Integrity feature — please do not modify: This agreement bears a version stamp with SHA-256 hash of the source text on every printed page. Before counter-signing, Aiara verifies that the hash matches the version published online at aiara.ch/en/legal/avv. Any content changes to the wording result in a different hash and will be rejected; in the event of an intentional manipulation, Aiara reserves the right to take legal action (see section 11.5).

Data Processing Agreement

Version 1.1 — Effective from 2026-05-26

between

the Customer (hereinafter "Controller")

— represented by the contact details provided during the order process —

and

Aiara Privacy Suite Sulzerallee 70 8404 Winterthur Switzerland

E-mail: support@aiara.ch

(hereinafter "Processor" or "Aiara")

— jointly the "Parties" —

Preamble

Aiara provides the Controller with a Software-as-a-Service solution under the name "Aiara Privacy Suite" for cookie consent management, automated privacy policies and compliance reports. As part of this service, Aiara processes personal data of the Controller's website visitors on behalf of the Controller. "Aiara Privacy Suite" is a product of Sidora AG (registered office: Winterthur, Switzerland), which is the legal entity providing the service and the contracting party to this agreement.

This agreement specifies the data protection obligations of the Parties and forms part of the main contract. It satisfies the requirements of:

Article 28 GDPR (EU General Data Protection Regulation), and
Article 9 FADP (revised Swiss Federal Act on Data Protection, in force since 1 September 2023).

1. Subject Matter and Duration

1.1 Subject Matter

Aiara processes personal data exclusively for the purpose of providing the following services:

Delivery and management of the cookie consent banner on the Controller's domains
Storage of consent records (evidence according to Art. 7 (1) GDPR)
Generation and updating of privacy policies and legal notices
Cookie scanning of the Controller's domains
Risk assessment according to FDPIC Annex A
Sending of system e-mails to the Controller (e.g. scan reports, compliance warnings)

1.2 Duration

The agreement begins with activation of the Aiara account and ends with the full termination of the main contract. The obligations under section 9 (deletion / return) continue beyond this point.

2. Nature and Purpose of Processing

Aspect	Description
Nature of processing	Collection, recording, organisation, storage, adaptation, retrieval, consultation, use, transmission (within the Aiara system), deletion
Purpose	Cookie consent management, evidence of consent, compliance reporting, automated generation of data protection documents
Legal basis	Art. 6 (1) (f) GDPR (legitimate interest, where evidence purposes apply) or consent (Art. 6 (1) (a) GDPR), depending on Controller configuration
Automated decision-making	None within the meaning of Art. 22 GDPR

3. Categories of Data Subjects and Data

3.1 Data Subjects

Website visitors of the domains registered by the Controller
Employees of the Controller with Aiara login

3.2 Categories of Personal Data Processed

Website visitors (before consent):

Stored locally in the visitor's browser (no transmission to server): banner configuration cache (aiara_banner_config), pseudonymous visitor ID (aiara_vid, UUID v4), expiry timestamp (aiara_vid_exp)

Website visitors (after click on Accept / Reject / Save): Transmitted to Aiara server and stored in the Aiara database:

Pseudonymous visitor ID (UUID v4, generated locally in browser)
Consent decision (selection of cookie categories as boolean)
Action (accept_all / reject_all / custom / withdraw)
URL of the page on which the decision was made
IP hash: SHA-256(IP address + server secret) — the raw IP address is NOT stored
User agent string (truncated to 500 characters)
Timestamp
Optionally for active A/B tests: assigned variant (a / b) and test ID

Employees of the Controller:

Name, e-mail address
Password hash (bcrypt, never plaintext)
Login activity (timestamp, IP, user agent)
Language preference, role assignment

3.3 Special Categories of Personal Data

Aiara does not process special categories of personal data within the meaning of Art. 9 GDPR or Art. 5 (c) FADP. The Controller ensures that no such data is routed through Aiara.

4. Obligations of the Processor

Aiara undertakes to:

Process personal data exclusively on documented instructions from the Controller. This agreement constitutes such instruction.
Ensure that all persons authorised to process the data are subject to confidentiality obligations or appropriate statutory secrecy.
Implement all technical and organisational measures specified in Annex B (TOMs).
Inform the Controller without delay if an instruction violates applicable data protection law.
Assist the Controller in complying with its obligations under Art. 32 to 36 GDPR.
Notify the Controller without undue delay (at the latest within 72 hours of becoming aware) of any personal data breach.
Provide all information necessary to demonstrate compliance with this agreement upon request.

5. Obligations of the Controller

The Controller:

Is solely responsible for the lawfulness of the data processing vis-à-vis data subjects.
Ensures the accuracy and currency of the domain and company data stored in Aiara.
Informs website visitors in their privacy policy about the use of Aiara as cookie consent solution.
Protects their Aiara login credentials and reports any suspicion of misuse immediately to support@aiara.ch.

6. Sub-Processors

6.1 General Authorisation

The Controller generally authorises the engagement of the sub-processors listed in Annex A. Aiara informs the Controller of any intended change with at least 30 days' notice. The Controller may object to the change within 14 days; in this case, Aiara reserves the right to terminate the contract for cause.

6.2 Obligations vis-à-vis Sub-Processors

Aiara contractually obliges each sub-processor in writing to the same obligations set out in this agreement, in particular to the TOMs in Annex B.

6.3 Third-Country Transfer

If a transfer to a third country without adequacy decision takes place, Aiara concludes the EU Standard Contractual Clauses (SCC) under Implementing Decision (EU) 2021/914 with the relevant sub-processor and — where required — performs a Transfer Impact Assessment (TIA).

7. Data Subject Rights

Aiara supports the Controller with appropriate technical and organisational measures in fulfilling data subject requests, in particular:

Access (Art. 15 GDPR / Art. 25 FADP): exportable via the Aiara dashboard
Rectification (Art. 16 GDPR / Art. 32 FADP): not applicable — stored consent data are evidence by their nature
Erasure (Art. 17 GDPR): implemented within 30 days upon written request to support@aiara.ch; except for data required to comply with statutory retention obligations
Restriction (Art. 18 GDPR): implemented upon request
Withdrawal of consent (Art. 7 (3) GDPR): possible at any time via the reopen function integrated in the banner

Aiara forwards direct requests from data subjects to the Controller without undue delay.

8. Audit Rights

The Controller has the right to verify Aiara's compliance with this agreement:

Initially by reviewing the TOMs (Annex B) and any certifications.
In case of justified cause, by on-site audits, with 30 days' notice, during normal business hours, without disrupting other customers. Costs are borne by the Controller, except in cases of demonstrated material breach.

9. Termination — Deletion and Return

After completion of processing — at the latest 30 days after termination of the main contract — Aiara, at the Controller's choice, returns or irretrievably deletes all personal data. Confirmation of deletion is provided in writing upon request.

Statutory retention obligations (e.g. Art. 958f CO / commercial law records) remain unaffected.

Backups containing the stored data are automatically overwritten within the regular backup rotation cycle (see Annex B).

10. Liability

Liability between the Parties is governed by the main contract and additionally by Art. 82 GDPR or Art. 39 FADP.

11. Final Provisions

11.1 Precedence

In the event of conflicts between this agreement and the main contract or other annexes, this agreement takes precedence in matters of data protection.

11.2 Written Form

Amendments and additions require text form (e-mail is sufficient).

11.3 Governing Law / Jurisdiction

Swiss law applies, excluding conflict-of-laws provisions. Place of jurisdiction is Winterthur. Insofar as mandatory EU data protection law applies, its provisions take precedence.

11.4 Severability

Should any provision of this agreement be or become invalid, the validity of the remaining provisions remains unaffected. The invalid provision is replaced by a valid one that comes closest to its meaning and purpose.

11.5 Authoritative online version

The version of this agreement published at https://www.aiara.ch/en/legal/avv is the binding reference. In the event of any deviation between a printed copy and the version published online, the online version applies exclusively. A SHA-256 hash of the source text is imprinted on every printed page; Aiara verifies that the hash matches the current online version before any counter-signature.

11.6 No unilateral modifications

Content changes to the wording of this agreement — of any kind — by the Controller are not permitted and will not be accepted. An agreement with modified wording does not come into existence, even if returned signed. In the event of an intentional manipulation of the document, Aiara reserves the right to take legal action. Adjustment requests or supplementary agreements are exclusively to be regulated through separate amendments signed by both parties.

Annex A — Sub-Processors

Sub-Processor	Registered Office	Place of Processing	Purpose	Data Category	Transfer Mechanism
Sidora AG (hosting infrastructure)	Switzerland	Switzerland (own data centre)	Hosting of the Aiara application, PostgreSQL database, Redis cache, backups	All categories listed in Section 3.2	Group-internal, CH→CH
Sendinblue / Brevo SAS (SMTP)	France (EU)	EU	Sending of transactional system e-mails (activation links, scan reports, compliance warnings) to the Controller	E-mail address, recipient name, e-mail content	EU adequacy
Stripe Payments Europe Ltd.	Ireland (EU)	EU / USA (for payment processing)	Processing of subscription payments by the Controller	Payment data of the Controller (not of website visitors)	EU SCC concluded by Stripe

Currency of this list: 2026-01-01. The current version is available at https://www.aiara.ch/trust.

Annex B — Technical and Organisational Measures (TOMs)

As of 2026-01-01. Aiara meets the requirements of Art. 32 GDPR and Art. 8 FADP through the following measures:

1. Confidentiality (Art. 32 (1) (b) GDPR)

1.1 Physical Access Control

Servers are located in a Swiss data centre with physical access control (24/7 security, biometric access control, video surveillance).
Access to the data centre is granted only to authorised personnel of the hosting provider.

1.2 System Access Control

SSH access exclusively via cryptographic keys (ed25519 / RSA-4096), no password authentication.
Multi-factor authentication for administrative access.
Unique, person-bound user IDs for each employee.

1.3 Data Access Control

Role-based authorisation (Spatie Permission): separation between admin (Aiara team) and client (end customers).
Tenant separation at database level via organization_id and domain authorisation middleware (VerifyDomain).
Passwords are stored exclusively as bcrypt hash.
Login sessions with inactivity timeout.

1.4 Pseudonymisation

IP addresses are stored exclusively as a non-reversible SHA-256 hash with application-specific salt. The raw IP is never persisted.
Visitor IDs are cryptographically random UUIDs (RFC 4122 v4), generated locally in the browser, and not linkable across domains.

2. Integrity (Art. 32 (1) (b) GDPR)

2.1 Transmission Control

All connections between browser, Aiara server and sub-processors are exclusively encrypted via TLS 1.2 or higher.
HSTS headers enforce HTTPS.
No transmission of personal data over unencrypted channels.

2.2 Input Control

All data changes are logged with timestamp and where applicable user reference.
Consent logs are immutable (append-only) and contain no fields for subsequent modification.

3. Availability and Resilience (Art. 32 (1) (b) and (c) GDPR)

3.1 Backup Concept

Daily backups, redundantly stored in two locations.
7-day retention, restoration of any day within this window is possible.
Backups are stored encrypted.

3.2 Recoverability

Recovery Time Objective (RTO): under 24 hours.
Recovery Point Objective (RPO): max. 24 hours.
Recovery tests are performed regularly.

4. Procedure for Regular Review (Art. 32 (1) (d) GDPR)

Security updates of the software in use (Laravel, PHP, PostgreSQL, Node, Playwright, all Composer / NPM dependencies) are applied regularly.
Automated dependency audits via the respective package managers.
Code reviews before production deployment.

5. Sub-Processor Control (Art. 28 GDPR)

Sub-processors are exhaustively listed in Annex A.
A data processing agreement is concluded with each sub-processor that meets at least the protection level of this DPA.

6. Data Separation (Art. 32 GDPR)

Strict tenant-based data separation at application level (organization_id).
Server-side domain lock middleware prevents cross-domain data access.
Banner script additionally verifies window.location.hostname against the registered domain client-side (defense-in-depth, three layers).

7. Personnel Obligations

All staff with data access are bound in writing to data secrecy and confidentiality.
Data protection training is conducted regularly.

Place, Date

For the Controller (signature, name, function)

For Aiara Privacy Suite (Sidora AG) (signature, name, function)

How to execute this agreement

1Print the full document or save it as PDF via your browser's print dialog — the version stamp on every page (hash 2c0aed8f96d43139) must be preserved.

2Fill in place, date and your signature on the final page in the "For the Controller" field. The remaining wording must not be modified.

3Send the signed copy (scanned or photographed) to support@aiara.ch.

4Aiara verifies that the hash matches the current online version. If the hash matches, we counter-sign promptly and return the fully executed agreement as PDF. In case of a different hash, we contact you to clarify.