Last Updated: March 21, 2026
Effective Date: March 21, 2026
Template Notice: This document is a template. Consult qualified legal counsel in your jurisdiction before publishing.
Preamble
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:
- Controller: The entity that has entered into a subscription agreement with SwissWPSuite (“you”, “Controller”)
- Processor: Swisswpsecure, Le Moulin 3, 1312 Eclepens, Switzerland (“we”, “SwissWPSuite”, “Processor”)
This DPA governs the processing of personal data by SwissWPSuite on behalf of the Controller in connection with the SwissWPSuite AI plugin and associated cloud services.
This DPA is entered into pursuant to:
- Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”)
- Article 9 of the Swiss Federal Act on Data Protection (“nDSG”)
- California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), where applicable
1. Definitions
Terms not defined herein have the meaning given to them in the GDPR or the main Terms of Service.
- “Personal Data” — Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1) and nDSG Art. 5(a).
- “Processing” — Any operation performed on Personal Data, as defined in GDPR Art. 4(2).
- “Sub-Processor” — A third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Breach” — A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor provides the SwissWPSuite AI WordPress plugin and associated cloud services, which require the processing of certain data transmitted by the Controller’s WordPress installation to the Processor’s servers.
2.2 Duration
Processing continues for the duration of the Controller’s subscription, plus a maximum of 30 days for data deletion after termination.
2.3 Nature and Purpose of Processing
| Processing Activity | Purpose | Data Involved |
|---|---|---|
| License validation | Authenticate the Controller’s subscription | License key, site domain |
| AI content generation | Generate SEO metadata, FAQs, content rewrites | Content submitted by Controller (titles, descriptions, post bodies) |
| Sentinel security scanning (Layer 2) | AI-powered security analysis | Scan metadata (site configuration, plugin list, finding summaries — no visitor PII) |
| Token balance management | Track AI usage and billing | License key, usage amounts, timestamps |
| Payment processing | Process subscription payments | Delegated to Stripe (see Sub-Processors) |
| Invoice generation | Tax compliance and accounting | Email, name, address, invoice amounts |
2.4 Categories of Data Subjects
- Site administrators (license holders)
- Indirectly: visitors to the Controller’s site (IP addresses processed locally by the Plugin; not transmitted to Processor except scan metadata summaries)
2.5 Types of Personal Data
- Email address (account identification)
- Name and postal address (invoicing, where provided)
- Site domain (license validation)
- Content submitted to AI features (may incidentally contain personal data such as names mentioned in blog posts)
- Token usage records (license key, action type, amount)
3. Obligations of the Processor
3.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Controller’s instructions are documented in the Terms of Service and this DPA. If the Processor believes an instruction infringes applicable data protection law, it shall inform the Controller without delay.
3.2 Confidentiality
The Processor ensures that persons authorized to process Personal Data are bound by contractual or statutory obligations of confidentiality.
3.3 Security Measures (GDPR Art. 32)
The Processor implements appropriate technical and organizational measures, including:
- Encryption in transit: TLS 1.2+ for all API communications
- Encryption at rest: Database encryption, encrypted credential storage
- Access control: Role-based access, SSH key-only server access, no shared credentials
- Data minimization: Only data necessary for the stated purpose is processed
- Pseudonymization: Where feasible (e.g., scan cache identified by fingerprint, not domain)
- Resilience: Server monitoring, automated restart, database backups
- Regular testing: Periodic security audits and penetration testing
3.4 Sub-Processor Management
3.4.1 General Authorization
The Controller grants the Processor general written authorization to engage Sub-Processors, subject to the requirements in this Section 3.4.
3.4.2 Current Sub-Processors
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Groq LLC | AI language model processing | USA | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Payment processing (PCI DSS compliant) | USA | EU-US DPF certified |
3.4.3 Notification of Changes
The Processor shall inform the Controller of any intended changes to Sub-Processors at least 30 days before the change takes effect. Notification will be sent by email to the address associated with the Controller’s account. The Controller may object to the change within 14 days of notification. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the subscription.
3.4.4 Sub-Processor Obligations
The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-Processor, via a written contract. The Processor remains fully liable for the acts and omissions of its Sub-Processors.
3.5 Assistance with Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) by:
- Providing account data upon authenticated request from the Controller
- Deleting or anonymizing data upon the Controller’s written instruction
- Responding to Controller inquiries within 10 business days
3.6 Assistance with Data Protection Obligations
The Processor shall assist the Controller with:
- Data protection impact assessments (GDPR Art. 35)
- Prior consultation with supervisory authorities (GDPR Art. 36)
- Compliance with security obligations (GDPR Art. 32)
3.7 Data Breach Notification
In the event of a Data Breach, the Processor shall:
- Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach.
- Provide the following information: Nature of the breach (categories and approximate number of data subjects and records affected), contact details of the Processor’s DPO, description of likely consequences, and description of measures taken or proposed to mitigate.
- Cooperate with the Controller’s investigation and notification obligations.
The 48-hour notification timeline is stricter than the GDPR’s 72-hour requirement for the Controller to notify the supervisory authority, giving the Controller adequate time to assess and report.
3.8 Deletion and Return of Data
Upon termination of the subscription:
- The Processor shall delete all Personal Data within 30 days, unless retention is required by law.
- Upon request, the Processor shall provide the Controller with a copy of its data in a structured, commonly used format (JSON or CSV) before deletion.
- Data subject to legal retention obligations (invoices: 10 years under Swiss OR Art. 958f) shall be retained for the minimum required period and then deleted.
- The Processor shall certify deletion in writing upon the Controller’s request.
3.9 Audit Rights
The Controller has the right to audit the Processor’s compliance with this DPA:
- Audit method: The Controller may request a written compliance report, or commission an independent third-party audit.
- Frequency: Once per calendar year, unless a Data Breach has occurred (in which case additional audits are permitted).
- Cost: Audits are conducted at the Controller’s expense.
- Notice: The Controller shall provide at least 30 days’ written notice.
- Scope: Limited to data processing activities covered by this DPA.
- Confidentiality: Audit findings are confidential and may not be disclosed to third parties without the Processor’s consent.
4. Obligations of the Controller
The Controller shall:
- Ensure a lawful basis exists for all Personal Data transmitted to the Processor.
- Provide clear and documented processing instructions.
- Maintain an appropriate privacy policy informing data subjects about processing activities.
- Notify the Processor promptly of any data subject requests that require the Processor’s assistance.
- Ensure that Personal Data transmitted to the Processor is accurate and up-to-date.
5. International Transfers
5.1 Transfer Mechanisms
When Personal Data is transferred from Switzerland or the EU/EEA to a country without an adequacy decision, the transfer is governed by:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914), Module 2 (Controller to Processor), OR
- The EU-US Data Privacy Framework (DPF) or Swiss-US Data Privacy Framework, where the recipient is certified, OR
- Other appropriate safeguards as recognized under GDPR Art. 46 or nDSG Art. 16-17.
5.2 Supplementary Measures
Where required by a Transfer Impact Assessment, the Processor implements supplementary measures including:
- End-to-end encryption of data in transit
- Pseudonymization of identifiers where feasible
- Access controls limiting personnel who can access Personal Data
6. CCPA/CPRA Addendum (US Customers)
Where the California Consumer Privacy Act or California Privacy Rights Act applies:
- The Processor acts as a Service Provider as defined in CCPA Section 1798.140(ag).
- The Processor shall not sell, share, or use Personal Data for any purpose other than performing the services specified in this DPA.
- The Processor shall not combine Personal Data received from the Controller with data from other sources, except as permitted by the CCPA.
- The Processor shall comply with the Controller’s instructions regarding consumer rights requests (know, delete, correct, opt-out).
- The Processor certifies that it understands the restrictions in this Section and will comply with them.
7. Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party is liable for damages caused by its breach of this DPA in accordance with applicable data protection law.
8. Term and Termination
This DPA enters into force upon the Controller’s acceptance of the Terms of Service and remains in effect for the duration of the processing. The obligations in Sections 3.7 (Breach Notification), 3.8 (Deletion), and 3.9 (Audit) survive termination.
9. Governing Law
This DPA is governed by Swiss law. Disputes shall be submitted to the courts of the Canton of Zurich, Switzerland, without prejudice to the data subject’s right to lodge a complaint with a supervisory authority.
10. Contact
Processor:
Swisswpsecure
Le Moulin 3, 1312 Eclepens, Switzerland
Data Protection Officer: [email protected]
Template — consult qualified legal counsel before publishing.