under the Agreement. By executing the Agreement, the Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, on behalf of its authorized users and affiliates. This DPA is effective as of the date of the Agreement.

​

1. Definitions

Capitalized terms not defined herein shall have the meanings set out in the Agreement. “Applicable Data Protection Law” means the Swiss Federal Act on Data Protection (FADP/nDSG) and its ordinances, the EU General Data Protection Regulation (GDPR), and any other applicable data protection or privacy legislation, in each case as amended, repealed, or replaced from time to time. “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Tale on behalf of the Customer. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Tale on behalf of the Customer in connection with the services under the Agreement. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. “Processor” means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, Tale is the Processor. “Sub-processor” means any third party engaged by Tale to process Personal Data on behalf of the Customer.

​

2. Scope and purpose of processing

​

2.1 Roles

The Customer is the Controller and Tale is the Processor with respect to the Personal Data processed under this DPA. Tale processes Personal Data solely for the purpose of providing and maintaining the services under the Agreement and in accordance with the Customer’s documented instructions.

​

2.2 Details of processing

​

2.3 Customer responsibilities

The Customer shall ensure that: a) it has a valid legal basis under Applicable Data Protection Law for the processing of Personal Data and for instructing Tale to process Personal Data on its behalf; b) it has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects as required under Applicable Data Protection Law; c) its instructions to Tale comply with Applicable Data Protection Law; d) it is solely responsible for the accuracy, quality, and legality of the Personal Data submitted to the services.

​

3. Tale’s obligations as Processor

Tale shall: a) process Personal Data only on the basis of documented instructions from the Customer, including as set out in this DPA and the Agreement, unless required to do so by applicable law, in which case Tale shall inform the Customer of such legal requirement before processing (unless prohibited by law); b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; c) implement and maintain appropriate technical and organizational measures to protect Personal Data, as set out in Section 6; d) not engage any Sub-processor without complying with the requirements set out in Section 5; e) taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in fulfilling the Customer’s obligation to respond to Data Subject requests, as set out in Section 8; f) assist the Customer in ensuring compliance with its obligations regarding data security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Tale; g) at the Customer’s choice, delete or return all Personal Data after the end of the provision of services, as set out in Section 12; h) make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, and allow for and contribute to audits and inspections, as set out in Section 9.

​

4. Customer instructions

​

4.1 Documented instructions

The Customer instructs Tale to process Personal Data to the extent necessary to provide the services in accordance with the Agreement. Additional or alternative instructions must be agreed upon in writing.

​

4.2 Notification of conflicting instructions

If Tale becomes aware that an instruction from the Customer infringes Applicable Data Protection Law, Tale shall promptly notify the Customer and may suspend the relevant processing until the Customer provides a lawful instruction.

​

5. Sub-processors

​

5.1 General authorization

The Customer provides a general written authorization for Tale to engage Sub-processors for the processing of Personal Data. Tale shall maintain a current list of Sub-processors, which is available upon request.

​

5.2 Notification of changes

Tale shall notify the Customer at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor, by updating the Sub-processor list and, where the Customer has subscribed to such notifications, by email.

​

5.3 Right to object

The Customer may object to a new or replacement Sub-processor by notifying Tale in writing within 30 days of receiving notice. The objection must be based on reasonable data protection grounds. If the Customer objects, Tale shall use commercially reasonable efforts to offer an alternative solution that avoids the use of the objected-to Sub-processor. If no resolution can be reached within 30 days, either Party may terminate the affected services under the Agreement.

​

5.4 Sub-processor obligations

Where Tale engages a Sub-processor, Tale shall: a) impose on the Sub-processor, by way of a written agreement, data protection obligations no less protective than those set out in this DPA; b) remain fully liable to the Customer for the performance of the Sub-processor’s obligations.

​

6. Technical and organizational measures

​

6.1 Security measures

Tale shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. These measures include, as appropriate: a) encryption of Personal Data in transit and at rest; b) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; c) measures to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; d) access controls ensuring that Personal Data is accessible only to authorized personnel on a need-to-know basis; e) regular testing, assessment, and evaluation of the effectiveness of the technical and organizational measures; f) physical security measures for data centers and infrastructure; g) employee security awareness training.

​

6.2 Certifications

Tale maintains ISO 27001 and SOC 2 Type II certifications. Tale shall maintain such certifications (or equivalent standards) and provide evidence of current certification to the Customer upon reasonable request.

​

6.3 Updates

Tale may update its security measures from time to time, provided that the updated measures do not materially decrease the overall level of protection afforded to Personal Data.

​

7. Data breach notification

​

7.1 Notification to the Customer

Tale shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Customer.

​

7.2 Content of notification

The notification shall include, to the extent reasonably available at the time: a) a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned; b) the contact details of Tale’s point of contact for further information; c) a description of the likely consequences of the Data Breach; d) a description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

​

7.3 Cooperation

Tale shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

​

7.4 Notification limitations

Tale’s obligation to notify the Customer of a Data Breach is not an acknowledgment of fault or liability. The Customer is solely responsible for determining whether a Data Breach triggers any notification obligations under Applicable Data Protection Law and for fulfilling those obligations.

​

8. Data subject rights

​

8.1 Assistance

Tale shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.

​

8.2 Forwarding requests

If Tale receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Customer, Tale shall promptly forward the request to the Customer and shall not respond to the Data Subject directly, unless instructed to do so by the Customer or required by applicable law.

​

8.3 Costs

Where assistance with Data Subject requests requires significant effort beyond what is reasonably expected, Tale may charge the Customer a reasonable fee based on Tale’s administrative costs.

​

9. Audits and inspections

​

9.1 Audit reports

Tale shall make available to the Customer, upon reasonable request and no more than once per year, copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports and ISO 27001 certificates) to demonstrate compliance with the obligations set out in this DPA.

​

9.2 Additional audits

If the Customer reasonably determines that the information provided under Section 9.1 is insufficient to verify compliance with this DPA, the Customer may request an additional audit. Such audits shall be: a) conducted at the Customer’s expense (unless the audit reveals a material breach by Tale); b) subject to reasonable prior notice of at least 30 days; c) conducted during normal business hours and in a manner that minimizes disruption to Tale’s operations; d) carried out by the Customer or an independent third-party auditor that is not a competitor of Tale and that is bound by appropriate confidentiality obligations; e) limited in scope to the processing of the Customer’s Personal Data.

​

9.3 Confidentiality

Any audit reports, findings, and information obtained through audits shall be treated as confidential information of Tale and shall be subject to the confidentiality provisions of the Agreement.

​

10. International data transfers

​

10.1 Processing locations

Tale processes Personal Data primarily in Switzerland. Where the Customer deploys Tale on its own infrastructure (on-premises or private cloud), the Customer determines the location of processing.

​

10.2 Transfers to adequate countries

Tale may process Personal Data in countries recognized by the Swiss Federal Council as providing an adequate level of data protection under Art. 16 FADP, or by the European Commission under Art. 45 GDPR.

​

10.3 Safeguards for other transfers

Tale shall not transfer Personal Data to countries without an adequate level of data protection unless appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC), or other legally recognized transfer mechanisms.

​

10.4 Transparency

The current locations of data processing and any relevant transfer mechanisms are described in the Sub-processor list referenced in Section 5.1.

​

11. Confidentiality

Tale shall treat all Personal Data processed under this DPA as confidential information. This obligation shall survive the termination of this DPA and the Agreement. Tale shall ensure that all personnel who have access to Personal Data are subject to appropriate confidentiality obligations.

​

12. Data retention and deletion

​

12.1 During the Agreement

Tale shall retain Personal Data for the duration of the Agreement and in accordance with the Customer’s documented instructions.

​

12.2 Upon termination

Upon termination or expiration of the Agreement, Tale shall, at the Customer’s written request: a) return all Personal Data to the Customer in a commonly used, machine-readable format; or b) securely delete all Personal Data and provide written confirmation of deletion. If the Customer does not make a written request within 30 days of termination, Tale shall delete all Personal Data within 90 days of termination.

​

12.3 Legal retention

Where applicable law requires Tale to retain certain Personal Data beyond termination, Tale shall inform the Customer, limit further processing to the extent required by law, and continue to protect the data in accordance with this DPA.

​

13. Liability

Liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, to the extent permitted by Applicable Data Protection Law. Nothing in this DPA or the Agreement shall limit or exclude either Party’s liability for damages arising from a willful or grossly negligent breach of Applicable Data Protection Law.

​

14. Relationship with the Agreement

​

14.1 Precedence

In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail with respect to the processing of Personal Data.

​

14.2 Incorporation

This DPA is incorporated into and forms part of the Agreement. All terms, conditions, and provisions of the Agreement that are not expressly modified by this DPA shall remain in full force and effect.

​

14.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

​

15. Governing law and jurisdiction

This DPA shall be governed by and construed in accordance with the substantive laws of Switzerland, excluding its conflict of law provisions and the United Nations Convention on Contracts for the International Sale of Goods (CISG). Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of the Canton of Bern, Switzerland, unless otherwise required by mandatory law.

​

16. Amendments

Tale may update this DPA from time to time to reflect changes in its data processing practices or to comply with changes in Applicable Data Protection Law. Material changes will be communicated to the Customer in advance. The Customer’s continued use of the services after such changes take effect constitutes acceptance of the updated DPA.

​

17. Contact

For any questions regarding this DPA or data processing activities, please contact us through our contact form. Ruler GmbH Seestrasse 4 3700 Spiez Switzerland