Data Processing Agreement (DPA)

Data processing agreement pursuant to Art. 28 GDPR (DSGVO) / Art. 9 FADP (nDSG)

Version 1.0 · April 2026

Enterprise customers

To request a signed DPA, email legal@archbit.ch with your company name and billing email. We respond within 2 business days.

1. Parties

Controller: The Customer ("Controller"), as identified in the ARCHBiT subscription agreement.

Processor: ARCHBiT GmbH, Zurich, Switzerland ("Processor").

2. Subject Matter and Purpose

The Processor provides the ARCHBiT ITSM/MSP platform to the Controller. In doing so, the Processor processes personal data on behalf of and under the instructions of the Controller.

3. Nature, Purpose and Duration of Processing

Categories of data subjects: Controller's employees, contractors, and end customers.

Categories of personal data: Names, email addresses, phone numbers, job titles, IP addresses, ticket content, time entries, and other data entered by Controller users.

Purpose: Provision of ITSM and MSP management services.

Duration: For the duration of the subscription agreement, plus 30 days post-termination for data retrieval.

4. Obligations of the Processor

The Processor undertakes to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorised to process the personal data are under appropriate confidentiality obligations
  • Implement technical and organisational measures (TOMs) as set out in Annex A
  • Notify the Controller without undue delay (within 72 hours) upon becoming aware of a personal data breach
  • Delete or return all personal data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance with this DPA

5. Sub-processors

For self-hosted deployments, the Customer (Controller) is solely responsible for sub-processor selection. ARCHBiT GmbH does not sub-process any Customer data. Where optional cloud services are used (e.g. email delivery), the Customer configures and controls these directly.

6. International Transfers

For self-hosted deployments, all data remains on the Customer's own infrastructure. No personal data is transferred to ARCHBiT GmbH or any third party. The Customer is responsible for ensuring their hosting environment meets applicable data transfer requirements.

7. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability) within 10 business days of a written request from the Controller.

Annex A — Technical and Organisational Measures (TOMs)

Category: Measure

Encryption (transit): TLS 1.3 for all data in transit; HTTPS enforced, HSTS enabled

Encryption (at rest): AES-256 for stored credentials and sensitive fields

Access control: Role-based access (RBAC); principle of least privilege; MFA required for admin access

Authentication: bcrypt password hashing; TOTP two-factor authentication; JWT with short expiry

Audit logging: All authentication and data-modification events logged with timestamp, user, and IP

Availability: Automated PostgreSQL backups; daily snapshot; 30-day retention

Pseudonymisation: User IDs used internally; deletion anonymises PII fields while retaining operational data

Incident response: Security incidents logged and escalated; Controller notified within 72 hours of breach

Patch management: Automated dependency vulnerability scanning; critical patches applied within 14 days

Physical security: Infrastructure is operated by the Customer on their own premises or chosen hosting provider. ARCHBiT has no access to Customer infrastructure.

Governing Law

This DPA is governed by Swiss law. The exclusive place of jurisdiction is Zurich, Switzerland. For EU Controller customers, this DPA is supplemented by the EU Standard Contractual Clauses (Module 2: Controller to Processor) where applicable.