Data Processing Agreement

Template Data Processing Agreement under Article 28 EU GDPR and Article 9 Swiss FADP. Download the PDF for execution.

To execute, request a counter-signed copy from privacy@legalaudit.ch. Material changes are notified at least 30 days in advance.

1. Parties and roles

This DPA is entered into between the Customer (Controller) and LegalAudit SA, Lugano, Switzerland (Processor). For subject-matter under EU GDPR, LegalAudit acts as Processor. Where LegalAudit determines technical means strictly necessary to deliver the service, it does so on documented instructions from the Controller.

2. Definitions

Personal Data, Processing, Controller, Processor, Sub-processor and Supervisory Authority have the meaning given in EU GDPR Art. 4 and Swiss FADP Art. 5. "Services" means the LegalAudit Cyber Console, forensic dossier generation, Expert Review, and Enterprise monitoring.

3. Subject matter, duration and nature of processing

Subject matter: technical triage of customer-submitted artefacts (URLs, files, archives, emails) and generation of forensic dossiers. Duration: for the term of the service agreement plus the retention windows defined in Section 10. Nature: storage, scanning, sandboxed extraction, AI-assisted analysis, and dossier rendering.

4. Categories of data subjects and personal data

Data subjects: authorised users of the Customer; data subjects referenced inside submitted evidence (names, email addresses, IP addresses, financial identifiers). Personal data categories: identification data, professional contact data, technical telemetry, and any personal data contained in submitted evidence.

5. Processor obligations

LegalAudit processes Personal Data only on documented Controller instructions, ensures personnel are bound by confidentiality, implements the security measures in Section 7, assists the Controller with its obligations under Articles 32 to 36 GDPR, deletes or returns Personal Data at the end of the engagement, and makes available all information necessary to demonstrate compliance.

6. Sub-processors

The Controller grants general authorisation for the sub-processors listed at legalaudit.ch/trust/subprocessors. LegalAudit notifies the Controller of intended changes at least 30 days in advance and the Controller may object on reasonable grounds. Existing sub-processors are bound by written contracts imposing materially the same obligations.

7. Security measures

Encryption in transit (TLS 1.3 with HSTS preload), encryption at rest (AWS KMS SSE-KMS, customer-segregated paths), hash-chained WORM audit log (SHA-256), least-privilege IAM, ClamAV scanning of every upload, bubblewrap-sandboxed archive extraction, SSRF guards on outbound fetches, mandatory MFA for staff with production access, role-based access control, and quarterly access reviews.

8. Breach notification

LegalAudit notifies the Controller of any Personal Data breach without undue delay and in any case within 24 hours of becoming aware of it, via security@legalaudit.ch. The notification includes the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed.

9. Data subject rights

LegalAudit assists the Controller with appropriate technical and organizational measures, insofar as possible, to fulfil obligations under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Customer-facing requests received by LegalAudit are forwarded to the Controller within 2 business days.

10. Retention and deletion

Free chat: 24 hours. Paid chat: 30 days. Forensic dossiers: retained for the customer relationship plus statutory archival. Audit logs: 13 months minimum (Swiss CC Art. 958f obligations). On termination, LegalAudit deletes or returns all Personal Data within 30 days, except where Union or Swiss law requires retention.

11. International transfers

Primary data residency is Switzerland and the European Union. Where a sub-processor processes data outside the EEA/Switzerland, transfers rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the Swiss Addendum, with transfer impact assessments on file.

12. Audit rights

Once per calendar year, with 30 days' written notice, the Controller may audit compliance with this DPA either by review of independent audit reports (SOC 2, ISO 27001 when available) or by an on-site audit conducted by a mutually agreed third-party auditor under confidentiality. Costs are borne by the Controller unless material non-compliance is identified.

13. Liability and term

Liability is subject to the limitations set out in the master service agreement. This DPA enters into force on signature, runs for the term of the underlying agreement, and survives until the last Personal Data has been deleted or returned.

14. Governing law

This DPA is governed by Swiss substantive law. The competent forum is Lugano, Switzerland, without prejudice to mandatory rules of EU Member States protecting data subjects.

Annexes

Annex A — Processing details

Nature, purpose, duration, categories of data and data subjects as set out in Sections 3 to 4.

Annex B — Approved sub-processors

Current list maintained at legalaudit.ch/trust/subprocessors. Changes notified via the trust center and via email to Controller designated contacts.

Annex C — Technical and organizational measures

Detailed at legalaudit.ch/trust/security.

Informational document published by LegalAudit SA. Statements reflect the current state of controls and are reviewed quarterly. They are not a contractual warranty unless incorporated into a signed agreement. For binding terms request the executed DPA at privacy@legalaudit.ch.