Data Processing Addendum
Last updated: 26 April 2026 · Article 28 GDPR · Swiss FADP
1. Roles
You ("Controller") instruct Etornie AG ("Processor") to process personal data on your behalf to provide the Services described in the Terms of Service. Where you act as a processor for your own clients (e.g. a law firm processing case data for end clients), Etornie acts as your sub-processor.
2. Subject matter & duration
- Subject matter: hosting and processing personal data submitted to the Etornie platform.
- Duration: the term of the Terms of Service plus any retention period required by law.
- Nature & purpose: case management, document storage, AI-assisted drafting, deadline notifications, on-chain attestations.
3. Categories of data subjects
- Customer’s employees and contractors (counsel, paralegals, admins)
- Customer’s clients and their representatives
- Witnesses, opposing parties, and other persons named in case files
4. Categories of personal data
- Identification (name, email, phone, role)
- Authentication credentials and Solana wallet public keys
- Case metadata (references, jurisdictions, deadlines, status)
- Document content uploaded by Customer
- Communication content (notes, comments, AI prompts)
- Server logs, usage telemetry
5. Sub-processors
Customer authorises Etornie to engage the following sub-processors. Etornie will give 30 days’ notice of any addition or replacement; Customer may object on reasonable grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Groq Inc. | LLM inference (EtornieGPT) | United States |
| Together AI | Embedding generation (RAG) | United States |
| Meta Platforms (WhatsApp Business Cloud API) | Outbound notifications | EU / US |
| EmailJS | Transactional email (OTP, alerts) | United States |
| Solana RPC providers | On-chain transaction submission | Global (public ledger) |
| Hosting provider (Vercel / EU region) | Web app hosting | European Union |
6. Etornie’s obligations
- Process personal data only on documented Customer instructions
- Ensure that personnel authorised to access personal data are bound by confidentiality
- Implement appropriate technical and organisational security measures (TLS, encryption at rest, RBAC, audit logging, bcrypt password hashing)
- Assist Customer in fulfilling data-subject-rights requests within 30 days
- Notify Customer without undue delay of any personal-data breach (target: 72 hours)
- Delete or return personal data on termination of the Terms, subject to legal retention obligations
7. International transfers
Where personal data is transferred outside Switzerland or the EEA, transfers are protected by the EU Standard Contractual Clauses (Module 3 — processor to sub-processor) and the Swiss FDPIC’s recognised SCCs.
8. Audits
Customer may, on 30 days’ notice and no more than once per 12 months (more often if required by a supervisory authority), request a copy of Etornie’s most recent third-party security report (SOC 2 / ISO 27001 once available) or conduct a remote audit limited to verifying compliance with this DPA.
9. Liability
Liability under this DPA is subject to the limitation-of-liability clause in the Terms of Service, except where Swiss or EU law mandates otherwise (e.g. Article 82 GDPR claims by data subjects).
10. Conflict
If there is a conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters.
For DPA execution, contact info@etornie.com.