Data protection

DeepCloud AG

Abacus-Platz 1 9300 Wittenbach – St. Gallen Switzerland

T +41 58 854 14 14
info@deepcloud.swiss

We have appointed a data protection officer for DeepCloud. They are available at:

datenschutz@deepcloud.swiss

Insofar as DeepCloud processes personal data and the General Data Protection Regulation (“GDPR”) applies to such processing, we have designated as our representative in the EU:

Abacus Business Solutions GmbH

Mies-van-der-Rohe-Straße 6 Tower 1 – 10. OG 80807 Munich

datenschutz@abacus.eu

If you have any questions about data protection, please feel free to contact us at any time.

Personal data is any information relating to the personal or material circumstances of an identified or identifiable natural person (“data”). This includes, for example, the name, address, telephone number, or email address. This term does not include anonymous data or information whose content does not indicate or suggest the identity or factual circumstances of an identifiable individual, such as the number of visitors to a website. There are also so-called special categories of data (“sensitive data”). This includes data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data to uniquely identify you, health data, or data concerning your sex life or sexual orientation. We will only process such data – if at all – with your explicit consent, unless another legal basis makes such data processing necessary.

The content and information presented on our websites serve to provide you with general information about us as a company and about our DeepCloud Services. In the course of using our websites, it is possible that data may be disclosed by you or collected by us for certain purposes. Furthermore, as a company, we process data that you disclose to us or
transmit to us in other ways, for example by mail, email, telephone, during a business transaction, or personal contact. Our data processing includes, for example, the collection, storage, transmission, deletion, and other processing of your data. Only data that is necessary and appropriate for the intended purpose will be processed. Our data
processing is carried out for the purposes stated by us or for the purposes requested by you. Data processing outside of the intended purposes will only take place if we inform you accordingly and if a change of purpose is lawful.

In the following, we inform you about the individual data processing, its purpose, and its legal basis for us as a company.

You can provide your contact information and interest in our products and services in a contact form, an inquiry, through a personal contact during an event or web demo, or contact us in other ways so that we or partners we select can contact you, inform you about DeepCloud Services, conduct a web demo with you, or fulfill other offers. Furthermore, we store and process information that you select in lists and menus on our websites. When you send us an email we save the content of the email as such, and the data that is generated when inquiries are sent to our email servers, such as sender and recipient IDs, time stamps and, if necessary, reasons for errors or rejections if the transmission of an email fails. If you wish to receive information material, you can also provide us with your email address so that we can send you the requested information by email with your consent. We use your data ourselves or provide it to the relevant companies. This is done within the framework of data protection and competition law requirements. We process your data based on legitimate interests. Processing is done both in your interest – you have contacted us – and in ours, to establish the satisfaction of all inquirers, if necessary to fulfil a contract with you, or to carry out pre-contractual measures. We will only process your data for the purpose of contacting you. Your data may be stored in our CRM system and in other technical systems. When using website forms, your data will be transmitted in encrypted form according to the current state of the art. You provide us with your data voluntarily, and only as much data as necessary is requested (mandatory data are marked with *).  All other information is optional.

If we determine that we can only satisfactorily respond to your inquiry with the assistance of a selected partner, we may share your data based on legitimate interests or, if necessary, we will obtain your consent to share your data. Consent is given voluntarily and can be revoked at any time for the future.

In the course of providing our services, visiting our websites or using our support, there is the possibility of using online offers that require you to register, authenticate, and log in. This applies in particular to the opening of a DeepBox account, the use of our DeepBox Services, but also to the execution of a web demo so that you can get a better picture of our services in the context of an online presentation, remote access in a support case, the registration for events, or the scheduling of an appointment. This involves providing and transmitting to us a variety of data resulting from the respective form or our queries. When using such a form, your data will be transmitted in encrypted form according to the current state of the art. You provide us with your data voluntarily, and only as much data as necessary is requested (mandatory data are marked with *). All other information is optional. DeepCloud is free to choose their authentication methods. The data to be provided results directly from the specific procedure used.

You are required to choose strong passwords when choosing login credentials. You are responsible for the security of your login data and must not pass it on to unauthorised third parties. The processing of your data within the scope of our (registration and login required) offers is carried out with your consent when registering or logging in, based
on our legitimate interest in providing you with the information necessary to use our services satisfactorily, in order to be able to contact us, and for the proper processing of an existing contractual relationship.

To open a DeepBox account, a successful registration is required. The link sent to the email address provided must be used for this purpose. Registration opens a DeepBox account for the Owner, which offers certain functionalities. The registration form must be completed, indicating whether the DeepBox account is to be used privately or for a company, foundation or association (“Organization”). Before completing the registration process, a choice can be made between the two options. Depending on the choice, a “Private” DeepBox account will be opened for the Registrant as a contractual partner with DeepCloud or, if the necessary requirements are met, an “Organization” DeepBox account will be opened for the Organization as a contractual partner For a DeepBox account of an Organization, the authorization of the Registrant to enter into the contractual relationship for the Organization is required. When using certain DeepBox Services or extended functionalities of the DeepBox account, the unique identification of the Registrant and, if applicable, the verification of the Organization is required. For identification and verification purposes, the services of a third-party provider are integrated. The terms and conditions of the third-party provider apply. As part of these processes, relevant data about the Registrant and the Organization, as well as the results of the identification and
verification, are transmitted between DeepCloud and the third-party provider. The identification and verification processes may take place within a reasonable period of time. If the relevant process is not successfully completed within this time period, the DeepBox account will be deleted. After registration, an access-protected login can be used to log in to the DeepBox account and use various DeepBox Services. Two-factor authentication, possibly also from a third-party provider, can be activated for the login. The terms and conditions of the third party provider apply. After successful registration, you have the option of using the services located there (some of which are subject to a fee),
such as a deep, shared or special box, DeepO, DeepV, DeepPay, or DeepPoint.

We offer a DeepBox account and various DeepBox Services in the form of cloud-based software as a service. These are web-based software applications and applications (Apps) with various functionalities. The focus is on the storage, organization, and sharing of information and documents or on the optimization of internal company communication, processes and accounting, with the possibility of integrating employees and other third parties. The efficient analysis and use of information within the DeepBox account is also possible. If you have purchased subscriptions for certain DeepBox Services within the DeepBox account, these can also be used by your authorized users by releasing them in the DeepBox account and after they have registered for a DeepBox account. The person who opens a DeepBox account is responsible for the use of the DeepBox until an organization has been verified for the relevant DeepBox account. The respective Owner of the DeepBox account is responsible for the use and thereby processed data within the scope of the
DeepBox account and the DeepBox Services, to maintain data protection if personal data is collected in the process. It is possible to collect, store, modify, or delete data with a DeepBox. For the use of the DeepBox account and the DeepBox Services, all data will be stored and processed that accrue upon registration as well as all data and documents that are collected and processed in DeepBox and when using the DeepBox Services. This includes data related to address entry, accounting, invoices and quotations, time recording, expense receipts, payroll accounting, and all content provided by the user in the process. Furthermore, this also includes content that can be processed by a fiduciary or by additional services such as those of payment providers, when using mobile Apps, and exchanged between the respective parties involved. The data processed in the DeepBox account and the DeepBox Services include the following: personal master data such as name, address, date of birth, employer, contact data such as telephone and/or email address, time and wage recording data such as working hours, absences (sickness or holidays), overtime and extra hours, expense receipts, product master data, contractual relationship data and contractual data including delivery, payment and invoicing data, bank account and credit card data, and all data recorded within the DeepBox account and DeepBox Services.
This data may come from current and former employees and job applicants, service providers, suppliers, banks and other payment providers, customers, business partners, prospective customers, and all the employees of the companies who act as contacts for these companies. During the contractual relationship, DeepCloud shall back up the content stored in the Apps in accordance with standard backup procedures and shall endeavor to avoid data loss as far as possible. However, in general, the Owner of the DeepBox account is responsible for the preservation and archiving of its data and documents and acknowledges that they are not archived by DeepCloud. In the event of termination of the use of the DeepBox account (e.g. ending the contractual relationship, termination) or the DeepBox Services, the Owner of the DeepBox account is responsible for scheduling the termination of the use of the DeepBox account and the DeepBox Services. The latter can instruct DeepCloud to make their data available in an export file before deletion of the data in DeepBox takes place. The Customer shall, autonomously and in due time prior to termination, ensure that its data files are backed up and delete corresponding data or authorise DeepCloud to delete the data upon termination of the contractual relationship, as the data will be deleted at the latest upon expiry of the backup periods. Access to the Owner’s data files is excluded after termination of the contractual relationship. Data that Abacus is legally or contractually obliged to store for a limited period of time, and data that is still needed for the settlement or collection of the services provided, shall be excluded from the deletion. Your authorisation to use these services will end if you delete your account or lose your authorisation to use the services. Your login data will be deleted once you no longer have access authorisation.

DeepSign

DeepSign enables electronic signing of digital documents for individuals (signatories) and organisations (if their authorised representatives sign) as well as the use of timestamps. The simple electronic signature (SES), advanced electronic signature (AES) and qualified electronic signature (QES) are available. Depending on the type of signature, different data about the initiator (the person who invites another person to sign) and the signatory are processed.

Data processing performed in DeepID:

In order to be able to sign a document, the initiator collects the e-mail address so that the invitation can be sent to the signatory. The initiator may additionally write and send messages for the signatory. Likewise, the choice of the signature (SES/AES/QES) is recorded along with the certification or trust service (according to ZertES or the eIDAS Regulation) that is supposed to create a signature.

A SES requires the signatory’s E-mail address, which the signatory uses to confirm the SES. In addition, the signatory has the possibility to select further annexes when submitting his/her SES. They will be attached to the document to be signed and all documents will be signed together. DeepCloud stores and transmits the signed document to the initiator as instructed by the signatory. If the invited person does not provide a SES, the annexes will be deleted again.

Additional data is processed to use the AES and QES. Among other things, prior determination of identity and authentication of the signatory are necessary. DeepCloud provides its own identification service DeepID for this purpose (information on data processing in DeepID can be found in the Privacy Policy under “Data processing when our Mobile Apps are used”). At the signatory’s option, another third-party identification service accepted for DeepSign may also be used. That service’s data protection provisions will apply, for which DeepCloud is not responsible.

Since the DeepSign service is a native DeepBox application, the data protection provisions on DeepBox also apply.

There is no automated decision-making within the meaning of applicable data protection laws.

By whom is data processed?

• Customers and their employees or other users of the DeepCloud Services authorised by the Customer
• The signatory for the electronic signature
• Persons whose data is contained in the documents to be signed

What data is processed?
For the purpose of signing and to maintain the traceability of the confirmation of a signature, DeepCloud records the following data (insofar as it is collected and transmitted by the identification service used or disclosed by the initiator or signatory him/herself within the DeepSign service):

• DeepBox login data when the initiator or the signatory uses DeepSign
• Master and contact data (when opening a DeepBox)
• E-mail address for signatory invitations
• Telephone number if the relevant signature provides for its processing
• Selection of the electronic signature or the electronic time stamp and the certification or trust service
• Result of the prior identification and verification of the signatory (success, failure)
• Confirmation or rejection of signature
• Documents, their contents and annexes
• Log files on the signature process (such as business partner number, process number, process-related data), hash values, transaction history, signature/time stamp selection, signature ID
• Diagnosis and analysis data (e.g., product interaction, usage data)
• Data on the means of authentication personally used (such as device number) and technical data on the device
• Data on acceptance of the current terms of use of DeepCloud and of third-party providers as well as confirmation of the user’s place of residence in case of AES or QES
• Other information or documents collected or supplied by the user within the service regarding a requested signature, the user’s organisation, or other supporting documents concerning specific attributes for a certificate for AES or QES, as well as other relevant information such as the responsible registry (such as DeepCloud for DeepID), signature or authentication log files (such as business partner number, process number, process-related data) and hash values
• Information that the user provides in inquiries regarding DeepSign (as in the case of support)

To which recipients is data transmitted?
Recipients fulfilling legal obligations: DeepCloud may disclose personal data to recipients if this appears necessary or appropriate to comply with applicable laws and regulations or to verify compliance with them and to respond to requests from competent authorities. This concerns, in particular, state-accredited conformity assessment bodies, audit officers and the approving body for certification services for the purpose of checking the proper performance of the AES and QES service.

Third-party providers as recipients of data: DeepCloud may transfer personal data to third-party providers if the user makes use of a service provided by such a third-party provider, such as if the user uses an identification service other than DeepID for the release of a QES or AES. In addition, certification services are provided from a provider of certification services recognized in Switzerland according to the Swiss Federal Act on Qualified Electronic Signatures (ZertES) and a provider of trust services recognized in the EU according to the EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) (third-party provider). These third-party providers prepare the electronic signatures and timestamps according to the legal requirements and their certificate guidelines. Personal data of the signatory will be transferred to recipients within the EU that have an adequate level of data protection. These providers are subject to strict legal requirements when providing their services.
When using third-party provider services, the data protection provisions of these third-party providers will apply.

Service providers as recipients of data: DeepCloud is used to provide DeepSign to external service providers. These are hosting and service providers. They only process data for the purposes described by DeepCloud and are contractually bound to comply with the data protection obligations under the relevant data protection laws. They have been carefully selected, are bound by DeepCloud’s instructions and are regularly monitored. They use server locations in Switzerland for this purpose.

How long is data stored?

Fundamentally, data is stored for as long as necessary for the stated purpose and as required by contract or statute. In the area of certification and/or trust services, there are very long statutory retention obligations, which can amount to up to 36 years in order to be able to document the issue of your electronic signature(s). If there is no longer any purpose for storage or contractual or statutory retention obligations no longer exist, anonymisation or deletion will occur after expiration of existing backup periods.

What is the purpose of the data processing?

The data and information are processed by DeepCloud in order to provide the DeepSign electronic signature service, to allow secure and smooth use of the service, to contribute to its improvement, and to comply with legal obligations such as responding to official requests.

What are the legal bases/justification for data processing?
DeepCloud collects and processes data and information in accordance with your consent, based on overriding legitimate interests, a contract or legal obligations.

Within the DeepBox account, the web analytics service Matomo is used. Matomo makes it possible to analyse the use of the DeepBox account and the DeepBox Services and to improve the respective functions. To do so, different data and information about the use of DeepBox and its users is collected. Matomo uses cookies, which are stored on the end device and allow the use of DeepBox to be analyzed. The information collected and generated is then stored and analysed in Switzerland. Matomo is used with the extension “AnonymizeIP”. This means that IP addresses are processed in abbreviated form, which means that they cannot be directly linked to a person. The IP address transmitted by the browser via Matomo is not merged with other data collected by DeepCloud. DeepCloud automatically deletes the data in Matomo 14 months after its collection, once a month.

The storage of all cookies can be disabled by changing the corresponding setting in the browser software. If the storage of all cookies is disabled, it may not be possible to use the full functionality of all of the features of the DeepCloud websites or other websites. You can also prevent the transmission of the data generated by the cookies and related to the use of websites (including the IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link. This should then be done on all devices that are in use. Please note that if all cookies are deleted, you will need to perform steps outlined above again to prevent the use of Matomo. Matomo is an open source project and is hosted on premise at DeepCloud. Matomo’s current Privacy Policy is available on their website.

To send messages via DeepBox (invoices, offers, system notifications, etc.) we use the mail provider retarus GmbH (“retarus”), Aschauer Straße 30, 81549 Munich, Germany with a server solution in Switzerland. The current Privacy Policy of retarus is available on their website.

If additional services are used as part of DeepBox, the Owner agrees to their terms of use and data protection and authorises DeepCloud to enable the necessary data processing, data access, and data exchange so that these additional services can be integrated and used for DeepBox. Where the services of a fiduciary are used, the Owner shall grant the
fiduciary access to the data in the application in order to carry out the necessary data processing and data synchronization. The DeepBox account Owner is responsible for granting and restricting or revoking the fiduciary’s and also its other authorized users’ access rights to its data and whether they engage in lawful data processing activities
within DeepBox. The connection to the fiduciary’s DeepBox account is made either by the DeepBox account Owner themself or by the fiduciary. AbaNinja contains the option of connecting to services of different payment providers such as banks or payment service providers. When using DeepPay, third-party services (such as payment initiation and account
information services) are possible. DeepCloud merely provides the interface to these third-party providers for a data exchange so that the executed transactions can be displayed or triggered. For the execution of the transactions, an exchange of data takes place between the participants. For unique assignment, an application-relevant ID is used
together with additional access data for the respective participant. This can be bank or payment-specific data such as account information, IBAN, or the credit card number. Each party involved is responsible for the data processing taking place in its area of responsibility and for the security of the data in accordance with the agreed provisions.
The responsibility for the provision and processing of the additional services and the processing of data when using said services (including the payment and account information processed via these services) does not lie with DeepCloud, but with these third-party providers.

DeepCloud provides the “AbaElster” service to Customers for the transmission of information from the Customer’s Abacus ERP to a tax office in Germany in order to use the “Online Tax Office ELSTER” offer for the tax assessment procedure. AbaElster is exclusively intended for use in connection with the electronic submission of tax returns and transmission of tax data in accordance with legal requirements. In the process, information from the Customer’s Abacus ERP is transmitted in encrypted form to DeepCloud’s server in Switzerland. This information is transmitted to the respective tax office. After transmission, the information is automatically deleted from DeepCloud’s server.

The information transmitted includes all relevant personal data required for tax purposes, such as personal identification and contact details (first and last name, address, date and place of birth, tax number, identification number, e-mail address, telephone number; reporting data of the sales tax advance return, permanent extension and recapitulative statement (ZM), in detail: taxable sales, tax amount, company address, name of clerk, sales of customers in the EU with their names and VAT number; copies and details of identity and identification documents, income (e.g. wages, business income, income from renting and leasing, capital gains, pensions); expenses (e.g. income-related expenses, business expenses, special expenses and extraordinary expenses); taxes withheld by third parties (e.g. wage tax, capital gains tax, solidarity surcharge, church tax); marital status and children, ELStAM electronic tax deduction features (e.g. wage tax class); occupation; bank details; details of taxes paid or refunded; details of tax returns submitted and applications made as well as appeals; details of the period of the employment relationship for tax purposes (e.g. entry date, exit date, number of interruptions); technical information such as certificate, IP address, device information, MAC address, etc.; as well as any data that the Customer transmits to the tax office in the course of data processing. DeepCloud acts here as an order processor for the Customer, which fulfils its legal duty of tax declaration, such that requests for information are to be addressed directly to the respective customer. The respective tax authorities provide separate information on data processing around the taxation procedure and around “ELSTER”.

The content stored in DeepBox is processed within the framework of the existing contractual relationship with the DeepBox account holder. We process this data within the framework of commissioned data processing with the Owner of the DeepBox account. A commissioned data processing agreement is entered into with us for the use of the DeepBox account.
The aim is that data processing in the context of the use of the DeepBox account takes place mainly in Switzerland. If we engage contracted service providers in the EU (for example in Germany) for certain services, then we aim to arrange server solutions in Switzerland. Should it nevertheless become necessary for our commissioned service providers to process data in the EU (for example in a support case), the EU offers a level of data protection that is adequate for Switzerland. If we ourselves, as the responsible party, use contracted service providers for our own purposes, we also try to ensure that data is processed in Switzerland. In special cases, we may require the services of service providers who provide their services outside Switzerland. In such cases, we try to commission service providers in a country that has a level of data protection appropriate for Switzerland. Otherwise, we ensure with suitable guarantees such as standard data protection clauses or upon your consent that a legally compliant data transfer can take place.

In any case, our contracted service providers are carefully selected and commissioned. They are bound to our instructions and are regularly monitored. Only such data is transmitted that is necessary for the provision of the respective service.

This Privacy Policy applies to all DeepCloud Mobile Apps, regardless of the app store in which they are offered. For the sake of readability, all designations of persons apply equally to all genders.

DeepCloud’s Mobile Apps include:

• DeepBox (Android and iOS)
• DeepID (Android and iOS)

Here we provide information about the data processing performed by us when our Mobile Apps are used. Our Mobile Apps are primarily used for document management (DeepBox app), identification of persons, verification of organisations, and release of expressions of intent and actions, or for authentication and verification of a user (DeepID app).

The Mobile Apps are used either as a stand-alone solution or in combination with web applications. It is also possible for a Mobile App to be downloaded and data collected via the Mobile App without any data being transferred to a web application. In this case, the data collected by you via the Mobile App does not leave your device; the same applies to the use of the Mobile Apps in “offline mode.” The collected data remains locally in the Mobile App on your device unless it is switched to “online mode” or synchronised.

As a general rule, our Mobile Apps are either downloaded and used by you on a mobile device, or your employer (or its service provider) requests that you use the Mobile App. The use for data exchange with a web application may then exist within the framework of an existing contractual relationship with you, with your employer, or with another contractual partner.

You are under no obligation to provide your data to DeepCloud. However, it is possible that certain functions of a Mobile App may not be available or only be available to a limited extent if you do not provide data.

What data is processed when using the Mobile Apps?

Various data may be collected when the Mobile Apps are used, transmitted to the corresponding web application linked to the Mobile App, and processed by it. This is done using synchronisation. Some Mobile Apps require that synchronisation with the corresponding web application is permitted. The first step is a check of whether the Mobile App is accepted by this web application or whether any DeepCloud subscriptions exist (“DeepCloud Sub” at DeepBox). User information is transmitted to DeepCloud and compared with existing DeepCloud Subs.

In order to use a confirmed DeepID identity, an exchange of data between DeepCloud and a third-party provider may occur for you as a user of DeepID. For details, please refer to the “DeepID” section.

Depending on the Mobile App, different data of different categories of data subjects may be processed depending on which DeepCloud Service is used in order to synchronize or exchange this data between the Mobile App and a web application. How the data controller for the web application (third-party provider) processes this data is within that party’s area of responsibility and DeepCloud is not informed of it.

The following categories of data may be included depending on the Mobile App:

• Personal master data (e.g., name, company name, address)
• Communication data (e.g., telephone, e-mail address)
• Identification data (e.g., user ID or identity UID)
• Data from identification documents (e.g., ID cards and passports) such as name, maiden name, date of birth, nationality, photo, data and certificate of the NFC chip, ID data, date of issue, term of validity, country of issue, metadata, optical character recognition, security features, MRZ
• Documents and their content if they contain personal data
• Multimedia data (photos, videos such as challenge response videos and voice recordings)
• Location data
• Diagnosis and analysis data (e.g., product interaction, usage data)
• Data on data subjects’ devices used as means of authentication
• Confirmations, such as acceptance of the applicable GTCs or acknowledgement of the Privacy Policy

Depending on the Mobile App, these may be the following categories of data subjects:

• End customers and business customers
• General customers
• Employees of customers
• Users of an app, such as a person to be identified
• Signatory for an electronic signature
• Employees
• Business partners
• Subscribers
• Freelancers
• Contact persons (employees of a business partner/customer)

If support is needed, users may send error reports to DeepCloud if anything abnormal occurs when using the Mobile App. The crash logs do not contain any personal data.

When a Mobile App is downloaded, the data required for this purpose will additionally be transmitted to the respective app store (e.g., user name, e-mail address, customer number, time of download, any payment information from the app and the individual device number). We have no control over such data processing and are not responsible for it. This data is processed because it is necessary in order to download the Mobile App onto your device. Further information can be found in the privacy policy of the app store in question.

Where is the data stored?

Data that DeepCloud stores in a DeepBox is located in a cloud solution certified in accordance with ISO 27001 by a contracted service provider who only processes your data for the purposes described by us. The contracted service provider has been carefully selected and commissioned by us, is bound by our instructions and is subject to regular review. The server locations are in Switzerland.

Name of the App: DeepBox (iOS / Android)

Function of the DeepBox mobile App:

DeepBox (iOS and Android) allows documents from different sources (via the camera, from the photo album, or from another cloud service) to be transferred to a DeepBox.

Technical data and information that is processed and/or stored:

The App supports devices with iOS and Android (from Android version 5.0, exception: Huawei devices with their own operating system that do not support Google Services).

• (Static) URL for access to the DeepBox system
• Authentication factors (Access & Refresh Token) for access to the DeepBox Tokens are deleted after the user logs out within the App.
• App Version
• Model of the terminal device (iPhone/Android)
• Version of the operating system
• Indication of the countries/regions in which the App is used
• Android: CrashReports and StackTrace (Sentry). In the case of event logs, these are active by default (Matomo). The user can set restrictions or deactivate this via the settings.
• iOS: Logs are created by the Microsoft AppCenter for debugging purposes (CrashReports only). Information processed by the AppCenter can be found at https://docs.microsoft.com/en-us/appcenter/gdpr/faq.
• Documents and content captured via App

“Privacy/ Data Protection”: Display of a window with selection

• Required analysis data: CrashReports and StackTrace, specification of countries/regions, Microsoft AppCenter information (by default)
• Complete analysis data: Event logs (Android)

Saving:

Data, information, and documents for uploading to a DeepBox are (temporarily) stored in the App (storage also possible for offline use) or made available via access authorisation. DeepCloud only stores technical or statistical analysis data on the use of the App (such as crash reports, countries/regions) within the scope of App use, otherwise storage takes place in the user’s mobile device or after transfer of the data, information, and documents in the connected DeepBox.

Third-party services used:

iOS: Microsoft AppCenter services to make the App more secure and to analyse crash reports.

Android: Sentry, to analyse crash reports and Matomo to analyse the use of the App.

including the libraries listed within the App settings “Licences”.

Access authorisation/s:

The App requires access to the camera function (to be able to scan, store, and read the documents), the photo album (where documents are stored to be used), the calendar (iOS only, so that expiry dates of the documents can be determined by means of the calendar) and the activation of the location services (where the locations are recorded by code). Furthermore, access to the “Internet” is required to enable a corresponding transfer connection to the connected DeepBox. 

The access authorisations are requested when the App is installed and the respective function is used for the first time. They only become active when the user has agreed and can be deactivated at any time, after which certain functions of the App can no longer be used.

Android: On older devices (older than Android 6), permission is requested when the App is installed. 

Access protection:

Access protection can take place via the mobile terminal, in which the possible access restrictions are activated and the existing encryptions are used. No separate App access protection is implemented.

Network protocol:

As a network protocol, the App uses the HTTPS protocol with TLS encryption for communication. 

DeepID service and DeepID Mobile App (Android and iOS)

The DeepID service and the DeepID App (DeepID) are used to digitally identify individuals, e.g., in order to be able to use DeepCloud’s digital signature service—DeepSign—to verify organisations, to approve statements of intent and actions, or to enable users to authenticate themselves using DeepID for DeepCloud web applications or for services of third-party providers, with no user name or password, securely and easily.

This requires going through an online identification process using the DeepID app. This identification process has been developed and tested in accordance with the legal provisions of ZertES/VZertES in Switzerland and the eIDAS Regulation in Europe, as well as the requirements of recognised certification and trust service providers as part of an implementation plan for identification of persons for advanced and qualified electronic signatures (AES and QES). Verification of the secure online identification process using DeepID and the DeepID app is documented by KPMG and is available in the form of the corresponding documentation. The legal requirements provide for a regular review that audits and confirms the legal changes and functions of DeepID.

A user’s identification documents are checked and digitised as a DeepID. Each user can have only one confirmed DeepID. The process recognises whether the same user appears with different identification documents. Furthermore, each means of authentication must be registered in accordance with the implementation plan and assigned to the user. The user must be the authorised owner of the device and must have sole control over it so that it can be used for authentication. Identity verification and signature creation or other authorisation are linked in the same technical connection, until a new identity verification is carried out. The link between identity verification and the authentication method used is therefore clear and certain.

This ensures that the identified person is actually identical to the active user of the DeepID app and that the authenticated device is in his/her possession. The process required for this purpose is prescribed by the DeepID app. The authentication factors used also include verification of the submitted and approved identification document, the image material, and the challenge response video taken by the person him/herself.

DeepID has a wide range of applications; for instance, the confirmed identity can be used for various services for the authentication of a person in a system login, time recording, access solutions or the release of expressions of intent such as the commissioning of electronic signatures.

The user can change the overall configuration, such as the device used, at any time. However, this automatically leads to a new authentication of the device, possibly even making it necessary to go through parts of the identification process once again. The detailed procedure is described below.

What data is processed in DeepID?

DeepCloud records the following user data for identification purposes and to maintain the traceability of identification confirmation as well as for the use of the DeepID (insofar as this data is disclosed by the user in the identification process or within the DeepID app or is transmitted by a third-party provider for whom the DeepID is to be used):

• Nationality
• Place of residence (country information)
• Photos of the relevant pages (such as front and reverse) of the selected identification document (as permitted by the prescribed process) with the information contained therein (such as surname, first name, gender, date of birth, signature, date of validity and serial number of the identification document, nationality, place of origin, and any biometric data from the photo)
• If supported: Scan of the NFC chip of an identification document with the data read from it (such as surname, first name, date of birth, address, date of validity and serial number of the identification document, nationality, signature, and any biometric data from the photo)
• Distinguished Name: A statutory standard for the form of a name in certificates; the Subject DN includes the name of the signatory, and the Issuer DN the identification of the Trust Service Provider providing the service (in the case of DeepID, DeepCloud)
• Photos and challenge response video of the user from video identification, as specified in the process
• Email address
• Address
• Telephone number
• User ID
• Data on the means of authentication personally used (such as device number) and technical data on the device
• Result of identification and verification (success, failure)
• Information that the user provides in inquiries to DeepCloud (as in the case of support)
• Data on acceptance of DeepCloud’s and third-party providers’ current terms of use, as well as confirmation of the user’s place of residence for advanced and qualified electronic signatures (AES or QES)
• Other data, information or documents provided when using DeepID relating to a requested signature, or to organisations such as commercial register extracts, powers of attorney, shareholder contracts, address, e-mail address or other supporting documents relating to specific attributes for a certificate for AES or QES, other relevant information such as the responsible registration office (such as DeepCloud), signature or authentication log files (such as business partner number, process number, process-related data) and hash values

Data is temporarily stored in the DeepID app so that the user can continue the identification process after closing the Mobile App, but only for a limited period of time. If this time window has expired, the data must be recorded again. Once the identification process has been completed, the following data will continue to be stored locally in the DeepID app:

• User ID, device number
• Identity information such as user name, place of residence, place of origin, and date of birth
• Profile image if the user uses one for the DeepID app

The identity information is also deleted within the DeepID app and stored in DeepCloud for the use of DeepID as soon as the user has been confirmed in the DeepID app and the affected data can be accessed on a case-by-case basis.

Procedure for identification and the data processing that is carried out:

The user’s identity must be confirmed before using the functionalities of the DeepID App for the first time. To do so, the user follows the steps provided for in the DeepID App. In certain cases, a QR code or voucher can be used to start the identification process. He/she indicates their place of residence and nationality. The identification documents approved for identification are selected based on these choices. Certain third-party services and DeepCloud are restricted in this respect as the user’s place of residence is required to be in Switzerland, the EU, or the EEA, and only certain countries and their identification documents are accepted. Only those identification documents are permitted that the providers of the certification or trust services allow for this purpose. These are indicated during the identification process. The identification documents must be valid at the time of identification.

The user then photographs an identification document approved by DeepCloud twice. To make this possible, the user must allow the DeepID app to capture images and videos with their device. If a passport is used, the NFC chip contained therein is automatically read and stored with its certificate, the passport metadata and the passport photo. Data from other identification documents is collected and stored automatically using an image.

The user then performs facial recognition using a 3D selfie and Challenge Response Videos. The user’s biometric data is processed for this comparison to establish identity, which the user expressly consents to. A rating is generated by a test algorithm to determine whether the person named in the identification document is really the user. For this reason, photos and videos must be taken personally by and from the person being identified. If the test produces a positive result, the identification process can be continued. If an error report is made, the user can repeat the process and contact DeepID support if necessary.

The user then confirms his/her data (such as first name, last name, birth date, place of origin, gender), enters his/her residential address and provides his/her e-mail address so that DeepCloud can send him/her important messages such as his/her e-mail verification code. He/she will then receive this verification code using which he/she can confirm his/her e-mail address. The user will receive a recovery code, which he/she must keep in a safe place.

It is necessary that the device used to identify the user can be registered as his/her means of authentication and verified in accordance with a user authentication method recognised in accordance with DIN standards. By doing so, the user confirms that he/she has sole control over the means of authentication.

An AI-based user-centric authentication suite from a third-party provider is used to authenticate the device used to ensure secure communication between the DeepID App and the releases desired by the user, such as the provision of an electronic signature. As an additional security factor, the user specifies a six-digit PIN for access to the DeepID App or activates his/her device’s access protection (such as face ID) as well as the automatic screen lock to unlock the DeepID App in order to protect it from unauthorised access and to protect it from unintentional expressions of intent. The DeepID PIN must be confirmed in order to activate the DeepID App for use.

After that, the user is registered and the identity is verified, a process that can take some time. If the data entered by the user cannot be verified automatically, DeepCloud support endeavours to complete the process, together with the user if necessary. The user can be contacted for this purpose within a reasonable time frame or contacts DeepCloud support him/herself. After the verification is completed, the user will receive a push notification to this effect.

If the identification of the release of electronic signatures serves a certification or trust service provider in Switzerland or the EU, then once the user has submitted a request, his/her registration for such electronic signatures will only be granted if all prescribed requirements of these providers have been met. Users must therefore accept their terms of use and confirm their place of residence in Switzerland, the EU or the EEA.

The existence of a registration is checked before each electronic signature is approved; if necessary, the identification must be repeated. The data processing occurring thereby will be performed to the extent required by law for a signature process (identification of the signatory and authentication of the device before release of the signature).

Further data processing performed during use of the app

Within the DeepID App, the user has the option of selecting different functionalities as part of the dashboard. The user may manage his/her data in his/her profile and complete tasks such as releasing statements of intent or actions and starting the process for verification of an organisation. To this end, he/she may invite other persons to identify themselves so that they can subsequently verify an organisation. To do so, the user can use the communication tools available on his/her device, such as email or SMS, to invite the person in question for identification.

After logging out or if the PIN input is incorrect three times, the user must follow the steps provided by DeepCloud in order to be able to log in to his/her DeepID App again. This will require the following actions: The user inputs his/her date of birth, retakes a selfie and video, confirms his/her device with the PIN received by e-mail and specifies a six-digit PIN and registers with the access protection he/she chooses.

There is no automated decision-making within the meaning of applicable data protection laws.

To which recipients is data transmitted?

Recipients fulfilling legal obligations: DeepCloud may disclose personal data to recipients if this appears necessary or appropriate to comply with applicable laws and regulations or to verify compliance with them and to respond to requests from competent authorities. This concerns, in particular, state-accredited conformity assessment bodies, audit officers and the approving body for certification services for the purpose of checking the proper performance of the registration service.

Third-party providers as recipients of data: DeepCloud may transfer personal data to third-party providers if the user makes use of a service provided by such a third-party provider, such as if the user wishes to authorise a declaration of intent or action, or in order to enable an authentication for such a service.

Service providers as recipients of data: DeepCloud is used to provide DeepID to external service providers. These are hosting and service providers. They only process data for the purposes described by DeepCloud and are contractually bound to comply with the data protection obligations under the relevant data protection laws. They have been carefully selected, are bound by DeepCloud’s instructions and are regularly monitored. They use server locations in Switzerland for this purpose; their registered office is in Switzerland or the EU, which offers an adequate level of data protection for Switzerland.

What diagnostic data is transmitted to DeepCloud via the DeepID app?

Fundamental diagnostic data for diagnosing errors or problems within the DeepID app is collected using Firebase Crashlytics (Android) or Microsoft AppCenter (iOS), to which DeepCloud has access. These do not contain any personal data. How Firebase Inc. and Microsoft handle this information can be found in their respective privacy policies.

How long is data stored?

Fundamentally, data is stored for as long as necessary for the stated purpose and as required by contract or statute. In the area of identification and in the case of certification and/or trust services, there are very long statutory retention obligations—from completion of the identification process at least 17 years according to ZertES and at least 36 years according to the eIDAS Regulation—in order to be able to prove that a person was identified and that an electronic signature was granted. If there is no longer any purpose for storage or contractual or statutory retention obligations no longer exist, anonymisation or deletion will occur after expiration of existing backup periods.

Information that is necessary to enable users to log into the Mobile App, such as login data or a profile picture, remains stored for as long as the usage relationship with the user, retention obligations or any other purpose for their processing exists.

Diagnostic data is deleted as soon as it is no longer needed for its purpose.

What is the purpose of the data processing?

The data and information are processed by DeepCloud in order to provide the functionalities offered in DeepID, to allow secure and smooth use of the DeepID Service and the DeepID app, to contribute to their improvement, to provide support, and to comply with legal obligations such as responding to official requests.

What are the legal bases/justification for data processing?

DeepCloud collects and processes data and information in accordance with your express consent, based on overriding legitimate interests, a contract or legal obligations.

Register for a Webinar via LIVESTORM On some of our websites you can schedule an appointment with us on certain topics. To do this, select the topic that interests you from a variety of options and specify a date. To set up the appointment, the form asks for your email address, your name, and the location of the meeting. Your company name and whether you are interested in other topics are optional. Before you complete the appointment, you can check and adjust your data again. We need this data to be able to plan and conduct the meeting with you. We use LIVESTORM SAS, 24 rue Rodier, 75009 Paris, France, for the registration and implementation of the Webinar. This is a service provider commissioned by us, to whom your data will be passed on for the purposes described above. For its services, it uses Amazon Web Services LLC, P.O. Box 81226. Seattle. This is an American company, so there is the possibility that data might also be processed in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is the possibility that U.S. companies are obliged to hand over data to security authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. Abacus cannot therefore exclude that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we will endeavour to ensure that appropriate guarantees, such as standard data protection clauses, are in place or when using the service, you grant your consent for this in order to ensure legally compliant data transfer.

Registration and participation in an event

You have the opportunity to register for an event such as a course, workshop, forum, webinar, seminar, consultation, (online) event, training, or trade fair (“Event”) on our website. You can send your registration for an Event in writing by post or fax to the contact address given in each case or book participation in the event directly on our websites on the Internet or by telephone. The data provided by you will be stored by us and processed for the planning and implementation of the Event as well as for the follow-up support of the participants and, if necessary, passed on to our commissioned service providers. If you take part in an (online) event, a webinar or a survey, certain data such as your email address, name or the company you work for are required for the implementation of the (online) Event, the webinar or for the evaluation of the survey. In some cases, a survey is also conducted anonymously. Contracted service providers are used precisely for the implementation of such events. We are happy to provide information about our contracted service providers upon request. When participating in an Event, the General Terms and Conditions for Events apply. We reserve the right to publish your name, company and, if applicable, photo and company logo after an event (e.g. website, flyers, reports, company appearances in social media, etc.). We reserve the right to delete these
publications at any time without giving reasons.

Data processing due to legal requirements resulting from the Corona Virus

At events, we are obliged to comply with the legal requirements, for example by the Federal Office of Public Health (FOPH) (such as Safety Concept and Contact Tracing) and to collect corresponding data. These requirements can change constantly, which is why we reserve the right to adapt our safety concept at any time. You are required to follow this accordingly. For details on how we process data in such a case, please refer to the specific protection concept.

Participation in a raffle at an event

If participation in a raffle is possible at an event, we process your data so that you can participate in the raffle and a winner can be determined and notified at the end. We use your data within the scope of the raffle on the basis of your consent to participate in the raffle. You can revoke this at any time with effect for the future. You can find more information on a possible revocation under “Your rights”.

Video and photo recordings when participating in an event

We reserve the right to take photos and videos during an event in which you may also be featured. These photos and videos will be used exclusively for our own purposes (e.g. use for company websites, flyers, reports or via newsletters, for company appearances in social media, information to participants via email, etc.) to report on, or document the event. If you are shown as part of a larger group of people or are merely an “accessory” to a building or location where you are not the focus of the shots, we may take these photos and videos based on our legitimate interests for the purposes described above. You can object to their use at any time. If you are portrayed as an individual or are the
focus of any recording, we will seek your consent for such recording. You then have a right of withdrawal in relation to your consent. If photos and videos (sound and image) are taken of you, e.g. for testimonials, for giving presentations or training, for your support in improving or developing our services, this will only be done with your consent.
You can also revoke this consent at any time. Details can be found in the specific declaration of consent.

Online events and meetings

More and more events and meetings are being held online only to protect participants. This requires an invitation or registration, for which you will be sent an email with a participant link. There may be live presentations, video demonstrations and active information exchange. It is possible that we record an online event with sound and video and that participants can be heard and/or seen. These recordings are used exclusively for the company’s own purposes (e.g. use within a lecture or training series, webinars, for the company’s own websites, flyers, reports, for company appearances in social media, newsletters, information to participants by email), to report on it, to document it or to replay it. When participating in such an event, participants are set to “mute”, also, it is not necessary for the participant to activate their camera in order to send pictures of themselves. Sound and/or video activation is only carried out by the participant after their approval. By agreeing to this, the user gives their consent for sound and image recordings to be made of them in the event that the online event is recorded. No sound or images are edited out afterwards. If the participant does not want to be recorded, they should not activate their audio and video functions throughout the event. It will still be possible to send questions to the moderator(s) via the chat function. These will be answered by the moderator(s) as far as possible during the event or in person via the chat function. For the planning and implementation of such events and meetings (including the sending invitations and confirmations of participation, the analysis of the event or surveys relating to it) we use evenito AG, Limmatquai 122, 8001 Zurich, Switzerland.

This is a service provider commissioned by us which receives your data for the purposes described above and which itself uses commissioned service providers for this purpose. We also use software solutions from Zoom Video Communications (“Zoom”), Inc.,55 Almaden Blvd, Suite 600, 95113 San Jose, California/USA for meetings. These companies also process data in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is the possibility that U.S. companies are obliged to hand over data to security authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. Abacus cannot therefore exclude that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we will work to ensure that appropriate safeguards are in place in this regard, such as standard data protection clauses, or
you give your consent to this when using the services or attending such an event or meeting, in order to ensure that data is transferred in accordance with the law.

On our website and our company presence on LinkedIn, as well as on various job portals, you have the opportunity to find out about current vacancies at DeepCloud and to apply for them. If you would like to apply for a job at DeepCloud, you can find out about current vacancies and apply for them under “Jobs”. At the moment, applications, including unsolicited applications, are welcome to be sent by email to hr@deepcloud.swiss.

Note that unencrypted emails are not protected against unauthorised access when they are sent. You can encrypt your attachments to the application yourself, for example with a ZIP solution and communicate the corresponding password separately (by telephone). If you apply for an advertised position by email, the data you provide (e.g. title, name, postal address, email address, telephone number, languages, earliest start date, your cover letter, and other data and documents you provide) will be stored in order to process your application. This is done in order to carry out pre-contractual measures with you in relation to possible employment as an employee.

Other data processing in the context of your application

If you provide references as part of the application process, we will assume that, where the data relates to an individual, you have obtained their consent for us to contact them and you consent to us obtaining the reference from that individual. If we ask for a reference, we will only contact them with your consent. Consent is given voluntarily and can be revoked at any time for the future. To get a better picture of your professional history, we may visit your professional profiles on LinkedIn and Xing. We process this publicly available job-related data about you in our interest to find out whether you fit the advertised position and our company. If you do not want this, you can let us know.

We do not look at or process data from social networks or other websites that do not have a company or employment-oriented context.

Quality of your data when applying

The data you provide should be accurate, complete, not misleading, and up-to-date. Failure to do so may result in your application not being considered or appropriate legal consequences being drawn after you have already been recruited.

Storage period of your application

If the application procedure does not lead to a position being filled, your application will be deleted at the latest four months after completion of the application procedure, unless the data is needed to defend legal claims asserted against us from the application procedure (this is done on the basis of our legitimate interests), unless a different
period is provided for by law or you have expressly consented to further processing of your data. If your application leads to employment, all data required for this will be processed within the framework of your employment relationship in accordance with the statutory provisions.

With your consent, we publish on our websites and other places (such as in our Newsletter) personal recommendations from you or references by photo, video or written statements as a satisfied customer or how to use our services. In some cases we also use your company logo. This is done after you have given your consent. You can revoke your consent to this; details can be found in the specific declaration of consent.

We may conduct surveys on certain topics (e.g. to improve and expand our services). Your opinion is very important. A survey will help us determine customer satisfaction of current solutions and the needs of our customers. This is in our interest as well as yours when using our services. To do this, we send selected people an invitation email with the link to the survey, whereby we receive your name and email address as part of our contractual relationship with the company for which you work. Participation in a survey is always voluntary and only takes place with your consent. By closing the browser, it is possible to terminate the survey at any time without any adverse consequences for you.

We store and analyse the results of the survey on the basis of legitimate interests in order to improve our services. We may also share the results of surveys with our business partners or prospects, but no personal information will be disclosed. As part of a survey, you also provide us with data such as your name, email address or the company you work for, as well as data resulting from the survey that you can provide (in a free text) within the survey. To conduct surveys, we use the survey tool LimeSurvey from LimeSurvey GmbH, Papenreye 63, 22453 Hamburg, Germany with an on premise solution at our premises in Switzerland.

In progress.

In progress.

We use the services of contracted service providers in Switzerland for the purpose of designing and operating our website. If data is also processed outside Switzerland as a result, it is contractually ensured that a level of data protection appropriate for Switzerland is established, either through existing guarantees or through corresponding regulations. We are happy to provide information about our contracted service providers upon request. Through this data processing, contact data, content data, usage data, meta data, and communication data are processed by us or our service providers on our behalf when you use our website. This is done on the basis of our legitimate interests in the efficient and secure provision of our website, to protect against misuse and other unauthorised use, on the basis of a service requested by you or a contract to be concluded with you following an order by you or, in certain cases, following your consent.

Access data and server log files are collected for each access to the server on which a service used by us is located (so-called server log files). These include:

• the domain visited and the files accessed
• the IP address of the terminal device used
• date and time and duration of the visit
• website from which the access was made
• operating system of the end device used
• the browser used for access as well as all information from the ‘user-agent’, which the browser transmits to the server
• extent of the transmitted data volume

We use this information based on the following legitimate interests:

• to view our website
• to ensure the stability and security of our website
• for statistical evaluations of our websites
• to improve our web presence
• with clarification work of support cases
• for the analysis of technical problems
• for safety-relevant clarifications
• in suspected cases of unlawful use (e.g. to clarify acts of abuse or fraud)

This information is stored for a maximum of 90 days and then deleted, unless its retention beyond this period is necessary for evidential purposes, such as for use as evidence before authorities or courts for unlawful use of our website. We will then exempt them from deletion until the respective incident has been finally clarified and may keep them
until a legally binding decision or judgement has been reached. This information is stored in such a way that, as a rule, it cannot be assigned to any specific person by us, except if you register for a special offer on the website. As a matter of principle, the above-mentioned data will not be passed on to third parties, unless it is necessary for
the pursuit of our claims, for the fulfilment of the intended purposes, after your consent or there is a legal obligation to do so.

Here we would like to inform you which cookies or other technical means such as web beacons, pixels, other tracking technologies (hereinafter “cookies”) are used when using our website. Cookies are small text files that are stored on your terminal device. They do not cause any damage to your end device and do not contain viruses. The data obtained in this way may subsequently be evaluated by us or third parties and merged with other data. As a rule, they serve to make the internet offer as a whole secure, more user-friendly and more effective, which is in both your and our interest. For some cookies that are not essential for technical storage or access to our website, or that are not only used to enable the use of a service you have explicitly requested, we will ask for your consent by means of a so-called cookie consent banner.

Our websites may use cookies from us or third parties to fulfil certain purposes (such as displaying our website, improving functionality, statistical web analysis, product optimisation, personalisation of content). The cookies we use are either session cookies (they are automatically deleted after you close your browser) or so-called persistent
cookies (these remain stored on your end device until a specified expiry date).

The following cookies are generally possible:

Necessary including preferences

Necessary cookies are required for the secure operation of our website, to enable us to transmit and display our website content to you, to enable you to navigate the website or to enable us to quickly identify and rectify technical problems. Preference cookies allow you to use the website more comfortably by remembering options you have chosen (such as a language choice) or providing functionality you have requested (such as remembering a choice or performing a function). These cookies do not require your consent, but their use is based on justifiable interests.

Statistics

These cookies allow statistics and analyses to be created, whereby pseudonymized or anonymized data is collected in order to gain knowledge about website usage, to improve the our service or to quickly identify and solve technical problems.

Marketing

Enable the display of personalized content by recording and analyzing your usage behavior. This is also performed outside of our websites, as these cookies can follow you. Cookies from third-party providers are also used and (pseudonymised) data about your surfing habits are given to them for evaluation and further use.

You can find out which specific cookies are used on our websites by means of informative banners on the respective websites. If only functional cookies are used, we will inform you accordingly by means of a cookie info banner. If cookies, possibly also from third parties, are used that require your consent, we will obtain your consent in advance by means of a cookie consent banner before activating these cookies. For information on the data processing of possible third-party providers whose cookies you can consent to when using our websites, please refer to their data protection declarations. Please note that you can set the common browsers in such a way that you are informed about the setting of cookies and can decide individually about their acceptance or can exclude the acceptance of cookies for certain cases or generally. Each browser differs in the way it manages cookie settings. The help menu of each browser explains how you can change your cookie settings. We cannot guarantee that you will be able to access all functions of our
websites without restriction if you do not allow cookies. We recommend that you regularly delete your cookies and browser history manually.

To protect our systems from bots and possible spam, we have integrated reCAPTCHA from Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 5, Ireland) on certain registration and login forms. This allows us to distinguish whether we are receiving a registration or login from a human or whether there is improper processing by an automated, machine program (e.g. a bot). For this purpose, certain entries are required before registration or login so that verification is possible. In addition, your IP address and, if applicable, other data such as the website that you visit with us and on which reCAPTCHA is integrated, the date and the time spent on our website, the identification data of the browser and operating system type, your Google account if you are logged into Google, mouse movements on the reCAPTCHA areas as well as the tasks in which you identify images are also required by Google for reCAPTCHA. They are sent to Google and processed by them. The analysis starts automatically as soon as you open the website with reCAPTCHA. We use reCAPTCHA from Google to ensure the security of our systems. Data and documents uploaded via a form are stored directly in our systems. If we did not install such a security tool, bots would be able to log on to our systems unhindered. This is how we protect ourselves from unwanted and dangerous automated calls. It is in our legitimate interest to protect our system security. If you would like to know more about reCAPTCHA or how Google processes data, you can find out more directly from Google on their website.

In the following, we will show you how we would like to address you in terms of advertising.

Newsletter

With us you have the possibility to subscribe to a newsletter. In the following we explain the procedure involving newsletters.

• Content of the individual newsletter: We only send emails with promotional information (hereinafter “newsletter”) with your consent. Our newsletters contain information on our services and benefits, also those of the companies of the Abacus Group.

Automated processing: Web beacons are used in our newsletters. These are small, unrecognisable embedded images or objects (such as clear GIF, pixel tags and single pixel GIFs) that return information from you after you open the email you receive. In this way, we can measure success in order to compile statistics for the popularity of our offer. It also allows us to evaluate your user behaviour accordingly. We also store information about the browser you are using and the settings you have made in the operating system you are using, as well as information about the internet connection you are using to access our website. Through the newsletter sent to you, we receive, among other things, receipt and read confirmations as well as information about the links you have clicked on in our newsletter. Through this data processing (performance measurement), we aim to align our advertising approach to your interests and optimise our offers on our website.

• Consent: The dispatch of the newsletter and the associated performance measurement is based on your consent when registering for the newsletter.
• Registration procedure and logging: To ensure that no one can register with other people’s email addresses, you will receive an email asking you to confirm your registration. This confirmation is necessary to receive the newsletter. If the registration is not confirmed within 4 days, the information will subsequently be deleted.
  Registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements and to clarify any possible misuse of your data. This includes the storage of the login and confirmation time as well as the IP address. Changes to your stored data are also logged.
• Login data: To subscribe to the newsletter, all you need to do is enter your email address. Optionally, you can enter a name for the purpose of a personal address in the newsletter.
• Recall: You can stop receiving a newsletter at any time, i.e. withdraw your consent, by sending an email to marketing@deepcloud.swiss clicking on the unsubscribe link in the newsletter or by contacting the address given in the Impressum contact details given in the imprint. You will not incur any costs other than the transmission costs according to the basic rates. You will find a corresponding link for revocation at the end of each newsletter.
• Storage after revocation: We may store unsubscribed email addresses for up to three years to prove consent was previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. Your data will only be used for other purposes after you have withdrawn your consent if you have expressly consented to this or if further processing is justified, about which we will inform you.

Marketing measures by email to existing customers

If we have received your email address from you in connection with the provision of a service and you have not objected to its subsequent use, we reserve the right to use your email address for direct advertising for our own similar services already purchased. After considering our interests, these marketing measures serve our legitimate interests in addressing our existing customers in an advertising manner. The prerequisite is that we inform you when collecting the email address and each time it is used so that you can object to its use at any time (this does not incur any costs other than the transmission costs according to the basic rates).

Commissioned service providers for marketing measures

Marketing measures by email can be carried out by commissioned service providers. For this purpose, your data such as name and email address will be passed on. For sending Newsletters, we use, among others, the mailXpert GmbH, Schulstrasse 37, 8050 Zürich. The data required for this is transferred to a server at mailXpert GmbH Group in the U.S. Newsletters are sent with your consent or on the basis of our legitimate interests in addressing our existing customers in an advertising manner. Further information and the Privacy Policy of mailXpert GmbH can be found on their website.
We are happy to provide information about our other contracted service providers upon request. You can object to marketing measures at any time by sending an email to marketing@deepcloud.swiss, by clicking on the unsubscribe link in the email or by contacting the contact details given in the imprint. You will not incur any costs other than the transmission costs according to the basic rates. You will find a corresponding link for the objection at the end of each such email.

Telephone and postal advertising

We reserve the right to use your first and last name as well as your telephone number and postal address for our own advertising purposes in order to be able to send you interesting offers about us, our products, services or events organised by us by telephone or by post. Telephone advertising is only carried out with your presumed consent. After weighing up our interests, the advertising approach by letter serves our justified interests in addressing our customers and potential interested parties. We will check and respect a possible advertising objection (e.g. through a star entry in public telephone directories) in advance. Promotional letter mail can be processed and sent by a commissioned service provider. For this purpose we will pass on name and address data to them. We are happy to provide information about our contracted service provider upon request.

Objection to advertising and revocation of consent

You can revoke your consent to be contacted for advertising purposes or object to the storage and use of your data for the above-mentioned purposes at any time by sending a message to marketing@deepcloud.swiss or by contacting the contact details given in the imprint. You will not incur any costs other than the transmission costs according to the basic rates. After that, your contact details (e.g. from the newsletter) will be deleted. Further processing of your data remains possible insofar as its use is further permitted or permitted by law.

Passing on data for advertising purposes

Your contact details may be passed on to another company of the Abacus Group in Switzerland or Germany as well as to our solution partners. Promotional advertising will be carried out within the framework of legal requirements. If you have given your consent, if necessary, to a promotional approach (e.g. by newsletter), and also to a transfer of
personal data for this purpose to a company of the Abacus Group or one of our solution partners, this may be used for the corresponding promotional approach by the authorised party.

We maintain a company presence on LinkedIn and there are links to our LinkedIn company presence on our websites. There we can see all the information that visitors voluntarily provide to our corporate presence on this platform by either liking one of our posts or posting a comment. Your data will also be processed if you communicate with us within this platform, e.g. write articles on the various online presences or send messages. In addition, we are provided with statistical data of the visitors to our company website in our administrator account. This includes data evaluating visitors’ interactions with our respective posts, a follower demographic and its origin, as well as web traffic and activity on our corporate presence on the platform. We are not able to view any personal data of the visitors, but only general data without any personal reference. Further data processing carried out by the platform operator during your visit to the platform is not subject to this Privacy Policy, but to its own Privacy Policy. Nevertheless, we check our company presence on this platform at regular intervals for possible violations of the law in order to be able to take immediate action. We have no influence on the data collected and data processing operations by a platform operator. It stores the data collected about you as a usage profile and uses this for the purposes of advertising, market research, and/or designing the website to meet your needs. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the network about your activities on our website. You have a right to object to the creation of these user profiles, whereby you must contact the platform operator directly to exercise this right. Data processing by the platform operator after use of a link on our website takes place regardless of whether you have a user account there and are logged in there. If you are logged in, your data will be directly assigned to your user account. We recommend that you log out regularly after using such a platform, as this allows you to avoid being assigned to your profile. For further information on the purpose and scope of data collection and processing, please refer to LinkedIn’s Privacy Policy. There you will also find further information on your rights and setting options to protect your privacy.

LinkedIn: LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA http://www.linkedin.com/legal/privacy-policy

Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out LinkedIn is an American company, so there is the possibility that data might also be processed in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is the possibility that U.S. companies are obliged to hand over data to security
authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. Abacus cannot therefore exclude that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we will endeavor to ensure that appropriate guarantees, such as standard data protection clauses, are in place or your consent is obtained to ensure that data is transferred in accordance with the law.

We use the services of Vimeo, Inc. 555 West 18th Street, 10011 New York, USA (“Vimeo”) to host online events. In addition, we have integrated the Vimeo video player on some of our web pages in order to offer videos for the presentation of editorial content. These are stored on Vimeo so that they can be played on our websites. This is done for the optimal provision of our services, which is in our legitimate interest. When you call up such a video, a connection is established to the Vimeo servers. Vimeo receives the information that you have accessed the corresponding subpage of our website with the embedded video as well as the IP address. Vimeo is set so that your user activity is not tracked and no cookies are set. For more information on the purpose and scope of data collection, its processing and your rights and settings options to protect your privacy, please refer to the Vimeo Privacy Policy. Vimeo, Inc. is an American company, so there is the possibility that data might also be processed in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is the possibility that U.S. companies are obliged to hand over data to security authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. Abacus cannot therefore exclude that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we work to ensure that appropriate guarantees are in place in this regard, such as standard data protection clauses, or you give your consent when using these services to ensure that data is transferred in accordance with the law.

Our websites may contain links to external websites of other companies outside DeepCloud. This Privacy Policy does not extend to the websites of these other companies. When using these websites, the data protection declarations of these companies must be observed as far as their data processing is concerned. Nevertheless, we check these websites at
regular intervals in order to remove the link immediately in the event of possible infringements. If you have any indications of possible legal violations on the pages linked by us, we ask you to inform us so that we can stop a possible connection. If you click on such links, your data may be transferred to companies in countries outside Switzerland,
the EU or the EEA that do not ensure an adequate level of protection for the processing of personal data. Please remember this before clicking on a link and thereby triggering a possible transfer of data.

In the following, we would like to inform you about the data processing that we carry out as a company within the scope of our business operations.

What data is processed and where does it come from?

We process data from our employees, customers, suppliers, applicants, interested parties, other business partners, or third parties and their employees. This data is either provided by the data subject or the respective company itself or we receive it from another company of the Abacus Group, from third parties such as other business partners (e.g. customers, suppliers or other service providers), public authorities or from publicly accessible sources (e.g. public telephone, address and trade directories, public notices or databases, the Internet, trade, cooperative or association registers). The data provided by you or the relevant company, for example when making an enquiry, registering, obtaining a quote, entering into a contract, completing a questionnaire or otherwise communicating with us, may be as follows:

• Contact details including full name, position, company, address, telephone, email address
• Contractual data arising from pre-contractual measures or the fulfilment of a contract, including delivery data
• Payment data, including bank details, payment history, credit card data, debit card data, access data, as well as other data for smooth payment transactions
• Content data including entries in our CRM or project system, in contact forms, data of a conducted communication via email or another form of communication
• Registration data (such as user name and password) when using offers requiring registration or login
• Data for the prevention of fraud, money laundering or other criminal offences
• All data in connection with an application or employment as an employee with regard to the profession, the previous employer, the professional career including certificates and further training, all data that are provided or may be legitimately collected and processed in the context of an application procedure or employment relationship
• Sensitive data such as health data, which is only collected by us with the explicit, prior consent of the data subject, which can be revoked at any time, or where there is a legal obligation to process it
• Data on the company for which a person works
• Data as described above when using one of our websites

Data obtained through other companies, public authorities or publicly available sources, such as:

• Credit information
• Contact data (name, company, postal addresses, email addresses, telephone numbers, publicly accessible data as can be seen in the commercial register) from credit agencies that are used within the legal framework for an advertising approach
• Data from banks or insurance companies in connection with the fulfilment of a legal or contractual obligation
• Data from judicial or official proceedings
• References from previous employers or business partners
• Data related to fraud and money laundering prevention or screening related to export restrictions
• Data from publicly accessible sources such as the internet, the press or public registers such as the commercial register

For what purposes is data processed and on what legal basis?

Data is processed for different purposes and on the basis of different legal bases:

• Carrying out pre-contractual measures in the context of an application or in connection with the conclusion of contracts with customers or other business partners, such as when preparing an offer. Due to their function at the contractual partner, data of their employees is also processed, in which we have the legitimate interest of a successful business development
• Processing of employee data based on contract, legal obligation, given consent or legitimate interests
• Provision of contractual services and customer care in the fulfilment of contracts, implementation of contractual measures, payments and accounting, guarantee of contractual claims. Due to their function at the contractual partner, data of their employees is also processed, in which we have the legitimate interest of a successful business development
• Processing of contact requests based on the legitimate interest of customer satisfaction or pre-contractual measures
• Communication with the media based on a legitimate interest in successful business development
• Sending personalised newsletters, carrying out other marketing measures, sending Christmas mail/gifts as well as internal market and opinion research to address customers in an advertising manner with regard to our companies and services in order to increase sales after consent has been granted or in special cases due to justified interests in direct marketing within the framework of existing legal requirements
• Exchange information and maintain contact with the press on the basis of legitimate interests of successful business development
• Improvement of our online offers, products, and services due to legitimate interests of a successful business development
• Collection of data from publicly accessible sources on the basis of legitimate interests for customer acquisition
• To establish, maintain and protect the operation and security of our IT, online offering, products, services and other offerings, based on legitimate interests to prevent potential security threats, criminal offences, or other adverse activities
• Video surveillance to safeguard domiciliary rights and damage prevention and other IT security measures to protect persons, intangible assets and tangible assets
• Compliance with internal policies or industry standards due to legitimate interests to comply with specified regulations
• Enforcing contracts, settling, asserting or defending legal claims in judicial or official proceedings based on our legitimate business interests
• Mergers, transfers, and acquisitions of companies, parts thereof or business divisions, as well as other transactions under company law, including the transfer of data on the basis of legitimate interests of successful business development or after consent has been granted
• Provision of certain online services for the management of customers and business partners and communication in the context of the use of online services requiring registration (including orders, payments, document management, other information) on the basis of legitimate business interests
• Enabling participation in interactive functions of our online offer due to legitimate interests upon request
• Obtaining references as part of an application procedure after consent has been given
• Verification of identity in order to be able to fulfil rights and obligations under data protection law, due to legal obligation
• Credit assessments based on (pre-) contractual relationships or after consent has been given
• Other data processing after consent has been given
• Fulfilment of legal obligations and due diligence for the prevention or investigation of criminal offences, economic crime or money laundering
• To fulfil the purposes you specified when you provided the data or that we notified you of when we collected the data
• In addition, data from different sources are brought together, which can also be processed for the purposes listed above. This allows us to compare, match and use customer or sales partner data from the individual companies within the Abacus Group and manage it in a central system. For current and correct delivery and address data, we may match existing data with other sources, correct it if necessary and use it; this is due to legitimate business interests

As a company, we use various tools from companies in the U.S., whereby we take care to contractually agree storage locations in Switzerland or the EU with these companies wherever possible. Nevertheless, it is possible that data will be transmitted to their servers in the U.S. during use or in support cases. If you are resident in Switzerland or in a member state of the EU/EEA, we expressly point out that the U.S. does not have an adequate level of data protection from the point of view of Switzerland and the EU and EEA. In the case of data transfers to a company in the U.S., there is a possibility that data could also be processed in the U.S. In this regard, we inform you that companies in the U.S. may be obliged to hand over data to security authorities due to regulations in force there. In this respect, data subjects currently do not have sufficient legal remedies to take action. We therefore cannot rule out the possibility that U.S. authorities (such as intelligence services) may process, evaluate or store such data in the U.S. for monitoring purposes without us being able to influence For data processed in a third country that does not have an adequate level of data protection, DeepCloud provides appropriate safeguards such as the conclusion of standard data protection clauses (adapting necessary contractual and technical measures) to ensure legally compliant data
transfer abroad. Only in individual cases is recourse made to the legally possible exceptions, such as the explicit consent of the data subject for a data transfer to a third country without an adequate level of data protection.

In principle, we process and store your data for as long as is necessary and permissible for the purposes for which we received the data. Specifically, this means that we will retain your data for as long as we have a (business) relationship with you or the company for which you work, when you use our website, when you are employed, when you send us newsletters, when we perform a contract or a continuing obligation, for as long as you have given us permission to store the data, for as long as any obligations exist or are owed to us, for as long as a particular legal situation requires, such as with regard to legal disputes, limitation periods or official investigations, or for as long as you were notified when the data was collected. In addition, legislation has provided for a variety of documentation and retention obligations and periods, so that if such a legal obligation for retention or documentation exists, we also store data – possibly limited – for a correspondingly long period of time. In Switzerland, for example, there are retention obligations under tax or commercial law of up to 10 years, as well as possible retention obligations of 30 years due to existing statutes of limitation, plus obligations under special laws. For this reason, an examination of the respective storage period takes place in each individual case for the corresponding data processing. After exercising your right of revocation or objection, after the stated purposes have been achieved or after the expiry of existing tax or commercial law, other legal or contractual documentation and storage obligations and periods, we will delete your data or, if permissible, restrict its processing, unless you have consented to further use of your
data or we have expressly reserved the right to use data beyond this, as permitted by law or contract, about which we will inform you accordingly.

If you use areas that require registration or login, you should store the login data carefully and protect it from access by third parties. If you log in from computers or other devices that are used by multiple people, please remember to properly log out after each session and close the browser window you are using. We take data security very seriously and treat your data confidentially and in accordance with the statutory regulations. To this end, we have taken technical and organisational measures to ensure a level of protection appropriate to the risk. These measures may include the pseudonymisation and encryption of data, security measures relating to the confidentiality, integrity, availability and resilience of systems, the ability to rapidly restore the availability of and access to data in the event of a physical or technical incident, and the regular review, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing. We want to protect your data from loss, misuse, alteration or destruction and unauthorised access in accordance with the state of the art. The safety standard is continuously adapted to the latest technological developments. Our employees and contracted service providers are bound to confidentiality and act within the framework of our instructions. It is possible that emails are sent in unencrypted form (i.e. that they are immediately readable without any required prior decryption), especially if you cannot access encrypted emails yourself. Such unencrypted emails are exposed to a greater risk than encrypted emails, which is why we hereby expressly advise you not to send any confidential information such as application documents without encryption. When using website forms or in the context of email communication with us, your data will be transmitted encrypted according to the current state of the art when it is sent. Our website including the areas requiring registration and login are secured (https). Keep in mind that security gaps can never be completely ruled out when transmitting data on the Internet. We cannot guarantee 100% security of all systems, especially when using our websites. We accept no liability for unauthorised actions by unauthorised third parties.

In the application procedure, data is used in the context of partially automated processing according to certain criteria in order to evaluate personal aspects of an applicant (profiling). We use these assessments to make a prediction of suitability for employment. However, the decision on employment is made by the respective line managers and employees in the HR department. As a matter of principle, when concluding a contract or executing it, no decisions are made exclusively on the basis of automated processing which would produce legal effects against you or which would significantly affect you in a similar way. We will inform you in advance if this should take place in individual cases and ensure that data processing is lawful.

It is possible that different law applies to certain data processing. Thus, it must be examined in each individual case whether the Federal Act on Data Protection (FADP) und Ordinance to the Federal Act on Data Protection (DPO) as well as national law of Switzerland or another, foreign law such as the General Data Protection Regulation and in each case national law of another state is applicable to data subjects. DeepCloud will review this on a case-by-case basis and will carry out the data processing that takes place within the framework of the respective legal requirements.

You are entitled to the following rights with regard to your data, insofar as we have been able to duly establish your identity and the respective conditions for this are met:

• Right to access
• Right of rectification
• Right to erasure
• Right to restriction of processing
• Right to object
• Right to data portability

Furthermore, you have the right to assert your claims in court and to complain to a data protection supervisory authority about the processing of your data by us. We will comply with your request for deletion unless it conflicts with an obligation to retain data or we need the data to assert, exercise or defend our legal claims. You can revoke your consent to the processing of your data at any time for the future. Such a revocation shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. If we base the processing of your data on our legitimate interests or those of a third party following a balancing of interests, you may object to such processing. In such a case, we will review your objection and either stop or adapt the data processing or show you our compelling interests worthy of protection why we want to continue the processing. These must override your interests, rights and freedoms or the processing must serve the assertion, exercise or defence of legal claims. Should we process your data in order to conduct direct advertising with it, you have the right to object to this processing of your data for the purpose of direct advertising at any time. This also applies to any profiling that may take place if it is connected with such direct advertising. In such a case, we will stop this data processing. You are not obliged to provide us with your data. However, it is possible that certain functions of our website will not be available or will only be available to a limited extent if you do not provide any data. Furthermore, it is possible that no contractual relationship can be entered into with you without the corresponding data. If you have any questions about data protection or if you wish to exercise your rights, withdraw consent or object to data processing, please contact us using the contact details provided above under “Responsible party”. We have appointed a data protection officer for DeepCloud. They are available at:

datenschutz@deepcloud.swiss

If you have any questions about data protection, please feel free to contact us at any time.

This Privacy Policy is subject to periodic review and may be amended, if necessary, in the event of legal or technical changes or due to new or revised services, at any time with effect for the future without prior notice. For this reason, we ask you to read this Privacy Policy at regular intervals in order to be aware of possible changes.