Data Processing Agreement (DPA)
Version 1.0. Effective January 1, 2026.
This Data Processing Agreement (“DPA”) applies if you use the systems, software, platform, APIs and/or purchase Cuspar GmbH’s products and services (collectively “Services”) and, in doing so, Cuspar processes Personal Data on your behalf. YWT (Your Web Tech) is Cuspar’s customer portal and service management platform.
In this DPA, the terms “Cuspar,” “we,” “us,” or “our” refer to Cuspar GmbH, Bachtobelstrasse 38, 8123 Ebmatingen, Switzerland. The terms “you,” “your,” “Customer,” or “Controller” refer to any individual or entity who accepts this DPA and/or uses the Services and acts as controller for the relevant Personal Data.
This DPA forms part of and is incorporated into our Terms of Service. If there is a conflict between this DPA and the Terms of Service regarding Processing of Personal Data on behalf of the Customer, this DPA prevails for that subject matter.
Cuspar may modify this DPA from time to time and such modifications are effective immediately upon posting to the YWT website. We may notify you upon such modifications if required by law. Your continued use of the Services constitutes your agreement to this DPA as last revised.
1. Definitions and roles
For purposes of this DPA:
- “Personal Data”, “Processing”, “Controller”, “Processor”, “Subprocessor”, “Supervisory Authority”, and “Personal Data Breach” have the meanings given in the GDPR and/or the Swiss Federal Act on Data Protection (FADP), as applicable.
- The Customer is the Controller and Cuspar is the Processor for Personal Data processed by Cuspar on behalf of the Customer in connection with providing the Services.
- Cuspar may also process certain data as an independent controller (for example, account administration, billing, fraud prevention, legal compliance, and security). Such processing is governed by our Privacy Policy.
2. Subject matter, duration, nature and purpose of Processing
Cuspar provides Services to the Customer, which may include domain name registration and management services, website hosting services, and related technical services. The Customer instructs Cuspar to process Personal Data as necessary to provide the Services.
Processing begins when the Customer starts using the Services and continues until termination of the applicable Services and completion of Cuspar’s return or deletion obligations under this DPA.
Cuspar will process Personal Data solely to the extent necessary:
- To provide, operate, maintain, and support the Services;
- To ensure security, stability, and availability of the Services;
- To respond to the Customer’s requests and documented instructions; and
- To meet applicable legal or registry obligations (for example, where required for .ch and .li domain registrations).
3. Categories of data, data subjects, and instructions
Depending on the Services, Personal Data may include:
- Account data (name, address, email, phone);
- Domain registration data (registrant, administrative and technical contacts, and related metadata);
- Service usage data (logs, configurations, and content stored or transmitted through the Services by the Customer); and
- Payment and billing metadata (transaction identifiers, billing contact details).
Data subjects may include the Customer’s employees, customers, partners, and end-users.
The Customer’s instructions to Cuspar for Processing are set out in this DPA and the Customer’s use and configuration of the Services. Any additional instructions must be documented. If Cuspar reasonably believes an instruction infringes applicable data protection law, Cuspar will inform the Customer.
4. Customer obligations
The Customer is responsible for the lawfulness of Processing and for ensuring appropriate legal bases and notices, including as required by applicable data protection law.
- The Customer remains responsible for the accuracy, quality, and legality of the Personal Data and the means by which the Customer acquired it.
- The Customer is responsible for responding to data subject requests, unless the Services enable the Customer to address such requests directly.
- The Customer will not provide Cuspar with Personal Data it is not authorized to process and will configure the Services to avoid unlawful Processing.
5. Cuspar obligations
Cuspar will:
- Process Personal Data only on documented instructions of the Customer as described in this DPA;
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organizational measures to protect Personal Data (see Section 8);
- Assist the Customer, taking into account the nature of Processing, with data subject requests to the extent legally required and reasonably possible;
- Provide reasonable assistance with security, breach notifications, and data protection impact assessments where required by law; and
- Make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security requirements.
6. Subprocessors
The Customer provides general authorization for Cuspar to engage Subprocessors to process Personal Data on behalf of the Customer, provided that Cuspar imposes data protection obligations on each Subprocessor that are materially no less protective than those set out in this DPA.
At the effective date of this DPA, Cuspar may use the following Subprocessors depending on the Services:
- Google Cloud (infrastructure and hosting services, potentially EU/US);
- Stripe (payment processing, potentially global);
- SWITCH (required for .ch and .li domain registrations).
Cuspar will notify the Customer of material changes concerning the addition or replacement of Subprocessors where required by law. The Customer may object on reasonable grounds related to data protection. If the Customer objects, the parties will work in good faith to address the objection, including by providing an alternative where reasonably available.
7. International transfers
Where Personal Data is transferred outside Switzerland or the EEA, Cuspar will ensure appropriate safeguards in accordance with applicable law, such as standard contractual clauses, adequacy decisions, or other recognized safeguards.
8. Security measures
Cuspar implements technical and organizational measures appropriate to the risk, which may include measures such as encryption in transit and at rest, access controls, authentication, monitoring, backup and recovery procedures, and incident response processes. Specific measures may evolve over time to address industry standards and security risks.
9. Personal Data Breach
Cuspar will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer. Such notification will include, to the extent reasonably available, information about the nature of the breach, likely consequences, and measures taken or proposed to address it.
10. Return and deletion
Upon termination or expiration of the Services, Cuspar will, at the Customer’s choice and to the extent available through the Services, delete or return Personal Data processed on behalf of the Customer, unless retention is required by applicable law. The Customer is responsible for exporting or retrieving Personal Data from the Services prior to termination where applicable.
11. Audit and compliance information
The Customer may request reasonable documentation describing Cuspar’s technical and organizational measures and compliance with this DPA. Where required by law and where documentation is insufficient, on-site audits may be conducted no more than once per year with reasonable prior notice, during normal business hours, and subject to confidentiality and security requirements. The Customer bears its audit costs unless an audit is required by a Supervisory Authority.
12. Liability
The liability provisions and limitations in the Terms of Service apply to this DPA. Nothing in this DPA limits liability that cannot be limited under applicable law.
13. General
This DPA is governed by Swiss substantive law. The exclusive place of jurisdiction is the courts of the Canton of Zurich, Switzerland, unless mandatory provisions of applicable data protection law provide otherwise.
14. Contact
If you have any questions about this DPA, contact us at: support@ywt.ch, or Cuspar GmbH, Bachtobelstrasse 38, 8123 Ebmatingen, Switzerland. We aim to respond to all requests and inquiries as soon as possible.
