Nectos logo
Back

Data Processing Agreement (DPA)

Version: January 2026*

Parties: Adopt-AI SA ("Processor") and any Data Controller using the Nectos platform

Preamble

This Data Processing Agreement ("DPA") supplements the Nectos Terms of Service and governs the processing of personal data by Adopt-AI SA as a Processor on behalf of professional users (Data Controllers) of the Nectos platform.

This DPA complies with the requirements of the Swiss Federal Act on Data Protection (nDSG/FADP), the GDPR (where applicable), and Swiss nDSG standards.

1. Definitions

"Data Controller": any natural or legal person using the Nectos platform in a professional capacity and determining the purposes and means of personal data processing.

"Processor": Adopt-AI SA, Rue du Pré-de-la-Bichette 1, 1202 Geneva, Switzerland, CHE-147.175.593.

"Personal Data": any information relating to an identified or identifiable natural person.

"Processing": any operation performed on personal data.

2. Subject and Processing Instructions

The Processor processes personal data only:

  • On documented instructions from the Data Controller
  • For the exclusive purpose of providing the Nectos service
  • In accordance with this DPA and the Terms of Service

3. Data Residency

All data is processed and stored exclusively in Switzerland on Hidora SA infrastructure, an ISO 27001 certified Swiss cloud provider.

No transfer of personal data outside Switzerland will be made without prior written consent from the Data Controller, except where legally required.

4. Zero Training Commitment — Contractual Guarantee

Adopt-AI SA formally and contractually commits to never using the Data Controller's or its users' personal data to:

  • Train, pre-train or re-train any artificial intelligence model
  • Fine-tune any AI model
  • Improve, evaluate or test any AI model
  • Compose training datasets

This commitment is absolute and applies at all levels of the processing chain.

5. Technical and Organizational Measures (TOMs)

Technical measures:

  • Data in transit: TLS 1.3 encryption
  • Data at rest: AES-256 encryption
  • MFA for all administrative access
  • Role-based access control (RBAC)
  • 80+ offensive security tests per release
  • Regular independent penetration testing

Organizational measures:

  • Least-privilege access for all staff
  • Confidentiality obligations for all staff with data access
  • Documented incident response procedures
  • Business continuity plan

6. Sub-Processors

Sub-ProcessorRoleLocation
Hidora SAInfrastructure hostingSwitzerland
Payrexx AGPayment processingSwitzerland (Thun)

The Processor will notify the Data Controller 30 days in advance of any sub-processor change, allowing the right to object.

7. Data Breach Notification

In the event of a personal data breach, the Processor will:

  • Notify the Data Controller within 72 hours of becoming aware
  • Provide details of the breach, data categories, volumes affected, and remediation steps

8. Data Deletion

Upon termination of the main contract:

  • The Data Controller has 30 days to export data
  • After this period, all data is securely and irreversibly deleted
  • A deletion certificate is available on request

9. Governing Law

This DPA is governed by Swiss law. Disputes are subject to the exclusive jurisdiction of the Tribunal de première instance of the Canton of Geneva.

10. Contact

Adopt-AI SA — contact@nectos.ch

Rue du Pré-de-la-Bichette 1, 1202 Geneva, Switzerland

To receive a signed, customized DPA for your organization, contact us at contact@nectos.ch.