1. Subject matter
This Data Processing Agreement ("DPA") supplements the Terms of Service and governs the processing of personal data that the controller (the customer, "Controller") transfers to us (Andrin Iten & Max Diez, "Processor") in the course of using the schwiizerdütsch.com API.
2. Nature of processing
The Processor provides a text-to-speech API that processes text input and generates audio output. Processing occurs exclusively for the purpose of delivering the contractually agreed service.
3. Data subjects
Data subjects may include end users of the Controller's applications, employees of the Controller, and other natural persons whose text data is submitted to the API.
4. Categories of data
Text content submitted to the API; technical metadata (IP address, API key, timestamps, request parameters). Text and audio are not retained after processing.
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure that authorised personnel are bound by confidentiality obligations
- Implement appropriate technical and organisational measures (TOMs) pursuant to Art. 32 GDPR
- Assist the Controller in fulfilling data subject rights requests
- Delete or return all personal data upon termination of the agreement
- Provide the Controller with all information necessary to demonstrate compliance with Art. 28 GDPR
- Notify the Controller of any data breach within 48 hours of becoming aware of it
6. Technical and organisational measures
The Processor implements the following TOMs:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access control, least-privilege principle, multi-factor authentication
- No retention of text or audio data after request completion
- Logical isolation of customer data
- Monitoring and alerting for security incidents
- Regular security reviews and dependency updates
- Submitted text and audio are processed only to fulfil the request, then discarded
7. Sub-processors
The following sub-processors are engaged:
- Google Cloud Platform (GCP) / Firebase: Infrastructure, compute, storage, authentication and database, on the basis of a Data Processing Agreement.
- Modal (Modal Labs, USA): TTS compute (speech synthesis). Submitted text is processed to generate audio and is not retained.
- Google (Gemini API): Text normalisation prior to synthesis. Submitted text is processed and is not retained.
The Controller is notified of any changes to sub-processors with at least 30 days' advance notice.
8. Data transfers
Some processing — TTS synthesis (Modal, USA) and text normalisation (Google) — takes place outside Switzerland. Where personal data is transferred to third countries, appropriate safeguards such as Standard Contractual Clauses are applied.
9. Data breaches
The Processor notifies the Controller of personal data breaches within 48 hours of becoming aware, with sufficient information to fulfil the Controller's notification obligations under Art. 33 GDPR.
10. Audit rights
The Controller may conduct audits or inspections of the Processor's data processing activities, either directly or through a mandated third party, upon 14 days' written notice.
11. Term and termination
This DPA is effective for the duration of the underlying service agreement. Upon termination, the Processor deletes all personal data within 30 days unless retention is required by law.
12. Contact
For DPA-related enquiries: andrin@iten.to