1. Introduction

The present data protection agreement (hereafter “DPA”) supplements the Terms of Use under which you, as a customer (hereafter “you”, the “Customer”), are allowed to use the application Shinymetrics, which is owned and operated by Opifex Sàrl, c/o RISTER Sàrl, Rue Adrien-Lachenal 26, 1207 Geneva (hereafter “we”, “us”, “Opifex”).

When you use Shinymetrics, personal data regarding the persons visiting your website is collected and processed. In this regard, you are the data controller and we are the data processor.

2. Data processing

Opifex processes personal data to allow the Customer to use the app Shinymetrics. In this context, the purpose of the processing is to understand how the persons visiting the Customer’s website are behaving.

Opifex does not process Customer’s personal data for its own purposes.

Opifex shall act and in accordance with the instructions of the Customer, which are in particular contained in the Terms of use.

Opifex complies with the Swiss Federal Act on Data Protection of 25 September 2020 (hereafter: “FADP”). The Customer will comply with all applicable laws and regulations, in particular when applicable the FADP and the Regulation (EU) 2016/679 of the European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter: “GDPR”).

The Customer guarantees that it has all rights to provide to Opifex the personal data for the processing, including the consent of the persons visiting the Customer’s website if this consent is required by the applicable legislation.

3. Categories of data subjects and types of personal data

The processing relates to the personal data of the persons visiting the Customer’s website.

Depending on the parameters chosen by the Customer, the processing can involve the following data in relation with the use of the Customer’s website:

• Date and time of an interaction;
• Type of interaction (clicking on a link, entering text, downloading a file, etc.);
• IP address;
• Operating system;
• Web browser;
• Size of the web browser window;
• Language;
• Platform used;
• Referer (meaning the last web page the user was on);
• Entire URL;
• Session (meaning a group of interactions in a given time period)

4. Confidentiality

Opifex will make sure that all employees who need to access the personal data (i) are informed that the personal data is confidential and (ii) comply with the obligations mentioned in this DPA.

5. Subprocessing

The Customer gives Opifex a general authorization to engage subprocessors.

Annex 1 contains the list of subprocessors engaged by Opifex and authorized by the Customer.

Before the addition of any new subprocessor to the list, the Customer will be informed of the identity of the new subprocessor and the scope of the planned subprocessing activities. The Customer will have 30 days to object to this change. In such case, Opifex will adapt the fees to take this into account. The Customer and Opifex have a termination right with 30 days-notice.

Opifex remains responsible in case a subprocessor fails to fulfil its data protection obligations.

Opifex will impose on every subprocessor, by way of a contract, the same data protection obligations as set out in the present DPA.

6. Security

Prior to any processing personal data, Opifex must ensure that all appropriate technical and organizational measures have been taken to ensure the protection of the Personal Data. The measures implemented are described in Annex 2.

7. Transfer of personal data outside of Switzerland

Opifex may process personal data in Switzerland Germany, and France. No personal data will be processed outside of these countries.

If the Customer is not based in a country that is recognized by the Federal Council as providing an adequate level of protection (Andorra, Argentina, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faeroe Islands, Finland, France, Germany, Gibraltar, Greece, Guernsey, Hungary, Iceland, Ireland, Island of Man, Israel, Italia, Jersey, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, New-Zeeland, Norway, Pays-Bas, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom, Uruguay), it shall complete and sign the Standard Contractual Clauses (data processor to data controller) available at [], and email a copy of them to […], before starting using Shinymetrics.

8. Assistance to the Customer

Opifex shall assist the Customer for the fulfilment of the Customer’s obligations, in particular:

• Inform the Customer without delay in case of a personal data breach and assist the Customer for taking all reasonable measures to prevent or mitigate the consequences of the breach, notify the breach to the competent authority and, if required, inform the concerned data subjects.
• Help the Customer carry out a data protection impact assessment, if required;
• Make available to the Customer all the information necessary to demonstrate compliance with the obligations mentioned in the present DPA;
• Allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer;
• Assist the Customer for the fulfilment of its obligation to respond to requests of the data subjects.

This assistance may be subject to additional fees.

9. Entry into force and termination

This DPA will enter into force upon the Customer’s agreement to the Terms of use.

It will terminate upon deletion of the Customer’s Shinymetrics account.

The obligation of confidentiality (clause 4.) will remain in effect after the termination of the DPA.

Within 30 days after the end of the DPA, Opifex will delete the personal data associated with the Customer’s account (including personal data about the persons visiting the Customer’s website).

Notwithstanding the above, Opifex may keep personal data if required by the applicable laws and regulations.

---

Annex 1 – List of Subprocessors

The Customer has authorized the use of the following subprocessors:

• 1. Name: Amazon Web Services
  Address: Avenue John F. Kennedy 38, Luxembourg, 1855, Luxembourg
  Amazon Web Services (AWS) provides hosting services for the application as well as data storage.

Annex 2 – Technical and organizational measures

All data storage and its processing lives on a subnetwork and not exposed to the internet at large, only the client-facing application is exposed to the internet.

All data transfers for processing by the application (on the subnetwork) is encrypted with TLS.

All data storage, databases and file storages, are password protected.

All data storage is encrypted.

The client is free to request deletion of data.

User account information is password protected with high entropy hashes.

Data recorded by a user is only available to said user as well as other users they may explicitly grant access to. Every server request for data is checked for valid authenticated to protect against leaks.

All data is backed up so as to be restored in the event of an incident.