Data Processing Agreement (DPA)
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Controller: The customer identified in the applicable CookieAI service agreement (hereinafter "Controller")
Processor: CookieAI, operated by Teodor Petrica, Wallisellen, Switzerland (hereinafter "Processor" or "CookieAI")
Together referred to as the "Parties". This DPA forms an integral part of the service agreement between the Parties (the "Service Agreement").
Scope: This DPA applies exclusively to on-premise deployments of CookieAI. Cloud trial services are provided under separate terms and are not covered by this agreement.
2. Subject Matter and Duration
This DPA governs the processing of personal data by CookieAI on behalf of the Controller through the CookieAI platform. The duration of data processing under this DPA corresponds to the term of the Service Agreement, unless otherwise specified herein.
3. Nature and Purpose of Processing
The Processor processes personal data on behalf of the Controller for the following purposes:
- AI-assisted document analysis and processing
- Conversation processing and response generation
- Team knowledge base management and retrieval
- User authentication and access management
The purpose of processing is to provide the private AI services described in the Service Agreement.
4. Types of Personal Data
The following categories of personal data may be processed under this DPA:
- Chat messages and conversation history
- Uploaded documents and their contents
- User account data (name, email address)
- Usage logs and access records
5. Categories of Data Subjects
The personal data processed concerns the following categories of data subjects:
- Employees and authorized users of the Controller
- Clients and third parties of the Controller (through uploaded documents)
6. Obligations of the Processor
CookieAI shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case CookieAI shall inform the Controller of that legal requirement before processing (unless prohibited by law).
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all measures required pursuant to Article 32 of the GDPR and Article 8 of the Swiss Federal Act on Data Protection (FADP), as further specified in Section 7 of this DPA.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, CookieAI shall inform the Controller of any intended changes and provide the Controller the opportunity to object.
- Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to CookieAI.
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
7. Technical and Organizational Security Measures
CookieAI implements and maintains the following security measures to protect personal data:
- Encryption at rest: All stored data is encrypted using AES-256-GCM.
- Encryption in transit: All data transmitted between systems is protected with TLS 1.3.
- Authentication: Two-factor authentication (2FA) is available and enforced for administrative access.
- Access control: Role-based access control (RBAC) ensures that only authorized personnel can access personal data, limited to what is necessary for their function.
- Intrusion detection: Automated intrusion detection systems monitor for unauthorized access attempts.
- Security audits: Regular security audits and vulnerability assessments are conducted.
- On-premise option: For on-premise deployments, data never leaves the Controller's network. All processing occurs locally on the Controller's own infrastructure.
8. Sub-processors
On-premise deployments: No sub-processors are used. All data processing occurs on the Controller's own infrastructure.
Cloud deployments: CookieAI uses the following sub-processor for infrastructure services:
- Oracle Cloud Infrastructure (OCI) — European data center region. Purpose: server hosting and compute infrastructure. Data location: European Union.
CookieAI will notify the Controller before adding or replacing any sub-processor, providing the Controller with the opportunity to object.
9. International Data Transfers
For on-premise deployments, all data processing occurs within the Controller's own infrastructure. No data is transferred to CookieAI or any third party; all data remains on the Controller's local infrastructure.
Should any transfer outside the EEA/Switzerland become necessary in the future, CookieAI will ensure appropriate safeguards are in place (such as Standard Contractual Clauses) and obtain the Controller's prior written consent.
10. Data Breach Notification
CookieAI shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of CookieAI's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
11. Data Subject Rights
CookieAI shall assist the Controller in fulfilling its obligations to respond to data subject requests, including:
- Right of access: Providing the Controller with the data subject's personal data held by CookieAI.
- Right to rectification: Correcting inaccurate personal data upon instruction from the Controller.
- Right to erasure: Deleting personal data upon instruction from the Controller, subject to legal retention obligations.
- Right to data portability: Providing personal data in a structured, commonly used, machine-readable format upon request.
CookieAI shall respond to the Controller's instructions regarding data subject requests without undue delay and within the timeframes required by applicable law.
12. Audit Rights
The Controller has the right to audit CookieAI's compliance with this DPA. Audits may be conducted by the Controller or an independent third-party auditor appointed by the Controller, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice prior to any audit.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt CookieAI's operations.
- The Controller shall bear its own costs associated with the audit.
- Audit findings and reports shall be treated as confidential by both Parties.
13. Term and Termination
This DPA shall remain in effect for the duration of the Service Agreement. Upon termination or expiry of the Service Agreement:
- CookieAI shall, at the Controller's election, return or delete all personal data within 30 days.
- CookieAI shall provide written confirmation of deletion upon request.
- Obligations under this DPA that by their nature should survive termination (including confidentiality and audit rights) shall continue to apply.
14. Governing Law
For customers domiciled in Switzerland, this DPA shall be governed by and construed in accordance with Swiss law, with exclusive jurisdiction in the courts of Zurich, Switzerland.
For customers domiciled within the EEA, this DPA shall be governed by the law of the customer's jurisdiction, insofar as mandatory provisions of that jurisdiction apply. In all other respects, Swiss law shall apply.
15. Signatures
By signing below, the Parties agree to the terms set forth in this Data Processing Agreement.
Controller
Company name: _________________________
Name and title of authorized signatory
Signature
Date and place
Processor — CookieAI
CookieAI / Teodor Petrica
Name and title of authorized signatory
Signature
Date and place
PDF version available on request — contact@cookieai.ch
Last updated: March 2026