MCP Gateway

Data Processing Agreement (DPA)

Auftragsverarbeitungsvertrag (AVV) · Last updated: 2026-05-21

This Data Processing Agreement (the "DPA") governs the processing of personal data by codebar Solutions AG (the "Processor") on behalf of the customer (the "Controller") in connection with the MCP Gateway service. It supplements and forms an integral part of the service agreement between the parties (the "Main Agreement") and implements Art. 9 revDSG (Swiss Federal Act on Data Protection) and, where applicable, Art. 28 GDPR.

Capitalised terms not defined here have the meaning given to them in the revDSG and the GDPR.

1. Roles and subject matter

The Controller determines the purposes and means of processing. The Processor processes personal data solely to provide the MCP Gateway service and only on the Controller's documented instructions — including with regard to international transfers — unless required otherwise by a law to which the Processor is subject; in that case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information.

2. Duration

This DPA applies for the duration of the Main Agreement and for as long as the Processor processes personal data on the Controller's behalf.

3. Nature and purpose of processing

The Processor operates an OAuth-protected Model Context Protocol (MCP) gateway that brokers requests between MCP/AI clients and the Controller's DocuWare instance(s), stores the connection configuration and operational metadata, and maintains audit logs. The Processor does not persist DocuWare document content or request/response bodies.

4. Categories of data subjects and personal data

Data subjects: the Controller's users and operators.

Categories of personal data:

  • Account data (name, email address).
  • Authentication and session data, including IP address and browser user-agent.
  • Metadata about access to the connected DocuWare environment (actor, event, token issuance, request method/path/status/duration).

The gateway does not persist DocuWare document content or request/response bodies.

5. Processor obligations

The Processor will:

  • Process personal data only on the Controller's documented instructions, as recorded in this DPA, the Main Agreement, or subsequent written instructions.
  • Inform the Controller without undue delay if, in its opinion, an instruction infringes the revDSG, the GDPR, or other applicable data protection law.
  • Ensure that persons authorised to process the data are subject to an appropriate duty of confidentiality.
  • Implement and maintain the technical and organisational measures set out in Annex B.
  • Taking into account the nature of processing, assist the Controller by appropriate measures in responding to data-subject requests, and assist the Controller in meeting its security, breach-notification, and data-protection-impact-assessment obligations.
  • Make available the information necessary to demonstrate compliance with this DPA and support audits in accordance with Section 9.
  • Delete or return personal data on termination in accordance with Section 10.

6. Sub-processors

The Controller grants a general authorisation for the engagement of the sub-processors listed in Annex C. The Processor will give the Controller prior notice of any intended addition or replacement of a sub-processor at least 30 days in advance and will give the Controller the opportunity to object on reasonable data-protection grounds. If the parties cannot resolve a justified objection, the Controller may terminate the affected part of the service. The Processor will impose data-protection obligations on its sub-processors that are substantially equivalent to those set out in this DPA and remains fully responsible for its sub-processors' performance.

7. Personal data breach

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data. The notification will, to the extent available, describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. The Processor will provide the further information reasonably required for the Controller to meet its own notification obligations toward authorities and data subjects.

8. International transfers

Processing takes place primarily within the EU/EEA; Switzerland benefits from an EU adequacy decision. Any transfer of personal data to a country without an adequate level of protection is safeguarded by appropriate measures — such as the EU Standard Contractual Clauses (Module 3, processor-to-processor) together with the Swiss addendum ("Swiss finish"), or, for a recipient certified under the Swiss–U.S. Data Privacy Framework, reliance on that framework. The applicable safeguard for each sub-processor is indicated in Annex C.

9. Audits

The Processor will make available the information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. To minimise disruption, audits take place on at least 30 days' prior written notice, during normal business hours, no more than once in any 12-month period (unless a personal data breach has occurred or a supervisory authority requires otherwise), and subject to confidentiality. Audit requests may be satisfied through up-to-date documentation, certifications, or third-party audit reports where these reasonably demonstrate compliance.

10. Deletion or return of data

On termination of the services, the Processor will, at the Controller's choice, delete or return the personal data and delete existing copies within 90 days, unless retention is required by law. On request, the Processor will confirm completion of deletion in writing.

11. General

This DPA forms part of the Main Agreement. In the event of a conflict between this DPA and the Main Agreement regarding the processing of personal data, this DPA prevails. The governing law, jurisdiction, and limitation-of-liability provisions of the Main Agreement apply to this DPA. Should any provision be or become invalid, the remaining provisions remain in force.

Annex A — Details of processing

Subject matter: operation of the MCP Gateway service.
Nature and purpose: brokering MCP/AI client requests to the Controller's DocuWare instance(s), storing connection configuration and metadata, and audit logging.
Duration: the term of the Main Agreement.
Data subjects: the Controller's users and operators.
Categories of data: account, authentication/session, and access metadata as described in Section 4.

Annex B — Technical and organisational measures

Measures are aligned to the protection goals of Art. 32 GDPR / Art. 8 revDSG and Art. 3 DPO (Datenschutzverordnung).

Confidentiality

  • Encryption at rest (AES-256) for DocuWare credentials, tokens, and signing keys.
  • Encryption in transit (TLS) for all communications.
  • Hashing of passwords and tokens; secrets are never stored in clear text.
  • Role-based access control, least-privilege access, and tenant isolation.

Integrity

  • Audit logging of relevant actions, retained by default for 365 days.
  • Change management and access logging.

Availability and resilience

  • Regular backups and documented restoration procedures.
  • Hosting on infrastructure providers operating certified data centres (e.g. ISO 27001 / SOC 2; see Annex C).

Process for regular testing and evaluation

  • Vulnerability and patch management for the application and its dependencies.
  • A documented incident-response process.
  • Periodic review of these technical and organisational measures.

Annex C — Sub-processors

| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Laravel Cloud (Laravel LLC) | Application hosting / PaaS | EU (Central EU region) | Within EU/EEA |
| Neon, Inc. | PostgreSQL database | EU region | Within EU/EEA |
| Managed Redis (via Laravel Cloud) | Cache, sessions, OAuth state | EU | Within EU/EEA |
| Postmark (ActiveCampaign / Wildbit) | Transactional email delivery | USA | Swiss–U.S. DPF if certified, otherwise EU SCCs + Swiss addendum |
| DigitalOcean, LLC | Object storage (Spaces, S3-compatible) | EU region | Within EU/EEA |

Note: the listed providers may rely on their own onward infrastructure sub-processors. The Processor selects providers that contractually maintain equivalent data-protection and security obligations.

Contact

To request a signed copy of this DPA: helpdesk@codebar.ch