DPA

Data Processing Addendum.

The data-processing agreement governing rights and obligations between you (Controller) and Illizeo (Processor), pursuant to GDPR article 28.

Version May 2026. GDPR art. 28 & FADP compliant.

  • Art. 28: GDPR applicable
  • EU / EEA: Hosting
  • 14d: Audit notice
  • 30d: Post-contract delay

1. Introduction, scope & definitions

These provisions govern the rights and obligations of the Customer (“Controller”) and Illizeo (“Processor”) in the processing of personal data carried out on behalf of the Controller, in connection with the use of Illizeo software and services.

Hierarchy: in case of conflict with the main contract, the DPA terms prevail. Capitalised terms have the meaning given in the main contract or the GDPR.

The Controller accepts these provisions on its own behalf and on behalf of any affiliated entity concerned by processing under this DPA.

2. Scope of processing, data categories & data subjects

2.1 Types of data

  • Identity (last name, first name, address, date of birth, phone, business email)
  • HR contractual data (degrees, training, contracts, certificates)
  • Administrative management (banking details, leave, absences, sick leave, schedules, evaluations)
  • Payroll
  • Invoicing and contractual settlements

2.2 Data subjects

  • Employees, external providers, freelancers, volunteers in post
  • Former employees
  • Candidates, future volunteers or employees

2.3 Location of processing

  • Exclusively EU / EEA / adequate countries (GDPR art. 45)
  • Any transfer outside the EEA: art. 46+ safeguards (SCCs, etc.)
  • Duration: throughout service provision unless otherwise agreed in writing

3. Confidentiality

Illizeo undertakes to ensure the confidentiality of personal data, in accordance with articles 28(3)(b), 29 and 32(4) GDPR.

Any person authorised to process personal data is bound by an obligation of confidentiality, whether arising from an employment contract, a specific agreement or a legal duty.

4. Controller obligations

  • The Customer remains solely responsible for compliance with GDPR in its use of the services
  • Informing Illizeo immediately of any anomaly or non-compliance detected
  • Designation of a data-protection contact if needed

5. Customer instructions

  • Illizeo only processes data on documented instructions from the Customer (except legal obligation under GDPR)
  • If an instruction appears to breach GDPR, Illizeo informs the Customer and may suspend execution
  • Persons authorised to issue instructions are designated in the software; failing this, only the Customer’s legal representatives
  • Illizeo may suspend any instruction until the issuer’s authority is proven

6. Processor obligations

6.1 General obligations

  • Designated DPO, contact details available on Illizeo’s website
  • Reasonable assistance to the Customer for DPIAs and prior authority consultations
  • Immediate notice to the Customer of any data-protection authority action concerning the DPA

6.2 Audits

  • Verification of DPA, TOM and GDPR compliance during business hours, 14-day notice
  • External auditor allowed, prior NDA
  • “Event-triggered audit” in case of incident: shorter reasonable notice, no limitations
  • Outside events: max 1 on-site audit per year, 1 day max
  • Illizeo may decline a non-event audit if it provides sufficient evidence (ISO 27001, art. 40 codes of conduct, art. 42 certifications)
  • Illizeo may refuse a competing auditor, or refuse an auditor for other legitimate reasons

6.3 Technical & Organisational Measures (TOM)

  • Implementation pursuant to GDPR article 32
  • Adapted to state of the art, costs, nature and risks
  • Latest version on the TOM page or via Settings > Support > Subscription & Billing
  • Updates possible without reducing overall security level

7. Sub-processors

  • Up-to-date list available here or in the software
  • Customer consent presumed for sub-processors listed at contract signing
  • Any addition/removal notified to Customer: substantiated objection within 14 days
  • If an objection remains unresolved, Illizeo may terminate the contract immediately
  • All sub-processors bound by GDPR art. 28(3) compliant contract
  • Illizeo remains fully liable for the acts and omissions of its sub-processors

8. Data subject rights

  • Any GDPR request received by Illizeo is forwarded to the Customer
  • The software allows autonomous management of personal data
  • If the Customer cannot handle a request alone, Illizeo provides reasonable assistance
  • Illizeo accepts no liability for non-response, incorrect or late response if the failure rests with the Customer

9. Information & notification

Illizeo undertakes to inform the Customer without undue delay upon becoming aware of any personal-data breach, in accordance with GDPR article 33.

10. Data return & deletion

  • Processing deemed completed at contract expiry, by default
  • Data retention 30 days after contract end
  • During those 30 days: return (machine-readable format), deletion, or autonomous export via the software at the Customer’s request
  • Early deletion possible upon request, except statutory retention
  • After 30 days without request: irreversible automatic deletion (subject to legal obligations)

11. Liability

  • Each party is liable in accordance with GDPR article 82
  • Liability exclusions/limitations do not apply in cases of intentional fault, gross negligence, bodily injury or death
  • Otherwise: rules defined in the main contract between Illizeo and the Customer

12. Final provisions

12.1 Confidentiality

  • Both parties undertake strict confidentiality (trade secrets, security measures, contractual content)
  • All information is presumed confidential pending written proof to the contrary

12.2 Modifications

  • Modifications in writing (including email) per GDPR
  • Explicit “DPA amendment” mention required
  • Adjustments possible electronically (GDPR art. 28(9))

12.3 Third parties & proceedings

  • If seizure, requisition or insolvency threatens the data: Illizeo informs the Customer immediately
  • Illizeo notifies third parties that ownership and control of the data belong to the Customer

12.4 Governing law & jurisdiction

  • Swiss law applies (default: law of Illizeo’s registered office)
  • UN CISG expressly excluded
  • Competent court: Illizeo’s principal place of business

12.5 Entirety & severability

  • The DPA cancels and replaces all prior commitments (except agreements pre-1 September 2024)
  • If any provision is invalid, the others remain in force
