Data Processing Agreement (DPA)

1.Purpose and Applicability

This Data Processing Agreement (“DPA”) governs the processing of personal data by Swiss Lab of Intelligence (“SwissLI AG”, “Processor”) on behalf of the Client (“Controller”).

aodit is designed to operate without processing personal data.

Accordingly:

• SwissLI AG does not process personal data as part of standard service delivery

• This DPA applies only in limited cases where SwissLI AG processes personal data on behalf of the Client

2.Roles of the Parties

• The Client acts as Controller

• SwissLI AG acts as Processor, only where applicable

In standard aodit deployments, SwissLI AG does not act as a processor of personal data.

3.Nature of Processing

SwissLI AG's services are based on:

• Adversarial testing using synthetic data

• Evaluation of AI system behaviour

• Generation of reports based on controlled inputs

Accordingly:

• SwissLI AG does not process personal data within AODIT evaluations

• Evaluation outputs (e.g. transcripts) are generated using synthetic, non-personal data

Only in exceptional cases, the Client may request analysis of materials. Such processing occurs only upon explicit written instruction from the Client.

4.Categories of Data and Data Subjects

4.1 Standard Operation

• No personal data is processed

• No data subjects are involved

4.2 Exceptional Cases (If Applicable)

If the Client voluntarily provides materials containing personal data:

Categories of Data may include:

• Business contact data

• Documents or outputs provided by the Client

Data Subjects may include:

• Client employees or representatives

SwissLI AG does not intentionally process special categories of personal data.

5.Processing Instructions

Where this DPA applies, SwissLI AG shall:

• Process personal data only on documented written instructions from the Client

• Process data only for the explicitly agreed purpose

• Not use personal data for training, development, or internal reuse

6.Confidentiality

SwissLI AG ensures that:

• All personnel are bound by confidentiality obligations

• Access to any data is restricted on a need-to-know basis

7.Security Measures

SwissLI AG implements appropriate technical and organisational measures proportionate to its processing model. Given the architecture:

• SwissLI AG does not host or process client AI system data

• Personal data exposure is limited to business communication and, where applicable, explicitly shared materials

Security measures include:

• Secure communication via Google Workspace

• Multi-factor authentication (MFA) for account access

• Restricted access controls

• Encryption in transit (TLS)

Further details are defined in the Security Policy and Technical & Organisational Measures (TOM).

8.Sub-Processors

SwissLI AG uses limited third-party providers for business operations, including:

• Google Workspace (email and document handling)

SwissLI AG does not use sub-processors to process client AI system data. Where the Client explicitly requests external analysis, specific tools or providers may be used only with prior written approval from the Client.

9.International Data Transfers

SwissLI AG operates primarily in Switzerland. As a principle, no client AI system data is transferred outside client-controlled infrastructure.

In exceptional cases where the Client provides materials for analysis:

• Data may be processed using tools located outside Switzerland

• Such processing occurs only with Client knowledge and instruction

• Appropriate safeguards are applied where required

10.Assistance to the Controller

Where applicable, SwissLI AG shall reasonably assist the Client with:

• Data subject requests

• Regulatory inquiries

• Security-related matters

Such assistance is limited to the scope of actual processing performed.

11.Data Breach Notification

SwissLI AG shall notify the Client without undue delay, and in any event within 48 hours after becoming aware of a personal data breach affecting data processed under this DPA.

12.Data Retention and Deletion

SwissLI AG does not retain client AI system data as part of standard aodit operation. Where personal data is processed under this DPA:

• Such data is retained only for the duration necessary to fulfil the agreed purpose

• And is deleted or returned upon completion of the engagement, unless otherwise agreed

Outputs generated by aodit :

• Are based on synthetic or non-personal data

• Do not constitute personal data

• May be retained by SwissLI AG for internal benchmarking, quality improvement, and development purposes, provided no Client-specific confidential information is disclosed

13.Audit and Verification

The Client may request reasonable information to verify compliance with this DPA. Any audit:

• Must be proportionate to the limited processing activities

• Must not interfere with SwissLI AG's operations or confidentiality obligations

14.Liability

Liability is governed by the applicable agreement (e.g. Terms & Conditions or Master Service Agreement).

15.Governing Law

This DPA is governed by Swiss law.

Jurisdiction: Courts of Lucerne, Switzerland.

16.Relationship with Other Agreements

This DPA forms part of the contractual relationship between the parties. In case of conflict, this DPA prevails for data protection matters.