Protecting your privacy.
We protect your data
with the associated subpages, as well as for our corporate presence on LinkedIn. Access to our website is free, although some of our online services are restricted to certain users and require registration. Our online offers are not aimed at children or the general public. Our websites are structured so that you can visit them without having to disclose any
comprehensive information about the data processing performed by us and applies to all data processing by DeepCloud, regardless of whether we receive your personal data online or offline and regardless of the communication channel (such as company website, other company websites on the Internet, by telephone, email, post, or personal contact).
Abacus-Platz 1 9300 Wittenbach – St. Gallen Switzerland
We have appointed a data protection officer for DeepCloud. They are available at:
Insofar as DeepCloud processes personal data and the General Data Protection Regulation (“GDPR”) applies to such processing, we have designated as our representative in the EU:
Abacus Business Solutions GmbH
Mies-van-der-Rohe-Straße 6 Tower 1 – 10. OG 80807 Munich
If you have any questions about data protection, please feel free to contact us at any time.
Personal data is any information relating to the personal or material circumstances of an identified or identifiable natural person (“data”). This includes, for example, the name, address, telephone number, or email address. This term does not include anonymous data or information whose content does not indicate or suggest the identity or factual circumstances of an identifiable individual, such as the number of visitors to a website. There are also so-called special categories of data (“sensitive data”). This includes data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data to uniquely identify you, health data, or data concerning your sex life or sexual orientation. We will only process such data – if at all – with your explicit consent, unless another legal basis makes such data processing necessary.
The content and information presented on our websites serve to provide you with general information about us as a company and about our DeepCloud Services. In the course of using our websites, it is possible that data may be disclosed by you or collected by us for certain purposes. Furthermore, as a company, we process data that you disclose to us or transmit to us in other ways, for example by mail, email, telephone, during a business transaction, or personal contact. Our data processing includes, for example, the collection, storage, transmission, deletion, and other processing of your data. Only data that is necessary and appropriate for the intended purpose will be processed. Our data processing is carried out for the purposes stated by us or for the purposes requested by you. Data processing outside of the intended purposes will only take place if we inform you accordingly and if a change of purpose is lawful.
In the following, we inform you about the individual data processing, its purpose, and its legal basis for us as a company.
You can provide your contact information and interest in our products and services in a contact form, an inquiry, through a personal contact during an event or web demo, or contact us in other ways so that we or partners we select can contact you, inform you about DeepCloud Services, conduct a web demo with you, or fulfill other offers. Furthermore, we store and process information that you select in lists and menus on our websites. When you send us an email we save the content of the email as such, and the data that is generated when inquiries are sent to our email servers, such as sender and recipient IDs, time stamps and, if necessary, reasons for errors or rejections if the transmission of an email fails. If you wish to receive information material, you can also provide us with your email address so that we can send you the requested information by email with your consent. We use your data ourselves or provide it to the relevant companies. This is done within the framework of data protection and competition law requirements. We process your data based on legitimate interests. Processing is done both in your interest – you have contacted us – and in ours, to establish the satisfaction of all inquirers, if necessary to fulfil a contract with you, or to carry out pre-contractual measures. We will only process your data for the purpose of contacting you. Your data may be stored in our CRM system and in other technical systems. When using website forms, your data will be transmitted in encrypted form according to the current state of the art. You provide us with your data voluntarily, and only as much data as necessary is requested (mandatory data are marked with *). All other information is optional.
If we determine that we can only satisfactorily respond to your inquiry with the assistance of a selected partner, we may share your data based on legitimate interests or, if necessary, we will obtain your consent to share your data. Consent is given voluntarily and can be revoked at any time for the future.
In the course of providing our services, visiting our websites or using our support, there is the possibility of using online offers that require you to register, authenticate, and log in. This applies in particular to the opening of a DeepBox account, the use of our DeepBox Services, but also to the execution of a web demo so that you can get a better picture of our services in the context of an online presentation, remote access in a support case, the registration for events, or the scheduling of an appointment. This involves providing and transmitting to us a variety of data resulting from the respective form or our queries. When using such a form, your data will be transmitted in encrypted form according to the current state of the art. You provide us with your data voluntarily, and only as much data as necessary is requested (mandatory data are marked with *). All other information is optional. DeepCloud is free to choose its authentication methods. The data to be provided results directly from the specific procedure used.
You are required to choose strong passwords when choosing login credentials. You are responsible for the security of your login data and must not pass it on to unauthorised third parties. The processing of your data within the scope of our (registration and login required) offers is carried out with your consent when registering or logging in, based on our legitimate interest in providing you with the information necessary to use our services satisfactorily, in order to be able to contact us, and for the proper processing of an existing contractual relationship.
To open a DeepBox account, a successful registration is required. The link sent to the email address provided must be used for this purpose. Registration opens a DeepBox account for the Owner, which offers certain functionalities. The registration form must be completed, indicating whether the DeepBox account is to be used privately or for a company, foundation or association (“Organization”). Before completing the registration process, a choice can be made between the two options. Depending on the choice, a “Private” DeepBox account will be opened for the Registrant as a contractual partner with DeepCloud or, if the necessary requirements are met, an “Organization” DeepBox account will be opened for the Organization as a contractual partner. For a DeepBox account of an Organization, the authorization of the Registrant to enter into the contractual relationship for the Organization is required. When using certain DeepBox Services or extended functionalities of the DeepBox account, the unique identification of the Registrant and, if applicable, the verification of the Organization is required. For identification and verification purposes, the services of a third-party provider are integrated. The terms and conditions of the third-party provider apply. As part of these processes, relevant data about the Registrant and the Organization, as well as the results of the identification and verification, are transmitted between DeepCloud and the third-party provider. The identification and verification processes may take place within a reasonable period of time. If the relevant process is not successfully completed within this time period, the DeepBox account will be deleted. After registration, an access-protected login can be used to log in to the DeepBox account and use various DeepBox Services. Two-factor authentication, possibly also from a third-party provider, can be activated for the login. The terms and conditions of the third-party provider apply. After successful registration, you have the option of using the services located there (some of which are subject to a fee), such as a deep, shared or special box, DeepO, DeepV, DeepPay, or DeepPoint.
We offer a DeepBox account and various DeepBox Services in the form of cloud-based software as a service. These are web-based software applications and applications (Apps) with various functionalities. The focus is on the storage, organization, and sharing of information and documents or on the optimization of internal company communication, processes and accounting, with the possibility of integrating employees and other third parties. The efficient analysis and use of information within the DeepBox account is also possible. If you have purchased subscriptions for certain DeepBox Services within the DeepBox account, these can also be used by your authorized users by releasing them in the DeepBox account and after they have registered for a DeepBox account. The person who opens a DeepBox account is responsible for the use of the DeepBox until an organization has been verified for the relevant DeepBox account. The respective Owner of the DeepBox account is responsible for the use and thereby processed data within the scope of the DeepBox account and the DeepBox Services, to maintain data protection if personal data is collected in the process. It is possible to collect, store, modify, or delete data with a DeepBox. For the use of the DeepBox account and the DeepBox Services, all data will be stored and processed that accrue upon registration as well as all data and documents that are collected and processed in DeepBox and when using the DeepBox Services. This includes data related to address entry, accounting, invoices and quotations, time recording, expense receipts, payroll accounting, and all content provided by the user in the process. Furthermore, this also includes content that can be processed by a fiduciary or by additional services such as those of payment providers, when using mobile Apps, and exchanged between the respective parties involved. The data processed in the DeepBox account and the DeepBox Services include the following: personal master data such as name, address, date of birth, employer, contact data such as telephone and/or email address, time and wage recording data such as working hours, absences (sickness or holidays), overtime and extra hours, expense receipts, product master data, contractual relationship data and contractual data including delivery, payment and invoicing data, bank account and credit card data, and all data recorded within the DeepBox account and DeepBox Services.
This data may come from current and former employees and job applicants, service providers, suppliers, banks and other payment providers, customers, business partners, prospective customers, and all the employees of the companies who act as contacts for these companies. During the contractual relationship, DeepCloud shall back up the content stored in the Apps in accordance with standard backup procedures and shall endeavor to avoid data loss as far as possible. However, in general, the Owner of the DeepBox account is responsible for the preservation and archiving of its data and documents and acknowledges that they are not archived by DeepCloud. In the event of termination of the use of the DeepBox account (e.g. ending the contractual relationship, termination) or the DeepBox Services, the Owner of the DeepBox account is responsible for scheduling the termination of the use of the DeepBox account and the DeepBox Services. The latter can instruct DeepCloud to make their data available in an export file before deletion of the data in DeepBox takes place. The Customer shall, autonomously and in due time prior to termination, ensure that its data files are backed up and delete corresponding data or authorise DeepCloud to delete the data upon termination of the contractual relationship, as the data will be deleted at the latest upon expiry of the backup periods. Access to the Owner’s data files is excluded after termination of the contractual relationship. Data that Abacus is legally or contractually obliged to store for a limited period of time, and data that is still needed for the settlement or collection of the services provided, shall be excluded from the deletion. Your authorisation to use these services will end if you delete your account or lose your authorisation to use the services. Your login data will be deleted once you no longer have access authorisation.
DeepSign enables electronic signing of digital documents for individuals (signatories) and organisations (if their authorised representatives sign) as well as the use of timestamps. The simple electronic signature (SES), advanced electronic signature (AES) and qualified electronic signature (QES) are available. Depending on the type of signature, different data about the initiator (the person who invites another person to sign) and the signatory are processed.
Data processing performed in DeepID:
In order to be able to sign a document, the initiator collects the e-mail address so that the invitation can be sent to the signatory. The initiator may additionally write and send messages for the signatory. Likewise, the choice of the signature (SES/AES/QES) is recorded along with the certification or trust service (according to ZertES or the eIDAS Regulation) that is supposed to create a signature.
An SES requires the signatory’s e-mail address, which the signatory uses to confirm the SES. In addition, the signatory has the possibility to select further annexes when submitting his/her SES. They will be attached to the document to be signed and all documents will be signed together. DeepCloud stores and transmits the signed document to the initiator as instructed by the signatory. If the invited person does not provide an SES, the annexes will be deleted again.
Since the DeepSign service is a native DeepBox application, the data protection provisions on DeepBox also apply.
There is no automated decision-making within the meaning of applicable data protection laws.
By whom is data processed?
- Customers and their employees or other users of the DeepCloud Services authorised by the Customer
- The signatory for the electronic signature
- Persons whose data is contained in the documents to be signed
What data is processed?
For the purpose of signing and to maintain the traceability of the confirmation of a signature, DeepCloud records the following data (insofar as it is collected and transmitted by the identification service used or disclosed by the initiator or signatory him/herself within the DeepSign service):
- DeepBox login data when the initiator or the signatory uses DeepSign
- Master and contact data (when opening a DeepBox)
- E-mail address for signatory invitations
- Telephone number if the relevant signature provides for its processing
- Selection of the electronic signature or the electronic time stamp and the certification or trust service
- Result of the prior identification and verification of the signatory (success, failure)
- Confirmation or rejection of signature
- Documents, their contents and annexes
- Log files on the signature process (such as business partner number, process number, process-related data), hash values, transaction history, signature/time stamp selection, signature ID
- Diagnosis and analysis data (e.g., product interaction, usage data)
- Data on the means of authentication personally used (such as device number) and technical data on the device
- Other information or documents collected or supplied by the user within the service regarding a requested signature, the user’s organisation, or other supporting documents concerning specific attributes for a certificate for AES or QES, as well as other relevant information such as the responsible registry (such as DeepCloud for DeepID), signature or authentication log files (such as business partner number, process number, process-related data) and hash values
- Information that the user provides in inquiries regarding DeepSign (as in the case of support)
To which recipients is data transmitted?
Recipients fulfilling legal obligations: DeepCloud may disclose personal data to recipients if this appears necessary or appropriate to comply with applicable laws and regulations or to verify compliance with them and to respond to requests from competent authorities. This concerns, in particular, state-accredited conformity assessment bodies, audit officers and the approving body for certification services for the purpose of checking the proper performance of the AES and QES service.
Third-party providers as recipients of data: DeepCloud may transfer personal data to third-party providers if the user makes use of a service provided by such a third-party provider, such as if the user uses an identification service other than DeepID for the release of a QES or AES. In addition, certification services are provided by a provider of certification services recognized in Switzerland according to the Swiss Federal Act on Qualified Electronic Signatures (ZertES) and a provider of trust services recognized in the EU according to the EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) (third-party provider). These third-party providers prepare the electronic signatures and timestamps according to the legal requirements and their certificate guidelines. Personal data of the signatory will be transferred to recipients within the EU that have an adequate level of data protection. These providers are subject to strict legal requirements when providing their services.
When using third-party provider services, the data protection provisions of these third-party providers will apply.
Service providers as recipients of data: DeepCloud uses external service providers to provide DeepSign. These are hosting and service providers. They only process data for the purposes described by DeepCloud and are contractually bound to comply with the data protection obligations under the relevant data protection laws. They have been carefully selected, are bound by DeepCloud’s instructions and are regularly monitored. They use server locations in Switzerland for this purpose.
How long is data stored?
Fundamentally, data is stored for as long as necessary for the stated purpose and as required by contract or statute. In the area of certification and/or trust services, there are very long statutory retention obligations, which can amount to up to 36 years in order to be able to document the issue of your electronic signature(s). If there is no longer any purpose for storage or contractual or statutory retention obligations no longer exist, anonymisation or deletion will occur after expiration of existing backup periods.
What is the purpose of the data processing?
The data and information are processed by DeepCloud in order to provide the DeepSign electronic signature service, to allow secure and smooth use of the service, to contribute to its improvement, and to comply with legal obligations such as responding to official requests.
What are the legal bases/justification for data processing?
DeepCloud collects and processes data and information in accordance with your consent, based on overriding legitimate interests, a contract or legal obligations.
fiduciary access to the data in the application in order to carry out the necessary data processing and data synchronization. The DeepBox account Owner is responsible for granting and restricting or revoking the fiduciary’s and also its other authorized users’ access rights to its data and whether they engage in lawful data processing activities within DeepBox. The connection to the fiduciary’s DeepBox account is made either by the DeepBox account Owner themself or by the fiduciary. AbaNinja contains the option of connecting to services of different payment providers such as banks or payment service providers. When using DeepPay, third-party services (such as payment initiation and account information services) are possible. DeepCloud merely provides the interface to these third-party providers for a data exchange so that the executed transactions can be displayed or triggered. For the execution of the transactions, an exchange of data takes place between the participants. For unique assignment, an application-relevant ID is used together with additional access data for the respective participant. This can be bank or payment-specific data such as account information, IBAN, or the credit card number. Each party involved is responsible for the data processing taking place in its area of responsibility and for the security of the data in accordance with the agreed provisions.
The responsibility for the provision and processing of the additional services and the processing of data when using said services (including the payment and account information processed via these services) does not lie with DeepCloud, but with these third-party providers.
DeepCloud provides the “AbaElster” service to Customers for the transmission of information from the Customer’s Abacus ERP to a tax office in Germany in order to use the “Online Tax Office ELSTER” offer for the tax assessment procedure. AbaElster is exclusively intended for use in connection with the electronic submission of tax returns and transmission of tax data in accordance with legal requirements. In the process, information from the Customer’s Abacus ERP is transmitted in encrypted form to DeepCloud’s server in Switzerland. This information is transmitted to the respective tax office. After transmission, the information is automatically deleted from DeepCloud’s server.
The information transmitted includes all relevant personal data required for tax purposes, such as personal identification and contact details (first and last name, address, date and place of birth, tax number, identification number, e-mail address, telephone number); reporting data of the sales tax advance return, permanent extension and recapitulative statement (ZM), in detail: taxable sales, tax amount, company address, name of clerk, sales of customers in the EU with their names and VAT number; copies and details of identity and identification documents, income (e.g. wages, business income, income from renting and leasing, capital gains, pensions); expenses (e.g. income-related expenses, business expenses, special expenses and extraordinary expenses); taxes withheld by third parties (e.g. wage tax, capital gains tax, solidarity surcharge, church tax); marital status and children, ELStAM electronic tax deduction features (e.g. wage tax class); occupation; bank details; details of taxes paid or refunded; details of tax returns submitted and applications made as well as appeals; details of the period of the employment relationship for tax purposes (e.g. entry date, exit date, number of interruptions); technical information such as certificate, IP address, device information, MAC address, etc.; as well as any data that the Customer transmits to the tax office in the course of data processing. DeepCloud acts here as an order processor for the Customer, which fulfils its legal duty of tax declaration, such that requests for information are to be addressed directly to the respective customer. The respective tax authorities provide separate information on data processing around the taxation procedure and around “ELSTER”.
The content stored in DeepBox is processed within the framework of the existing contractual relationship with the DeepBox account holder. We process this data within the framework of commissioned data processing with the Owner of the DeepBox account. A commissioned data processing agreement is entered into with us for the use of the DeepBox account.
The aim is that data processing in the context of the use of the DeepBox account takes place mainly in Switzerland. If we engage contracted service providers in the EU (for example in Germany) for certain services, then we aim to arrange server solutions in Switzerland. Should it nevertheless become necessary for our commissioned service providers to process data in the EU (for example in a support case), the EU offers a level of data protection that is adequate for Switzerland. If we ourselves, as the responsible party, use contracted service providers for our own purposes, we also try to ensure that data is processed in Switzerland. In special cases, we may require the services of service providers who provide their services outside Switzerland. In such cases, we try to commission service providers in a country that has a level of data protection appropriate for Switzerland. Otherwise, we ensure with suitable guarantees such as standard data protection clauses or upon your consent that a legally compliant data transfer can take place.
In any case, our contracted service providers are carefully selected and commissioned. They are bound to our instructions and are regularly monitored. Only such data is transmitted that is necessary for the provision of the respective service.
DeepCloud’s Mobile Apps include:
- DeepBox (Android and iOS)
- DeepID (Android and iOS)
Here we provide information about the data processing performed by us when our Mobile Apps are used. Our Mobile Apps are primarily used for document management (DeepBox app), identification of persons, verification of organisations, and release of expressions of intent and actions, or for authentication and verification of a user (DeepID app).
The Mobile Apps are used either as a stand-alone solution or in combination with web applications. It is also possible for a Mobile App to be downloaded and data collected via the Mobile App without any data being transferred to a web application. In this case, the data collected by you via the Mobile App does not leave your device; the same applies to the use of the Mobile Apps in “offline mode.” The collected data remains locally in the Mobile App on your device unless it is switched to “online mode” or synchronised.
As a general rule, our Mobile Apps are either downloaded and used by you on a mobile device, or your employer (or its service provider) requests that you use the Mobile App. The use for data exchange with a web application may then exist within the framework of an existing contractual relationship with you, with your employer, or with another contractual partner.
You are under no obligation to provide your data to DeepCloud. However, it is possible that certain functions of a Mobile App may not be available or only be available to a limited extent if you do not provide data.
What data is processed when using the Mobile Apps?
Various data may be collected when the Mobile Apps are used, transmitted to the corresponding web application linked to the Mobile App, and processed by it. This is done using synchronisation. Some Mobile Apps require that synchronisation with the corresponding web application is permitted. The first step is a check of whether the Mobile App is accepted by this web application or whether any DeepCloud subscriptions exist (“DeepCloud Sub” at DeepBox). User information is transmitted to DeepCloud and compared with existing DeepCloud Subs.
In order to use a confirmed DeepID identity, an exchange of data between DeepCloud and a third-party provider may occur for you as a user of DeepID. For details, please refer to the “DeepID” section.
Depending on the Mobile App, different data of different categories of data subjects may be processed depending on which DeepCloud Service is used in order to synchronize or exchange this data between the Mobile App and a web application. How the data controller for the web application (third-party provider) processes this data is within that party’s area of responsibility and DeepCloud is not informed of it.
The following categories of data may be included depending on the Mobile App:
- Personal master data (e.g., name, company name, address)
- Communication data (e.g., telephone, e-mail address)
- Identification data (e.g., user ID or identity UID)
- Data from identification documents (e.g., ID cards and passports) such as name, maiden name, date of birth, nationality, photo, data and certificate of the NFC chip, ID data, date of issue, term of validity, country of issue, metadata, optical character recognition, security features, MRZ
- Documents and their content if they contain personal data
- Multimedia data (photos, videos such as challenge response videos and voice recordings)
- Location data
- Diagnosis and analysis data (e.g., product interaction, usage data)
- Data on data subjects’ devices used as means of authentication
Depending on the Mobile App, these may be the following categories of data subjects:
- End customers and business customers
- General customers
- Employees of customers
- Users of an app, such as a person to be identified
- Signatory for an electronic signature
- Business partners
- Contact persons (employees of a business partner/customer)
If support is needed, users may send error reports to DeepCloud if anything abnormal occurs when using the Mobile App. The crash logs do not contain any personal data.
Where is the data stored?
Data that DeepCloud stores in a DeepBox is located in a cloud solution certified in accordance with ISO 27001 by a contracted service provider who only processes your data for the purposes described by us. The contracted service provider has been carefully selected and commissioned by us, is bound by our instructions and is subject to regular review. The server locations are in Switzerland.
Name of the App: DeepBox (iOS / Android)
Function of the DeepBox mobile App:
DeepBox (iOS and Android) allows documents from different sources (via the camera, from the photo album, or from another cloud service) to be transferred to a DeepBox.
Technical data and information that is processed and/or stored:
The App supports devices with iOS and Android (from Android version 5.0, exception: Huawei devices with their own operating system that do not support Google Services).
- (Static) URL for access to the DeepBox system
- Authentication factors (Access & Refresh Token) for access to the DeepBox. Tokens are deleted after the user logs out within the App.
- App Version
- Model of the terminal device (iPhone/Android)
- Version of the operating system
- Indication of the countries/regions in which the App is used
- Android: CrashReports and StackTrace (Sentry). In the case of event logs, these are active by default (Matomo). The user can set restrictions or deactivate this via the settings.
- iOS: Logs are created by the Microsoft AppCenter for debugging purposes (CrashReports only). Information processed by the AppCenter can be found at https://docs.microsoft.com/en-us/appcenter/gdpr/faq.
- Documents and content captured via App
“Privacy/ Data Protection”: Display of a window with selection
- Required analysis data: CrashReports and StackTrace, specification of countries/regions, Microsoft AppCenter information (by default)
- Complete analysis data: Event logs (Android)
Data, information, and documents for uploading to a DeepBox are (temporarily) stored in the App (storage also possible for offline use) or made available via access authorisation. DeepCloud only stores technical or statistical analysis data on the use of the App (such as crash reports, countries/regions) within the scope of App use, otherwise storage takes place in the user’s mobile device or after transfer of the data, information, and documents in the connected DeepBox.
Third-party services used:
iOS: Microsoft AppCenter services to make the App more secure and to analyse crash reports.
Android: Sentry, to analyse crash reports and Matomo to analyse the use of the App.
including the libraries listed within the App settings “Licences”.
The App requires access to the camera function (to be able to scan, store, and read the documents), the photo album (where documents are stored to be used), the calendar (iOS only, so that expiry dates of the documents can be determined by means of the calendar) and the activation of the location services (where the locations are recorded by code). Furthermore, access to the “Internet” is required to enable a corresponding transfer connection to the connected DeepBox.
The access authorisations are requested when the App is installed and the respective function is used for the first time. They only become active when the user has agreed and can be deactivated at any time, after which certain functions of the App can no longer be used.
Android: On older devices (older than Android 6), permission is requested when the App is installed.
Access protection can take place via the mobile terminal, in which the possible access restrictions are activated and the existing encryptions are used. No separate App access protection is implemented.
As a network protocol, the App uses the HTTPS protocol with TLS encryption for communication.
DeepID service and DeepID Mobile App (Android and iOS)
The DeepID service and the DeepID App (DeepID) are used to digitally identify individuals, e.g., in order to be able to use DeepCloud’s digital signature service—DeepSign—to verify organisations, to approve statements of intent and actions, or to enable users to authenticate themselves using DeepID for DeepCloud web applications or for services of third-party providers, with no user name or password, securely and easily.
This requires going through an online identification process using the DeepID app. This identification process has been developed and tested in accordance with the legal provisions of ZertES/VZertES in Switzerland and the eIDAS Regulation in Europe, as well as the requirements of recognised certification and trust service providers as part of an implementation plan for identification of persons for advanced and qualified electronic signatures (AES and QES). Verification of the secure online identification process using DeepID and the DeepID app is documented by KPMG and is available in the form of the corresponding documentation. The legal requirements provide for a regular review that audits and confirms the legal changes and functions of DeepID.
A user’s identification documents are checked and digitised as a DeepID. Each user can have only one confirmed DeepID. The process recognises whether the same user appears with different identification documents. Furthermore, each means of authentication must be registered in accordance with the implementation plan and assigned to the user. The user must be the authorised owner of the device and must have sole control over it so that it can be used for authentication. Identity verification and signature creation or other authorisation are linked in the same technical connection, until a new identity verification is carried out. The link between identity verification and the authentication method used is therefore clear and certain.
This ensures that the identified person is actually identical to the active user of the DeepID app and that the authenticated device is in his/her possession. The process required for this purpose is prescribed by the DeepID app. The authentication factors used also include verification of the submitted and approved identification document, the image material, and the challenge response video taken by the person him/herself.
DeepID has a wide range of applications; for instance, the confirmed identity can be used for various services for the authentication of a person in a system login, time recording, access solutions or the release of expressions of intent such as the commissioning of electronic signatures.
The user can change the overall configuration, such as the device used, at any time. However, this automatically leads to a new authentication of the device, possibly even making it necessary to go through parts of the identification process once again. The detailed procedure is described below.
What data is processed in DeepID?
DeepCloud records the following user data for identification purposes and to maintain the traceability of identification confirmation as well as for the use of the DeepID (insofar as this data is disclosed by the user in the identification process or within the DeepID app or is transmitted by a third-party provider for whom the DeepID is to be used):
- Place of residence (country information)
- Photos of the relevant pages (such as front and reverse) of the selected identification document (as permitted by the prescribed process) with the information contained therein (such as surname, first name, gender, date of birth, signature, date of validity and serial number of the identification document, nationality, place of origin, and any biometric data from the photo)
- If supported: Scan of the NFC chip of an identification document with the data read from it (such as surname, first name, date of birth, address, date of validity and serial number of the identification document, nationality, signature, and any biometric data from the photo)
- Distinguished Name: A statutory standard for the form of a name in certificates; the Subject DN includes the name of the signatory, and the Issuer DN the identification of the Trust Service Provider providing the service (in the case of DeepID, DeepCloud)
- Photos and challenge response video of the user from video identification, as specified in the process
- Email address
- Telephone number
- User ID
- Data on the means of authentication personally used (such as device number) and technical data on the device
- Result of identification and verification (success, failure)
- Information that the user provides in inquiries to DeepCloud (as in the case of support)
- Other data, information or documents provided when using DeepID relating to a requested signature, or to organisations such as commercial register extracts, powers of attorney, shareholder contracts, address, e-mail address or other supporting documents relating to specific attributes for a certificate for AES or QES, other relevant information such as the responsible registration office (such as DeepCloud), signature or authentication log files (such as business partner number, process number, process-related data) and hash values
Data is temporarily stored in the DeepID app so that the user can continue the identification process after closing the Mobile App, but only for a limited period of time. If this time window has expired, the data must be recorded again. Once the identification process has been completed, the following data will continue to be stored locally in the DeepID app:
- User ID, device number
- Identity information such as user name, place of residence, place of origin, and date of birth
- Profile image if the user uses one for the DeepID app
The identity information is also deleted within the DeepID app and stored in DeepCloud for the use of DeepID as soon as the user has been confirmed in the DeepID app and the affected data can be accessed on a case-by-case basis.
Procedure for identification and the data processing that is carried out:
The user’s identity must be confirmed before using the functionalities of the DeepID App for the first time. To do so, the user follows the steps provided for in the DeepID App. In certain cases, a QR code or voucher can be used to start the identification process. He/she indicates their place of residence and nationality. The identification documents approved for identification are selected based on these choices. Certain third-party services and DeepCloud are restricted in this respect as the user’s place of residence is required to be in Switzerland, the EU, or the EEA, and only certain countries and their identification documents are accepted. Only those identification documents are permitted that the providers of the certification or trust services allow for this purpose. These are indicated during the identification process. The identification documents must be valid at the time of identification.
The user then photographs an identification document approved by DeepCloud twice. To make this possible, the user must allow the DeepID app to capture images and videos with their device. If a passport is used, the NFC chip contained therein is automatically read and stored with its certificate, the passport metadata and the passport photo. Data from other identification documents is collected and stored automatically using an image.
The user then performs facial recognition using a 3D selfie and Challenge Response Videos. The user’s biometric data is processed for this comparison to establish identity, which the user expressly consents to. A rating is generated by a test algorithm to determine whether the person named in the identification document is really the user. For this reason, photos and videos must be taken personally by and from the person being identified. If the test produces a positive result, the identification process can be continued. If an error report is made, the user can repeat the process and contact DeepID support if necessary.
The user then confirms his/her data (such as first name, last name, birth date, place of origin, gender), enters his/her residential address and provides his/her e-mail address so that DeepCloud can send him/her important messages such as his/her e-mail verification code. He/she will then receive this verification code using which he/she can confirm his/her e-mail address. The user will receive a recovery code, which he/she must keep in a safe place.
It is necessary that the device used to identify the user can be registered as his/her means of authentication and verified in accordance with a user authentication method recognised in accordance with DIN standards. By doing so, the user confirms that he/she has sole control over the means of authentication.
An AI-based user-centric authentication suite from a third-party provider is used to authenticate the device used to ensure secure communication between the DeepID App and the releases desired by the user, such as the provision of an electronic signature. As an additional security factor, the user specifies a six-digit PIN for access to the DeepID App or activates his/her device’s access protection (such as face ID) as well as the automatic screen lock to unlock the DeepID App in order to protect it from unauthorised access and to protect it from unintentional expressions of intent. The DeepID PIN must be confirmed in order to activate the DeepID App for use.
After that, the user is registered and the identity is verified, a process that can take some time. If the data entered by the user cannot be verified automatically, DeepCloud support endeavours to complete the process, together with the user if necessary. The user can be contacted for this purpose within a reasonable time frame or contacts DeepCloud support him/herself. After the verification is completed, the user will receive a push notification to this effect.
The existence of a registration is checked before each electronic signature is approved; if necessary, the identification must be repeated. The data processing occurring thereby will be performed to the extent required by law for a signature process (identification of the signatory and authentication of the device before release of the signature).
Further data processing performed during use of the app
Within the DeepID App, the user has the option of selecting different functionalities as part of the dashboard. The user may manage his/her data in his/her profile and complete tasks such as releasing statements of intent or actions and starting the process for verification of an organisation. To this end, he/she may invite other persons to identify themselves so that they can subsequently verify an organisation. To do so, the user can use the communication tools available on his/her device, such as email or SMS, to invite the person in question for identification.
After logging out or if the PIN input is incorrect three times, the user must follow the steps provided by DeepCloud in order to be able to log in to his/her DeepID App again. This will require the following actions: The user inputs his/her date of birth, retakes a selfie and video, confirms his/her device with the PIN received by e-mail and specifies a six-digit PIN and registers with the access protection he/she chooses.
There is no automated decision-making within the meaning of applicable data protection laws.
To which recipients is data transmitted?
Recipients fulfilling legal obligations: DeepCloud may disclose personal data to recipients if this appears necessary or appropriate to comply with applicable laws and regulations or to verify compliance with them and to respond to requests from competent authorities. This concerns, in particular, state-accredited conformity assessment bodies, audit officers and the approving body for certification services for the purpose of checking the proper performance of the registration service.
Third-party providers as recipients of data: DeepCloud may transfer personal data to third-party providers if the user makes use of a service provided by such a third-party provider, such as if the user wishes to authorise a declaration of intent or action, or in order to enable an authentication for such a service.
Service providers as recipients of data: DeepCloud uses external service providers to provide DeepID. These are hosting and service providers. They only process data for the purposes described by DeepCloud and are contractually bound to comply with the data protection obligations under the relevant data protection laws. They have been carefully selected, are bound by DeepCloud’s instructions and are regularly monitored. They use server locations in Switzerland for this purpose; their registered office is in Switzerland or the EU, which offers an adequate level of data protection for Switzerland.
What diagnostic data is transmitted to DeepCloud via the DeepID app?
Fundamental diagnostic data for diagnosing errors or problems within the DeepID app is collected using Firebase Crashlytics (Android) or Microsoft AppCenter (iOS), to which DeepCloud has access. These do not contain any personal data. How Firebase Inc. and Microsoft handle this information can be found in their respective privacy policies.
How long is data stored?
Fundamentally, data is stored for as long as necessary for the stated purpose and as required by contract or statute. In the area of identification and in the case of certification and/or trust services, there are very long statutory retention obligations—from completion of the identification process at least 17 years according to ZertES and at least 36 years according to the eIDAS Regulation—in order to be able to prove that a person was identified and that an electronic signature was granted. If there is no longer any purpose for storage or contractual or statutory retention obligations no longer exist, anonymisation or deletion will occur after expiration of existing backup periods.
Information that is necessary to enable users to log into the Mobile App, such as login data or a profile picture, remains stored for as long as the usage relationship with the user, retention obligations or any other purpose for their processing exists.
Diagnostic data is deleted as soon as it is no longer needed for its purpose.
What is the purpose of the data processing?
The data and information are processed by DeepCloud in order to provide the functionalities offered in DeepID, to allow secure and smooth use of the DeepID Service and the DeepID app, to contribute to their improvement, to provide support, and to comply with legal obligations such as responding to official requests.
What are the legal bases/justification for data processing?
DeepCloud collects and processes data and information in accordance with your express consent, based on overriding legitimate interests, a contract or legal obligations.
Register for a Webinar via LIVESTORM
On some of our websites you can schedule an appointment with us on certain topics. To do this, select the topic that interests you from a variety of options and specify a date. To set up the appointment, the form asks for your email address, your name, and the location of the meeting. Your company name and whether you are interested in other topics are optional. Before you complete the appointment, you can check and adjust your data again. We need this data to be able to plan and conduct the meeting with you. We use LIVESTORM SAS, 24 rue Rodier, 75009 Paris, France, for the registration and implementation of the Webinar. This is a service provider commissioned by us, to whom your data will be passed on for the purposes described above. For its services, it uses Amazon Web Services LLC, P.O. Box 81226. Seattle. This is an American company, so there is the possibility that data might also be processed in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is the possibility that U.S. companies are obliged to hand over data to security authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. Abacus cannot therefore exclude that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we will endeavour to ensure that appropriate guarantees, such as standard data protection clauses, are in place or when using the service, you grant your consent for this in order to ensure legally compliant data transfer.
Registration and participation in an event
You have the opportunity to register for an event such as a course, workshop, forum, webinar, seminar, consultation, (online) event, training, or trade fair (“Event”) on our website. You can send your registration for an Event in writing by post or fax to the contact address given in each case or book participation in the event directly on our websites on the Internet or by telephone. The data provided by you will be stored by us and processed for the planning and implementation of the Event as well as for the follow-up support of the participants and, if necessary, passed on to our commissioned service providers. If you take part in an (online) event, a webinar or a survey, certain data such as your email address, name or the company you work for are required for the implementation of the (online) Event, the webinar or for the evaluation of the survey. In some cases, a survey is also conducted anonymously. Contracted service providers are used precisely for the implementation of such events. We are happy to provide information about our contracted service providers upon request. When participating in an Event, the General Terms and Conditions for Events apply. We reserve the right to publish your name, company and, if applicable, photo and company logo after an event (e.g. website, flyers, reports, company appearances in social media, etc.). We reserve the right to delete these publications at any time without giving reasons.
Data processing due to legal requirements resulting from the Corona Virus
At events, we are obliged to comply with the legal requirements, for example by the Federal Office of Public Health (FOPH) (such as Safety Concept and Contact Tracing) and to collect corresponding data. These requirements can change constantly, which is why we reserve the right to adapt our safety concept at any time. You are required to follow this accordingly. For details on how we process data in such a case, please refer to the specific protection concept.
Participation in a raffle at an event
If participation in a raffle is possible at an event, we process your data so that you can participate in the raffle and a winner can be determined and notified at the end. We use your data within the scope of the raffle on the basis of your consent to participate in the raffle. You can revoke this at any time with effect for the future. You can find more information on a possible revocation under “Your rights”.
Video and photo recordings when participating in an event
We reserve the right to take photos and videos during an event in which you may also be featured. These photos and videos will be used exclusively for our own purposes (e.g. use for company websites, flyers, reports or via newsletters, for company appearances in social media, information to participants via email, etc.) to report on, or document the event. If you are shown as part of a larger group of people or are merely an “accessory” to a building or location where you are not the focus of the shots, we may take these photos and videos based on our legitimate interests for the purposes described above. You can object to their use at any time. If you are portrayed as an individual or are the focus of any recording, we will seek your consent for such recording. You then have a right of withdrawal in relation to your consent. If photos and videos (sound and image) are taken of you, e.g. for testimonials, for giving presentations or training, for your support in improving or developing our services, this will only be done with your consent.
You can also revoke this consent at any time. Details can be found in the specific declaration of consent.
Online events and meetings
More and more events and meetings are being held online only to protect participants. This requires an invitation or registration, for which you will be sent an email with a participant link. There may be live presentations, video demonstrations and active information exchange. It is possible that we record an online event with sound and video and that participants can be heard and/or seen. These recordings are used exclusively for the company’s own purposes (e.g. use within a lecture or training series, webinars, for the company’s own websites, flyers, reports, for company appearances in social media, newsletters, information to participants by email), to report on it, to document it or to replay it. When participating in such an event, participants are set to “mute”; it is also not necessary for the participant to activate their camera in order to send pictures of themselves. Sound and/or video activation is only carried out by the participant after their approval. By agreeing to this, the user gives their consent for sound and image recordings to be made of them in the event that the online event is recorded. No sound or images are edited out afterwards. If the participant does not want to be recorded, they should not activate their audio and video functions throughout the event. It will still be possible to send questions to the moderator(s) via the chat function. These will be answered by the moderator(s) as far as possible during the event or in person via the chat function. For the planning and implementation of such events and meetings (including sending invitations and confirmations of participation, the analysis of the event or surveys relating to it) we use evenito AG, Limmatquai 122, 8001 Zurich, Switzerland.
This is a service provider commissioned by us which receives your data for the purposes described above and which itself uses commissioned service providers for this purpose. We also use software solutions from Zoom Video Communications (“Zoom”), Inc., 55 Almaden Blvd, Suite 600, 95113 San Jose, California/USA for meetings. These companies also process data in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is the possibility that U.S. companies are obliged to hand over data to security authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. Abacus cannot therefore exclude that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we will work to ensure that appropriate safeguards are in place in this regard, such as standard data protection clauses, or you give your consent to this when using the services or attending such an event or meeting, in order to ensure that data is transferred in accordance with the law.
On our website and our company presence on LinkedIn, as well as on various job portals, you have the opportunity to find out about current vacancies at DeepCloud and to apply for them. If you would like to apply for a job at DeepCloud, you can find out about current vacancies and apply for them under “Jobs”. At the moment, applications, including unsolicited applications, are welcome to be sent by email to email@example.com.
Note that unencrypted emails are not protected against unauthorised access when they are sent. You can encrypt your attachments to the application yourself, for example with a ZIP solution and communicate the corresponding password separately (by telephone). If you apply for an advertised position by email, the data you provide (e.g. title, name, postal address, email address, telephone number, languages, earliest start date, your cover letter, and other data and documents you provide) will be stored in order to process your application. This is done in order to carry out pre-contractual measures with you in relation to possible employment as an employee.
Other data processing in the context of your application
If you provide references as part of the application process, we will assume that, where the data relates to an individual, you have obtained their consent for us to contact them and you consent to us obtaining the reference from that individual. If we ask for a reference, we will only contact them with your consent. Consent is given voluntarily and can be revoked at any time for the future. To get a better picture of your professional history, we may visit your professional profiles on LinkedIn and Xing. We process this publicly available job-related data about you in our interest to find out whether you fit the advertised position and our company. If you do not want this, you can let us know.
We do not look at or process data from social networks or other websites that do not have a company or employment-oriented context.
Quality of your data when applying
The data you provide should be accurate, complete, not misleading, and up-to-date. Failure to do so may result in your application not being considered or appropriate legal consequences being drawn after you have already been recruited.
Storage period of your application
If the application procedure does not lead to a position being filled, your application will be deleted at the latest four months after completion of the application procedure, unless the data is needed to defend legal claims asserted against us from the application procedure (this is done on the basis of our legitimate interests), unless a different period is provided for by law or you have expressly consented to further processing of your data. If your application leads to employment, all data required for this will be processed within the framework of your employment relationship in accordance with the statutory provisions.
With your consent, we publish on our websites and other places (such as in our Newsletter) personal recommendations from you or references by photo, video or written statements as a satisfied customer or how to use our services. In some cases we also use your company logo. This is done after you have given your consent. You can revoke your consent to this; details can be found in the specific declaration of consent.
We may conduct surveys on certain topics (e.g. to improve and expand our services). Your opinion is very important. A survey will help us determine customer satisfaction of current solutions and the needs of our customers. This is in our interest as well as yours when using our services. To do this, we send selected people an invitation email with the link to the survey, whereby we receive your name and email address as part of our contractual relationship with the company for which you work. Participation in a survey is always voluntary and only takes place with your consent. By closing the browser, it is possible to terminate the survey at any time without any adverse consequences for you.
We store and analyse the results of the survey on the basis of legitimate interests in order to improve our services. We may also share the results of surveys with our business partners or prospects, but no personal information will be disclosed. As part of a survey, you also provide us with data such as your name, email address or the company you work for, as well as data resulting from the survey that you can provide (in a free text) within the survey. To conduct surveys, we use the survey tool LimeSurvey from LimeSurvey GmbH, Papenreye 63, 22453 Hamburg, Germany with an on premise solution at our premises in Switzerland.
We use the services of contracted service providers in Switzerland, which we use for the purpose of designing and operating our website. If data is also processed outside Switzerland, it is contractually ensured that an appropriate level of data protection is established according to Swiss standards, either through existing guarantees or through corresponding regulations. We are happy to provide information about our contracted service providers on request.
In these data processing procedures, your contact data, content data, usage data, metadata, and communication data are processed by us or our service providers on our behalf when using our website. This happens because of our legitimate interests in the efficient and secure provision of our website, to protect against abuse and other unauthorized use, because of a service requested by you or a contract to be concluded with you after you have placed an order, or in certain cases after you have given your consent.
Access data and server log files are collected by us or our service provider about every access to the server on which a service used by us is located (called server log files). These include:
- The domain visited and the files accessed.
- The IP address of the end device used.
- Date, time, and duration of the visit.
- Web page from which the server was accessed.
- Operating system of the end device used.
- The browser used for access and all information from the “user-agent” that the browser transfers to the server.
- Scope of the data volume transferred.
We use this information for the following legitimate interests:
- To display our website.
- To guarantee the stability and security of our website.
- For statistical evaluations of our websites.
- To improve our website.
- For clarification purposes in support cases.
- To analyze technical problems.
- To clarify safety issues.
- In suspected cases of illegal use (such as to clarify acts of abuse or fraud).
This information will be stored for a maximum period of 90 days and then deleted, unless its retention beyond this period is necessary for purposes of evidence, for example to be used as evidence before authorities or courts to prove our website has been used illegally. We will then remove this data from the data to be deleted until final clarification of the respective incident and may retain them until a legally binding decision or judgment has been issued.
The above-mentioned data will not be passed on to third parties, unless it is necessary to pursue our claims, to fulfil the intended purposes, after you have given your consent, or if there is a legal obligation to do so.
This information is stored in such a way that, as a rule, it cannot be assigned by us to any particular person, except when you register for a special offer on the website.
In this section, we would like to inform you about which cookies or other technical means, such as web beacons, pixels, and other tracking technologies (hereinafter referred to as “cookies”), are used when using our website. Cookies are small text files that are stored on your end device. They do not cause any damage to your end device and do not contain viruses. The data obtained by these cookies can then be evaluated by us or third parties and merged with other data. As a rule, they serve to make the Internet offering more user-friendly and effective overall, which is in both your interest and ours.
We will ask you for your consent via a cookie consent banner for some cookies that are not required for technical storage purposes or to access our website, or that serve more purposes than just to enable the use of a service you have expressly requested.
The cookies we use are either session cookies (these are automatically deleted when you close your browser) or persistent cookies (these remain stored on your end device until a specified expiry date).
The following cookies are generally possible:
Strictly necessary incl. preferences
Strictly necessary cookies are essential for the safe and reliable operation of our website, in order to be able to transfer and display our website content, to allow you to navigate on the website, or to be able to quickly identify and solve technical problems.
Preference cookies allow you to make the site more enjoyable to use by remembering options you choose (such as language selection) or by providing functionalities you request (such as remembering a selection or performing a function).
These cookies do not require your consent, but their use is based on legitimate interests.
These cookies enable us to compile statistics and analyses, whereby pseudonymized or anonymized data is collected in order to gain knowledge about the use of the website, to improve our offering, or to quickly detect and remedy technical problems.
They enable the display of personalized content by recording and analyzing your usage behavior. This is also done outside our websites, in that these cookies can track you. As part of this, cookies of third-party providers are also used and (pseudonymized) data of your surfing behavior is passed on, evaluated, and used by them.
You can find out which specific cookies are used on our websites by means of informative banners on the respective websites. If only functional cookies are used, we will inform you accordingly by means of a cookie info banner. If cookies, possibly also from third-party providers, are used that require your consent, we will obtain your consent in advance by means of a cookie consent banner before activating these cookies. Please refer to the privacy policies of any third-party providers whose cookies you may consent to when using our websites to find out how they process your data. Please note that you can set the most common browsers so that you are informed about the setting of cookies and can decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. Each browser differs in the way it manages cookie settings. The help menu of each browser explains how you can change your cookie settings. There is no guarantee that you will be able to access all functions of our websites without restrictions if your browser does not allow cookies. We recommend that you regularly delete your cookies and browser history manually.
To protect our systems from bots and potential spam, we have included Google reCAPTCHA (Google Ireland Limited, Gordon House, Barrow Street, Dublin 5, Ireland) in certain registration and login forms. This enables us to determine whether we receive a registration or login from a human being or whether the registration or login attempt stems from abusive processing by an automated, machine program (such as a bot). For this purpose, certain information must be entered before registration or login so that the attempt can be verified. In addition, your IP address and, if applicable, other data such as the website of ours that you are visiting on which reCAPTCHA is integrated, the date and the duration of your visit to our website, the identification data of the browser and operating system type, your Google account if you are logged in with Google, mouse movements on the reCAPTCHA surfaces, as well as the tasks in which you identify images, are required by Google for reCAPTCHA. This data is sent to Google and processed by them. The analysis starts automatically as soon as you open the website with reCAPTCHA. We use Google reCAPTCHA to ensure the security of our systems. Data and documents uploaded via a form are stored directly in our systems. If we did not install this type of security tool, bots would be able to freely log into our systems. This enables us to protect ourselves from unwanted and dangerous automated accesses. It is in our legitimate interest to protect our system security.
In the following section, we will explain to you how we intend to contact you for advertising purposes within the framework of legal requirements.
We offer a newsletter, which you can register to receive. Below, we explain how the newsletter works.
- Content of the individual newsletter: We only send e-mails containing advertising information (hereinafter referred to as the “newsletter”) with your consent. Our newsletters contain information about our products and services, as well as achievements of the companies of the Abacus Group.
- Automated processing: web beacons are used for our newsletters. These are small, invisible embedded images or objects (such as clear gifs, pixel tags, and single-pixel gifs) that send your information back to us after you open the e-mail you have received. This allows us to measure success in order to generate statistics for the popularity of our offer. It also enables us to evaluate your user behaviour accordingly. We also store information about the browser you use and the settings in the operating system you use, as well as information about your Internet connection with which you reach our website. Through the newsletter sent to you, we receive, among other things, confirmation that you have read and received the newsletter, as well as information about the links you have clicked in our newsletter. We intend to use this data processing (success measurements) to align how we contact you for advertising purposes to your interests and optimize our offers on our website.
- Consent: The sending of the newsletter and the associated measurement of success is based on you giving your consent when you register for the newsletter.
- Login procedure and logging: In order to ensure that nobody can register with external e-mail addresses, you will receive an e-mail asking you to confirm your registration. This confirmation is necessary to receive the newsletter. If the registration is not confirmed within four days, the information will be deleted after this period has expired. Newsletter registrations are logged in order to be able to prove the registration process according to the legal requirements and to clarify a possible misuse of your data. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your stored data are also logged.
- Login data: To subscribe to the newsletter, you only need to enter your e-mail address. Optionally, you can enter a name to be addressed personally in the newsletter.
- Revocation: You can stop receiving a newsletter at any time, that is, revoke your consent by sending an e-mail to firstname.lastname@example.org, by clicking the unsubscribe link in the newsletter, or via the contact details given in the imprint [link with imprint]. You will not incur any costs other than the transmission costs pursuant to the basic tariffs. You will find the link to revoke your consent at the bottom of each newsletter.
- Storage after revocation: We may store the unsubscribed e-mail addresses for up to three years to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for cancellation is possible at any time, provided that the existence of the previously given consent is confirmed at the same time. After you have revoked your consent, your data will only be used in any other way if you have expressly consented to it or if further processing is justified, about which we will inform you.
Other E-mail Marketing Measures
If we have received your e-mail address from you in connection with the sale of a product or the provision of a service, and you have not objected to the following use, we reserve the right to use your e-mail address for direct marketing of our own similar products or services already purchased. These marketing measures serve our legitimate interests in contacting our existing customers for advertising purposes, after a balancing of interests.
We are obliged to expressly point out that you can object to the use at any time when we collect your e-mail address and for each use (no other costs than the transmission costs according to the basic tariffs are incurred for this).
Contracted Service Providers for Marketing Measures
Marketing measures can be sent via e-mail by contracted service providers. To send newsletters, we use, among others, the mailXpert service provided by mailXpert GmbH, Schulstrasse 37, 8050 Zürich, Switzerland.
The data required for this is transferred to a server at mailXpert GmbH in Switzerland. Newsletters are sent out with your consent or to contact our existing customers for advertising purposes on the basis of our legitimate interests. For this purpose, we will pass on your data such as your e-mail address to them. These contracted service providers have been carefully selected and commissioned by us; they are bound by our instructions and are checked regularly. They only receive data to the extent necessary for the performance of the specifically agreed order processing. Appropriate safeguards to ensure an adequate level of data protection will be applied to data transfers abroad.
You can opt out of these marketing measures by sending an e-mail to email@example.com, by clicking the unsubscribe link in the e-mail, or via the contact details given in the imprint. You will not be charged any costs other than the transmission costs according to the basic rates. You will find the link to opt out at the bottom of each of these e-mails.
Telephone and Postal Advertising
In order to be able to announce interesting offers about us, our products, services, or events organized by us either by telephone or to send them to you by post, we reserve the right to use your first and last name as well as your telephone number and postal address for such advertising purposes. We will only contact you for advertising purposes via telephone after you have given your presumed consent to this. The advertising material we send by post serves our legitimate interests in contacting our existing customers for advertising purposes, after a balancing of interests. We will check for and respect any possible objections to receiving advertising material (also by checking for starred entries in public telephone directories) in advance.
Advertising material sent by post can be processed and sent by a contracted service provider. We will pass on your name and address data to them for this purpose. This contracted service provider has been carefully selected and commissioned by us; it is bound by our instructions and is checked regularly. On request, we will gladly provide information about our contracted service providers.
Objection to Advertising and Revocation of Consent
You can revoke your consent to being contacted for advertising purposes or object to the storage and use of your data for the above-mentioned purposes at any time by sending an e-mail to firstname.lastname@example.org or via the contact details given in the imprint. You will not incur any costs other than the transmission costs according to the basic rates. Your contact data will then be deleted (from the newsletter, for example). Your data may still be subject to further processing as far as the use of this data is still possible or permitted by law.
Passing On of Data for Advertising Purposes
Your contact details may be passed on to another company of the Abacus Group in Switzerland or Germany as well as to sales or solution partners. We will contact you for advertising purposes within the framework of legal requirements. If you have, if necessary, given your consent to being contacted for advertising purposes (by newsletter, for example), and also personal data to be transferred to a company of the Abacus Group or one of our sales or solution partners, then this data may be used by the entitled partner to contact you for advertising purposes.
We maintain a company page on LinkedIn and our websites contain links to our company pages on LinkedIn.
On these pages, we can see all the information that visitors voluntarily provide to our company on these platforms by either liking one of our posts or posting a comment. Your data will also be processed if you communicate with us within these platforms, for example by posting on the company pages or sending messages.
In addition, the statistical data of visitors to our company pages are made available to us in our admin account for the respective platform. This includes data to evaluate the interactions of visitors with our respective posts, a follower demographic and its origin, as well as Internet traffic and activity on our company page on the platform. We cannot see any visitors’ personal data, only general data without any personal reference.
We have no influence on the collected data and how the platform operators process the data. They store the data collected about you as user profiles and use these for the purposes of advertising, market research, and/or design the website to meet your needs. This sort of an evaluation is carried out in particular (also for users who are not logged in) for the purpose of displaying advertising that meets the needs of the users and to inform other users of the network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective platform operator directly to exercise this right.
Data is processed by the platform operator after using a link on our website regardless of whether you have a user account on that platform and are logged in. If you are logged in, your data will be directly assigned to your user account. We recommend that you log out regularly after using such a platform, as this allows you to avoid being assigned to your profile.
LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, U.S.
LinkedIn is an American company, so there is a chance that data could also be processed in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is a possibility that U.S. companies are obligated to hand over data to security authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. We therefore cannot rule out that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we will endeavor to ensure that appropriate guarantees, such as standard data protection clauses, are in place or your consent is obtained to ensure that data is transferred in accordance with the law.
We have embedded the Vimeo video player from Vimeo (Vimeo, Inc., 555 West 18th Street, 10011 New York, U.S., hereinafter “Vimeo”) into some of our websites to present editorial content in the form of videos, which are also stored on Vimeo and can be played directly from our websites. This is done for the optimal presentation of our products and services, which is in our legitimate interest.
A connection to the Vimeo servers is established when you view one of these videos. In doing so, Vimeo receives the information that you have accessed the corresponding subpage of our website containing the embedded video and the IP address. Vimeo is set up so that your user activities are not tracked and no cookies are set.
Vimeo, Inc. is an American company, so there is a chance that data could also be processed in the U.S. Abacus hereby expressly points out that the U.S. is not a safe third country in the sense of Swiss data protection law and that due to existing regulations, there is a possibility that U.S. companies are obligated to hand over data to security authorities. In this respect, data subjects currently do not have sufficient legal remedies to take action. We therefore cannot rule out that U.S. authorities (such as intelligence services) process, evaluate, or store such data in the U.S. for monitoring purposes. We have no control over that. However, we will endeavor to ensure that appropriate guarantees, such as standard data protection clauses, are in place or your consent is obtained to ensure that data is transferred in accordance with the law.
If you click one of these links, your data may be transferred to companies in countries outside Germany, Switzerland, the EU, and the EEA that do not ensure an adequate level of protection for the processing of personal data. Please remember this before you click a link and thereby trigger a possible transfer of your data.
In the following section, we would like to inform you about the data processing that we as a company perform in the course of our business operations.
What Data Is Processed and Where Does it Come From?
We process data from our employees, customers, suppliers, applicants, interested parties, other business partners or third parties, and their employees. This data is either provided by the data subject or the respective company itself, or we receive it from another company of the Abacus Group, from third parties such as other business partners (such as customers, suppliers, or other service providers), authorities, or from publicly accessible sources (such as public telephone, address, and industry directories, public notices or databases, the Internet, trade, cooperative, or association registers).
The data provided by you or the respective company, for example, by making an inquiry, registering for a platform or service, receiving a quote, concluding a contract, filling out a questionnaire, or communicating with us in any other way, can be the following:
- Contact information including full name, position, company, address, telephone number, e-mail address
- Contract data, which arise during pre-contractual measures or during the fulfilment of a contract, including delivery data
- Payment data, including bank details, payment history, credit card data, debit card data, access data, and other data required for smooth payment transactions
- Content data including input in our CRM or project system, in contact forms, data contained in communication via e-mail, or any other form of communication
- Registration data (such as username and password) when using services requiring registration or login
- Data for the prevention of fraud, money laundering, or other criminal offences
- All data in connection with an application or employment as an employee in relation to the profession, previous employer, professional career including certificates and further training, all data that is made available in the context of an application procedure or employment relationship, or that may be legitimately collected and processed
- Sensitive data such as health data, which is collected by us exclusively with the express, prior, and at any time revocable consent of the data subject, or in the case of a legal obligation to process this
- Data on the company for which a person works
- Data when using one of our websites as described above
Data obtained from other companies, authorities, or publicly available sources, such as
- Credit reports
- Contact data (name, company, postal addresses, e-mail addresses, telephone numbers, publicly accessible data as shown in the commercial register) of credit agencies, which are used within the legal framework for advertising purposes
- Data held by banks or insurance companies in connection with the fulfilment of a legal or contractual obligation
- Data from judicial or administrative proceedings
- References from previous employers or business partners
- Data relating to fraud and money laundering prevention or screening in relation to export restrictions
- Data from publicly available sources, such as the Internet, the press, or public registers such as the commercial register
For What Purposes is Data Processed and on What Legal Basis?
The data is processed for different purposes and on different legal bases:
- Execution of pre-contractual measures in the context of an application or in connection with the conclusion of contracts with customers or other business partners as in the preparation of offers. Due to their function with the contractual partner, the data of their employees is also processed because we have a legitimate interest in successful business development
- Processing of employee data on the basis of contract, legal obligation, given consent, or legitimate interests
- Provision of contractual services and customer care in the performance of contracts, implementation of contractual measures, payments and accounting, guarantee of contractual claims. Due to your function at the contractual partner, data of your employees will also be processed, in which we have the legitimate interest of a successful business development. Processing of contact inquiries based on the legitimate interest of customer satisfaction or pre-contractual measures
- Communication with the media due to our legitimate interest in successful business development
- Sending personalized newsletters, carrying out other marketing measures, sending Christmas mail/gift items, as well as internal market and opinion research to address customers with regard to our companies, products, and services to increase sales after consent has been given or in special cases due to justified interests in direct marketing within the framework of existing legal requirements
- Exchange of information and maintaining contacts with the press on the basis of legitimate interests in successful business development
- Improvement of our online offers, products, and services on the basis of legitimate interests in successful business development
- Collection of data from publicly available sources on the basis of legitimate interests for customer acquisition
- To establish, maintain, and protect the operation and security of our IT, our online offer, our products, services, and other offers to prevent possible security threats, criminal offences, or other detrimental activities based on legitimate interests
- Video surveillance to safeguard property rights, to prevent damage, and ensure other measures for IT security to protect persons, as well as tangible and intangible assets
- Compliance with internal guidelines or industry standards based on legitimate interests to comply with specified regulations
- Enforcement of contracts, settlement, assertion or defense of legal claims in court or official proceedings based on our legitimate business interests
- Mergers, transfers, and acquisitions of companies, parts thereof or business units, as well as other transactions under company law, including the transfer of data on the basis of legitimate interests in successful business development or after consent has been given
- Provision of certain online offers for the management of customers and business partners, and communication within the scope of the use of online offers requiring registration (including orders, payments, document management, other information) on the basis of legitimate business interests
- Enabling the participation in interactive functions of our online offer upon request based on the legitimate interests
- Obtaining references within the framework of an application procedure after consent has been given
- Verification of identity to be able to fulfil rights and obligations under data protection law due to legal obligation
- Credit assessments due to (pre-)contractual relationships or after consent has been given
- Other data processing after consent has been given
- Fulfilment of legal obligations and duties of care to prevent or solve criminal offences, economic crime, or money laundering
- Fulfilment of the purposes that you specified when you provided the data or that we communicated when collecting the data
- In addition, data from different sources are merged together, which can also be processed for the purposes listed above. This means that within the Abacus Group we can compare, match, use, and manage customer or sales partner data of the individual companies in a central system. We may compare existing data with other sources, and correct and use them, if necessary, to ensure up-to-date and correct delivery and address data; this is based on legitimate business interests
As a business, we use various tools from US companies. We endeavour, whenever possible, to contractually agree with those companies to store data in locations in Switzerland or the EU. Nevertheless, data may be sent to their servers in the USA during use or in cases of support. Both the EU and Switzerland issued positive adequacy decisions concerning the USA after entering into the corresponding Swiss/EU-US Data Privacy Frameworks, so that a data transfer to the USA is lawful following certification of such companies.
For data processed in a Third Country that lacks an adequate level of data protection, we provide suitable safeguards, such as entering into standard data protection clauses (with adjustment of the necessary contractual and technical measures), to ensure lawful data transmission to foreign countries. We resort to legally permissible exceptions only in isolated cases, such as allowing data transmission to a Third Country that lacks an adequate level of data protection based on express consent by the data subject.
In principle, we process and store your data for as long as it is necessary and permissible for the purposes for which we have received the data. Specifically, this means that we retain your data for as long as we have a (business) relationship with you or the company for which you work, when you use our website, when you are employed, when sending newsletters, when we perform a contract or a continuing obligation, as long as you have given us your consent to store the data, as long as there are any obligations or which exist vis-à-vis us, as long as this requires a special legal situation, as in the case of legal disputes, limitation periods, or official investigations, or as long as you were informed when the data was collected.
In addition, the legislator has provided for various documentation and retention obligations and periods, so that if such a legal obligation to retain or document exists, we also store data – possibly with restrictions – for a period corresponding to the length of the obligation. For example, in Switzerland there are obligations pertaining to tax or commercial law to retain records for a period of up to 10 (ten) years and possible retention obligations of 30 (thirty) years due to existing limitation periods, in addition to special legal obligations. For this reason, the respective storage period is reviewed in individual cases for the corresponding data processing.
After you have exercised your right of revocation or objection, after the stated purposes have been achieved, or after the expiry of existing tax or commercial law, other legal, or contractual documentation and retention obligations and periods, we will delete your data or, if permissible, restrict its processing, unless you have consented to the further use of your data or unless we have expressly reserved the right to use your data in a manner that goes beyond this, which is permitted by law or contract, and we will inform you accordingly.
If you use areas that require registration or login, you should keep your login data in a safe place and ensure it is protected from access by third parties. If you are logging in via computers or other devices that are used by several people, please do not forget to log out properly after each session and close the browser window used.
We take data security very seriously and treat your data confidentially and in accordance with the legal regulations. To this end, we have taken technical and organizational measures to ensure a level of protection appropriate to the risk. Such measures may include the pseudonymization and encryption of data, security measures relating to the confidentiality, integrity, availability, and capacity of the systems, the ability to rapidly restore the availability of and access to the data in the event of a physical or technical incident, and the regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing. This is how we intend to protect your data from loss, misuse, alteration or destruction, and unauthorized access in accordance with the current state of technology. The security standard is continuously adapted to current technological developments. Our employees and contracted service providers are bound to confidentiality and act in accordance with our instructions.
There is a chance that e-mails are sent in unencrypted form (that is, they are immediately readable without the need for prior decryption), especially if you cannot access encrypted e-mails yourself. Such unencrypted e-mails are exposed to a greater risk than encrypted e-mails, which is why we hereby expressly advise you not to send confidential information such as application documents without encryption.
When you use a website form or communicate with us via e-mail, your data will be transmitted encrypted according to the current state of technology. Our website, including the areas requiring registration and login, is secured (https). Please remember that security gaps can never be completely ruled out when transferring data over the Internet. It cannot be guaranteed that all systems are 100% secure, especially when using our websites. We do not assume any liability for unauthorized actions of unauthorized third parties.
During the application procedure, data is used in the context of partially automated processing according to certain criteria to evaluate personal aspects of an applicant (profiling). We use these evaluations to make a prediction about suitability for employment. However, the decision on employment is made by the respective line managers and employees of the Human Resources department.
As a matter of principle, no decisions based exclusively on automated processing will be made when concluding a contract or its execution, which would have legal effect on you, or which would significantly affect you in a similar way. We will inform you in advance should such an event occur in individual cases and ensure that data is processed lawfully.
It is possible that different law applies to certain data processing. Thus, it must be examined in each individual case whether the Federal Act on Data Protection (FADP) and the Ordinance to the Federal Act on Data Protection (DPO) as well as national law of Switzerland or another, foreign law such as the General Data Protection Regulation and in each case national law of another state is applicable to data subjects. DeepCloud will review this on a case-by-case basis and will carry out the data processing that takes place within the framework of the respective legal requirements.
You are entitled to the following rights with regard to your data, insofar as we have been able to duly establish your identity and the respective conditions for this are met:
- Right to access
- Right of rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability
Furthermore, you have the right to assert your claims in court and to complain to a data protection supervisory authority about the processing of your data by us. We will comply with your request for deletion unless it conflicts with an obligation to retain data or we need the data to assert, exercise or defend our legal claims.
You can revoke your consent to the processing of your data at any time for the future. Such a revocation shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
If we base the processing of your data on our legitimate interests or those of a third party following a balancing of interests, you may object to such processing. In such a case, we will review your objection and either stop or adapt the data processing or show you our compelling interests worthy of protection why we want to continue the processing. These must override your interests, rights and freedoms or the processing must serve the assertion, exercise or defence of legal claims.
Should we process your data in order to conduct direct advertising with it, you have the right to object to this processing of your data for the purpose of direct advertising at any time. This also applies to any profiling that may take place if it is connected with such direct advertising. In such a case, we will stop this data processing.
You are not obliged to provide us with your data. However, it is possible that certain functions of our website will not be available or will only be available to a limited extent if you do not provide any data. Furthermore, it is possible that no contractual relationship can be entered into with you without the corresponding data.
If you have any questions about data protection or if you wish to exercise your rights, withdraw consent or object to data processing, please contact us using the contact details provided above under “Responsible party”. We have appointed a data protection officer for DeepCloud.
They are available at:
If you have any questions about data protection, please feel free to contact us at any time.