What is the purpose of this Data Processing Agreement?

The Data Processing Agreement (DPA) sets out the legal framework that allows SwissWPSuite to process personal data on behalf of the Controller. It ensures compliance with GDPR, Swiss nDSG, and CCPA/CPRA, and defines the scope, purpose, and security obligations for the AI plugin and cloud services. The agreement guarantees that data is processed only for the intended purposes and in accordance with the terms agreed in the subscription.

Which regulations govern the DPA?

The DPA applies to the General Data Protection Regulation (EU) 2016/679, the Swiss Federal Act on Data Protection (nDSG), and the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) where applicable. These regulations provide the legal basis for data processing, outlining rights for data subjects and responsibilities for controllers and processors. SwissWPSuite complies with all relevant provisions to protect personal data across jurisdictions.

How is a data breach handled under the DPA?

In the event of a data breach, the Processor must notify the Controller without undue delay, as stipulated by GDPR Art. 33 and Swiss nDSG. The DPA requires the Processor to provide all relevant details, including nature, scope, and remedial actions. The Controller then informs affected individuals and supervisory authorities as required by law.

What role do sub-processors play in this agreement?

The DPA permits SwissWPSuite to engage sub-processors only after obtaining the Controller’s prior written approval. Sub-processors must sign equivalent data processing agreements and adhere to the same security and privacy obligations. The Processor remains fully liable for the actions of any sub-processor.

What security measures does the DPA enforce?

SwissWPSuite is required to implement technical and organizational measures such as encryption, access controls, and regular security assessments. The DPA mandates continuous monitoring and audit rights for the Controller to verify compliance. These safeguards align with GDPR Art. 32 and Swiss nDSG standards, ensuring data confidentiality, integrity, and availability.

Data Processing Agreement – SwissWPSuite Terms & Conditions

Last Updated: March 21, 2026
Effective Date: March 21, 2026

Preamble

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:

Controller: The entity that has entered into a subscription agreement with SwissWPSuite (“you”, “Controller”)
Processor: Swisswpsecure, Le Moulin 3, 1312 Eclepens, Switzerland (“we”, “SwissWPSuite”, “Processor”)

This DPA governs the processing of personal data by SwissWPSuite on behalf of the Controller in connection with the SwissWPSuite AI plugin and associated cloud services.

This DPA is entered into pursuant to:

Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”)
Article 9 of the Swiss Federal Act on Data Protection (“nDSG”)
California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), where applicable

1. Definitions

Terms not defined herein have the meaning given to them in the GDPR or the main Terms of Service.

“Personal Data” — Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1) and nDSG Art. 5(a).
“Processing” — Any operation performed on Personal Data, as defined in GDPR Art. 4(2).
“Sub-Processor” — A third party engaged by the Processor to process Personal Data on behalf of the Controller.
“Data Breach” — A breach of security leading to accidental or cocess to Personal Data.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor provides the SwissWPSuite AI WordPress plugin and associated cloud services, which require the processing of certain data transmitted by the Controller’s WordPress installation to the Processor’s servers.

2.2 Duration

2.3 Nature and Purpose of Processing

Processing Activity	Purpose	Data Involved
License validation	Authenticate the Controller’s subscription	License key, site domain
AI content generation	Generate SEU metadata, FAQs, content rewrites	Content submitted by Controller (titles, descriptions, post bodies)
Sentinel security scanning (Layer 2)	AI-powered security analysis	Scan metadata (site configuration, plugin list, finding summaries — no visitor PII)
Token balance management	Track AI usage and billing	License key, usage amounts, timestamps
Payment processing	Process subscription payments	Delegated to Stripe (see Sub-Processors)
Invoice generation	Tax compliance and accounting	Email, name, address, invoice amounts

2.4 Categories of Data Subjects

2.5 Types of Personal Data

Email address (account identification)
Name and postal address (invoicing, where provided)
Site domain (license validation)
Content submitted to AI features (may incidentally contain personal data such as names mentioned in blog posts)
Token usage records (license key, action type, amount)

3. Obligations of the Processor

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.

3.2 Confidentiality

3.3 Security Measures (GDPR Art. 32)

Encryption in transit: TLS 1.2+ for all API communications
Encryption at rest: Database encryption, encrypted credential storage
Access control: Role-based access, SSH key-only server access, no shared credentials
Data minimization: Only data necessary for the stated purpose is processed
Pseudonymization: Where feasible
Resilience: Server monitoring, automated restart, database backups
Regular testing: Periodic security audits and penetration testing

3.4 Sub-Processor Management

3.4.1 General Authorization

The Controller grants the Processor general written authorization to engage Sub-Processors, subject to the requirements in this Section 3.4.

3.4.2 Current Sub-Processors

Sub-Processor	Purpose	Location	Safeguards
Groq LLC	AI language model processing	USA	Standard Contractual Clauses (SCCs)
Stripe, Inc.	Payment processing (PCI DSS compliant)	USA	EU-US DPF certified

3.4.3 Notification of Changes

The Processor shall inform the Controller of any intended changes to Sub-Processors at least 30 days before the change takes effect.

3.4.4 Sub-Processor Obligations

3.5 Assistance with Data Subject Rights

Providing account data upon authenticated request from the Controller
Deleting or anonymizing data upon the Controller’s written instruction
Responding to Controller inquiries within 10 business days

3.6 Assistance with Data Protection Obligations

3.7 Data Breach Notification

3.8 Deletion and Return of Data

3.9 Audit Rights

4. Obligations of the Controller

5. International Transfers

6. CCPA/CPRA Addendum (US Customers)

7. Liability

8. Term and Termination

9. Governing Law

This DPA is governed by Swiss law. Disputes shall be submitted to the courts of the Canton of Zurich, Switzerland.

10. Contact

Template — consult qualified legal counsel before publishing.