Data Processing Agreement

This Data Processing Agreement (the "DPA") is entered into between the customer that has accepted the Guard.ch Terms of Service (the "Customer") and the operator of Guard.ch:

Processor

Zesiger.net (registered name), Switzerland, trading as Guard.ch

Legal representative

Janis Zesiger

Data protection contact

[email protected]

Registered address and identifiers

As published in the Imprint

This DPA forms an integral part of the Terms of Service whenever the Customer processes personal data of third parties through Guard.ch. By accepting the Terms, the Customer accepts this DPA on behalf of itself and any affiliate using its account. The DPA is deemed executed by both parties upon the Customer's acceptance of the Terms of Service and takes effect without a separate signature. Customers may request a countersigned copy by writing to [email protected].

Where applicable data protection law requires additional clauses (for example the EU Standard Contractual Clauses, the Swiss FDPIC-recognised equivalent, or the UK International Data Transfer Addendum), those clauses are incorporated by reference and prevail over any conflicting term of this DPA or the Terms of Service. As between this DPA and the Terms of Service, this DPA prevails for data protection matters.

Unless otherwise defined, capitalised terms have the meanings below or, failing that, the meanings given in the Terms of Service.

Applicable Data Protection Laws

The Swiss Federal Act on Data Protection (FADP), Regulation (EU) 2016/679 (GDPR), the UK GDPR and the UK Data Protection Act 2018, and any other privacy or data protection statute that applies to the parties' processing under this DPA.

Controller

The natural or legal person that determines the purposes and means of the Processing of Personal Data.

Processor

Zesiger.net, processing Personal Data on behalf of the Controller.

Personal Data

Any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller in the course of providing Guard.ch.

Processing

Any operation performed on Personal Data, including collection, recording, storage, retrieval, transmission, erasure or destruction.

Subprocessor

A third party engaged by the Processor to process Personal Data on behalf of the Controller, including hosting providers, edge node operators, and storage vendors.

Data Subject

The identified or identifiable natural person to whom Personal Data relates.

Service

The Guard.ch website investigation service: the Controller submits a target URL, the Service opens it inside an isolated remote browser, records what happens, and makes the resulting Capture and automated analysis available to the Controller for review and replay.

Investigation

A single, time-bounded run of the Service against a target URL submitted by the Controller, as defined in the Terms of Service.

Capture

The artefacts produced by an Investigation (display recording, network and event log, cookies, certificates, lookups, and derived analysis), stored against the workspace that initiated the Investigation.

The Processor processes Personal Data on the Controller's behalf solely to deliver the Service and to comply with the Controller's documented instructions. The detailed description of the Processing is set out in Annex I below and summarised here.

For the Processing of Capture content and workspace artefacts, the Customer is the Controller and Zesiger.net is the Processor. The Customer determines the URLs that are investigated and the personnel with access to the workspace.

For limited matters where each party determines its own purposes and means, both parties act as independent controllers. Consistent with Section 6.1 of the Privacy Policy, these limited matters include: billing and tax records; detecting and preventing abuse of the Service; securing the Processor's platform and infrastructure; statutory record-keeping by the Processor; compliance with legal obligations binding on the Processor (for example a binding order from a Swiss authority); and the operation of the Processor's own marketing site. The Processor does not use Capture content for any other own purpose and does not use it to train models.

The Customer warrants that it has a valid legal basis under Applicable Data Protection Laws for instructing the Processor to investigate the URLs and content it submits, including any required transparency notices to data subjects of the investigated sites where legally required. The description of what an Investigation records, including the limits of the built-in minimisation, is set out in Section 4.3 of the Privacy Policy and forms part of the Controller's documented instruction.

The Service lets the Customer switch an Investigation's replay from private (the default) to link sharing, which makes the replay viewable by anyone in possession of the link until sharing is revoked or the retention window expires. Enabling link sharing constitutes a documented instruction to disclose that Capture to any holder of the link. The Customer is responsible for the lawfulness of that disclosure, including towards third parties whose personal data, credentials, cookies, or form inputs appear in the Capture, and for revoking sharing when it is no longer needed.

The Processor undertakes the following with respect to the Controller's Personal Data.

5.1 Documented instructions

The Processor processes Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do otherwise by Union or Member State law, Swiss law, or other law to which the Processor is subject. In that case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are set out in this DPA, the Terms of Service, the capture behaviour documented in the Privacy Policy, and any in-product configuration chosen by the Controller (workspace settings, plan selection, access controls). The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Laws.

5.2 Confidentiality (Art. 28(3)(b) GDPR)

The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to what each person needs to perform their role.

5.3 Security of processing (Art. 32 GDPR; Art. 8 FADP)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A summary of those measures is set out in Annex II and described in detail at /legal/security. The Processor assesses and evaluates the effectiveness of those measures on an ongoing basis and updates them as the threat landscape and the state of the art evolve, without materially degrading the overall level of protection during a subscription term.

5.4 Assistance with data subject requests

Taking into account the nature of the Processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection) and the corresponding rights under the FADP and UK GDPR. Where a data subject contacts the Processor directly about Capture content, the Processor will forward the request to the Controller without undue delay and will not respond on substance except where it processes the same data as an independent controller under section 4.

5.5 Assistance with security, DPIA, and consultation duties (Arts. 32 to 36 GDPR)

The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor. This includes assistance with data protection impact assessments and prior consultations with supervisory authorities, and the breach assistance described in section 9.

5.6 Return or deletion at end of services

At the choice of the Controller, the Processor deletes or returns all the Personal Data to the Controller after the end of the provision of services relating to Processing, and deletes existing copies unless Union or Member State law, Swiss law, or other applicable law requires storage of the Personal Data. Standard deletion happens automatically when the plan retention window expires (one day on Free plans, one month on paid plans). After termination of the subscription, Captures are retained for up to one (1) month to allow export, then deleted together with workspace metadata, consistent with section 14 of the Terms of Service. The Controller may request earlier deletion in writing. Encrypted backups age out within a further thirty-five (35) days after primary deletion. Records the Processor must keep under statutory retention duties (for example Swiss bookkeeping records under Art. 958f of the Code of Obligations) are retained for the statutory period only.

5.7 Demonstration of compliance

The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allows for and contributes to audits conducted by the Controller or another auditor mandated by the Controller, subject to section 10 below.

The Controller grants the Processor a general written authorisation to engage Subprocessors for the Processing of Personal Data. The current list of authorised Subprocessors, including each vendor's role, location, and transfer safeguard, is maintained at /legal/subprocessors and forms part of this DPA (Annex III).

The Processor will give notice of any intended addition or replacement of a Subprocessor that processes the Controller's Personal Data at least thirty (30) days before the change takes effect, by updating the subprocessors page and, where the Controller has subscribed to change notifications as described on that page, by email. Changes that do not affect how Personal Data is processed, stored or transferred (for example a vendor's corporate rename, an address update, or the removal of a vendor) may be reflected on the next routine update of the register without the notice period. The Controller may object on reasonable data protection grounds in writing to [email protected] within fourteen (14) days of the notification. On receipt of a timely objection, the parties will work in good faith to find a workable alternative. Where no alternative can reasonably be agreed, the Controller may terminate the affected portion of the Service without penalty and receive a pro-rata refund for the unused term, as its sole remedy.

The Processor imposes on every Subprocessor, by way of a written contract, data protection obligations that are in substance no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor remains fully liable to the Controller for the performance of each Subprocessor's obligations.

The Processor is established in Switzerland, which the European Commission and the United Kingdom recognise as providing an adequate level of data protection. All durable customer content, including Captures, account records, and the production database, is stored at the Hetzner facility in Helsinki, Finland (EU/EEA). Captures have no durable copy anywhere else.

Edge capture nodes in Singapore, Salt Lake City (United States), and Beauharnois (Canada) host the investigation container, render the page, and write the Capture artefacts to the container's writable filesystem for the duration of the Investigation. At the end of the Investigation the artefacts are uploaded to Helsinki over TLS and the container is destroyed with its writable layer; nothing persists on an edge node between Investigations. Transient Capture data may therefore be processed outside the EEA and Switzerland for the bounded lifetime of the investigation container.

Transfers of Personal Data outside the EEA, Switzerland, and the United Kingdom are protected as follows, mirroring Section 9 of the Privacy Policy:

• Canada (Beauharnois): the European Commission's adequacy decision for the Canadian commercial sector under PIPEDA, recognised equivalently under Swiss law; the EU Standard Contractual Clauses (Module 3, processor to processor) and the Swiss FDPIC-recognised equivalent are additionally in place.
• Singapore and the United States (edge nodes): the EU Standard Contractual Clauses (Module 3) and the Swiss FDPIC-recognised equivalent, plus encryption in transit for both the analyst stream and the artefact upload to Helsinki.
• US-based Subprocessors: where the individual vendor is certified under the EU-US Data Privacy Framework and its Swiss extension, as identified per vendor in the Subprocessors register, that certification is the primary transfer mechanism and the EU Standard Contractual Clauses operate as a fallback. For all other US transfers, the EU Standard Contractual Clauses and the Swiss FDPIC-recognised equivalent apply.
• United Kingdom: where the UK GDPR applies to a transfer, the Processor relies on the UK adequacy regulations for Switzerland and the EEA and, for onward transfers, on safeguards recognised under the UK GDPR (including, where executed, the ICO's International Data Transfer Addendum to the EU Standard Contractual Clauses).

The Processor maintains transfer impact assessments for the transfers described above and will make a copy of the relevant assessments and clauses available to the Controller on written request to [email protected].

The Service exposes self-service tooling that allows the Controller to view, export and delete Captures and workspace artefacts. The tooling does not currently allow the Controller to redact or edit individual data points inside a stored Capture: deletion operates at the level of the Capture. The Controller is responsible for using the available tooling to respond to data subject requests within the statutory deadline.

Where the Controller cannot fulfil a request through self-service tooling, the Processor will assist on written request to [email protected]. Standard assistance is included in the subscription fee. Manifestly unfounded, excessive or repetitive requests may be subject to reasonable cost recovery to the extent permitted by Art. 12(5) GDPR or the equivalent provision of other Applicable Data Protection Laws.

The Processor notifies the Controller of any personal data breach affecting the Controller's Personal Data without undue delay after becoming aware of it, and in any event within forty-eight (48) hours of becoming aware, consistent with the commitment in Section 17 of the Privacy Policy. Notification is sent to the email address registered on the Controller's account.

The notification contains, to the extent known at the time of notification:

• A description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned.
• The likely consequences of the breach.
• The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
• The Processor's data protection contact for follow-up communication.

Where the information cannot be provided at the same time, it may be provided in phases without undue further delay. The Processor cooperates with the Controller and provides additional information as it becomes available so that the Controller can meet its own obligations: under Article 33 GDPR, the Controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to natural persons, and under Article 34 GDPR must inform data subjects where the breach is likely to result in a high risk; under Article 24 FADP, a controller subject to Swiss law must notify the FDPIC as soon as possible where the breach is likely to lead to a high risk for the data subjects. The Processor's duty under this DPA is to notify the Controller; the Processor does not notify supervisory authorities or data subjects on the Controller's behalf unless explicitly instructed to do so in writing or required by law applicable to the Processor.

The Processor supports audit and information requests in the following sequence. First, the Processor makes available its written security documentation: the public Security Statement at /legal/security, Annex II of this DPA, the Subprocessors register, and, on request, additional architecture and control descriptions. Second, the Processor completes the Controller's reasonable written security questionnaires at no charge, at most once per twelve (12) months unless a personal data breach affecting the Controller or a binding order of a competent supervisory authority justifies an additional round.

The Processor does not currently hold a SOC 2 report, an ISO/IEC 27001 certificate, or a completed external penetration test report, and audit requests cannot be satisfied by reference to such documents; the current certification posture is stated honestly at /legal/security. If the Processor obtains a relevant third-party attestation in the future, it may offer that attestation in satisfaction of an audit request to the extent it covers the scope of the request.

Where the written information above is insufficient to demonstrate compliance, or where an audit is required by Applicable Data Protection Laws or by a competent supervisory authority, the Controller (or an independent auditor it mandates that is not a competitor of the Processor) may audit the Processor's compliance with this DPA under the following conditions: at most once every twelve (12) months, unless triggered by a personal data breach affecting the Controller or a binding order of a competent supervisory authority; on at least thirty (30) days' prior written notice; during normal business hours; remotely where reasonably possible; limited in scope to the Processing under this DPA; without access to other customers' data or to information that would compromise the security of the Service; and subject to the auditor signing a reasonable confidentiality agreement. Each party bears its own costs; the Controller additionally reimburses the Processor's reasonable time and expenses for audits exceeding one business day, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor bears its own costs and reimburses the Controller's reasonable audit costs.

The liability of each party under this DPA is governed by the limitation of liability provisions of the Terms of Service. The aggregate liability of the Processor under this DPA and the Terms of Service combined is capped as set out in section 19 of the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Applicable Data Protection Laws, including liability towards data subjects under Article 82 GDPR.

The Controller indemnifies the Processor against claims by data subjects or supervisory authorities to the extent those claims arise from the Controller's instructions or content (for example URLs the Controller instructed the Service to investigate in breach of Applicable Data Protection Laws). The Processor indemnifies the Controller against claims to the extent they arise from the Processor's breach of its obligations under this DPA. Where the Controller is a consumer, these indemnities apply only to the extent permitted by the mandatory law of the consumer's habitual residence.

This DPA enters into force on the effective date stated above or, if later, the date on which the Controller first accepts the Terms of Service. It remains in force for as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination of the subscription, the Processor stops processing Personal Data on behalf of the Controller (other than the retention-for-export window and statutory retention described in section 5.6) and deletes or returns the data at the Controller's choice. Provisions that by their nature should survive termination (confidentiality, liability, governing law) continue in effect.

This DPA is governed by the substantive law of Switzerland, without regard to its conflict of laws rules. The place of jurisdiction for any dispute arising out of or in connection with this DPA is Schmiedrued, Switzerland, subject to any mandatory venue under Applicable Data Protection Laws (in particular the right of data subjects to bring claims before the courts of their habitual residence).

For any data protection question or to exercise rights under this DPA, contact [email protected].

This Annex describes the Processing of Personal Data carried out by the Processor on behalf of the Controller. Where the EU Standard Contractual Clauses apply to a transfer under this DPA, this Annex serves as the description of processing required by Annex I of those clauses.

The Processor implements the technical and organisational measures described in full at /legal/security, which states what is in place today and what is on the roadmap. The summary below reflects the current state.

• Encryption. TLS 1.2 minimum and TLS 1.3 preferred for all HTTP traffic; where WebRTC transport is used, remote-browser media is additionally protected with DTLS-SRTP; Capture artefacts are uploaded to storage over TLS, and internal calls between the edge tier and the backend are authenticated with a shared secret header. Storage volumes in Helsinki are encrypted at the block level; backups remain within the Helsinki environment and are covered by the same at-rest encryption. Account credentials are hashed with bcrypt.
• Isolation and confidentiality. Each Investigation runs in its own container with a fresh filesystem layer and separate process and network namespaces; containers cannot read each other's filesystems or see each other's processes. Containers are destroyed at the end of the Investigation and their writable layer is discarded; no Capture data persists on an edge node between Investigations. Stored Captures are bound to the producing workspace, and cross-workspace access is rejected at the backend (default deny).
• Access control. Per-account credentials with passkey (WebAuthn) support; role-based access control and OIDC single sign-on on the plans that include them; opaque, server-side revocable session tokens bound to the issuing workspace. Internal production access is restricted to the smallest practical set of people on a least-privilege basis; sensitive operations are recorded in an append-only audit log.
• Network segmentation. Browser containers hold no storage credentials; storage reads are mediated by the backend, which checks workspace membership and Capture ownership before issuing a download URL; the remote browser's only outbound network is the public internet.
• Availability and restoration. Continuous monitoring of the backend, proxy, edge fleet, and storage tier with on-call alerting; a documented incident response process; encrypted backups that age out within thirty-five (35) days of primary deletion.
• Vulnerability management. Pinned dependencies with monitored security advisories; prompt patching of critical CVEs on internet-exposed components; regular rebuilds of browser images against the latest stable upstream. The Processor has not yet completed an external penetration test; one is on the roadmap for 2026, and no certification or attestation (SOC 2, ISO/IEC 27001) is claimed (see section 10).
• Data minimisation by design. Password-field masking, per-field and payload character caps, exclusion of binary response bodies, hard time and event ceilings per Investigation, plan-based retention, and self-service deletion. The pipeline does not currently provide automated redaction of non-password content, capture scoping, or pre-upload review; these limits are disclosed in Section 4.3 of the Privacy Policy.
• Governance. Documented data protection contact ([email protected]), internal incident escalation, and a public subprocessor register with change notification.
• Physical security. Durable storage is operated from the data centre facilities of the hosting providers listed in the Subprocessors register, which maintain physical access controls under their own audited programmes; the Processor relies on those provider controls and does not operate its own data centres.

The full set of measures and the honest statement of which certifications the Processor does and does not hold are published at /legal/security and updated whenever the controls materially change.

The current list of authorised Subprocessors, including the legal entity name, country of processing, scope of Processing and applicable transfer mechanism, is published at /legal/subprocessors and forms part of this DPA.

The Controller is deemed to have approved each Subprocessor listed on that page at the time the Controller accepts this DPA. Subsequent additions or replacements are notified in accordance with section 6.