Data Processing Addendum

Last updated on 20.08.2025

​​​

1. Principle

​

This Data Processing Addendum ("DPA") is applicable if and to the extent that, in the context of the performance of the Agreement between the Parties on the use of the Services, Drone Harmony AG Sonnentalstrasse 8, 8600 Dübendorf, Switzerland ("Processor") processes personal data as data processor on behalf of the Customer ("Controller").

​

This DPA forms an integral part of the Agreement. The provisions of the Processor's Terms of Service ("ToS")  are fully applicable in connection with and supplement this DPA, except where this DPA contradicts them. Any terms defined in the ToS and used in this DPA have the same meaning.

​

2. Applicable Data Protection Law

"Applicable Data Protection Law" means:

a) the Swiss Federal Act on Data Protection (FADP);

b) if and to the extent applicable, the EU General Data Protection Regulation (GDPR).

​

3. Subject Matter, Nature and Purpose of Processing

Subject matter of the processing and therefore this DPA is the personal data of third parties the Processor processes in its Software in the context of the performance of the Agreement ("Personal Data").

​

This includes the following categories of data:

a) User account data (identification, contact and login data, etc.);

b) Flight and inspection data (flight plans, flight scene environments, flight logs, inspection annotations, drone, flight and inspection metadata, etc.); 

c) drone footage processed through the Software (images, videos, live streams);

d) technical data (usage data, location data, error logs, etc.);

e) communication content (emails, support requests, feedback, ideas, etc.).

​

The categories of data subjects affected by the processing include:

f) Users;

g) individuals recognizable on the footage collected by the Controller's drones and processed through the Software.

​

The purpose of processing is to provide the Software and, if applicable, other Services in accordance with the Agreement. This includes the performance of necessary auxiliary functions (e.g., error monitoring, support). In addition, the Processor may analyze certain technical data of the Users in aggregated form for the purpose of improving its Services.

The type of processing includes the activities necessary to achieve these purposes, in particular the collection, recording, organization, storage, adaptation or alteration, retrieval, use, transmission, provision, reconciliation, linking, erasure or destruction of personal data.​

​

4. Processing according to Controller's Instructions​

The Processor processes the Personal Data in accordance with this DPA, the Agreement in general, and any additional documented instructions by the Controller.

​

Instructions going beyond the contractual agreements are subject to additional charges. This does not apply if the relevant instructions are demonstrably necessary to prevent or put an end to a breach of Applicable Data Protection Law the Processor is responsible for.

​

The Processor will inform the Controller without delay if it believes that any of the Controller's instructions violate Applicable Data Protection Law.

​

If the Processor is legally required to process the Personal Data in a manner inconsistent with the contractual agreements or the Controller's additional instructions, it will inform the Controller of this legal requirement prior to the processing. Cases in which the applicable law prohibits informing the Controller for important reasons of public interest are reserved.

​

5. Data Security

The Processor takes appropriate technical and organizational measures to ensure an adequate level of data security within the meaning of Applicable Data Protection Law.

​

The Processor regularly monitors its internal processes and the technical and organizational measures to ensure that an appropriate level of data security within the meaning of Applicable Data Protection Law is maintained with regard to the processing activities in its area of responsibility.

​

The Processor ensures that its employees or other individuals authorized to process the Personal Data are subject to appropriate contractual or statutory confidentiality requirements.

​

6. Cooperation regarding Legal Obligations

The Processor will provide the Controller with reasonable support in fulfilling its obligations under Applicable Data Protection Law, in particular:

a) toward the competent data protection authorities;

b) toward data subjects, in particular when they exercise their rights in accordance with Applicable Data Protection Law (e.g. right to rectification, deletion or access);

c) in case the Controller conducts a data protection impact assessment.

​

The Controller will bear the cost of these services to the extent that they exceed due performance of the Agreement. Cases where the support is demonstrably necessary due to a breach by the Processor of Applicable Data Protection Law or of its contractual obligations are reserved.

​

If a data subject or an authority contacts the Processor with an inquiry regarding the Personal Data, the Processor will not respond to the request on its own authority, but immediately forward it to the Controller. The Processor will not be liable if the Controller does not answer the request or answers it incorrectly or not in a timely manner.

​

7. Subprocessors

The Controller agrees to the use of the subprocessors listed in the Appendix to this DPA. 

The processor may engage further subprocessors for the fulfillment of the Agreement. The Processor will inform the Controller 30 days in advance of any intended engagement of a new subprocessor. 

​

a) If the Controller rejects the new subprocessor for objective reasons and the Processor cannot offer a reasonable alternative, the Controller may terminate the Agreement for exceptional reasons. 

b) If no rejection is made within the aforementioned period, the new subprocessor will be deemed approved. 

​

The Processor will impose essentially the same data protection obligations on its subprocessors as are set out in this DPA.

​

8. International Transfers

Any transfers of personal data to organizations outside the Processor’s and/or the Controller’s country require the prior consent of the Controller.

​

Transfers to subprocessors listed in the Appendix or subsequently approved by the Controller pursuant to section 7 are deemed authorized. In particular, upon conclusion of the Agreement, the Controller selects a hosting subprocessor and data location from the options provided by the Provider (see Appendix) and thereby authorizes any international transfers necessary as a consequence of that choice.

​

Any transfers the Controller initiates itself, for example by registering its drone(s) and the Software with the drone manufacturer or by linking its account(s) with third-party software, are also considered authorized.

​

9. Proof of Compliance and Inspections

Upon request, the Processor will provide the Controller with appropriate proof of compliance with the obligations under this DPA.

If an inspection by the Controller or an external auditor commissioned by the Controller is required, it will be conducted during normal business hours without undue disruption of operations. As a rule, the Controller will notify the Processor prior to the inspection and give it reasonable lead time.

​

The Controller bears the cost of the inspection unless it is demonstrably necessary due to a breach by the Processor of Applicable Data Protection Law or of its contractual obligations.

The Processor may refuse an inspection by an external auditor if the external auditor is not appropriately qualified or independent, is in a direct competitive relationship with the Processor, or is otherwise obviously unsuited.

​

The Processor will in no event be required to disclose the following data to the Controller or its external auditor:

​

a) data of the Processor's other customers;

b) internal accounting or financial data;

c) trade secrets;

d) data the disclosure of which is not permitted for legal reasons;

e) data the disclosure of which is not necessary for the exercise of the rights set forth in this clause.

​

10. Data Breach

The Processor will notify the Controller without delay if it becomes aware of a data breach in its area of responsibility. The Processor will provide the Controller with sufficient information to enable the Controller to comply with its obligations to notify the competent authorities and/or inform affected data subjects.

​

The Processor will, in cooperation with the Controller, take appropriate measures to investigate and remedy the breach.

​

11. Surrender and Deletion of Personal Data

Upon termination of the Agreement or at any time upon the Controller's written request (text form is sufficient) the Processor will:

​

a) surrender to the Controller a complete copy of the Personal Data it has stored; and/or

b) delete the Personal Data, to the extent permitted by law. Upon deletion, the data is purged from active systems. It may remain within the Processor's  backups for a period of up to 12 months, after which it will be permanently erased.

​

The Personal Data will be surrendered in a commonly used format of the Processor's choice. If the Controller requests a special format and as a result, the Processor is faced with a significant additional expense, the Controller will compensate the Processor for the additional expense incurred.

​

12. Term and Termination

The term of this DPA concurs with the term of the Agreement.

Nevertheless, the provisions of this DPA will apply to any data processing within its meaning taking place after the end of the Agreement for as long as such data processing continues.

​

​Appendix: List of Subprocessors

​

​

​

​