Privacy Policy

Last Updated: May 4th, 2021


Thank you for choosing Interprefy as your interpretation solution. We are honored to provide our international customers best-in-class meeting and real-time interpretation solutions. As a provider of such meeting and interpretation services we take data privacy and data security very seriously. In fact, so seriously, that we chose to adhere to the strictest data privacy and security regulation: EU’s GDPR (General Data Privacy Regulation). With that in mind, please find below an overview how specifically we handle your data.

Who we are:

Interprefy is a Swiss corporation (Aktiengesellschaft – AG) located at Bellerivestrasse 11, CH -8008 Zürich, Switzerland (hereinafter “Interprefy” “we”, “us”).

What we do:

Interprefy enables its users (“they“, “their“, “you“ or “your“), via its Websites ( and ) (the “Websites”), its API, mobile apps, its services or other means (the “Interprefy Platform”), to remotely transfer voice, video and data in real-time (the “Services”).

For whom we do it:

This Privacy Policy is binding on all of our Users using our Services, including but not limited to our customers that set up the meetings (“Hosts”), the audience invited by the Host (“Audience Member”), interpreters translating meeting contents (“Interpreters”) and moderators monitoring the meeting (“Moderators”) (Hosts, Audience Members, Interpreters and Moderators are together the “Users”).

How we do it:

We adhere to EU’s GDPR with all disclosures and safeguarding requirements as outlined below:

1. Responsible, Contact, Data Protection Officer

Interprefy AG, Bellerivestrasse 11, CH -8008 Zürich, Switzerland is responsible for the procession of personal data within the provision of our services.

If you have any questions or concerns about data protection, please contact Data processing for the purpose of contacting us is carried out on the basis of your consent.

The Data Protection Officer of Interprefy AG can be contacted by emailing

2. Processing personal data.

2.1 We process personal data that we receive from Users using our Service.Personal data, is any information relating to an identified or identifiable natural person (“Personal Data”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics. An example is recordings of meetings that you speak at.

2.2 We process Personal Data in order to comply with contractual obligations.

Contract and billing fulfilment. When you ask us to set up a meeting for you (Host), we process Personal Data to fulfill a contract with you. Personal Data is processed for the purpose of providing Services in connection with the performance of our agreements with Users or for performing precontractual measures as a result of queries. i.e. contact person, company address, e-mail address, contact details, username and password, payment details, tax numbers. For further details on the purposes of data processing, please refer to the pertinent contractual documents and our Terms of Use. We may also use Personal Data to accomplish administrative tasks, contact you within the framework of the business relationship and enforce our agreements with you, including this Privacy Policy.

Interpretation Service. When you are using or providing interpretation services at a meeting, we are processing Personal Data to fulfil a contract with you who provides or orders interpretation services. We collect and process the personal data that you enter or transfer. When interpreting, in particular the following Personal Data is processed: meeting information such as title, name, data/ time, and meeting attendance such as participants email/phone number in cases where 2-Factor Authentication is used, username, IP address, time connected, selected languages, meeting audio and video stream, meeting audio and video recordings, meeting chats.

2.3 Justified Interests. We process Personal Data in order to protect justified interests of our own and of third parties. For instance, we may use personal data for troubleshooting, quality control, analytics, monitoring the performance of our services, to resolve disputes, to enhance the operation of the Websites and the Interprefy Platform, to improve our marketing and promotional efforts, to analyze websites and Interprefy Platform usage, to improve and optimize the websites and the Interprefy Platform, for direct marketing, to lodge legal claims and to defend in case of legal disputes, to ensure IT security and the IT operation of Interprefy and for measures for business management and advanced development of services.

Host, speaker, interpreter and moderator login. When you are logging in with speaker, interpreter or moderator tokens, we will ask you to provide your full name. If you are the Host and able to create event on our platform, your name will be stored on your account. This is done to track Users and to provide better experience of the Interprefy Platform to all the Users. We retain this information in our logs as long as necessary to fulfil the described purpose and/or as required by law.

Storing Recordings. We might archive certain audio and video data for quality assurance purposes and keep it as long as necessary to fulfil the described purposes and/or as required by law. At the request of the User, events also can be recorded and made available for later viewing. This could, for example, be done via a searchable Media Library. Such archives are stored on our secure servers, have strict access policy and can be deleted at any time at you’re the Hosts request. Interprefy is a Processor (under GDPR) for Hosts’ meetings and as such stores such recordings for Hosts. If you are an Audience Member of a meeting on the Interprefy Platform and want recordings deleted, please reach out to Hosts to request deletion of such recordings.

2.4 Consent: We process Personal Data in order to comply with contractual obligations as a result of your consent. To the extent you have consented to the processing of Personal Data by us for certain purposes (i.e. newsletter), such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. Revocation of consent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.

2.5 Processor. If Interprefy processes personal data on behalf of a User (e.g. a Host), the provisions on commissioned processing of Interprefy and the Data Processing Agreement in Annex A apply.

3. Interprefy App.

We offer interpretation Apps for Windows, iOS, and Android operating systems. These Apps use the same functionality for interpretation as the web-based service. Therefore, the Privacy Policy also applies to the use of the Apps. If you use Interprefy with one of the apps, for technical reasons your device will automatically transmit same data as the web application as well as diagnostic information in event of errors. The processing of this data is based on consent and on our legitimate interest in improving the stability and functionality of our service. Data relating to access is used for error analysis, ensuring system security, logging access and to improve our interpretation service. We use cookies and web storage objects in our Apps that may store your name if it was entered on login. For technical reasons, the use of cookies and web storage objects in our Apps cannot be deactivated. If you do not agree with their use in the App, you can delete the App and instead use the web-based service where you can manage these settings.

4. Contact Form.

When you are filling the contact form on our website you can enter your name, message, email and/or phone number. The data entered in the form is transmitted to us and stored. The following data is also stored at the time the message is sent: IP address of the User and date and time of registration.

We ask you to voluntarily provide this information to be able to get in touch with you, to provide you with more information regarding our products and, if needed, to create an admin account for the Interprefy platform. We retain this information as long as necessary to fulfil the purpose for your request and/or as required by law, e.g. for tax and accounting purposes.

5. How we share information that we collect.

5.1 Transfer. A transfer of Personal Data of the User to third parties takes place exclusively within the framework of the fulfilment of the contract, or for the purpose of fulfilling legal requirements according to which we are obliged to provide information, to report or to transfer data, or due to the legitimate interest of us or the legitimate interest of a third party or if you have given consent to the transfer to third parties.

5.2 Service Providers.

We employ third-party service providers such as Cloud service providers or Interpreters to provide services on our behalf Users of our Services. and our customers and may need to share your information with them to provide information, products or services to you. Examples may include providing marketing assistance, processing credit card payments, supplementing the information you provide us in order to provide you with better service, and providing customer service or support. These service providers are prohibited from using your Personal Data except for these purposes, and they are required to maintain the confidentiality of your information. In all cases where we share your information with such agents, we explicitly require the agent to acknowledge and adhere to our privacy and customer data handling policies.

5.3 Partners. In addition, we may share data with trusted partners to help us perform statistical analysis or provide customer support. Such third parties are prohibited from using your personal data except for these purposes, and they are required to maintain the confidentiality of your information.

If you are enrolled in the Interprefy Platform as a Host, you may change any of your Personal Data by logging into your account and accessing the “Profile” page. We encourage you to promptly update your Personal Data if it changes, as out-of-date data may negatively affect the quality of your Interprefy Platform use and experience.

6. How We Transfer Data We Collect Internationally.

Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent this is required to fulfil the contract, it is required by law or you have given your consent.

Personal data is stored and processed in the European Union if meeting location is set to the country within European Union.

If we share Personal Data outside the EEA, we follow European Law and request third parties, to the extent required by law, to sign Standard Contractual Clauses.

7. Processing of Personal Data on behalf of others.

The processing of personal data on behalf of the User or third parties that host the meeting is regulated in the agreements with the controllers, i.e. Hosts.

8. Release of Personal Data.

We will not sell or share your Personal Data with other parties except as provided below:

8.1 Acquisition. As with any other company, we could merge with, or be acquired by another company. If this occurs, the successor company would acquire the information we maintain, including Personal Data. However, Personal Data would remain subject to this Privacy Policy.

8.2 As required by law. We reserve the right to disclose your Personal Data as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on our Websites; enforce or apply this Privacy Policy, Terms of Service or other agreements; or to protect the rights, property or safety of the Websites, Users of the Interprefy Platform, employers, or others.

9. Website visits and audience login.

When you use the Websites, Services and the Interprefy Platform as an audience User, data transmitted by your browser that enables you to access the website is collected. This includes:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software
  • The country of origin for the visitor
  • Use of Google AdWords.

This data is not merged with other Personal Data within the framework of the Website. The log files with the above-mentioned data are automatically deleted after 180 days. We reserve the right to store the log files for longer if facts exist that suggest the assumption of unauthorized access (such as an attempt at hacking or a DOS attack). The personal data in log files are processed on the basis of the legitimate interest of Interprefy. The temporary storage of the IP address by the system is necessary to enable delivery of the website to the User's computer. For this purpose, the User's IP address must remain stored for the duration of the session.

10. Our website uses Google Conversion Tracking.

If you clicked on an ad delivered by Google on our website, a cookie is placed on your computer by Google AdWords. The cookie for conversion tracking is placed when a User clicks on an ad delivered by Google. These cookies expire within 30 days and are not personally-identifiable. If the User visits certain pages on our website and the cookie has not yet expired, we and Google will be able to recognize that the User has clicked on the ad and proceeded to that page. Every Google AdWords customer gets a different cookie, cookies cannot therefore be tracked across sites by AdWords customers. The information obtained using the conversion cookie is used to create conversion statistics for AdWords customers who have opted in for conversion tracking. Customers are given an overall number of Users who have clicked on their ad and proceeded to a page tagged with a conversion tracking tag. However, they will not receive any information that can personally identify Users. If you do not want to participate in the tracking, you can take the necessary steps to block a cookie – such as through a browser setting, which generally disables cookies from being stored, or adjust your browser settings in such a way that cookies from the domain "" are blocked.

11. Social Media

Our website includes Social Media Features, such as the Facebook Like button and Widgets, such as the Share Button or interactive mini-programs that run on our sites. These features may collect your IP address, which page you are visiting on our sites, and may set a cookie to enable the feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Websites. This Privacy Policy does not apply to these features. Your interactions with these features are governed by the privacy policy and other policies of the companies providing them.

12. Vonage

To implement our video and audio streaming and our chat function of the app and the video web application, we use the API from Vonage, 5 New Street, Square, London, England EC4A 3TW. This involves the transmission of encrypted communication data for the purpose of establishing the connection for the video conference call. We do not pass this data on to third parties without your consent. The corresponding use of data takes place within the framework of the processing of your request. Furthermore, for the technical provision of the API, we have entered into an agreement with the service provider of Vonage, Nexmo Inc, 23 Main Street Holmdel, New Jersey 07733 (USA) with an additional EU standard contractual clause in order to ensure a level of protection appropriate to data protection. Further information on data processing by this provider can be found in the Privacy Policy and the Terms of Use of Vonage at, or at and at

13. WhoisXMLAPI

We use additional third-party analysis of the IP address. The IP address is transmitted anonymously without any further personal data from our servers. The IP address is transmitted to WhoisXMLAPI service. This measure is intended to prevent invalid and non-legal requests.

14. Job Applications

We offer you the opportunity to apply for a position at Interprefy. In order to complete the application procedure, your application data is collected and processed electronically. The personal data you provide will be used exclusively for processing your job application. Your personal data will only be passed on or otherwise transferred to persons involved in the recruitment process. If, following the recruitment process, an employment contract is concluded, we will store your personal data as part of your personnel file for the purpose of standard organizational and administrative procedures, in compliance with the more extensive legal obligations. In the event that we reject an application, we will automatically delete the data transmitted to us 6 months after notification of rejection. The data will not be deleted, however, if legal regulations require that the data is stored for a longer period. If you expressly agree to a longer storage of your data, e.g. for your inclusion in our internal applicant pool, the data will be further processed based on your consent. You can, of course, let us know that you would like to revoke your consent at any time, with effect for the future.

15. Retention of Personal Data

We will retain your Personal Data for as long as is necessary to fulfil the purposes for which it was collected. We retain and use your personal information as necessary to comply with our business and legal obligations, resolve disputes, protect our resources and enforce our rights and contracts.

16. Choices on Collection/Use of Information.

Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without this data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it. In the event of non-provision, Interprefy cannot be used or can only be used with limited functionality.

If you do not want to receive newsletters and promotional emails from us, you may elect to opt-out of receiving them at any time by hitting the “unsubscribe” button at the bottom of any of our e-mails.

17. Rights of Data Subjects

Compliance with GDPR is our priority. Under GDPR, every data subject has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR).

Your consent to the processing of Personal Data granted to us may be revoked at any time by informing us accordingly. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.

To exercise your rights, send an e-mail to Please note that when a Host invites you to a meeting on Interprefy, that the Host is the “Controller” under GDPR and you need to exercise your above rights with the Host directly. That includes but is not limited to recordings of your video and audio, your chat, your email addresses, IP address etc. To the extent Interprefy is a “Controller” under GDPR (e.g. collecting information of Interpreters such as name, email address etc. to offer interpretation services), Interprefy will process your requests directly.

18. Data Security.

Your Personal Data resides on a secure server that only selected personnel have access to. We encrypt sensitive information using Secure Socket Layer (SSL) technology to ensure that your personal data is safe as it is transmitted to us.

19. Changes to our Privacy Policy.

Interprefy keeps its Privacy Policy under regular review and places any updates on this web page. This privacy policy was last updated on 28th of February 2021.

When you see a link to our Privacy Policy in the User Interface, receive it in an email or see it on our website or in a contract we might conclude with a Host or an Interpreter, please note that the update process is the same: all changes will be made and shown on this website and become immediately effective with publication.



Data Processing Agreement

The provisions of this Data Processing Agreement ("DPA") shall apply in addition to all activities related to the relationship between User and Processor, where the Processor and its employees or agents deals with Personal Data originating from or processed for the Controller.

1. Definitions

The terms used in this DPA shall have the meaning as expressly defined herein, otherwise the legally binding meaning, in particular that of Regulation (EU) 2016/679 ("GDPR").

2. Subject, purpose and duration of Processing

The object and purpose of the Processing are specified in the Order. The duration of the Processing shall correspond to the duration of the provision of services under the Order, unless otherwise provided for in this DPA.

3. Processing activities, nature of the data, Data Subjects

The Processing activities, the nature of the processed data and the categories of persons concerned by the data are set out in Annex 1.

4. Responsibility and right of instruction

4.1               The Controller decides on the purpose and means of Processing. He is responsible for assessing the permissibility of the data Processing. The Processor processes the Personal Data exclusively on behalf of and in accordance with the instructions by the Controller. The Controller's instructions as defined by the Order and this DPA may be amended, supplemented or replaced by individual instructions by the Controller at any time in writing or in text form. All instructions issued shall be documented by both the Controller and the Processor.

4.2               If the Processor is of the opinion that an instruction of the Controller infringes upon data protection regulations, the Processor shall inform the Controller immediately. The Processor is entitled to suspend the execution of the instruction in question until it is confirmed or amended by the Controller. The Processor may refuse to carry out an instruction that is obviously illegal.

5. Technical and organisational measures

5.1               The Processor is obliged to comply with the statutory provisions on data protection. The Processor shall take all necessary technical and organisational measures ("TOM") to ensure an appropriate level of protection in security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR, in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. In particular, the Processor shall not pass Personal Data of the Controller on to Third Parties or suspend access to information obtained from the Controller's area of responsibility. The Personal Data of Controller must be secured against knowledge of, damage by or other interference by unauthorised persons, taking into account state of the art safeguards. Within this area of responsibility, the Processor shall design the internal organisation in such a way that it meets the special requirements of data protection. The minimum TOMs to be complied with are listed in Annex 2.

5.2               TOM are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures. In doing so, the security level of the defined measures must not be reduced. Substantial changes require the prior consent of the Controller and must be documented by Processor.

7. Obligations of the Processor

7.1               The Processor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR. The Processor ensures, in particular, compliance with the following requirements:

  • Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Processor entrusts only such employees with the data Processing outlined in this DPA who have been bound to confidentiality and have previously been acquainted with the data protection provisions relevant to their work.
  • The Controller and the Processor shall cooperate, if so requested, with the Supervisory Authority in performance of its tasks.
  • The Controller shall be informed immediately of any inspections and measures conducted by the Supervisory Authority, insofar as they relate to this DPA.

7.2               In the event of malfunctions, suspicion of data protection infringements or breaches of contractual obligations on the part of the Processor, suspicion of security-related incidents or other irregularities in the Processing of Personal Data by the Processor or by persons employed by the Processor within the scope of its obligations or by Third Parties, the Processor shall inform the Controller immediately in writing or in text form. The same shall apply to audits of the Processor by the data protection Supervisory Authority.

7.3               If the data of the Controller are endangered at the Processor's premises by seizure or confiscation, by insolvency or settlement proceedings or by other events or measures of Third Parties, the Processor shall inform the Controller immediately, unless this is prohibited by court or official order. In this context, the Processor shall immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the Controller as the responsible party within the meaning of the GDPR.

8. Assessment, Inspections

8.1               The Controller shall, before the start of data Processing and then regularly assess the TOM of the Processor. For this purpose, he may, for example, obtain information from the Processor, request existing attestations from experts, certifications or internal tests or, after timely coordination during normal business hours, personally check the TOM of the Processor himself or have them checked by a competent Third Party, provided that the latter is not in a competitive relationship with the Processor. The Controller shall only carry out inspections to the extent necessary and shall not disrupt the operating procedures of the Processor disproportionately. The Processor undertakes to provide the Controller, at the latter's oral or written request, within a reasonable period of time, with all information and evidence required to carry out an inspection of the Processor's TOM. If the inspection reveals facts whose future avoidance requires changes to the respective procedure, the Controller shall inform the Processor immediately of the necessary changes.

8.2               Upon request, the Processor shall provide the Controller with a comprehensive and up-to-date data protection and security concept for the Processing of Personal Data and about persons authorized to access the data. The Processor shall provide evidence to the Controller on its employees being bound by confidentiality agreements upon request.

9. Subcontracting

The Processor shall not commission the Processing of Personal Data of the Controller to any subprocessor without the prior written consent of the Controller. The Processor shall be entitled to establish further subcontracting relationships with subprocessors within the scope of its contractual obligations, provided that it notifies the Controller in advance and the Controller has given its prior written consent to the engagement of the subprocessor. The Processor shall be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller's data, even in the case of outsourced ancillary services. When using subprocessors, the Processor shall oblige them in accordance with the provisions of this DPA and shall ensure that the Controller can exercise its rights under this DPA (in particular its testing and inspection rights) directly against the subprocessors. If subprocessors in third countries or International Organisation are to be involved, the Processor shall ensure that an appropriate level of data protection is guaranteed for the respective subprocessor (e.g. by concluding an agreement based on the EU Standard Data Protection Clauses). Upon request, the Processor shall provide the Controller with evidence of the conclusion of the aforementioned agreements with its subprocessor. The Controller agrees to the commissioning of the subprocessors subject to the condition precedent of a contractual agreement in accordance with Article 28 Paragraphs 2-4 GDPR. The eligible subprocessors are listed in Annex 3.

10. Support

10.1           The Processor shall assist the Controller in complying with the obligations concerning the security of Personal Data, reporting requirements for Data Breaches, Data Protection Impact Assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:

  • Ensuring an appropriate level of protection through TOM that take into account the circumstances and purposes of the Processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
  • The obligation to report a Personal Data Breach immediately to the Controller.
  • The duty to assist the Controller with regard to the Controller’s obligation to provide information to and to reply to requests from the Data Subject as set out in Chapter III of the GDPR and to immediately provide the Controller with all relevant information in this regard.
  • Supporting the Controller with its Data Protection Impact Assessment
  • Supporting the Controller with regard to prior consultation of the Supervisory Authority
  • Supporting the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR.

10.2           The Processor may not on its own authority reply to requests from Data Subjects in accordance with Art. 15 seq. GDPR, but only on documented instructions from the Controller. Insofar as a Data Subject contacts the Processor directly concerning such a request according to Art. 15 seq. GDPR, the Processor will immediately forward the Data Subject’s request to the Controller and await the Controller's instructions.

11. Duration

The term of this DPA shall be based on the term of the Order, unless the DPA contains obligations or rights of termination that go beyond the Order.

12. Extraordinary right of termination

The Controller may terminate the Order in whole or in part without notice if the Processor fails to meet its obligations under this DPA, infringes upon provisions of the GDPR intentionally or through gross negligence or is unable or unwilling to carry out an instruction of the Controller. In the case of simple - i.e. neither intentional nor grossly negligent - infringements, the Controller shall set the Processor a reasonable deadline within which the Processor can remedy the infringement before termination. Furthermore, the termination stipulations of the Order shall apply.

13. Deletion and return of Personal Data

13.1           Copies or duplicates of the Personal Data shall never be created without the knowledge of the Controller, with the exception of back-up copies as far as they are necessary to ensure orderly data Processing, as well as data required to meet regulatory requirements to retain data.

13.2           After termination of this DPA and/ or the Order or earlier upon request by the Controller, the Processor shall hand over to the Controller or – subject to prior consent – destroy all documents, Processing and utilization results, and data sets related to this DPA and/or Order that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

13.3           Documentation which is used to demonstrate orderly data Processing in accordance with this DPA shall be stored beyond the DPA duration by the Processor in accordance with the respective retention periods. It may hand such documentation over to the Controller at the end of the DPA duration to relieve the Processor of this contractual obligation.

13.4           The Controller has the right to control the complete return or deletion of the Personal Data at the Processor’s as it deems appropriate and in accordance with this DPA.

14. Confidentiality

14.1            The Processor shall treat as confidential all business secrets including the contents of the Order and this DPA and other information of the Controller (hereinafter referred to as "Confidential Information"). The Processor shall treat the Confidential Information with the same care as it treats its own Confidential Information of the same sensitivity, but at least with the care of a prudent businessman. Any use of the Confidential Information shall be limited to use in connection with this DPA and the Order. Without the prior consent of the Controller, the disclosure of confidential information to Third Parties is not permitted. Consent must be given in writing.

14.2           To the extent as is required by applicable legal obligations, Processor is furthermore entitled to disclose and pass on confidential information. To the extent permitted by law, the Processor shall inform the Controller prior to the disclosure of confidential information.

14.3           Excluded from the obligation of confidentiality is information which

  • were already generally known at the time of conclusion of this DPA and/or the Order or became generally known subsequently without breach of the obligations of confidentiality as provided for in this DPA;
  • the Processor has received from Third Parties or outside this DPA and/or Order without any obligation of confidentiality.

It shall be for the Processor to prove the existence of the exceptions referred to in this paragraph.

14.4           The obligation to maintain confidentiality shall apply for the term of the Order and for a period of 10 years after termination of the Order.

15. Governing Law

The Order and this DPA are governed by Swiss law. The place of jurisdiction for all disputes arising out of or in connection with the Order and this DPA - insofar as the agreement on a place of jurisdiction is permitted by law - shall be the courts at the place of the office of the defendant.


Annex 1 - Processing of Personal Data

1. Processing activities

The Processing activities related to the Personal Data of the Controller are the following:

Processing activities

Collect/ record

Adapt / change

Organize/ structure



Combine / link


Transmit/ transfer

Delete/ destruct




Align/ combine

Disclose/ disseminate/ make otherwise available


Send/ receive


Erase/ destruct


Readout/ query


2. Nature of Personal Data

Nature of Personal Data

Special categories of Personal Data

Personal contact data (e.g. address, telephone, e-mail)

Personal data revealing religious belief

Contract data (for example, contractual relationship, product interest)

Personal data revealing racial or ethnic origin

Customer history

Health data

Contract billing and payment data

Biometric data

Agents, consultants and other professionals (Processors) of the responsible person





3. Categories of Data Subjects

Categories of Data Subjects

(Potential) customers


Interested parties

Sales representatives


Contact persons


Agents, consultants and other service providers of the responsible person

Business Partner



Annex 2 - Technical and Organisational Measures

The applicable TOM are as follows:

1. Confidentiality (Article 32 Paragraph 1 lit. b GDPR)
  • Physical Access Control

No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems.

  • Electronic Access Control

No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media.

  • Internal Access Control (permissions for user rights of access to and amendment of data)

No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events.

  • Isolation Control

The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Controller support, sandboxing.

  • Pseudonymisation (Article 32 Paragraph 1 lit. a GDPR; Article 25 Paragraph 1 GDPR)

The Processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.

2. Integrity (Article 32 Paragraph 1 lit. b GDPR)
  • Data Transfer Control

No unauthorised Reading, Copying, Change or Deletion of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature.

  • Data Entry Control

Verification, whether and by whom Personal Data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management.

3. Availability and Resilience (Article 32 Paragraph 1 lit. b GDPR)
  • Availability Control

Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning.

  • Rapid Recovery (Article 32 Paragraph 1 Point c GDPR) (Article 32 Paragraph 1 lit. c GDPR).
4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 lit. d GDPR; Article 25 Paragraph 1 GDPR)
  • Data Protection Management
  • Incident Response Management
  • Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
  • Order or Contract Control

No Third Party data Processing as per Article 28 GDPR without corresponding instructions from the Controller, e.g.: clear and unambiguous contractual arrangements, formalised order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.


Annex 3 – Subprocessors

Name of Subprocessor

Address of Subprocessor

Service of Subprocessor



If you have any questions regarding this Privacy Policy do email us at:


© 2021 Interprefy AG