Agreement on Order Processing

Order Processing Agreement (“Agreement”) between Rocky Capital AG (“ROCKY”) and Customers pursuant to the GTC Hosting


1. Preamble

As part of the performance of the contract for hosting services concluded between the parties (“Hosting Agreement”), ROCKY processes personal data of the Client. This Agreement contains the provisions to be complied with by ROCKY when processing such Personal Data and forms an integral part of ROCKY’s General Terms and Conditions for Hosting Services (“Hosting T&C”). It applies when ROCKY acts as an order processor on behalf of the customer.

2. Processing of Personal Data for the Performance of the Contract

ROCKY processes the Personal Data exclusively on behalf of the Customer for the performance of the Hosting Contract. The duration of the processing corresponds to the term of the hosting contract. ROCKY is prohibited from processing personal data in any other way, in particular from processing personal data for its own purposes. ROCKY guarantees that it will process the personal data in accordance with the provisions of this agreement and the Swiss Data Protection Act (DSG).

3. Use of Subcontractors by ROCKY

Subcontractors engaged by ROCKY for the provision of services must be approved in advance by the client. For the provision of hosting services, Sora uses the following subcontractors:

If ROCKY involves a new subcontractor for the provision of services (or if one is replaced), ROCKY will notify the customer in the administrative area of Sora’s website. If the customer does not agree with the subcontractor, he has the right to terminate the hosting contract by e-mail within 30 calendar days after the notification of the subcontractor. If no notice of termination is given, the contract shall be deemed to have been approved.

ROCKY will only use subcontractors for the processing of personal data who guarantee compliance with the provisions of this agreement. ROCKY will carefully select, instruct and monitor these subcontractors during the term of the Agreement. ROCKY shall ensure that the obligations of this agreement are imposed on these subcontractors mutatis mutandis.

4. Powers of the Client to Issue Instructions

ROCKY may process the Personal Data exclusively in accordance with the Client’s instructions, unless ROCKY is required by law to process it otherwise. ROCKY shall ensure that the client can also exercise the right to issue instructions in relation to subcontractors engaged in accordance with section 3.

5. Place of Processing of Personal Data

The processing of personal data by ROCKY takes place exclusively within the territory of Switzerland. Processing outside Switzerland requires the client’s prior consent (by e-mail or by means of an electronic form) and may only take place if the legal requirements for the disclosure of personal data abroad are met.

6. Compliance with Confidentiality

ROCKY confirms that all persons and subcontractors pursuant to section 3 who process personal data are obliged to maintain confidentiality with regard to the processing of personal data and to comply mutatis mutandis with the provisions of this agreement. ROCKY shall ensure that natural persons under its control and third parties who have access to Personal Data shall only process it on ROCKY’s instructions, unless they are required by law to process it.

7 Requirements Systems and Security of Processing

ROCKY ensures that it only uses systems for the processing of Personal Data that are designed to support data protection through technical system design appropriate to the processing situation. ROCKY shall implement and maintain for the duration of the processing of Personal Data all appropriate technical and organizational measures necessary to ensure a level of protection of the Personal Data appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of the processing of the Personal Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the Data Subjects. ROCKY is entitled to change the technical and organizational measures, provided that it is ensured that the contractually agreed level of protection is not undercut.

8. Rights of Data Subjects

ROCKY will support the client with technical and organizational measures in fulfilling its obligation to respond to requests to exercise the rights of data subjects. ROCKY is entitled to invoice for the time spent in connection with this in accordance with the then current rates. Insofar as a data subject submits a request to exercise his/her rights directly to ROCKY, ROCKY will forward this request to the client without delay.

9. Obligation to Notify and Assist in the Event of Breaches of Personal Data Protection

ROCKY shall notify the client immediately after becoming aware of any breach of personal data protection, in particular incidents resulting in the destruction, loss, alteration or unauthorized disclosure of or access to personal data (“data security incident”).

In the event of a Data Security Incident, ROCKY will support the client in its related clarification, remedial and information measures to the extent reasonable. In particular, ROCKY will immediately take all reasonable measures to minimize and eliminate the threats to the integrity or confidentiality of the personal data that have arisen, to secure the personal data and to prevent possible adverse consequences for data subjects or to limit their effects as far as possible. If the data security incident was not caused by ROCKY, ROCKY is entitled to invoice for the time spent in connection with it in accordance with the then current rates.

10. Checks and Support by ROCKY

The client is entitled to verify compliance with the provisions of this agreement himself or through a third party designated by him, who is trustworthy and bound to secrecy. The client must give ROCKY at least 30 days’ notice of a request for verification. The review must take place during normal business hours and take into account SORA’s business activities. Unless otherwise ordered by the regulatory authority, the review may be requested by the client no more than once a year.

If the client is obliged to provide information to a governmental authority regarding the personal data or its processing, ROCKY shall assist the client in providing such information upon request, in particular by providing information and documents regarding the contractual processing of personal data, including the technical/organizational measures taken by ROCKY and the locations of the processing of personal data.

ROCKY is entitled to invoice for the time spent in connection with the services under this clause 10 in accordance with the then current rates.

11. Deletion and Return of Data

The provisions of the Hosting GTC and the SLA apply to the deletion of personal data. ROCKY ensures that the client can download or delete the personal data at any time.

12. Duration of this Agreement

The duration of this agreement corresponds to the duration of the hosting contract. Upon termination of the Hosting Agreement, this Agreement shall also terminate without the need to terminate this Agreement.