Data Processing Addendum

Last updated: April 19, 2026 · Version 1.0

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Switchy ("Processor") and the organization that has accepted them ("Controller") for the use of the Switchy service. Defined terms have the meaning given in the GDPR (Regulation (EU) 2016/679).

1. Scope and Roles

The Controller determines the purposes and means of the processing. The Processor processes Personal Data on the Controller's behalf strictly to provide the Switchy service. This DPA applies whenever Switchy processes Personal Data subject to the GDPR or the UK GDPR.

For the purposes of the California Consumer Privacy Act (CCPA), Switchy is a "Service Provider" with respect to Controller Data, processes such data only for the purposes set out in this DPA, and does not sell or share it.

2. Subject-matter, Duration, Nature, Purpose

  • Subject-matter: Personal Data submitted to or generated by use of the Switchy service.
  • Duration: The term of the Controller's subscription, plus any post-termination retention period set out in /privacy.
  • Nature and purpose: Hosting, transmission, structuring, retrieval, and deletion of Controller Data to provide team chat, multi-model AI access, persistent memory, and MCP integrations.
  • Categories of data subjects: The Controller's authorised users (members of its organization in Switchy) and any third parties whose Personal Data they choose to submit.
  • Categories of Personal Data: Account data (name, email, OAuth identifier), message and memory content, usage telemetry, billing identifiers.

3. Controller Instructions

Switchy processes Personal Data only on documented instructions from the Controller. The Terms of Service, this DPA, the privacy policy, and the Controller's configuration of its organization (members, MCP integrations bound to Spaces, billing plan) constitute the complete and final instructions. Any additional instruction must be agreed in writing and may incur additional fees if it materially changes the service.

4. Sub-processors

The Controller authorises Switchy to engage the sub-processors listed in Section 5 of the privacy policy:

  • Google Cloud Platform (hosting, database, secret storage) — EU (europe-west1)
  • OpenRouter (AI model routing) — United States
  • Stripe (payment processing) — United States
  • Ably (realtime delivery for live chat) — EU + global edge
  • Composio (aggregator for 500+ third-party integrations; Composio holds the OAuth tokens, while Switchy holds only opaque connection handles) — United States
  • Resend (transactional email) — United States / EU
  • Third-party MCP integrations the Controller's admin chooses to connect (GitHub, Notion, custom HTTPS MCPs)

Switchy will notify the Controller at least 30 days before adding or replacing a sub-processor that processes Controller Data. The Controller may object on reasonable data-protection grounds, in which case Switchy will use commercially reasonable efforts to provide an alternative or, failing that, the Controller may terminate the affected service for cause without penalty for the unused portion of the prepaid term.

5. Confidentiality

Switchy ensures that any person it authorises to process Personal Data is bound by an obligation of confidentiality (whether contractual or statutory) and processes Personal Data only as instructed by the Controller.

6. Security

Switchy implements appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption in transit (TLS 1.2+) and at rest (Google Cloud disk encryption).
  • Storage of all credentials and OAuth tokens in Google Secret Manager — never in the application database.
  • Visibility-aware data access enforced at the database query layer (PRIVATE / SPACE / ORG) — see /docs/concepts/memory.
  • Server-side request forgery (SSRF) protection on all outbound MCP calls, including DNS-rebinding defence.
  • Per-API-key rate limits, sub-second key revocation, and idempotency keys on all writes.
  • Quarterly access reviews and least-privilege IAM in the underlying GCP project.
  • Hosting on infrastructure with ISO 27001 + SOC 2 Type II certification (Google Cloud Platform).

A more detailed security overview is available at /security.

7. Data Subject Rights

Switchy will assist the Controller in fulfilling requests from data subjects exercising their rights under GDPR Articles 12–22, taking into account the nature of the processing. Most rights (access, rectification, erasure, portability) can be exercised directly by the data subject in the Switchy UI; for any request that cannot, the Controller may contact contact@switchy.build.

8. Personal Data Breach

Switchy will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Controller Data, providing all information reasonably required for the Controller to comply with its obligations under GDPR Art. 33.

9. International Transfers

Where Switchy or its sub-processors transfer Personal Data outside the EU/EEA, the transfer is governed by EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or, where applicable, the EU-US Data Privacy Framework. The relevant SCC modules are incorporated into this DPA by reference.

10. Audits

Switchy will make available to the Controller, on reasonable request and not more than once per twelve-month period (except where required by a supervisory authority), the information necessary to demonstrate compliance with Art. 28. Where the Controller wishes to conduct an audit beyond reviewing third-party reports (e.g. SOC 2), the parties will agree the scope, timing, and reasonable cost in advance.

11. Return or Deletion

Upon termination of the service, the Controller may export its data in standard formats. After 30 days, Switchy will delete Controller Data from the live system; backups containing Personal Data will be deleted in the ordinary course of business, no later than 90 days after termination.

12. Liability and Order of Precedence

To the extent of any conflict between this DPA and the Terms of Service or any order form, this DPA prevails with respect to the processing of Personal Data. Liability under this DPA is subject to the limitations set out in the Terms of Service.

13. How to Sign

Acceptance of the Terms of Service by an authorised representative of the Controller constitutes acceptance of this DPA. If your procurement process requires a counter-signed copy, email contact@switchy.build with the subject line "DPA counter-sign request" and we will return a PDF within five business days.