General Provisions

Version 09-2025

Introduction, Scope and Definitions

These provisions govern the rights and obligations of the Client (the “Data Controller”) and Illizeo (the “Processor”) in the context of personal data processing carried out on behalf of the Controller, in connection with the use of software and services provided by Illizeo (the “Data Processing Agreement”, or “DPA”). This DPA is established in accordance with the provisions of the European Union’s General Data Protection Regulation (GDPR). In case of contradiction between the provisions of this DPA and those of the main Contract, the terms of the DPA shall prevail.

Unless otherwise indicated, capitalized terms used in this DPA have the meaning given to them either in the main Contract or in the GDPR.

The Data Controller accepts these provisions on its own behalf as well as on behalf of any affiliated entity that may be concerned by personal data processing under this DPA.

Scope of processing, Data categories, Data subjects

The Data Controller acknowledges that the extent of data processing may vary depending on its use of Illizeo’s software solutions, subscribed modules and activated services. The following information provides an overview of the types of data and data subjects likely to be processed.

The types or categories of data likely to be processed include in particular:

Civil status and identification data: last name, first name, address, date of birth, telephone number, professional email;

HR contractual data: diplomas, training completed, supporting documents, employment contracts, attestations and certificates issued between the employer and its employees;

Administrative management and service data: bank details, leave, absences, sick leave, working hours, performance evaluations, HR communications;

Payroll data;

Billing and contractual settlement data.

Categories of data subjects may include (within the Controller or its affiliated entities):

Personal data processing is carried out exclusively within the European Union, a Member State of the European Economic Area, or a third country that the European Commission has recognized as ensuring an adequate level of protection within the meaning of Article 45 of the GDPR.

If a transfer of personal data to a country located outside the European Economic Area should prove necessary, the Processor undertakes to fully comply with GDPR requirements, particularly through the implementation of appropriate safeguards, in accordance with Articles 46 et seq. of the Regulation.

Personal data is processed by Illizeo throughout the duration of provision of the relevant services or software, unless otherwise agreed in writing between the parties.

Confidentiality

Illizeo undertakes to guarantee the confidentiality of personal data, in accordance with Articles 28, paragraph 3, subparagraph 2, point b), 29 and 32, paragraph 4 of the GDPR. Any person authorized by Illizeo to process personal data is subject to a confidentiality obligation, whether arising from an employment contract, a specific agreement or a legal obligation.

Data Controller obligations

The Client, as Data Controller, remains solely responsible for compliance with GDPR provisions in the context of its use of software and services provided by Illizeo.

The Client undertakes to immediately and completely inform Illizeo of any anomaly or non-compliance it detects in personal data processing, particularly with regard to applicable data protection regulations.

If necessary, the Client will designate a contact person in charge of data protection matters under this DPA and will communicate their contact details to Illizeo.

Instructions

Illizeo will only process personal data on behalf of the Client based on documented instructions transmitted by the Client, within the framework of using subscribed software and services. Any exception must arise from a legal obligation under the GDPR. If Illizeo reasonably believes that an instruction could contravene the GDPR, it will inform the Client as soon as possible. Illizeo may suspend execution of said instruction until an agreement is reached between the parties.

The Client designates persons authorized to issue instructions in the software interface made available. In the absence of such designation, only the Client’s legal representatives are authorized to issue instructions to Illizeo. The latter reserves the right to suspend execution of an instruction until proof of the issuing person’s authority has been provided.

Processor obligations

General obligations

Illizeo appoints a data protection officer, whose up-to-date contact details are accessible on Illizeo’s official website.

Illizeo undertakes to provide reasonable assistance to the Client in conducting data protection impact assessments, as well as prior consultations with supervisory authorities, insofar as these steps concern exclusively processing carried out by Illizeo on behalf of the Client. This assistance is provided within the limits of reasonably available information and taking into account the nature of processing. If this assistance generates disproportionate efforts (volume, complexity, deadline), Illizeo reserves the right to invoice services, after having previously informed the Client of estimated costs.

Illizeo will immediately inform the Client of any action or control measure taken by a data protection authority, insofar as this concerns this DPA. This information obligation also extends to cases where a competent authority considers that personal data processed under this DPA is involved in administrative or criminal proceedings, unless Illizeo is legally required not to transmit this information.

Audits

The Client is authorized to verify, during Illizeo’s usual business hours and with at least 14 days’ notice, compliance with the obligations arising from this DPA, the technical and organizational measures (TOM) and the GDPR. The Client may mandate an external auditor to perform this verification. Verifications may include access to Illizeo’s premises, consultation of information, or examination of the Client’s own data, while respecting Illizeo’s legitimate interests. In case of a security incident or a significant violation of data protection rules (“Event Audit”), the notice period may be reduced to a reasonable time. Event Audits are not subject to the limitations provided in Articles 5.2.3 and 5.2.4.

Illizeo may condition acceptance of the audit on signing an appropriate confidentiality agreement by the mandated auditor. If the selected auditor is in competition with Illizeo, or if another legitimate reason exists, Illizeo may refuse the choice of auditor.

Apart from event-related audits, Illizeo will only be required to cooperate with one on-site audit per year, lasting a maximum of one day, at the Client’s request.

If Illizeo provides sufficient evidence of the implementation and effectiveness of its technical and organizational measures (TOM), it may refuse to hold a non-event-related audit. Such evidence may include, without limitation: approved codes of conduct within the meaning of Article 40 of the GDPR, certification under Article 42, or any other independent audit or certification deemed relevant (e.g. an IT security or data protection audit conducted by a recognized body).

Technical and Organizational Measures (TOM)

Illizeo undertakes to implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures take into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as risks to the rights and freedoms of data subjects. The latest updated version of TOMs is accessible in the Illizeo software client area (currently via: Settings > Support > Subscription & Billing > Data Processing Information).

Technical and organizational measures may be updated by Illizeo to adapt to technological developments or regulatory requirements. However, any modification must in no way compromise or reduce the overall level of security provided by the Services and software.

Sub-processors

The list of current subcontractors involved in data processing on behalf of Illizeo is available in the software (currently via: Settings > Support > Subscription & Billing > Data Processing Information).

The use of a subcontractor to process or use personal data is only authorized with the Client’s prior agreement. Agreement is deemed given for subcontractors listed in the software at the time of contract conclusion.

Illizeo reserves the right to change its list of subcontractors. In case of adding or removing a subcontractor, Illizeo will inform the Client in writing (for example by email). If the Client does not raise a reasoned objection, based on valid data protection reasons, within 14 days following notification, this change will be considered accepted. In case of unresolved objection, Illizeo may terminate the contract as of right with immediate effect.

Illizeo will conclude with any subcontractor a contract compliant with the requirements of Article 28, paragraph 3 of the GDPR, guaranteeing contractual obligations equivalent to those stipulated in this DPA. Illizeo remains fully responsible for the acts and omissions of its subcontractors vis-à-vis the Client.

Data subject rights

If a data subject addresses a request to Illizeo under Chapter III of the GDPR (data subject rights), Illizeo undertakes to redirect the request to the Client (the Data Controller), insofar as identification of the Client responsible for processing is possible.

The Client acknowledges that the software solution provided by Illizeo allows autonomous and complete management of personal data, thus facilitating compliance with its legal obligations, particularly regarding processing data subject requests. If the Client cannot process a request independently via software functionalities, Illizeo will provide reasonable assistance.

Illizeo disclaims all responsibility in case of non-response, incorrect response or late response to a data subject request if this failure is exclusively the Client’s responsibility.

Information and notification obligations

Illizeo undertakes to inform the Client without undue delay upon becoming aware of a personal data breach concerning the Client. This notification will be made in accordance with the provisions of Article 33 of the GDPR.

Data communication and deletion

Upon completion of personal data processing, Illizeo will make available the relevant data in accordance with the provisions below. By default, processing is considered complete on the service contract expiration date.

Illizeo will keep the personal data provided for a period of 30 days after the end of the contract. During this period, the Client may, upon simple written request (by any textual means of communication), request the return of its data in machine-readable format or its deletion, or proceed with an autonomous data export via the software. It is exclusively the Client’s responsibility to export its data within the allotted time.

If the Client expressly requests early deletion of their data before the end of the 30-day period, Illizeo will comply, unless certain data must be kept for legal or regulatory reasons.

If, at the end of the 30-day period, no return or deletion request has been received, Illizeo will automatically proceed with irreversible deletion of the relevant data, subject to legal retention obligations that may apply.

Liability

Each party is responsible, in accordance with Article 82 of the GDPR, for damages resulting from a violation of the provisions of this Data Processing Agreement (DPA) or the GDPR.

Any exclusion or limitation of liability provided in this agreement does not apply in case of intentional fault, gross negligence or bodily injury or death.

For any other aspect not expressly covered in this section, liability rules are those defined in the main contract between Illizeo and the Client.

Final provisions

Both parties undertake to treat in a strictly confidential manner all information relating to trade secrets, data security measures and contractual contents brought to their knowledge in the context of the contractual relationship, even after contract end. This expressly includes the content of this DPA as well as any documentation, evidence or information obtained as part of a compliance audit. In case of doubt, any information will be considered confidential until written proof to the contrary.

Any modification or addition to this DPA, including any warranty or commitment issued by Illizeo, must be made in textual form (including by email), in accordance with GDPR requirements, and must explicitly mention that it is an amendment or supplement to the DPA. This formal requirement also applies to any waiver of this form. The parties agree that DPA adjustments may be made electronically, in accordance with Article 28, paragraph 9 of the GDPR.

If the Client’s data is threatened by seizure, requisition, insolvency proceedings or any other action from third parties, Illizeo undertakes to immediately inform the Client. Illizeo will also notify all relevant third parties that exclusive ownership and control of data belongs to the Client, as data controller within the meaning of the GDPR.

This agreement is governed by Swiss law (or: by default, if not specified by the client, the applicable law is that of Illizeo’s registered office). The United Nations Convention on Contracts for the International Sale of Goods (CISG) is expressly excluded. The competent court for any dispute related to this agreement is, to the extent possible, that of Illizeo’s principal place of business.

This DPA cancels and replaces all prior statements, warranties, agreements or commitments, written or oral, relating to its subject matter, unless there is a prior agreement concluded before September 1, 2024 between the parties.

If any provision of this DPA should be declared invalid or unenforceable, this will in no way affect the validity of other DPA provisions, which will remain fully in force.