Data Processing Agreement
Last updated: May 2025 · EU GDPR · Swiss nLPD · On-Premise Architecture
Architecture note
Because the ALPIX platform is deployed on-premise and ALPIX SA has no technical access to client workflow data, the scope of this DPA is architecturally limited compared to cloud-based data processors. Client Data never leaves client infrastructure.
Preliminary Note
This Data Processing Agreement ("DPA") is entered into between ALPIX SA ("Processor") and the enterprise client identified in the applicable Order Form ("Controller") and forms part of the Master Subscription Agreement or Terms of Service between the parties.
IMPORTANT: Given the on-premise architecture of the ALPIX platform, ALPIX SA acts as Processor only to the limited extent described in Section 3 below. In practice, because ALPIX does not receive, access, or process Client workflow data, the applicability of this DPA to the ALPIX platform's core operation is architecturally limited.
This DPA is provided to satisfy regulatory requirements and to document the parties' respective obligations under EU GDPR (Regulation 2016/679) and Swiss nLPD.
1. Definitions
"Personal Data" has the meaning given to it under applicable Data Protection Law.
"Data Protection Law" means EU GDPR, the Swiss nLPD, and any applicable national implementing legislation.
"Processing" has the meaning given to it under applicable Data Protection Law.
"Client Data" means all workflow and behavioral data captured by the ALPIX agent within the Controller's infrastructure.
"ALPIX Platform" means the operational intelligence software, agent, management console, and analytical engine provided by ALPIX SA.
2. Architecture Clarification: Why ALPIX Holds No Client Data
The ALPIX platform is deployed exclusively within the Controller's own IT infrastructure. The ALPIX agent encrypts all captured data on the endpoint device using AES-256 encryption before any write operation. Encrypted data is stored exclusively in the Controller's designated on-premise data store.
ALPIX SA does not receive, store, process, or access any Client Data or Personal Data captured by the ALPIX platform in its normal operation. No Client Data is transmitted to ALPIX infrastructure at any point.
The Controller is the sole data controller with respect to Personal Data processed by the ALPIX platform within their environment. ALPIX SA is not a data processor in respect of Client Data in the ordinary operation of the platform.
This DPA governs the limited circumstances in which ALPIX may access Controller systems during on-premise deployment, maintenance, or support activities.
3. Scope of Processing by ALPIX
To the extent ALPIX SA processes any Personal Data in connection with services provided under the Agreement, ALPIX acts as Processor on behalf of the Controller. Such processing may occur only in the following limited circumstances:
(a) Initial platform deployment and configuration: ALPIX engineers may access Controller systems under supervision to install and configure the ALPIX platform, subject to prior written authorisation from Controller.
(b) Technical support: Where Controller requests on-site or remote support, ALPIX engineers may access Controller systems to the minimum extent necessary to resolve the reported issue, under Controller supervision and subject to Controller's security policies.
(c) Software updates: ALPIX may provide software update packages for installation by Controller's IT team. ALPIX does not perform remote updates.
In all cases, ALPIX personnel accessing Controller systems are subject to strict confidentiality obligations and access is logged.
4. Categories of Data Subjects and Personal Data
To the extent applicable, the categories of data subjects whose Personal Data may be processed are: employees, contractors, and agents of the Controller who use enterprise devices on which the ALPIX agent is deployed.
Categories of Personal Data: behavioral workflow metadata including application usage patterns, document interaction timestamps, workflow timing signals, and cross-application transition sequences. The ALPIX platform does not capture document content, communication content, passwords, biometric data, or special categories of Personal Data as defined under Article 9 GDPR.
5. Controller's Obligations
The Controller is responsible for:
(a) ensuring it has a valid legal basis for deploying the ALPIX platform and processing behavioral workflow data of its employees;
(b) providing appropriate notice to employees and conducting works council consultation where required by applicable law;
(c) maintaining a Record of Processing Activities covering the ALPIX deployment;
(d) conducting a Data Protection Impact Assessment where required under Article 35 GDPR;
(e) ensuring that data subject rights requests relating to Client Data are handled by the Controller.
ALPIX provides a deployment documentation package including model employee notification text, DPIA template, and works council information materials to assist Controllers in meeting these obligations. Such materials are provided for guidance only and do not constitute legal advice.
6. ALPIX's Obligations as Processor
To the extent ALPIX acts as Processor under Section 3, ALPIX shall:
(a) process Personal Data only on documented instructions from the Controller;
(b) ensure that persons authorised to process Personal Data are bound by confidentiality obligations;
(c) implement appropriate technical and organisational measures as set out in Section 7;
(d) assist the Controller in meeting its obligations under Data Protection Law, including responding to data subject rights requests to the extent applicable;
(e) delete or return all Personal Data to the Controller upon termination of the Agreement, at the Controller's election;
(f) provide all information necessary to demonstrate compliance with this DPA and cooperate with audits.
7. Technical and Organisational Security Measures
ALPIX implements the following technical and organisational measures in connection with any Processing activities under this DPA:
Encryption: All Client Data is encrypted using AES-256. Encryption keys are generated during deployment and held exclusively by the Controller. ALPIX does not hold encryption keys.
Access controls: Access to Controller systems by ALPIX personnel requires prior written authorisation from Controller, is limited to the minimum necessary, and is conducted under Controller supervision. All such access is logged.
Personnel training: ALPIX personnel with potential access to Controller systems are trained on data protection requirements and are subject to written confidentiality obligations.
Incident response: ALPIX maintains an incident response procedure and will notify Controller within 24 hours of becoming aware of any breach or suspected breach affecting Controller systems.
Vendor security: Any sub-processors engaged by ALPIX are subject to data processing agreements providing equivalent protections to those set out in this DPA.
8. Sub-Processors
Given the on-premise architecture of the ALPIX platform, ALPIX does not engage sub-processors to process Client Data in the normal operation of the platform.
ALPIX may use sub-processors for its own internal business operations (email, CRM, accounting). These processors do not have access to Client Data.
ALPIX will notify Controller of any changes to sub-processors used in connection with services provided under the Agreement with at least 30 days' prior notice, during which time Controller may object on reasonable grounds relating to data protection.
9. Data Subject Rights
As Controller, the Client organisation is responsible for responding to data subject rights requests from its employees relating to Personal Data processed by the ALPIX platform.
ALPIX will assist Controller in responding to such requests to the extent technically feasible and legally required, within the constraints of the on-premise architecture (i.e. where Controller has provided ALPIX with access to relevant systems for this purpose).
Where ALPIX receives a data subject rights request directly that relates to Client Data, ALPIX will promptly forward such request to Controller.
10. International Transfers
Given the on-premise architecture of the ALPIX platform, no Client Data is transferred internationally in the normal operation of the platform. Client Data remains within the Controller's designated infrastructure at all times.
Any international transfer of Personal Data by ALPIX in connection with limited support or deployment activities shall be subject to appropriate safeguards, including Standard Contractual Clauses where applicable.
11. Audit Rights
Controller has the right to audit ALPIX's compliance with this DPA, upon reasonable written notice of no less than 30 days, no more than once per calendar year, and subject to reasonable confidentiality protections.
ALPIX may satisfy audit requirements through the provision of relevant certifications, third-party audit reports, or other documentation in lieu of an on-site audit, subject to Controller agreement.
12. Governing Law
This DPA is governed by the same law as the Master Subscription Agreement, being the laws of Switzerland.
Contact for DPA enquiries: dpa@alpix.com