1. Scope and Definitions
1.1 This Data Processing Agreement ("DPA") forms part of the Agreement between VynFi.com LLC (i.G.) ("Processor," "VynFi," "we") and you ("Controller," "Customer," "you") governing the processing of personal data in connection with the AssureTwin platform ("Service").
1.2 This DPA applies where VynFi processes personal data on your behalf as a data processor under Article 28 of the General Data Protection Regulation (GDPR) and Article 9 of the Swiss Federal Act on Data Protection (nDSG).
1.3 Terms not defined in this DPA have the meanings given in our Terms of Service and the GDPR. "Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the meanings given in Article 4 GDPR.
2. Processing Instructions
2.1 VynFi shall process personal data only on your documented instructions, including with regard to transfers of personal data to a third country or international organization, unless required to do so by Union or Member State law to which VynFi is subject. In such a case, VynFi shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.2 Your instructions to VynFi are documented in this DPA, the Terms of Service, and any additional written instructions agreed upon by the parties. Your use of the Service constitutes an instruction to process personal data as necessary to provide the Service.
2.3 VynFi shall immediately inform you if, in VynFi's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
3. Data Categories and Subjects
3.1 Data Subjects. End users of the Service (your employees, contractors, and authorized users who access AssureTwin under your account).
3.2 Categories of Personal Data. The following categories of personal data are processed:
- Account Data: Display name, email address, Microsoft Entra ID object identifier, tenant identifier.
- Usage Data: Pages viewed, features used, simulation configurations, engagement creation and execution events, navigation patterns.
- Technical Data: IP address, browser type and version, operating system, device type, timestamps.
- Payment Data: Billing email, subscription status, payment method metadata (card brand, last four digits). Full card details are processed exclusively by Stripe.
3.3 No Special Categories. The Service is not designed to process special categories of personal data (Article 9 GDPR) or personal data relating to criminal convictions (Article 10 GDPR). You must not submit such data to the Service.
4. Processing Activities
4.1 VynFi processes personal data for the following purposes:
- Account Provisioning: Creating and managing user accounts, authenticating users via Microsoft Entra ID, enforcing access controls and tier limits.
- Simulation Execution: Running audit engagement simulations, generating synthetic financial data via the DataSynth engine, producing formal verification results, and storing engagement configurations and outputs.
- AI-Powered Analysis: Transmitting synthetic simulation data to the Anthropic Claude API for workpaper generation, anomaly explanation, and natural language queries. No personal data is intentionally sent to AI services.
- Billing: Processing subscription payments via Stripe, issuing invoices, maintaining financial records as required by Swiss tax law.
5. Sub-processors
5.1 You provide general authorization for VynFi to engage sub-processors to assist in providing the Service. A current list of sub-processors is maintained on our Subprocessor List page.
5.2 VynFi shall notify you at least 30 days before engaging a new sub-processor or materially changing the scope of an existing sub-processor's processing. Notification is provided via email and an update to the Subprocessor List page, as well as to subscribers of dpa-updates@assuretwin.com.
5.3 If you have a reasonable objection to a new sub-processor, you may notify VynFi within the 30-day notice period. VynFi shall work in good faith to address your concerns. If VynFi cannot resolve the objection, you may terminate your subscription in accordance with the Terms of Service.
5.4 VynFi shall impose on each sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA.
6. Security Measures
6.1 VynFi shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit: TLS 1.3 for all data transmitted between clients and the Service
- Encryption at rest: AES-256 encryption for all stored data
- Authentication: Microsoft Entra ID with support for multi-factor authentication (MFA)
- Secrets management: Azure Key Vault with hardware security modules (HSM)
- Access controls: Role-based access controls (RBAC), principle of least privilege for production systems
- Infrastructure: Microsoft Azure (Switzerland North), SOC 2 Type II and ISO 27001 certified
- Monitoring: Automated threat detection, security monitoring, and incident response procedures
6.2 VynFi shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Breach Notification
72-Hour Notification
VynFi shall notify you of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach.
7.1 Notification shall include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected; (b) the likely consequences of the breach; (c) measures taken or proposed to address the breach and mitigate its effects; and (d) the name and contact details of VynFi's point of contact.
7.2 VynFi shall cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach, including providing information necessary for you to fulfill your obligations to notify the supervisory authority and affected data subjects under Articles 33 and 34 GDPR.
7.3 Breach notifications shall be sent to the email address associated with your account and to security@assuretwin.com.
8. Audit Rights
8.1 VynFi shall make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
8.2 Audit requests must be submitted in writing to dpa@assuretwin.com with at least 30 days' advance notice. Audits shall be conducted during normal business hours, no more than once per calendar year (unless required by a supervisory authority), and shall not unreasonably disrupt VynFi's business operations.
8.3 VynFi may satisfy audit requests by providing: (a) relevant third-party audit reports (e.g., SOC 2 Type II); (b) certifications (e.g., ISO 27001); (c) written responses to audit questionnaires; or (d) on-site or remote inspections where the foregoing are insufficient to demonstrate compliance.
9. International Transfers
9.1 VynFi's primary infrastructure is hosted in the Switzerland North (Zurich) region of Microsoft Azure. Data replication for disaster recovery occurs within the EU (West Europe, Netherlands).
9.2 Where personal data is transferred to sub-processors outside the EEA and Switzerland, VynFi relies on the European Commission's Standard Contractual Clauses (SCCs), supplemented with additional technical and organizational measures as appropriate, and the EU-U.S. Data Privacy Framework where applicable.
9.3 Details of transfer mechanisms for each sub-processor are listed on our Subprocessor List page.
10. Data Deletion and Return
10.1 Upon termination of the Agreement or upon your written request, VynFi shall, at your choice: (a) return all personal data to you in a structured, commonly used, machine-readable format; or (b) delete all personal data and certify such deletion in writing.
10.2 Deletion shall be completed within 30 days of the request or termination, except where retention is required by applicable law (e.g., Swiss tax law requires retention of billing records for 7 years).
10.3 VynFi shall ensure that all sub-processors delete personal data in accordance with the same timelines, unless retention is required by law.
11. Liability
11.1 The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service.
11.2 Nothing in this DPA limits either party's liability for: (a) its own fraud or willful misconduct; (b) liability that cannot be excluded under applicable law; or (c) data protection fines imposed by a supervisory authority to the extent attributable to that party's breach of its obligations.
12. Term and Termination
12.1 This DPA shall remain in effect for the duration of the Agreement between you and VynFi. Obligations relating to confidentiality, data deletion, and liability survive termination.
12.2 This DPA is governed by the laws of Switzerland. Disputes arising under this DPA are subject to the exclusive jurisdiction of the courts of the Canton of Zurich.
13. Contact
For questions about this Data Processing Agreement, audit requests, or to report a data protection concern:
VynFi.com LLC (i.G.)
Uster, 8610, Switzerland
DPA inquiries: dpa@assuretwin.com
DPO: dpo@assuretwin.com
Sub-processor updates: dpa-updates@assuretwin.com