Season’s greetings from big®. Ready to start the new year with us and move your projects forward?

Request demo
Request demo

Data Processing Agreement (DPA) between Kaulquappe AG and the Customer

1. Parties

Processor (P):
Kaulquappe AG
Zurich, Switzerland
(„Kaulquappe“)


Controller (C):
The Customer using the big® SaaS services.
(“Customer”)
Together referred to as the “Parties”.

2. Subject Matter of this Agreement

a) This Data Processing Agreement (“DPA”) governs the rights and obligations of the Parties regarding the processing of personal data by Kaulquappe on behalf of the Customer in connection with the use of the software-as-a-service solution big®.
b) The Customer remains the Controller under the Swiss Federal Act on Data Protection (FADP / DSG) and, where applicable, the EU General Data Protection Regulation (GDPR)
c) Kaulquappe processes personal data solely for the purpose of delivering, maintaining, securing and improving the big® SaaS services.

3. Nature, Scope and Purpose of Processing

a) Purpose

Kaulquappe processes personal data exclusively for:

  • providing and operating big®,
  • hosting and database management,
  • backups and disaster recovery,
  • technical administration and support,
  • monitoring and security operations.

b) Types of Personal Data

Data processed may include:

  • identification data (name, email, user ID),
  • contact details,
  • usage data and logs,
  • content entered by the Customer into big®,
  • metadata (timestamps, system metadata), technical identifiers (IP addresses, UUIDs).

c) Categories of Data Subjects

Typical data subjects include:

  • employees of the Customer,
  • end users of the Customer,
  • any persons whose data the Customer enters into big®.

d) Kaulquappe does not intentionally process special categories of data (sensitive data), unless directly uploaded by the Customer.

4. Duration of Processing

The processing is carried out for the duration of the subscription to big®.

After termination:

  • customer data is returned, and
  • deleted after expiry of statutory retention obligations.

5. Instructions of the Controller

a) Kaulquappe processes personal data only on documented instructions from the customer.
b) Instructions must be issued in writing or by email.
c) If Kaulquappe considers an instruction to be unlawful, it will immediately inform the Customer.

6. Obligations of the Processor (Kaulquappe)

Kaulquappe undertakes to:

a) Process personal data only in accordance with this DPA and Customer instructions.
b) Ensure all personnel with access to personal data are bound by confidentiality.
c) Implement appropriate technical and organisational measures (TOMs) to protect dat.
d) Notify the Customer without undue delay of:

  • personal data breaches,
  • regulatory inquiries affecting Customer data,
  • any violation of this DPA.

e) Make information available to the Customer necessary to demonstrate compliance with this DPA.

7. Technical and Organisational Measures (TOMs)

Kaulquappe implements:

  • encryption in transit (TLS),
  • role-based access controls (RBAC),
  • secure authentication (including MFA for admin accounts), logging and monitoring,
  • firewalls and network segmentation,
    regular backups and recovery processes,
  • patch management and security updates,
  • intrusion detection and incident response procedures.

A detailed TOM overview can be provided upon request.

8. Use of Sub-Processors

a) The Customer authorises Kaulquappe to use sub-processors. The primary sub-processor is:

Mandatory Sub-Processor:

  • Google Cloud Platform (GCP)
  • Region: Switzerland or EU (depending on selected region)
  • Purpose: Hosting, storage, infrastructure

Additional sub-processors (optional, depending on service use):

  • Email service providers (support communication)
  • Monitoring and logging tools
  • Security service providers

b) Kaulquappe ensures that all sub-processors provide adequate data protection guarantees.
c) Kaulquappe will inform the Customer of significant changes to sub-processors. The Customer may object within 14 days if a legitimate reason exists.

9. International Data Transfers

a) If personal data is transferred outside Switzerland/EU, Kaulquappe ensures:

  • an adequacy decision exists, or
  • Standard Contractual Clauses (SCCs) are applied, or
  • equivalent safeguards under the FADP/GDPR.

b) big® stores data by default in GCP regions in Switzerland or the EU.

A transfer to the USA occurs only if:

  • explicitly requested by the Customer, or
  • technically required (e.g., GCP support cases).

10. Support for Data Subject Rights

Kaulquappe supports the Customer, to the extent technically feasible, in fulfilling requests from data subjects, including:

  • access,
  • rectification,
  • erasure,
  • portability,
  • restriction of processing.

Kaulquappe may charge fees for extensive or complex requests.

11. Notification of Personal Data Breaches

a) Kaulquappe will notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer data
b) The notification will include:

  • description of the breach,
  • likely consequences,
  • remedial actions taken or proposed,
  • contact details of Kaulquappe’s responsible contact.

c) The Customer is responsible for notifying supervisory authorities or affected individuals, unless otherwise agreed.

12. Return, Deletion and Retention of Data

a) Upon termination of the contract, Kaulquappe will provide all Customer data in a commonly used format (e.g., CSV, JSON).
b) Data will be deleted once statutory retention periods have expired.
c) Backup data is deleted automatically according to regular backup cycles.

13. Audit Rights

a) The Customer may perform one audit per year (remote audit, questionnaire or document review) to verify compliance.
b) Audits must be coordinated in advance and may not unreasonably disrupt Kaulquappe’s operations.
c) Audit costs shall be borne by the Customer.

14. Liability

a) The liability limitations set out in the big® General Terms and Conditions (GTC) also apply to this DPA:
b) Kaulquappe is not liable for data protection violations arising from:

  • incorrect or missing Customer instructions,
  • unlawful Customer data,
  • Customer-side misconfigurations.

15. Final Provisions

Amendments to this DPA must be made in writing. If any provision of this DPA
becomes invalid, the remaining provisions remain unaffected. This DPA is governed exclusively by Swiss law. The exclusive place of jurisdiction is Zurich (Commercial
Court).