Data Processing Agreement

How cobank processes personal data on a customer's behalf, as a processor.

This Data Processing Agreement (the “DPA”) forms part of the Terms of Service between cobank (the “Processor”) and the customer (the “Controller”) and applies where cobank processes personal data on the Controller’s behalf.

1. Roles of the parties

The Controller is the controller of the personal data it submits and determines the purposes and means of processing. cobank acts as processor and processes that data only on the Controller’s documented instructions — which these Terms and the use of the service constitute — unless applicable law requires otherwise.

2. Subject matter and duration

The subject matter is the processing necessary to provide the service. Processing continues for the term of the subscription and any agreed evidence-retention period, after which the rules on return and deletion apply.

3. Nature and purpose

cobank processes personal data to read invoices and supporting records, classify line items, calculate emissions, and produce reporting and audit output, together with the related account, authentication, and billing functions.

4. Data categories and data subjects

The personal data processed is limited to business-contact and account identifiers — such as the names and email addresses of the Controller’s authorised users — and any personal data incidentally contained in uploaded invoices and records. Data subjects are the Controller’s authorised users and any individuals named in the documents the Controller submits.

5. Security measures (Art. 32 GDPR / revFADP)

cobank maintains technical and organisational measures appropriate to the risk, including:

  • Tenant isolation enforced at the database layer through row-level security, so each customer’s data is segregated.
  • An append-only, hash-chained audit log of ledger changes, designed so that records cannot be altered undetectably.
  • Encryption of data in transit and at rest.
  • Role-based access control within each workspace and least-privilege access for operators.

Measures may be updated over time provided the level of protection is not reduced.

6. Sub-processors

The Controller authorises cobank to engage the sub-processors listed on the sub-processor page for the purposes described there. cobank remains responsible for its sub-processors and binds them to data-protection obligations no less protective than this DPA. cobank will give reasonable notice of intended changes so the Controller can object on reasonable grounds.

7. International transfers

Some sub-processors process personal data outside Switzerland and the EU/EEA. Where they do, cobank relies on an appropriate transfer mechanism — such as the European Commission’s Standard Contractual Clauses, together with any measures required for Swiss data — or an adequacy decision where one applies.

8. Personal-data breaches

cobank will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data, with the information reasonably available to support the Controller’s own notification obligations.

9. Assistance to the Controller

Taking into account the nature of the processing, cobank will provide reasonable assistance to the Controller in responding to data-subject requests and in meeting its obligations on security, breach notification, and data-protection impact assessments.

10. Return and deletion

On termination, cobank will, at the Controller’s choice, return or delete the Controller’s personal data, except where retention is required by law or by an agreed evidence-retention period. For audit engagements, records may be retained for up to seven years to preserve the evidentiary chain. After any such period, the data is deleted.

11. Governing law

This DPA is governed by the substantive law of Switzerland and is read together with the Terms of Service. Where the GDPR applies to the Controller’s processing, this DPA is construed to give effect to its requirements.

12. Contact

Data-protection questions and requests under this DPA can be sent to: