Order processing conditions
1. Object
Exxas AG (hereinafter “Exxas”) and the other contracting party (hereinafter “Customer”) have concluded a contract (in its current version) under which the contract processing services are provided (hereinafter “Contract”). These data processing conditions (hereinafter “data processing conditions” or “processing conditions”) supplement the contract and the general terms and conditions (GTC) of Exxas and form an integral part of the contract.
These data processing conditions come into force on the date the contract starts. If a representative of the customer concludes these data processing conditions on behalf of the customer, the representative warrants that it (a) is fully legally authorized to enter into these data processing conditions on behalf of the customer, (b) has read and understood these data processing conditions and (c) accepts these data processing conditions on behalf of the customer it represents.
2. Introduction
These data processing conditions contain the agreement between the parties on the regulations that apply to the processing and security of the customer's personal data in connection with data protection regulations.
3. Definitions and Interpretation
In these data processing conditions, the following definitions apply:
- Contract processing services (also referred to in these data processing conditions as data processing services, order processing services or processor services) means the following relevant Exxas services, which fall within the scope of the data processing conditions:
- Exxas
Exxas is entitled to update this list in accordance with the provisions of the data processing conditions.
- Data protection regulations means, where applicable: (a) the GDPR and/or (b) the Federal Data Protection Act (DSG, Switzerland) of 2023.
- Data incident means a security incident at Exxas that results in the accidental or unlawful destruction, loss, alteration of, or unauthorized disclosure of or access to, the customer's personal data on systems managed by Exxas or otherwise controlled by Exxas. The term “data incident” does not include unsuccessful access attempts or similar events that do not compromise the security of the customer's personal data, such as unsuccessful login attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
- DSG means the Swiss Data Protection Act (235.1), which came into force on September 1, 2023. It aims to protect the personality and fundamental rights of natural persons about whom personal data is processed.
- Email address for notifications means the email address (if available) provided by the customer via the data processing service user interface or other options provided by Exxas to receive certain notifications from Exxas regarding these data processing terms.
- EEA means the European Economic Area.
- Exxas means Exxas AG, which is the party to the contract.
- Exxas group companies means companies affiliated with Exxas, such as parent, subsidiary and sister companies.
- Term means the period between the date of entry into force of the contract and the end of the provision of processor services by Exxas in accordance with the contract.
- Customer's personal data means personal data that is processed by Exxas on behalf of the customer as part of the provision of contract processing services.
- Sub-processor means third parties who are authorized under these data processing conditions to logically access and process the customer's personal data in order to provide parts of the data processing services and to provide related technical support.
- Affiliated company means any legal entity that directly or indirectly controls, is controlled by, or is under common control with one of the parties to the contract.
- Additional product means a product, service, or application from Exxas or a third party that (a) is not part of the data processing services and (b) is available for use via the user interface of the data processing services or is otherwise integrated into the data processing services.
The terms controller (responsible person), data subject, personal data, processing, processor and supervisory authority each have the same meaning in these data processing conditions as assigned to them in the GDPR.
Phrases introduced by words such as “including” or a similar expression must be interpreted as purely illustrative and are not intended to restrict the meaning of the preceding wording. Any examples given in these data processing conditions are for illustrative purposes only and are not meant as exclusive examples of a particular concept.
References to laws or legal regulations refer to their current status and to the version valid at the time and possibly amended or revised.
4. Duration of these data processing conditions
These data processing conditions come into force on the specified date of the contract and remain in force — regardless of whether the term has expired — until Exxas has deleted all personal customer data in accordance with these data processing conditions, at which point these data processing conditions automatically expire.
5. Applicability of these data processing conditions
These data processing conditions apply only to the extent that data protection regulations apply to the processing of the customer's personal data, including when:
- (a) Processing takes place as part of the activities of a customer's establishment in the EEA or in Switzerland and/or
- (b) Customer personal data represents personal data relating to data subjects located in the EEA or Switzerland and the processing relates to offering goods or services or monitoring behavior in the EEA or Switzerland.
6. Processing of data
6.1 Distribution of roles and compliance with legal requirements; authorization.
6.1.1 Responsibilities of the processor and the controller.
The contracting parties confirm and agree that:
- (a) Annex 1 describes the subject matter and details of the processing of the customer's personal data,
- (b) Exxas acts as a processor of customer personal data in accordance with data protection regulations,
- (c) the customer acts as a controller or processor of the customer's personal data in accordance with data protection regulations, and
- (d) each party is required to comply with the obligations that apply to the respective party in relation to the processing of the customer's personal data in accordance with data protection legislation.
6.1.2 Authorization by a third party as the controller.
If the customer is itself a processor, the customer warrants to Exxas that its instructions and measures regarding the customer's personal data, including the use of Exxas as another processor, have been authorized by the relevant controller.
6.2 Customer instructions.
By agreeing to these data processing conditions, the customer instructs Exxas to process the customer's personal data in accordance with applicable law: (a) to provide the data processing services and related technical support; (b) as further specified through the customer's use of the data processing services (including through the settings and functionalities of the data processing services) and related technical support; (c) as documented in the contract, including these data processing conditions; and (d) as additionally documented in other written instructions given by the customer and formally accepted by Exxas as instructions within the meaning of these data processing conditions.
6.3 Compliance with instructions by Exxas.
Exxas will follow the instructions set out in Section 6.2 (Customer instructions) (including with regard to the transfer of data), unless EU law, the law of an EU member state or the law of Switzerland applicable to Exxas requires Exxas to process the customer's personal data otherwise; in such a case, Exxas will inform the customer accordingly (unless the relevant law prohibits Exxas from doing so on important grounds of public interest).
6.4 Additional products.
If the customer uses additional products, the data processing services may give these additional products access to the customer's personal data, insofar as this is necessary for the interaction between the additional products and the data processing services. For clarity, these data processing conditions do not apply to the processing of personal data in connection with the provision of additional products used by the customer, including personal data submitted by or to these additional products.
7. Deletion of data
7.1 Deletion during the term.
7.1.1 Order processing services with deletion function.
If during the term:
- (a) the software functionalities of contract processing services provide the customer with an opportunity to delete or anonymize the customer's personal data,
- (b) the customer uses the order processing services to delete certain of the customer's personal data and
- (c) the customer's deleted personal data cannot be recovered by the customer (e.g. from the 'recycle bin'),
Exxas will then delete the customer's personal data from its systems as early as is appropriate and practicable and at the latest after a period of 180 days, unless an EU law, the law of an EU member state or the law of Switzerland requires storage.
7.1.2 Contract processing services without deletion function.
If the software functionalities of the contract processing services do not provide an option that enables the customer to delete the customer's personal data during the term, then Exxas will:
- (a) comply with any reasonable request from the customer to obtain such deletion, insofar as this is possible taking into account the nature and functioning of the data processing services and unless an EU law, the law of an EU member state or the law of Switzerland requires storage, and
- (b) comply with the data retention procedures of the contract processing services.
Exxas is entitled to demand reimbursement of the costs of deleting data in accordance with Section 7.1.2 (a). Prior to such deletion, Exxas will provide the customer with further details of the costs arising in each case and the basis for calculating these costs.
7.2 Deletion after expiry of the term.
The customer instructs Exxas to delete all of the customer's personal data (including all existing copies) from Exxas systems at the end of the term in accordance with applicable law. Exxas will comply with this instruction as soon as is appropriate and practicable and at the latest after a period of 180 days, unless an EU law, the law of an EU member state or the law of Switzerland requires storage.
8. Data security
8.1 Security measures and assistance provided by Exxas.
8.1.1 Exxas Security Measures.
Exxas implements and maintains technical and organizational measures to protect the customer's personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Appendix 2 (Security measures). As described in Appendix 2, the security measures include measures:
- (a) to encrypt personal data,
- (b) that help maintain or ensure the confidentiality, integrity, availability, and resilience of Exxas' systems and services on an ongoing basis,
- (c) that help restore access to personal data in a timely manner following an incident, and
- (d) to regularly test the effectiveness of these measures.
Exxas may occasionally update or adjust the security measures, provided that such updates and adjustments do not result in a decrease in the overall security of the data processing services.
8.1.2 Compliance with security measures by Exxas personnel.
Exxas is required to take reasonable steps to ensure compliance with security measures by Exxas employees, contractors, and sub-processors to the extent appropriate for their respective areas of responsibility and to ensure that all persons authorized to process customer personal data have committed themselves to secrecy or comply with legal confidentiality obligations.
8.1.3 Assistance from Exxas.
The customer agrees that Exxas (taking into account the nature of the respective processing of the customer's personal data and the information available to Exxas) will assist the customer in complying with all of the customer's obligations with regard to the security of personal data and in the event of a data security breach, including, to the extent applicable, the customer's obligations under Articles 32 to 34 GDPR, or Art. 8 and Art. 9 DSG, by:
- (a) implementing and maintaining security measures in accordance with Section 8.1.1 (Exxas security measures),
- (b) complying with Section 8.2 (Data incidents), and
- (c) providing security documentation to the customer in accordance with Section 8.4.1 (Review of security documentation) and the information contained in these data processing conditions.
8.2 Data incidents
8.2.1 Reporting data incidents.
If Exxas becomes aware of a data incident, Exxas is required to:
- (a) immediately report the data incident to the customer; and
- (b) promptly take appropriate measures to minimize damage and secure the customer's personal data.
8.2.2 Detailed information on data incidents.
Reports in accordance with Section 8.2.1 include, as far as possible, details of the data incident, information about the measures taken to minimize the potential risk, and the steps Exxas recommends to the customer to respond to the data incident.
8.2.3 Submission of notifications.
Exxas will send reports of data incidents to the email address for notifications, or, at Exxas' discretion (e.g. if the customer has not provided an email address for reports), via another direct means of communication (e.g. by telephone or a personal meeting). The customer is solely responsible for providing the email address for notifications and must ensure that the email address for notifications is always up to date and valid.
8.2.4 Reports to third parties.
The customer is solely responsible for complying with legal requirements for reporting incidents and for complying with corresponding reporting obligations to third parties in the event of data incidents.
8.2.5 No admission by Exxas.
The reporting of a data incident by Exxas, or Exxas' response to a data incident in accordance with this Section 8.2 (Data incidents), shall not be construed as an admission by Exxas of any fault or liability for the data incident.
8.3 Customer's responsibilities for security and security assessment.
8.3.1 Customer Responsibilities for Security.
Without prejudice to Exxas' obligations under Sections 8.1 (Security measures and assistance from Exxas) and 8.2 (Data incidents):
- (a) the customer is solely responsible for its use of the contract processing services, including:
- (i) using the processor services in an appropriate manner to ensure a level of security that is appropriate to the risk of processing the customer's personal data, and
- (ii) protecting the authentication credentials, systems and devices that the customer uses to access the data processing services; and
- (b) Exxas is not responsible for protecting customer personal data that the customer chooses to store or transfer outside of Exxas' systems or the systems of Exxas' sub-processors.
8.3.2 Security assessment by the customer.
The customer acknowledges and agrees that (taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing of the customer's personal data and the associated risks for individuals) the security measures implemented and maintained by Exxas in accordance with Section 8.1.1 (Exxas Security Measures) achieve a level of security that is commensurate with the risks associated with the processing of the customer's personal data.
8.4 Audits and compliance audits
8.4.1 Review of security documentation.
In order to demonstrate compliance with Exxas' obligations under these data processing conditions, Exxas is required to make the security documentation available to the customer for review.
8.4.2 Customer's audit rights.
Exxas will enable the customer or an independent auditor appointed by the customer to carry out audits (including inspections) in accordance with Section 8.4.3 (Additional audit conditions) to verify that Exxas is meeting its obligations under the data processing conditions. Exxas will support such audits as described in this Section 8.4 (Audits and compliance audits).
8.4.3 Additional audit conditions.
- (a) The customer must submit any request for an audit under Section 8.4.2 in accordance with Section 13.1 (Contacting Exxas).
- (b) Upon receipt of a request in accordance with Section 8.4.3 (a), Exxas and the customer will jointly discuss and agree in advance on a reasonable start date, scope and duration of, and the security and confidentiality measures applicable to, the respective audit under Section 8.4.2.
- (c) Exxas is entitled to claim reimbursement of the costs of each audit in accordance with Section 8.4.2. Prior to each audit, Exxas will provide the customer with further details of the costs involved and the basis for calculating these costs. Any costs incurred in commissioning and carrying out an audit by an independent auditor commissioned by the customer are borne solely by the customer.
- (d) Under these data processing terms, Exxas is not required to disclose to the customer or an independent auditor appointed by the customer the following, or to allow the customer or an independent auditor to access:
- i. data from any other customer of an Exxas group company;
- ii. internal accounting or financial information of an Exxas group company;
- iii. Business secrets of an Exxas group company;
- iv. information that, in Exxas' reasonable assessment, could (A) jeopardize the security of systems or premises of an Exxas group company or (B) cause an Exxas group company to breach its obligations under data protection regulations or its security or data protection obligations to the customer or to third parties; or
- v. information that the customer or its independent auditor seeks to access for any reason other than the good-faith fulfillment of the customer's obligations under data protection regulations.
9. Impact assessments and consultations
The customer agrees that Exxas (taking into account the nature of the processing and the information available to Exxas) will assist the customer in fulfilling its obligations for data protection impact assessments and prior consultations, including, where applicable, the obligations set out in Articles 35 and 36 GDPR, or Art. 22 and Art. 23 DSG, by:
- (a) providing security documentation in accordance with Section 8.4.1 (Review of security documentation);
- (b) providing the information already included in these data processing conditions; and
- (c) providing or otherwise making available, in accordance with Exxas' standard procedures, other materials (such as help articles and customer center contributions) relating to the nature of the data processing services or the processing of the customer's personal data.
10. Rights of data subjects
10.1 Responding to inquiries from data subjects.
If Exxas receives a request from a data subject regarding the customer's personal data, Exxas will ask the data subject to submit their request to the customer; the customer will be solely responsible for responding to such request.
10.2 Assistance from Exxas with inquiries from data subjects.
The customer agrees that Exxas (taking into account the nature of the processing of the customer's personal data and, if applicable, Article 11 GDPR, or Articles 25-29 DSG) will assist the customer in fulfilling its obligations to respond to inquiries from data subjects, including, where applicable, inquiries relating to the rights of data subjects under Chapter III of the GDPR, by:
- (a) providing the functionalities of the contract processing services, and
- (b) complying with the obligations set out in Section 10.1 (Responding to inquiries from data subjects).
11. Data transfers
The customer agrees that Exxas may store and process the customer's personal data in Switzerland.
12. Sub-processors
12.1 Authorization to engage sub-processors.
The customer expressly approves the appointment of Exxas affiliated companies as sub-processors. In addition, the customer generally approves that Exxas may also engage third parties as sub-processors.
12.2 Requirements for engaging sub-processors.
If Exxas engages sub-processors, Exxas will:
- (a) ensure, by means of a written contract, that:
- (i) the sub-processor only accesses and uses the customer's personal data to the extent necessary to fulfill the obligations subcontracted to it, and does so in each case in compliance with the contract (including these data processing conditions), and
- (ii) the data protection obligations set out in Article 28 (3) GDPR are imposed on the sub-processor if the GDPR applies to the processing of the customer's personal data, and
- (iii) the requirements of Art. 9 DSG are fully taken into account and implemented, and
- (b) remain fully liable for all obligations subcontracted to sub-processors and for all acts and omissions of its sub-processors.
12.3 Options for objecting to subcontracting changes.
- (a) If a new third-party sub-processor is engaged during the term, Exxas will notify the customer of the engagement at least 30 days before that new third-party sub-processor is entrusted with the processing of the customer's personal data, by sending an email to the email address for notifications (including the name and location of the relevant sub-processor and the activities that it will perform).
- (b) The customer may object to the use of a new third-party sub-processor by immediately terminating the contract in writing; this must be done within 90 days of receipt of the notification of the appointment of the respective sub-processor, as described in Section 12.3 (a). This right of termination is the customer's sole and exclusive remedy if it does not agree to the use of a new third-party sub-processor.
13. Contacting Exxas; records of processing
13.1 Contacting Exxas.
The customer may contact Exxas by email (info@exxas.net or datenschutz@exxas.net) to exercise its rights under these data processing conditions.
13.2 Exxas' data processing records.
Customer acknowledges that Exxas is required under the GDPR to: (a) make and maintain records of certain information, including the name and contact details of each processor and/or controller on whose behalf Exxas acts and (if applicable) information about the local representative and the data protection officer; and (b) to make this information available to regulatory authorities. Accordingly, the customer is required, upon request and to the extent applicable to the customer, to provide this information to Exxas via the data processing services user interface or through other options that Exxas may provide for this purpose and to use the user interface or any other means provided for this purpose to ensure that this information is always accurate and up-to-date.
14. Liability
Liability under or in connection with these data processing conditions is subject to the liability limitations and exclusions of the contract.
15. Validity of these data processing conditions
In the event of a conflict or discrepancy between these data processing conditions and the contract, the provisions of these data processing conditions shall prevail. Except as amended by these data processing conditions, the contract remains in full force and effect.
16. Amendments to these data processing conditions
16.1 Changes to data processing conditions.
Exxas may change these data processing terms if such change:
- (a) is expressly permitted by these data processing conditions,
- (b) takes account of a change of company name or a change of legal form;
- (c) is necessary to comply with applicable law, regulations, a court decision, or a requirement of a government regulatory or supervisory authority; or
- (d)
- (i) does not result in a decrease in the overall security of contract processing services,
- (ii) does not expand the scope of these data processing conditions or remove restrictions as described in Section 6.3 (Compliance with instructions by Exxas) with regard to the processing of customer personal data by Exxas, and
- (iii) does not otherwise have any significant adverse effects on the customer's rights under these data processing conditions (this will be determined in an appropriate manner by Exxas).
16.2 Notification of changes.
If Exxas intends to change these data processing terms in accordance with Section 16.1 (c) or (d), Exxas will notify the customer in advance (or within a shorter period if required by applicable law, applicable regulations, a court decision or a requirement of a government regulatory or supervisory authority) by: (a) sending an email to the email address for notifications or (b) by notification via the user interface of the contract processing service. If the customer wishes to object to a change, the customer may cancel the contract by giving written notice to Exxas within 90 days of receipt of notification of the change by Exxas.
Appendix 1: Subject matter and details of data processing
Subject matter
Provision of contract processing services and related technical support services to the customer by Exxas.
Duration of data processing
During the contract period and in addition for a period of time between the end of the contract period and until all of the customer's personal data is deleted by Exxas in accordance with these data processing conditions.
Type and purpose of data processing
Exxas processes the customer's personal data for the purpose of providing the customer with contract processing services and related technical support in accordance with these data processing conditions. Depending on the respective processor service and the instructions described in Section 6.2 (Customer instructions), processing by Exxas includes collection, recording, organization, structuring, alteration, retrieval, use, disclosure, combination, erasure or destruction.
Types of personal data
Customer personal data may include the following types of personal data:
- Online identifiers (including cookie identifiers)
- Names, email addresses, dates of birth, telephone numbers and other personal data
- Identification numbers and provided IDs
- Bank details such as account numbers
- Photos and images, audio and video recordings
- Internet protocol addresses and device identifiers
Categories of affected persons
Customer personal data concerns the following categories of data subjects:
- Data subjects about whom Exxas collects personal data as part of the provision of contract processing services; and/or
- Data subjects who transfer personal data to Exxas at the instigation or on behalf of the customer in connection with contract processing services.
Depending on the type of processor service in question, data subjects may include individuals:
- (a) for whom support requests were made,
- (b) for whom services were provided,
- (c) for whom services were provided on behalf of the customer,
- (d) who have accessed certain websites or applications for which Exxas provided contract processing services, and/or
- (e) who are customers or users of the customer's products or services.
Appendix 2: Security measures
Exxas is committed to implementing and maintaining the security measures contained in this Appendix 2 as of the specified date of the contract. Exxas may update or change these security measures from time to time, provided that such updates and changes do not result in a decrease in the overall security of the data processing services.
1. Data center and network security
(a) Infrastructure. Exxas operates geographically distributed data centers. Exxas stores all production data in physically secured data centers.
Redundancy. The infrastructure was designed to eliminate single points of failure and to minimize the impact of anticipated environmental risks. Dual circuits, switches, networks, and other required devices help achieve this redundancy. The contract processing services are designed so that Exxas can carry out certain preventive and corrective maintenance without interruption. Documented preventive maintenance procedures exist for all plants and facilities and describe in detail the process and frequency of maintenance in accordance with manufacturer specifications or internal requirements. Preventive and corrective maintenance of the data center systems is planned using a standard process in accordance with documented procedures.
Energy. Data center power systems are designed to be redundant and to be maintainable without affecting continuous operation (24 hours a day, 7 days a week). In most cases, both a primary and an alternative power source, each with the same capacity, are available for critical infrastructure components in the data centers. Backup power is provided by various mechanisms, such as uninterruptible power supply (UPS) batteries, which provide consistently reliable power protection in the event of voltage drops, power outages, overvoltage, undervoltage and out-of-tolerance frequency conditions from the energy supplier.
Server operating systems. Exxas servers use hardened operating systems that are tailored to the specific operational requirements. Data is stored using proprietary algorithms to increase data security and redundancy. Exxas uses a code review process to increase the security of the code used to provide the contract processing services and to improve the security of products in production environments.
Maintaining operations. Exxas replicates data across multiple systems to help protect it from accidental destruction or loss. Exxas has designed business continuity plans and disaster recovery programs, which it continues to develop and test.
(b) Networking and transmission.
Data transfer. Data centers are usually connected via high-speed direct connections (high-speed private links) to provide secure and fast data transfer between data centers. This method is designed to prevent unauthorized reading, copying, alteration or removal of data during electronic transmission or transport or while stored on data carriers. Exxas transmits data using standard Internet protocols.
External attack surface. Exxas maintains multiple layers of network devices and intrusion detection systems to secure the external attack surface. Exxas considers potential attack vectors and integrates appropriate, specially developed technologies into externally accessible systems.
Intrusion detection. The intrusion detection measures aim to provide insight into ongoing attack activity and to provide appropriate information for responding to incidents. Exxas' intrusion detection measures include:
- rigorously monitoring the size and development of Exxas' attack surface through preventive measures,
- the use of intelligent detection controls at data collection points, and
- the use of technologies that automatically stop certain hazardous situations.
Response to incidents.
Exxas monitors a variety of communication channels for security incidents. Exxas staff will respond immediately to known incidents.
Encryption technologies.
Exxas provides HTTPS encryption (also known as an SSL or TLS connection). Exxas servers support ephemeral elliptic-curve Diffie-Hellman key exchange signed with RSA and ECDSA keys. Perfect forward secrecy (PFS) helps protect data traffic and minimizes the impact of a compromised key or a cryptographic breakthrough.
2. Access and access controls
(a) Physical access control.
- On-site monitoring of data centers. Some of Exxas' data centers have an on-site security service that is responsible for all physical security measures of the data center 24 hours a day, 7 days a week. On-site security personnel monitor the surveillance cameras and all alarm systems and carry out regular patrols inside and outside the data center. Passively monitored data centers have comprehensive video surveillance 24 hours a day, 7 days a week; they are alarm-protected, and an alarm triggers an immediate response.
- Procedures for access to data centers. Exxas has various access control procedures for physical access to data centers. The data centers are located in facilities that require keys and/or biometric access procedures for entry. Only authorized employees, contractors and visitors are granted access to the data centers, and only authorized employees may request access rights to these facilities.
- On-site security facilities for data centers. Exxas' data centers have a locking system and/or a biometric access control system. Security cameras operate both inside and outside the data centers and are positioned to cover strategic areas. Secured cabling connects the surveillance camera equipment throughout the data center. The cameras record on site 24 hours a day, 7 days a week. Recordings are retained for at least 7 days, and longer depending on the activity concerned.
(b) Logical access control.
Access control and rights management. Administrators and end users must authenticate via a central authentication system or a single sign-on system in order to use the contract processing services.
Internal data access processes and policies. Exxas' internal data access processes and policies are designed to prevent unauthorized persons and/or systems from accessing the systems used to process personal data. Exxas designs its systems so that (i) only authorized persons have access to the data they are authorized to access, and (ii) personal data cannot be read, copied, modified or deleted without appropriate authorization during processing, during use and after storage. The systems are designed to detect as many unauthorized access attempts as possible.
Exxas uses a centralized access management system to control employee access to production servers and grants such access only to a limited number of authorized employees. LDAP, Kerberos and a proprietary system based on SSH certificates provide secure and flexible access mechanisms, designed so that access to hosts, log files, data and configuration information is granted only with appropriate authorization. Exxas requires unique user IDs and secure passwords, two-factor authentication, and carefully monitored access lists to minimize the opportunities for unauthorized use of an account. Access rights for authorized personnel are granted or changed on the basis of the person's professional responsibilities, the requirements of the respective position for performing authorized tasks, and the need-to-know principle, and always in accordance with Exxas' internal data access policies.
Where passwords are used for authentication (e.g. to log in to workstations), password guidelines have been established that meet at least industry standards, including restrictions on password reuse and requirements for sufficient password strength.
3. Data
(a) Data storage, isolation, and authentication.
Exxas stores the data in a multi-tenant environment on servers owned by Exxas. The data, the databases of the contract processing services and the file management system architecture are replicated across several geographically distributed data centers. Exxas logically isolates each customer's data from that of other customers. A central authentication system is used for all contract processing services in order to increase overall data security.
(b) Decommissioning and hard drive destruction policies.
If hard drives that contain data show reduced performance, errors or hardware failures, the affected hard drives are taken out of service (“decommissioned hard drives”). Each decommissioned hard drive undergoes a series of destruction processes (“data destruction guidelines”) before it leaves Exxas' premises, whether for reuse or for destruction. Decommissioned hard drives are wiped in a multi-stage process.
(c) Input control
The restrictive granting of rights to Exxas employees limits the entry, modification and removal of data in the systems and applications used to operate the cloud services. Rights to enter, change and delete data are granted on the basis of an authorization concept. Exxas makes entries in customer systems only on request (e.g. on instruction, by mandate, under the contract or under an SLA).
4. Personnel security
Exxas personnel are required to comply with company policies on confidentiality, business ethics and acceptable use, as well as with professional standards. Exxas carries out reasonable background checks to the extent permitted by applicable law and other mandatory provisions.
Personnel are required to sign a confidentiality agreement and to confirm receipt of and compliance with Exxas' confidentiality and privacy policy. Personnel receive security training. Personnel who handle customer data must meet additional requirements depending on their area of responsibility. Exxas' personnel will not process any customer's personal data without being authorized to do so.
5. Security for sub-processors
Before engaging a sub-processor, Exxas first reviews the sub-processor's security and privacy practices to ensure a level of security and privacy commensurate with the sub-processor's data access and the scope of the contracted services. Once Exxas has assessed the risks presented by the sub-processor, the sub-processor is required to enter into appropriate security, confidentiality and data protection agreements, subject to the requirements set out in Section 12.2 (Requirements for Engaging Sub-Processors) of these data processing conditions.
