Data Processing Agreement (DPA)

Last updated: February 8, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Firstech AG (“Company”, “we”, “us”) and the customer (“Customer”, “you”) using the Incido Service.

This DPA governs the processing of personal data by the Company on behalf of the Customer in connection with the Service. Processing is strictly limited to what is necessary for Service provision and as documented in these terms. Personal Data will not be used for marketing, profiling, or any purpose unrelated to the Service.

1. Definitions

For the purposes of this DPA:

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined under Swiss FADP and EU GDPR.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • Controller: The entity determining the purposes and means of Personal Data processing.
  • Processor: The entity processing Personal Data on behalf of the Controller.
  • Subprocessor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Roles

  • Customer acts as the Controller of Personal Data.
  • Company (Firstech AG) acts as Processor of Personal Data on behalf of the Customer.

3. Subject Matter, Nature, and Purpose of Processing

  • Subject Matter: Personal Data submitted, stored, or transmitted by the Customer through the Service.
  • Nature of Processing: Collection, storage, access, transmission, and display of Personal Data strictly for Service provision and technical support.
  • Purpose: To provide, maintain, and improve the Incido platform, including customer support and security monitoring.

4. Types of Personal Data

  • User account information (name, email, organization, role)
  • Service usage data (logs, activity, system events)
  • Any other Personal Data provided by Customer through the Service

5. Categories of Data Subjects

  • Employees or contractors of the Customer
  • End-users of the Customer who interact with the Service

6. Company Obligations

The Company shall:

  • Process Personal Data only on documented instructions from the Customer.
  • Implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Assist the Customer in fulfilling its obligations regarding data subject rights (access, correction, deletion) and security obligations under applicable law.
  • Maintain records of processing activities performed on behalf of the Customer.
  • Notify the Customer without undue delay in the event of a Personal Data breach.

7. Subprocessors

The Company may engage Subprocessors to perform processing activities.

A current list of Subprocessors is provided at: https://incido.app/subprocessors

The Company shall provide an updated list of Subprocessors at least annually or upon material change.

The Company shall remain fully liable for Subprocessor compliance with this DPA.

8. International Data Transfers

  • Personal Data may be processed in Switzerland or the European Economic Area (EEA).
  • Transfers outside the EEA or Switzerland will be conducted under standard contractual clauses or equivalent safeguards as required under applicable law.

9. Security Measures

The Company implements industry-standard security measures, including but not limited to:

  • Encryption of data in transit and at rest
  • Access control and multi-factor authentication for administrative access
  • Regular vulnerability assessments and monitoring
  • Secure backup and disaster recovery procedures

10. Data Retention and Deletion

  • Account data is retained until account deletion plus 12 months for legal compliance.
  • Logs and analytics data are retained up to 12 months for security, troubleshooting, and legal compliance.
  • Upon termination of the Service, the Customer may export data, after which the Company will delete all Personal Data in a secure manner unless legal obligations require retention.

11. Audit Rights

  • The Customer may, upon reasonable notice, audit the Company’s compliance with this DPA.
  • Audits may occur once per calendar year or as reasonably required, with prior notice of at least 30 days, and shall not unreasonably interfere with the Company’s operations.
  • Audits may be conducted via documentation review or on-site inspection by the Customer or an appointed auditor, under confidentiality obligations.

12. Liability

The Company’s liability for violations of this DPA is limited to the same extent as under the Terms of Service, except for cases of intent or gross negligence.

13. Amendments

The Company may update this DPA from time to time to comply with legal obligations or improve security and privacy practices.

Material changes will be communicated in advance via the Service or email. Continued use of the Service constitutes acceptance of updated DPA terms.

14. Governing Law

This DPA is governed by Swiss law, excluding conflict-of-law rules.

Disputes shall be subject to the exclusive jurisdiction of the courts of Luzern, Switzerland.


By using the Incido Service, the Customer confirms acceptance of this DPA and agrees that it forms part of the Terms of Service.