Reykur

Data Processing Agreement

How Reykur processes personal data on your behalf when you use the platform, and the safeguards that apply.

Version 1.0 · Effective 11 June 2026
On this page

  • 01 Definitions
  • 02 Roles & scope
  • 03 Instructions
  • 04 Confidentiality
  • 05 Security
  • 06 Sub-processors
  • 07 Data subject rights
  • 08 Data breach
  • 09 Impact assessments
  • 10 International transfers
  • 11 Deletion & return
  • 12 Audits
  • 13 Liability
  • 14 Term & law
  • 15 Annex I — Processing
  • 16 Annex II — Security
  • 17 Annex III — Sub-processors
  • 18 Acceptance

This Data Processing Agreement (“DPA”) governs how Reykur AG (“Processor”, “we”) processes personal data on behalf of a customer (“Controller”, “you”) when you use the Reykur Service. It forms part of, and is incorporated into, the End User License Agreement / Terms between the parties (the “Agreement”). Where this DPA conflicts with the Agreement on the subject of personal data, this DPA prevails.

Version: 1.0 (Closed Beta)
Effective date: 11 June 2026
Governing law: Swiss nFADP, and the EU GDPR where applicable

01 Definitions

Capitalized terms not defined here have the meaning given in the Agreement.

  • “Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including the Swiss Federal Act on Data Protection of 25 September 2020 and its implementing ordinance (collectively, “nFADP”), the EU General Data Protection Regulation 2016/679 (“GDPR”), and the United Kingdom GDPR and Data Protection Act 2018 (“UK GDPR”), in each case as applicable to a party's processing.
  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is Processed by the Processor on behalf of the Controller under the Agreement.
  • “Processing” (and “Process”) means any operation performed on Personal Data, as defined under Data Protection Laws.
  • “Controller”, “Processor”, “Sub-processor”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given under the GDPR (and their equivalents under the nFADP and UK GDPR).
  • “Standard Contractual Clauses” or “SCCs” means the standard data protection clauses adopted by the European Commission under Implementing Decision (EU) 2021/914, as supplemented by the Swiss addendum issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the UK International Data Transfer Addendum, as applicable.

02 Roles and Scope

2.1 As between the parties, the Controller determines the purposes and means of Processing the Personal Data, and the Processor Processes the Personal Data on the Controller's behalf. Where the Controller is itself acting as a processor for a third-party controller, the Processor acts as a sub-processor and the parties' obligations apply accordingly.

2.2 The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

2.3 Each party shall comply with its respective obligations under Data Protection Laws. The Controller is responsible for the lawfulness of the Personal Data it submits and for having an appropriate legal basis for the Processing.

03 Processing on Documented Instructions

3.1 The Processor shall Process Personal Data only on the Controller's documented instructions, including with regard to international transfers, unless required to Process by applicable law — in which case the Processor shall, where legally permitted, inform the Controller of that legal requirement before Processing.

3.2 The Agreement, this DPA (including configuration of and instructions given through the Service), and the Controller's use of the Service constitute the Controller's complete and final documented instructions. Additional instructions outside the scope of the Service require prior written agreement and may incur fees.

3.3 The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes Data Protection Laws (without obligation to provide legal advice).

04 Confidentiality

The Processor shall ensure that persons authorized to Process the Personal Data are bound by an appropriate obligation of confidentiality (whether contractual or statutory) and Process the Personal Data only as necessary to provide the Service.

05 Security

5.1 The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and the nFADP. The current measures are described in Annex II.

5.2 The Controller acknowledges that the Service is provided in closed beta and under active development (see the Agreement), that security measures may evolve, and that the Processor may update the measures in Annex II provided the overall level of protection is not materially reduced.

06 Sub-processors

6.1 The Controller grants the Processor general authorization to engage Sub-processors to Process Personal Data, including the hosting, infrastructure, and AI model providers listed in Annex III.

6.2 The Processor shall: (a) impose data protection obligations on each Sub-processor by written contract that are no less protective than those in this DPA; and (b) remain fully liable to the Controller for the performance of each Sub-processor's obligations.

6.3 The Processor shall give the Controller reasonable prior notice of any intended addition or replacement of a Sub-processor (for example via email or an updated Annex III / sub-processor page). The Controller may object on reasonable, documented data-protection grounds within fifteen (15) days of notice; the parties shall work in good faith to resolve the objection, and if they cannot, the Controller may, as its sole remedy, terminate the affected part of the Service.

07 Data Subject Rights

Taking into account the nature of the Processing, the Processor shall assist the Controller, by appropriate technical and organizational measures and insofar as reasonably possible, to respond to requests by Data Subjects to exercise their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection). Where the Processor receives such a request directly, it shall not respond except on the Controller's instruction or as legally required, and shall promptly forward the request to the Controller.

08 Personal Data Breach

8.1 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

8.2 The notification shall, to the extent then known and reasonably available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed. The Processor shall provide further information in phases as it becomes available and shall reasonably assist the Controller in meeting the Controller's own breach-notification obligations to Supervisory Authorities and Data Subjects.

8.3 The Processor's notification is not an acknowledgement of fault or liability.

09 Data Protection Impact Assessments

Taking into account the nature of the Processing and the information available to it, the Processor shall provide reasonable assistance to the Controller with data protection impact assessments and any prior consultation with Supervisory Authorities that the Controller is required to carry out under Data Protection Laws.

10 International Transfers

10.1 The Service is primarily hosted in Switzerland and/or the European Economic Area (EEA). The Processor shall not transfer Personal Data to a country outside Switzerland, the EEA, or the United Kingdom that is not recognized as providing an adequate level of protection unless it has implemented an appropriate transfer mechanism.

10.2 Where such a transfer occurs, the parties agree that the applicable Standard Contractual Clauses are incorporated into this DPA by reference and apply to that transfer, with: (a) the Controller as data exporter and the Processor (or relevant Sub-processor) as data importer; (b) Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) applying as appropriate; (c) the Swiss FDPIC addendum applying where the nFADP governs; and (d) the UK International Data Transfer Addendum applying where the UK GDPR governs. The information in Annexes I–III populates the corresponding annexes of the SCCs. Where the SCCs conflict with this DPA, the SCCs prevail for the relevant transfer.

11 Deletion and Return

11.1 Upon expiry or termination of the Agreement, the Processor shall, at the Controller's choice, delete or return the Personal Data, and delete existing copies, except to the extent retention is required by applicable law.

11.2 The Processor shall make Personal Data available for export for thirty (30) days following termination, and shall delete or anonymize Personal Data in its production systems within ninety (90) days of termination. Deletion from routine backups occurs in the ordinary course of the Processor's backup-rotation cycle, during which such data remains protected and is not actively Processed.

12 Audits

12.1 The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

12.2 To minimize disruption, the Controller agrees that such information may first be provided through up-to-date certifications, third-party audit reports (e.g. SOC 2 / ISO 27001 where available), or a completed security questionnaire. On-site inspections shall be on reasonable prior written notice (at least thirty (30) days, except where a Supervisory Authority requires otherwise), during business hours, no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach), subject to confidentiality, and at the Controller's expense.

13 Liability

Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement, and any reference to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together. Nothing in this DPA limits either party's liability to a Data Subject or to a Supervisory Authority to the extent such liability cannot be limited under mandatory Data Protection Laws.

14 Term, Conflict, and Governing Law

14.1 This DPA takes effect on the Effective Date and continues for as long as the Processor Processes Personal Data on the Controller's behalf.

14.2 In case of conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA prevails. In case of conflict between this DPA and the SCCs regarding a restricted transfer, the SCCs prevail.

14.3 This DPA is governed by the laws of Switzerland, with the courts of the Canton of Zurich, Switzerland having exclusive jurisdiction, without prejudice to any mandatory Data Subject rights or Supervisory Authority competence and to the governing law/jurisdiction provisions of the SCCs where they apply.

Annex I — Description of the Processing

Data exporter (Controller): The Organization identified in the Agreement / Order Form
Data importer (Processor): Reykur AG, c/o Hlynur Oskar Gudmundsson, Frauentalweg 117, 8045 Zürich, Switzerland
Subject matter: Provision of the Reykur AI-powered cybersecurity threat modeling Service
Duration: For the term of the Agreement and the retention/deletion periods in Section 11
Nature and purpose: Hosting, storage, processing, and AI-assisted analysis of User Data to provide the Service, support, and security
Frequency of processing: Continuous, for the duration of the Controller's use of the Service

Categories of Data Subjects (as determined and submitted by the Controller; may include):

  • The Controller's authorized users / personnel of the Service (account and contact data).
  • Individuals identified or referenced within the Controller's threat models, architecture diagrams, configurations, or uploaded content.

Types of Personal Data (as determined and submitted by the Controller; may include):

  • Account / identity data: name, business email, job title, organization, authentication identifiers, IP address, audit/log data.
  • Any Personal Data the Controller chooses to include in User Data submitted to the Service.
  • Special categories of data: The Service is not intended for special-category (sensitive) Personal Data. The Controller should not submit such data; if it does, it does so at its own risk and remains responsible for any additional safeguards required by law.

Competent Supervisory Authority: The Swiss FDPIC, and/or the EU/UK supervisory authority applicable to the Controller, as relevant.

Annex II — Technical and Organizational Measures

  • Access control: Role-based access controls; unique accounts; multi-factor authentication for administrative access; least-privilege provisioning and timely de-provisioning.
  • Encryption: Encryption of Personal Data in transit (TLS) and at rest.
  • Network security: Firewalling/segmentation; restricted administrative access; secrets management.
  • Pseudonymization/minimization: Data minimization in telemetry and logs; pseudonymization where feasible.
  • Confidentiality: Confidentiality obligations for personnel; security-awareness practices.
  • Integrity & availability: Backups and restoration procedures; infrastructure redundancy (note: not a substitute for the Controller's own backups during beta).
  • Resilience & testing: Logging and monitoring; vulnerability management; periodic review and testing of measures.
  • Incident response: Documented Personal Data Breach detection, escalation, and notification process (Section 8).
  • Sub-processor governance: Contractual flow-down and review of Sub-processors (Section 6).

Annex III — Approved Sub-processors

Each entry lists the Sub-processor, its purpose, the location of processing, and the transfer mechanism.

  • Amazon Web Services EMEA SARL (AWS)
    Purpose: Cloud hosting & infrastructure — storage, compute, databases
    Location of processing: Ireland — EU (eu-west-1), EEA
    Transfer mechanism: Processed within the EEA. AWS DPA and EU SCCs apply to any incidental non-EEA support access.
  • AWS EMEA SARL — Amazon Bedrock
    Purpose: AI inference for threat analysis. Anthropic Claude models are hosted and operated within AWS Bedrock in the EU; inputs are not used to train the models and are not shared with the model provider.
    Location of processing: EU (AWS Bedrock EU region), EEA
    Transfer mechanism: Processed within the EEA. AWS DPA and EU SCCs apply to any incidental non-EEA support access.
  • Mailgun Technologies, Inc. (Sinch)
    Purpose: Transactional email & notifications — recipient email address and message content only; no threat model content
    Location of processing: EU (Mailgun EU region), EEA
    Transfer mechanism: Processed within the EEA. EU SCCs (with Swiss FDPIC and UK addenda as applicable) apply to any incidental non-EEA support access.
  • PostHog, Inc.
    Purpose: Product analytics — anonymized user identifier and high-level usage events only; no page content, form inputs, or session replay
    Location of processing: EU (PostHog EU Cloud, Frankfurt), EEA
    Transfer mechanism: Processed within the EEA. PostHog DPA and EU SCCs apply to any incidental non-EEA support access.

Acceptance

Acceptance of the Agreement that incorporates this DPA, including by clicking “I Agree” at sign-up, constitutes acceptance of this DPA by the Controller. Reykur AG, c/o Hlynur Oskar Gudmundsson, Frauentalweg 117, 8045 Zürich, Switzerland.

Questions about this DPA?

Reach our team at legal@reykur.io. Reykur AG is registered in Zürich, Switzerland.
