Data Processing Agreement

1. Purpose

1.1 EasyLife 365 AG ("EasyLife") provides customers ("Customers" or "Customer", together with EasyLife: "the Parties") with software for the governance and provisioning of Microsoft 365 tools ("Product"). The Product is provided based on and in accordance with the General Terms And Conditions ("Main Contract"), which the Customer has accepted when ordering the Product.

1.2 The provision of the Product involves processing personal data by EasyLife on behalf of the Customer. The object and purpose of this data processing agreement ("DPA" or "Agreement") are to define the rights and obligations of the Parties under data protection law in connection with the use and provision of the Product governed by the Main Contract.

1.3 This Agreement forms an integral part of the Main Contract and assists the Parties in complying with the regulations on the processing of personal data, including applicable data protection law in the United States, Mexico, Canada, Switzerland and the European Union, in particular the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Swiss Federal Data Protection Act ("CH-DSG", SR 235.1) and the EU General Data Protection Regulation ((EU) 2016/679, "GDPR"), and any other data protection law, without jurisdictional limits, effective now or in the future (here, “Data Protection Laws”). Where and to the extent applicable, this Agreement also supports the Parties in complying with Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (“Data Act”) for data processed within the Product.

2. Scope

2.1 The provisions of this DPA, together with its annexes, which form an integral part of the DPA, shall apply to all activities related to the Main Contract in which EasyLife processes personal data on behalf of the Customer.

2.2 The categories of personal data to be processed, the type and purposes of the processing, and the categories of data subjects are listed in Annex 1 to this DPA.

2.3 To the extent EasyLife, in connection with the Product, qualifies as a provider of data processing services and/or as a data holder under the Data Act, this Agreement also governs the rights and obligations of the Parties in relation to such roles and to data that falls under the scope of the Data Act and is stored or otherwise processed within the Product environment (“Exportable Data”). Data that remains solely within Microsoft 365, Entra ID or other systems controlled by the Customer is outside the scope of this Agreement for the purposes of the Data Act.

3. Definitions

3.1 Unless otherwise defined in this Agreement, all terms shall have the same meaning as in Data Protection Laws. If the terms or their equivalents (e.g., "sensitive personal data" and "special categories of personal data") are understood differently in the provisions applicable in the specific case, the term shall be understood for this DPA to include a broader understanding and thus ultimately cover all meanings. If a contradiction between the provisions applicable in the specific case cannot be resolved by this means, the understanding under the law applicable to the Agreement shall prevail.

3.2 For this Agreement:

• (a) “Security Incident” means any data breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data on systems managed or otherwise controlled by Customer.
• (b) "Subcontractor" means any service provider engaged by EasyLife (or any other Subcontractor of EasyLife) to process personal data in connection with the Main Contract or this Agreement. Subcontractors within the meaning of this Agreement are only those who provide services that are directly related to the provision of the Product by EasyLife. In particular, service providers who merely provide ancillary services, such as the testing or maintenance of data processing procedures or systems by other bodies, telecommunications services, postal and transport services, or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems shall not be considered Subcontractors.
• (c) "in writing" or "written" shall also mean in an electronic form that enables proof by text, including communication by e-mail.
• (d) “Data Act” means Regulation (EU) 2023/2854 of the European Parliament and of the Council on harmonised rules on fair access to and use of data.
• (e) “Non-Personal Data” means any data that does not qualify as personal data under applicable Data Protection Laws.
• (f) “Mixed Dataset” means any dataset that contains both personal data and Non-Personal Data.
• (g) “Exportable Data” means Customer-related data (personal or non-personal) that is generated or stored within the Product and which EasyLife is required to make available to the Customer, or to another provider designated by the Customer, under the Data Act and this Agreement, excluding data that remains exclusively in Microsoft 365, Entra ID or other systems fully controlled by the Customer or third parties.
• (h) “Data Processing Services” means services provided by EasyLife that qualify as “data processing services” within the meaning of the Data Act (in particular Chapter 4).
• (i) “Switching” means the migration by the Customer of Exportable Data from the Product to another data processing service or to the Customer’s own environment in accordance with the Data Act and this Agreement.

4. Legal responsibility of the Customer

4.1 Within the scope of this DPA, the Customer remains the controller in terms of Data Protection Law.

4.2 For purposes of Data Protection Law, Customer acknowledges and agrees that EasyLife is a “Service Provider” under Data Protection Laws. As a Service Provider, EasyLife will not collect, use, retain, disclose, sell, or otherwise make personal data available for any purpose other than for the specific purposes set forth herein or as instructed by Customer in writing.

4.3 The Customer warrants that the transfer of personal data and the processing of such data by EasyLife and the Subcontractors as outlined in this Agreement are permissible under Data Protection Law and are not prohibited by any other statutory or contractual provision applicable to the Customer. The Customer shall remain solely responsible for compliance with its obligations under the applicable data protection provisions, particularly the fulfilment of data subjects’ requests.

4.4 The Customer has verified that the technical and organizational measures implemented by EasyLife as described in Annex 2 are sufficient to ensure adequate data protection for the personal data to be processed by EasyLife and comply with all applicable Data Protection Laws.

4.5 The Customer shall inform EasyLife immediately if it discovers any violations or irregularities concerning data protection provisions or its instructions during the term of the Agreement.

4.6 On request, the Customer shall provide EasyLife with all the information necessary to maintain a record of all processing activities carried out on the Customer's behalf, insofar as it is not available to EasyLife itself in easily accessible and useful form.

4.7 If EasyLife is required to provide information to a governmental body or person on the processing of personal data within the scope of this DPA or to cooperate with these bodies or persons in any other way, the Customer is obliged at the first request to assist EasyLife in providing such information and in fulfilling other cooperation obligations.

4.8 For the purposes of the Data Act, the Customer remains responsible for data processed solely within its own Microsoft 365, Entra ID or other third-party environments. To the extent EasyLife qualifies as a data holder or provider of Data Processing Services under the Data Act in relation to Exportable Data, the Parties shall comply with the respective obligations set out in this Agreement and in the Data Act, without prejudice to the Customer’s responsibilities under applicable law.

5. Data processing and obligation to follow instructions

5.1 EasyLife shall process all personal data within the scope of this DPA on behalf of the Customer and by the documented instructions of the Customer and by this Agreement, unless EasyLife is legally required to do otherwise. In the latter case, EasyLife shall inform the Customer of that legal requirement before processing unless that law prohibits such information on important public interest grounds.

5.2 The Customer’s instructions are, in principle, exhaustively stipulated and documented in the provisions of this DPA. Individual instructions derogating from this DPA's stipulations or imposing additional requirements shall require EasyLife's written consent. In this case, the instructions shall be documented in an appropriate form, and the additional costs incurred by EasyLife, as a result, shall be borne by the Customer, whereby EasyLife reserves the right to implement the individual instruction under any other procedure provided for in the Main Contract.

5.3 The Customer shall ensure that instructions are as clear and comprehensible as possible, comply with the applicable laws, in particular data protection law, and are compatible with the other requirements in this DPA. If EasyLife is of the opinion that an instruction infringes this Agreement or applicable data protection law, it is after informing the Customer entitled to suspend the execution of the instruction until the Customer confirms the instruction.

5.4 EasyLife reserves the right to anonymize or aggregate the personal data processed on behalf of the Customer in such a way that it is no longer possible to identify individual data subjects and to use them in this form for designing, developing, and optimizing the Product and other services to meet the needs of customers as well as for the purposes agreed upon in the Main Contract. The Parties agree that anonymized and, according to the above requirement, aggregated personal data are not considered personal data for this Agreement. Clarifying: The use of such Data is only to increase the Security and Quality of the Products of EasyLife; compliant with the regulatory requirements.

5.5 In principle, EasyLife shall process the personal data on behalf of the Customer inside the European Economic Area (EEA) or Switzerland. EasyLife is nevertheless permitted to process the personal data by the provisions of this Agreement outside the EEA or Switzerland if the Customer is informed in advance about the place of data processing and if the requirements of the applicable data protection provisions about cross-border transfers are fulfilled.

5.6 To the extent EasyLife provides Data Processing Services and/or acts as a data holder under the Data Act in relation to Exportable Data, EasyLife shall process such data solely for the purposes of providing, maintaining and securing the Product, fulfilling its statutory obligations (including under the Data Act) and complying with the Customer’s documented instructions, and shall not use Exportable Data for the benefit of another customer or third party, except as expressly permitted by the Main Contract, this Agreement or applicable law.

6. Technical and organizational measures

6.1 EasyLife shall implement appropriate technical and organizational measures within the meaning of the CH-DSG and the GDPR or other applicable Data Protection Laws and as set out in Annex 2 to this Agreement. EasyLife is entitled to change the organizational and technical measures. However, it has to be ensured that the contractually agreed level of protection is not reduced.

6.2 EasyLife shall ensure that all persons engaged in processing personal data on behalf of the Customer are subject to a contractual or statutory duty of confidentiality concerning this data processing.

7. Information, cooperation, and support obligations of EasyLife

7.1 EasyLife shall support the Customer as far as possible and reasonable in fulfilling the requests and claims of data subjects laid down in Chapter III GDPR, in complying with the provisions on the security of the processing of personal data, and in complying with the requirements for reporting data breaches and for carrying out data protection impact assessments (including prior consultation). Where and to the extent applicable, EasyLife shall also support the Customer in fulfilling obligations arising under the Data Act in relation to Exportable Data, including in relation to interoperability, Switching and the provision of information on formats and interfaces. The Customer shall reimburse EasyLife for any documented expenses and costs incurred as a result. This shall not apply in the cases where the support became necessary due to (i) a breach of law applicable to the data processing under this DPA and/or (ii) a breach of this DPA, by EasyLife.

7.2 As far as a data subject submits a request for the exercise of his rights directly to EasyLife, EasyLife will forward this request to the Customer in a timely manner.

7.3 EasyLife will provide the Customer with all information necessary and available to prove compliance with the obligations outlined in this Agreement, to the extent that the Customer does not already have such information.

7.4 The Customer shall have the right to audit EasyLife's compliance with this Agreement (including inspections) or to have such audit conducted by a qualified third party subject to a duty of confidentiality. EasyLife shall allow for and, as far as reasonable, contribute to such audits upon reasonable notice to EasyLife. The Customer shall reimburse EasyLife for any documented expenses and costs incurred as a result, unless the reason for the inspection was caused by (i) a breach of law applicable to the data processing under this DPA and/or (ii) a breach of contract, by EasyLife. The costs incurred on the part of the Customer shall be borne by the Customer.

7.5 In order to carry out inspections in accordance with Section ‎7.4, the Customer is, as far as reasonable and necessary to comply with the data protection requirements, entitled to access the business premises of EasyLife in which personal data is processed on behalf of the Customer within the usual business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) after timely advance notification at his own expense, without disruption of the course of business and under strict confidentiality of EasyLife's business and trade secrets. EasyLife is entitled, at its own discretion and taking into account the customer's legal obligations, not to disclose information sensitive about EasyLife's business or if EasyLife would be in breach of statutory or other contractual provisions as a result of its disclosure.

7.6 At the discretion of EasyLife, proof of compliance with the obligations under this Agreement may be provided, instead of an inspection, by submitting an appropriate, current report from an independent and qualified company or authority (e.g. certified auditor) or a suitable certification, if the opinion, report or certification enables the Customer to appropriately verify the compliance with obligations under this Agreement.

7.7 Clarifying ‎7.5 and ‎7.6: If and as far as Customer has reasonable grounds to believe, that the provided documents or procedures in ‎7.5 or ‎7.6 are insufficient or do not enable the Customer to comply with his obligations under GDPR, Customer may conduct an inspection according to sec. ‎7.4. In cases of urgency or outstanding importance such inspections are not bound to business hours or prior notification

7.8 Upon becoming aware of a Security Incident, EasyLife shall notify the Customer without undue delay or as otherwise required by Data Protection Laws and provide information relating to the Security Incident as EasyLife is able. EasyLife will promptly take reasonable steps to contain and investigate any Security Incident.

7.9 EasyLife’s notification of or response to a Security Incident under ‎7.8 shall not be construed as an acknowledgment by EasyLife of any fault or liability with respect to the Security Incident.

7.10 EasyLife processes logs and troubleshooting data for a limited retention period (as described in Annex 1) exclusively for security, operational and diagnostic purposes. Such data is not intended to form part of Exportable Data; however, where required under the Data Act and technically feasible, EasyLife will, upon Customer’s written request, reasonably cooperate to provide access to or exports of such data, provided that this does not adversely affect the security or confidentiality of EasyLife’s or other customers’ systems or data.

8. Subcontractors

8.1 The Customer grants EasyLife the general authorization to engage Subcontractors with regard to the processing of personal data on behalf of the Customer. Annex 3 contains a list of the Subcontractors engaged by EasyLife at the time of conclusion of the Agreement.

8.2 EasyLife shall inform the Customer in writing in advance of any intended subcontracting or replacement of existing Subcontractors. The Customer may only raise an objection for important reasons relating to data protection (e.g. if the subcontractor does not fulfil the requirements of Art. 28 para 1 GDPR), which the Customer must prove to EasyLife. If the Customer does not object within 14 days after receipt of the notification, its right to object concerning this subcontractor shall expire. If the Customer objects in compliance with the aforementioned conditions, EasyLife is entitled to terminate the Main Contract and this Agreement extraordinarily in the sense and according to the conditions of the Main Contract.

8.3 EasyLife shall conclude a written contract with the Subcontractors engaged. The contract must impose the same obligations on the Subcontractors as are imposed on EasyLife under this Agreement. The Parties agree that this requirement is met if the contract has a level of protection equivalent to this Agreement.

8.4 Subject to compliance with the requirements of Section ‎5.5 of this Agreement, the provisions of this Section ‎8 shall also apply if a Subcontractor outside of Switzerland or the EEA is involved. The Customer hereby authorizes EasyLife to conclude a contract with another Subcontractor on behalf of the Customer based on the modernized standard contractual clauses in accordance with Implementing Decision (EU) 2021/914 of the EU Commission ("modernized standard contractual clauses"). The Customer shall support EasyLife in entering into such a contract and complying with all the requirements for the cross-border transfer of personal data on behalf of the Customer within the scope of this Agreement. EasyLife may, at its sole discretion, require the Customer to enter into such a contract directly with the respective Subcontractor. Any refusal by the Customer to support or enter into the contract shall entitle EasyLife to terminate the Main Contract and this Agreement extraordinarily in the sense and according to the terms of the Main Contract.

9. Duration and termination of the Agreement

9.1 This Agreement shall apply between the Parties as of the effective date of the Main Contract and is concluded for an indefinite period for as long as EasyLife has personal data from the Customer.

9.2 Upon termination of this Agreement, EasyLife shall, according to the Customer’s instructions

• (a) return all personal data within the scope of this Agreement and all copies thereof, including personal data supplied by and collected on behalf of the Customer, or
• (b) destroy such personal data and copies thereof.

The return and/or destruction shall be confirmed in writing to the Customer.

9.3 Section ‎9.2 does not apply to personal data that EasyLife is legally obligated to store or data required to document proper and correct data processing on behalf of the Customer or to enforce or defend claims arising from this Agreement or the Main Agreement.

10. Indemnification and bearing of costs

10.1 EasyLife's liability under this Agreement shall be governed by the disclaimers and limitations of liability provided in the Main Contract. As far as third parties assert claims against EasyLife which are caused by the Customer's breach of this Agreement, of an agreement with other service providers (e.g., Microsoft), or one of his obligations under the applicable data protection law, the Customer shall upon the first request indemnify and hold EasyLife harmless from these claims.

10.2 The Customer undertakes to indemnify EasyLife upon the first request against all possible fines imposed on EasyLife corresponding to the Customer's part of the responsibility for the infringement sanctioned by the fine.

11. Data Act–specific provisions

11.1 Roles under the Data Act To the extent applicable, the Parties acknowledge that:

• (a) EasyLife qualifies as a provider of Data Processing Services for the Product within the meaning of the Data Act; and
• (b) EasyLife may qualify as a data holder only with respect to Exportable Data stored within the Product environment, but not with respect to data that remains solely within Microsoft 365, Entra ID or other systems under the exclusive control of the Customer or third parties.

11.2 Exportable Data and portability EasyLife shall make Exportable Data available to the Customer in a commonly used, machine-readable and structured format through self-service interfaces (including export functionalities and APIs) as provided by the Product. Such exports shall be provided free of charge, save for justified and documented additional efforts requested by the Customer that go beyond the standard functionality of the Product.

11.3 Switching and absence of undue obstacles EasyLife shall not impose unjustified contractual, technical or commercial obstacles to Switching in relation to Exportable Data. In particular, EasyLife:

• (a) shall not charge specific fees for Switching, other than for additional services expressly requested by the Customer that exceed the standard export capabilities;
• (b) shall enable the Customer, where technically feasible and as supported by the Product, to run the Product in parallel with another service during a transition period; and
• (c) shall provide reasonable cooperation and information necessary to enable the effective migration of Exportable Data to another service or to the Customer’s own environment.

11.4 Transparency on formats, interfaces and APIs EasyLife shall document and make available to the Customer information on the export formats, relevant data structures and interfaces (including APIs) used to access Exportable Data within the Product. Such documentation may be provided via technical documentation, online help, or other written means.

11.5 Third-country governmental access to Non-Personal Data Where EasyLife receives a legally binding request from a third-country authority for access to Non-Personal Data or Mixed Datasets covered by the Data Act and stored within the EU or Switzerland, EasyLife shall, to the extent permitted by law:

• (a) notify the Customer of the request without undue delay;
• (b) assess the legality and scope of the request, and challenge any request that appears to be manifestly unlawful or disproportionate;
• (c) provide access only to the extent strictly required to comply with the request; and
• (d) document the request and the response in an appropriate manner.

11.6 Public sector access under exceptional need EasyLife does not, in the ordinary course of providing the Product, hold data that falls within the “exceptional need” access regime for public sector bodies as defined in the Data Act. Should such a situation arise, the Parties shall cooperate in good faith to comply with any applicable obligations, allocate responsibilities and implement appropriate technical and organisational measures, taking into account the role of the Customer as controller and the role of EasyLife as processor and, where relevant, data holder.

12. Various

12.1 Each party shall provide courts or supervisory authorities, and the Customer shall provide all data subjects a copy of the contents of this Agreement upon their request or if required by law.

12.2 In principle, this Agreement can be amended only with the written consent of both Parties. The Customer may clarify Annex 1, provided this does not lead to any significant change in the processing. EasyLife must be notified immediately of any such amendments. Within the scope of technological progress and developments, EasyLife is also permitted to amend details of individual technical and organizational measures, insofar as these are adequate measures and at the same time do not reduce the level of security of the previous steps. EasyLife shall inform the Customer of any such amendments.

12.3 The Customer shall not assign or transfer this Agreement or any rights or obligations arising from this Agreement to third parties without the prior written consent of EasyLife.

12.4 The substantive laws of Switzerland shall govern this Agreement. All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the ordinary courts at the registered office of EasyLife. Mandatory provisions and places of jurisdiction remain reserved.  

Annex 1: Description of the processing

A1.1. Categories of personal data to be transferred and/or processed:

• Company Name
• Name
• Business address
• Telephone number
• Email address
• Contractual data (contractual relationship, product, or contractual interests)
• Customer history, contract implementation, payment data
• Audit logs (Authentication against EasyLife services)
• Data related to the implementation of the Product
• Data related to the use of the Product
• Activity logs for troubleshooting purposes (retained for a maximum of 90 days for security and diagnostic purposes)
• Data related to the Customer’s Microsoft 365 environment and tools (e.g., TenantId, domains)

A1.2. Type and purpose of the data processing:

All processing operations are required to provide the Product, and the complementary services based on the Main Contract concluded with the Customer (such as collection, processing, analysis, transfer, and storage). This includes, where applicable, the provision of Exportable Data and support for Switching and interoperability in accordance with the Data Act.

A1.3. Categories of data subjects:

• Employees (internal)
• Contact persons
• Employees of external companies
• Interested parties

Annex 2: Technical and organizational measures

A2.1. Entry Control

Measures to prevent unauthorized persons from accessing data processing systems with which personal data are processed.

The Service is a PaaS service consumed by EasyLife and governed by Microsoft 365. There is no physical access to such environments.

A2.2. Access Control

Measures to prevent the use of data processing systems by unauthorized persons:

• Assignment of user rights
• Password assignment
• Authentication with username/password
• Use of intrusion prevention systems
• Additional measures: web-application firewalls, regular vulnerability scans, regular penetration testing, patch management, minimum requirements for password complexity
• Access Control governed by Conditional Access, Privileged Identity Management (PIM), and Multi-factor Authentication
• Encryption of storage accounts
• Use of mobile device management (for example, remote locking and wiping of smartphones)
• Hardware encryption for notebooks
• Use of a software firewall (office clients)

A2.3. Access Rights Control

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access rights and that personal data cannot be processed, used, or stored without authorization, read, copied, modified, or removed:

• Creation of an authorization concept
• Number of administrators reduced to the "absolute minimum.”
• Logging of the application access, especially for entry, modification, and data deletion
• Hardware encryption
• Rights management by system administrators
• Password policy with guidelines on password length, password change management

A2.4. Transfer Control

Measures to ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or while being transported or stored on data carriers and that it can be verified and ascertained to which bodies the transmission of personal data using data transmission facilities is intended:

• Documentation of data recipients and transmission times, including agreed deletion times
• Hardware encryption
• Data disclosure (only) in anonymized or coded form
• Overview of general requests and delivery operations
• TLS encryption for all communications (web client, APIs, mobile apps)

A2.5. Input control

Measures to ensure that it is possible to verify at a later date whether and by whom personal data can be entered, modified, or removed in data processing systems:

• Logging of entry, modification, and deletion of data
• Traceability of data entry, modification, and deletion by individual users (not user groups)
• Assignment of rights for entry, modification, and deletion of data based on an authorization concept
• Creation of an overview of the approved applications for entering, modifying, or deleting data
• Storage of forms through which data has been collected using automated processing

A2.6. Instruction control

Measures to ensure that data further processed on behalf and in agreement with the data controller are only processed on its instructions:

• Selection of subcontractors taking into account their history (especially about information security)
• Written instructions to subcontractors
• Ensure that subcontractors have appointed a data protection officer
• Effective control rights assured by subcontractors
• Prior review of documentation and security measures taken by subcontractors
• Obligation of subcontractor's employees to maintain confidentiality
• Secure deletion of data at the end of the contract
• Continuous monitoring of subcontractors and their activities

A2.7. Availability Check

Measures to ensure that personal data is protected against accidental destruction or loss:

• Testing of data recovery
• Creation of backup & recovery concepts
• Preparation of an emergency response plan
• Several data centers in the active configuration

A2.8. Principle of Separation

Measures to ensure that personal data collected for different purposes are processed separately:

• Creation of an authorization concept
• Records with purpose attribute/data fields
• Authorized and documented database rights
• Logical client separation (at software level)
• For coded data: Separation of the assignment file and storage on a separate secured IT system
• Separation of productive and test systems

 

Annex 3: List of approved Subcontractors

Name	Address	Processing Purpose
Microsoft	Blackthorn Road - 18 Dublin, Ireland	Provision of Azure infrastructure and execution of API calls to the customer’s tenant
HubSpot	277 Rue Saint-Honoré in Paris, France	CRM for contract and contact management
Bexio	Alte Jonastrasse 24 - 8640 Rapperswil, Switzerland	Billing system
Zammad	Marienstrasse 18 – 10117 Berlin, Germany	Support & Helpdesk

For EasyLife 365 Collaboration and EasyMeet 365 exclusively:

Name	Address	Processing Purpose
Twilio Sendgrid	375 Beale St Ste 300 - 94105 San Francisco, USA	Sending of e-mail communication to customers

Annex 4: Journal of changes

Date	Article	Subject of Change
2025-01-01		Creation of the New DPA Version 2025
2025-11-13	1, 2, 3, 4, 5, 7, 11, Annex 1	Alignment with Regulation (EU) 2023/2854 (Data Act), clarification of roles as data processing service and data holder, Exportable Data and Switching, transparency and third-country request handling for Non-Personal Data.