Data Processing Agreement

Last updated: 20 May 2026, Pursuant to Art. 28 GDPR

1. Subject matter

This Data Processing Agreement ("DPA") supplements the Terms of Service and governs the processing of personal data that the controller (the customer, "Controller") transfers to us (Andrin Iten & Max Diez, "Processor") in the course of using the schwiizerdütsch.com API.

2. Nature of processing

The Processor provides a text-to-speech API that processes text input and generates audio output. Processing occurs exclusively for the purpose of delivering the contractually agreed service.

3. Data subjects

Data subjects may include end users of the Controller's applications, employees of the Controller, and other natural persons whose text data is submitted to the API.

4. Categories of data

Text content submitted to the API; technical metadata (IP address, API key, timestamps, request parameters). Text and audio are not retained after processing.

5. Obligations of the Processor

The Processor shall:

6. Technical and organisational measures

The Processor implements the following TOMs:

7. Sub-processors

The following sub-processors are engaged:

The Controller is notified of any changes to sub-processors with at least 30 days' advance notice.

8. Data transfers

Some processing — TTS synthesis (Modal, USA) and text normalisation (Google) — takes place outside Switzerland. Where personal data is transferred to third countries, appropriate safeguards such as Standard Contractual Clauses are applied.

9. Data breaches

The Processor notifies the Controller of personal data breaches within 48 hours of becoming aware, with sufficient information to fulfil the Controller's notification obligations under Art. 33 GDPR.

10. Audit rights

The Controller may conduct audits or inspections of the Processor's data processing activities, either directly or through a mandated third party, upon 14 days' written notice.

11. Term and termination

This DPA is effective for the duration of the underlying service agreement. Upon termination, the Processor deletes all personal data within 30 days unless retention is required by law.

12. Contact

For DPA-related enquiries: andrin@iten.to