Data Processing Agreement

Data Processing Agreement

Last updated November 2025

Introduction

This Data Processing Agreement (DPA) forms part of the Luminocity AG (“GeoVision”, “We”, “Us”, “Our”) Terms and Conditions (the “MSA”).

WHEREAS, GeoVision shall provide the Software and the Services as set forth in the MSA for you (collectively, “You”, “Your”); and

WHEREAS, in the course of providing the Software and the Services pursuant to the MSA, GeoVision may process Personal Data on your behalf, in the capacity of a “Data Processor”, and the Parties wish to set forth the arrangements regarding such processing.

NOW THEREFORE, in consideration of the foregoing, the Parties agree as follows:

1. INTERPRETATION AND DEFINITIONS

1. The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or Sections are references to the clauses or Sections of this DPA unless stated otherwise. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined in this Section 1.2 or elsewhere in this DPA shall have the meanings assigned to such terms elsewhere in the MSA.
2. Definitions:
1. “Data Protection Laws” means all applicable data protection and privacy laws governing the Processing of Personal Data under this Agreement, including the Swiss Federal Act on Data Protection (FADP), the General Data Protection Regulation (EU) 2016/679 (GDPR), and any implementing laws of the European Economic Area, its Member States, each as amended, replaced or superseded from time to time.
2. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
3. “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
4. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
5. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, and shall include information as defined under the FADP where applicable.
6. “Customer Data” means Personal Data that is provided to us by You or on Your behalf or otherwise obtained or processed by or on behalf of us throughout Your and Your personnel’s use of the Software and the Services, e.g. when uploading or creating Personal Data throughout one of Your projects that we host on our Platform. Customer Data excludes Customer Relationship Data.
7. “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
8. “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
9. “Customer Relationship Data” means all data provided to us by You or on Your behalf or otherwise obtained or processed by or on behalf of us through an engagement with GeoVision to obtain the Software and the Services, including pseudonymized, aggregated and/or statistical data relating to or derived from Your and Your personnel’s use of the Software and the Services, such as analytics, metadata and audit logs.
10. “Sub-processor” means any Processor engaged by GeoVision and/or GeoVision’s Affiliates.
11. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or by the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland pursuant to the FADP.
12. “Swiss Standard Contractual Clauses” or “Swiss SCCs” means, where applicable, the standard contractual clauses recognized by the FDPIC or otherwise adopted to govern international data transfers under the FADP, as updated, amended, replaced or superseded from time to time.

2. PROCESSING OF PERSONAL DATA

1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Data, GeoVision is a Data Processor.
2. Your Processing of Personal Data. You shall, in Your use of the Software and Services, Process Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations set out therein. You shall have the sole responsibility for how You acquire Personal Data and for ensuring that Your instructions for the Processing of Personal Data and Your and Your users’ use of the Software and the Services shall at all times comply with Data Protection Laws. Without limitation, You shall comply with all transparency-related obligations (including displaying any and all relevant and required privacy notices or policies) and shall have all required legal bases to collect, Process and transfer to GeoVision the Personal Data for Processing in accordance with this DPA.

3. GEOVISION’S PROCESSING OF CUSTOMER DATA

1. GeoVision shall Process Customer Data solely in accordance with Your documented instructions, as necessary for the provision of the Software and the Services, and for the performance of the MSA, this DPA and Data Protection Laws, unless otherwise required by law; in such a case, GeoVision shall inform You of the legal requirements before Processing, unless applicable law prohibits such information on important grounds of public interest. The duration, nature and purpose of the Processing, as well as the types of Customer Data Processed and categories of Data Subjects are also specified in Schedule 1 to this DPA.
2. If and to the extent GeoVision cannot comply with an instruction from You or where GeoVision considers such an instruction to be unlawful, (i) GeoVision shall inform You providing reasonable details of the issue, (ii) GeoVision may, without any kind of liability towards You, temporarily cease all Processing of the affected Customer Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the contract relating to the affected Software and Services and this DPA with respect to the affected Processing, and You shall pay to GeoVision all unpaid amounts owed to GeoVision up to termination effective date. You will have no further claims against GeoVision (including, without limitation, requesting refunds for Software or Services) due to the termination of the contract relating to the affected Software and Services and the DPA in the situation described in this paragraph.
3. We shall notify You without undue delay if, in our opinion, your instructions do not comply with Data Protection Legislation. GeoVision will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of GeoVision, to the extent that such is a result of Your instructions.

4. GEOVISION PERSONNEL

Confidentiality. GeoVision shall grant access to the Customer Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons engaged in the Processing of Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. GeoVision may disclose and Process Customer Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws (in such a case, GeoVision shall inform You of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.

5. SECURITY

1. Controls for the Protection of Customer Data. GeoVision shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR and the corresponding provisions of the Swiss Federal Act on Data Protection (FADP) to ensure the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data, as set forth in the Security Documentation, which is hereby approved by You. GeoVision regularly monitors compliance with these measures and shall notify You of any material changes to the Security Documentation. Upon Your request, GeoVision shall demonstrate the implementation of such measures. GeoVision will reasonably assist You in complying with Articles 32 to 36 of the GDPR and the relevant provisions of the FADP, taking into account the nature of the processing and the information available to GeoVision.
2. Third-Party Certifications and Audits. Upon Your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, GeoVision shall allow for and contribute to audits at Your cost and expense, and make available to You a copy of GeoVision’s then most recent third-party audits or certifications, as applicable, provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by You to assess compliance with this DPA and/or with applicable Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without GeoVision’s prior written approval and, upon GeoVision’s first request, You shall return all records or documentation in Your possession or control provided by GeoVision in the context of the audit and/or the certifications. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that does not belong to You. If and to the extent You commission third parties to carry out such audits, such third parties must (i) not be competitors of GeoVision and (ii) be subject to at least industry standard confidentiality obligations for the protection of GeoVision’s trade and business secrets.

6. TRANSFERS OF DATA TO THIRD COUNTRIES

1. Customer Data may be transferred from Switzerland or the European Economic Area (EEA) to countries that offer an adequate level of data protection pursuant to an adequacy decision issued by the European Commission or the Swiss Federal Council, without any additional safeguards being required.
2. Transfers to Third Countries. If the Processing of Customer Data involves transfers from Switzerland or the EEA to countries that do not offer an adequate level of data protection (“Third Countries”), the Parties shall comply with Articles 44 et seq. of the GDPR and the corresponding provisions of the Swiss Federal Act on Data Protection (FADP). This includes, where necessary, the execution of the applicable Standard Contractual Clauses adopted by the European Commission, or the use of any other valid transfer mechanism recognized under the GDPR or the FADP for such transfers of Personal Data to Third Countries.

7. RIGHTS OF DATA SUBJECTS

Data Subject Request. If GeoVision receives a request from a Data Subject to exercise its data subject rights (” Data Subject Request “), GeoVision shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to You. Taking into account the nature of the Processing, GeoVision shall use commercially reasonable efforts to assist You by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Your obligations to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, You shall be responsible for any costs arising from GeoVision’s provision of such assistance.

8. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

To the extent required under applicable Data Protection Laws, GeoVision shall notify You without undue delay, if feasible within 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, transmitted, stored or otherwise Processed by GeoVision or its Sub-processors of which GeoVision becomes aware (a ” Data Incident “). GeoVision shall make reasonable efforts to identify the cause of such Data Incident and take those steps as GeoVision deems necessary, possible and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within GeoVision’s reasonable control. Except for the notification, the obligations herein shall not apply to Data incidents caused by You or Your users. In any event, You will be the responsible for notifying Supervisory Authorities and/or Data Subjects (where required by Data Protection Laws and Regulations).

9. RETURN AND DELETION OF CUSTOMER DATA

GeoVision shall, at Your choice, after the end of the provision of the Software and/or Services, delete or return the Customer Data to You and shall delete existing copies unless applicable law requires further storage of the Customer Data. In any event, to the extent permitted by applicable law, GeoVision may retain one copy of the Customer Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. The Customer Data shall be returned in the format generally available for GeoVision’s customers. The obligations to delete or return Customer Data pursuant to this Section 9 shall not apply if and to the extent You can retrieve and/or delete Your Customer Data yourself using the features of the Software and/or Services provided in this regard.

10. TERMINATION

This DPA shall automatically terminate upon the termination or expiration of the agreement under which the Software and/or the Services are provided. Sections 2.2 and 11 shall survive the termination or expiration of this DPA for any reason.

11. LIABILITY LIMITATIONS

The liability limitations set out in the MSA shall apply accordingly to this DPA. For the avoidance of doubt, the liability of GeoVision towards data subjects under applicable Data Protection Laws shall not be limited.