SOMBA.io – Data Processing Agreement (DPA)

Parties and Scope
This Data Processing Agreement ("DPA") is entered into between Sigrun GmbH, a limited liability company domiciled in Switzerland ("the Company"), and each SOMBA.io account holder with an active subscription ("Account Holder").

This DPA governs the processing of Personal Data within SOMBA.io, a software platform licensed from HighLevel Inc. ("HighLevel"), a corporation domiciled in the United States. HighLevel serves as the primary Data Processor, responsible for storing and processing all Personal Data entered into the platform.

The Account Holder acknowledges that they act as the Data Controller for all Personal Data entered into SOMBA.io. The Company does not access, manage, or control the Account Holder’s Personal Data within SOMBA.io, except as required for account administration purposes (e.g., billing, customer support, and subscription management). The Company does not determine the purposes or means of processing Personal Data within SOMBA.io and bears no liability for how the Account Holder processes such data.

This DPA is an integral part of the SOMBA.io Terms of Use and applies exclusively to Account Holders with an active subscription, including both trial and paying users.

By using SOMBA.io, the Account Holder explicitly agrees to the terms of this DPA.

Definitions
For the purposes of this Data Processing Agreement (DPA), the following terms shall have the meanings set forth below:

• "Personal Data" refers to any information relating to an identified or identifiable natural person that is processed within SOMBA.io

• "Processing" means any operation performed on Personal Data, including but not limited to collection, recording, storage, adaptation, retrieval, consultation, use, transmission, disclosure, combination, restriction, erasure, or destruction.

• "Controller" refers to the Account Holder, who determines the purposes and means of processing Personal Data within SOMBA.io and is responsible for ensuring compliance with all applicable data protection laws.

• "Processor" refers to HighLevel Inc., which processes Personal Data on behalf of the Account Holder within SOMBA.io in accordance with the Account Holder’s instructions.

• "Company" refers to Sigrun GmbH, which provides access to SOMBA.io as a licensed platform but does not process, control, or determine the purposes or means of processing Account Holder data within SOMBA.io, except as required for account administration.

• "Data Breach" means any security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to Personal Data.

• "Sub-Processor" refers to any third party engaged by HighLevel to process Personal Data on behalf of the Account Holder as part of the SOMBA.io service.

• "Applicable Data Protection Laws" includes, but is not limited to:
• The Swiss Federal Data Protection Act (FADP)
• The European General Data Protection Regulation (GDPR)
• Any other data protection laws applicable to the Account Holder or data subjects whose Personal Data is processed within SOMBA.io

Roles and Responsibilities

• The Account Holder as Controller
  • The Account Holder is the sole Data Controller for all Personal Data entered into SOMBA.io and assumes full responsibility for ensuring that all Processing of Personal Data is lawful, compliant, and authorized under Applicable Data Protection Laws.
  

  • The Account Holder is required to obtain all necessary consents and provide all legally required disclosures to data subjects before collecting or processing their Personal Data within SOMBA.io.
  
  • The Account Holder must ensure that all Personal Data is accurate, complete, and up to date and must delete or rectify any outdated or incorrect data in accordance with Applicable Data Protection Laws.
  
  • The Account Holder is solely responsible for responding to and complying with data subject requests (e.g., access, rectification, deletion, portability) and regulatory obligations, including cooperation with data protection authorities.
  
  

• The Company as a Service Provider
  • The Company provides access to SOMBA.io as a licensed software service but does not actively process, access, or control Account Holder data within the platform.
  • The Company only processes Account Holder data for limited account administration purposes, including:
  • Account setup and management
  • Subscription and billing processing
  • Customer support and troubleshooting (only upon request)

  • The Company does not process, analyze, or use Personal Data for any other purposes, including marketing, profiling, or external sharing.
  • The Company is not liable for any processing activities performed by HighLevel or the Account Holder, including but not limited to:
  • Unauthorized data collection, processing, or sharing by the Account Holder.
  • Data misuse, breaches, or security failures within SOMBA.io.
  • Any legal claims or regulatory actions resulting from the Account Holder’s data processing practices.
  
  

• HighLevel as the Processor

  • HighLevel acts as the sole Data Processor for all Personal Data stored within SOMBA.io and processes data exclusively on behalf of the Account Holder.
  • HighLevel is solely responsible for implementing appropriate security measures and compliance protocols to protect Personal Data within SOMBA.io.
  • The Company is not responsible for HighLevel’s processing activities beyond providing the SOMBA.io platform, nor does it have any control or oversight over HighLevel’s internal processing policies.
  
  

Security Measures

• Responsibilities of HighLevel
  HighLevel is responsible for implementing appropriate Technical and Organizational Measures (TOMs) to ensure the confidentiality, integrity, and availability of Personal Data processed within SOMBA.io. These security measures include, but are not limited to:
  • Encryption of Personal Data at rest and in transit to protect against unauthorized access or interception.
  • Strict access controls and multi-factor authentication (MFA) to limit system access to authorized users only.
  • Regular security audits, vulnerability testing, and risk assessments to identify and mitigate security risks.
  • Data backup and disaster recovery protocols to ensure data integrity and availability in case of system failure or cyber incidents.
  • Logging and monitoring of system activity to detect unauthorized access attempts and mitigate potential security threats.
  
  HighLevel maintains independent responsibility for these security measures. The Company does not control, manage, or oversee HighLevel’s security protocols beyond contractual obligations.

  
  

• Responsibilities of the Account Holder
  • The Account Holder is solely responsible for securing all login credentials, passwords, API keys, and authentication mechanisms used to access SOMBA.io.
  
  • The Account Holder must ensure that all Team Members, employees, and authorized users accessing SOMBA.io comply with this Agreement and all applicable data protection laws.
  
  • The Account Holder agrees to indemnify, defend, and hold harmless the Company from any claims, damages, losses, regulatory fines, or legal expenses arising from:
  • Failure to comply with this Agreement.
  • Violations of applicable data protection laws by the Account Holder or their Team Members.
  • Unauthorized access, misuse, or improper handling of Personal Data within SOMBA.io.
  • Data breaches or security failures caused by the Account Holder’s negligence or failure to follow security best practices.
  
  

  • If the Account Holder integrates third-party tools, applications, or software with SOMBA.io, they:
  • Assume full responsibility for ensuring that such integrations comply with all applicable data protection laws.
  • Acknowledge that the Company is not liable for any data breaches, unauthorized access, or processing activities resulting from such integrations.
  • Must implement appropriate safeguards to protect Personal Data when using third-party services.

• Prohibited Data Processing
  • The Account Holder shall not store, process, or enter Special Categories of Personal Data into SOMBA.io, including but not limited to:
  • Health data or medical records.
  • Biometric data or genetic information.
  • Data related to minors or individuals under 18 years old.
  • Criminal records or data related to offenses.
  
  • The Company disclaims all liability if the Account Holder fails to comply with this restriction.
  
  • In the event that an Account Holder knowingly or unknowingly enters such data into SOMBA.io, the Company reserves the right to:
  • Suspend or terminate access to the Account Holder’s account.
  • Report the violation to the appropriate data protection authorities if required by law.
  • Delete the non-compliant data without prior notice to ensure regulatory compliance.
  
  

Data Subject Rights

• The Account Holder’s Responsibility

  • The Account Holder is solely responsible for managing and responding to all data subject requests related to Personal Data processed within SOMBA.io. This includes, but is not limited to:

  • Access requests (right to obtain a copy of personal data).
  • Correction requests (right to rectify inaccurate or incomplete data).
  • Deletion requests (right to be forgotten, subject to legal retention requirements).
  • Restriction of processing (right to limit data use under certain circumstances).
  • Objections to processing (right to opt out of data use for certain purposes).
  
  • If the Company receives a request from a data subject concerning Personal Data stored within SOMBA.io, the Company shall:
  • Promptly forward the request to the Account Holder.
  • Take no further action, as the Company does not process or control such data.

  • The Company does not provide legal advice or direct support to Account Holders regarding data subject rights, nor does it mediate disputes between the Account Holder and data subjects.
  
  • The Account Holder is solely responsible for ensuring compliance with all legal obligations regarding data subject rights under applicable data protection laws (e.g., GDPR, FADP).

  
  

• No Direct Support from the Company

  • The Company does not provide direct support to data subjects regarding their rights under GDPR, FADP, or any other data protection laws.
  
  • The Company will not:
  • Verify the identity of data subjects.
  • Provide Personal Data or any details about Account Holder clients.
  • Modify or delete data on behalf of an Account Holder.

  
  • The Company disclaims all liability for any failure by the Account Holder to comply with legal obligations related to data subject rights.

  
  

Data Breach Notification

• Breach Detected by HighLevel

  • If HighLevel detects a Data Breach affecting Personal Data within SOMBA.io, it will notify the Company.

  
  • The Company will forward HighLevel’s notification to the Account Holder without undue delay.
  
  • The Account Holder is responsible for assessing whether regulatory reporting is required and notifying affected individuals if necessary.

  
  

• Breach Caused by the Account Holder

  • If a Data Breach occurs due to the Account Holder's actions, including but not limited to:

  • Weak or shared passwords leading to unauthorized access.
  • Team Members improperly sharing access credentials.
  • Negligence in handling Personal Data within SOMBA.io.
  • Misuse or security failures related to third-party integrations used by the Account Holder.
  
  • The Account Holder is solely responsible for taking necessary remedial actions, including:

  • Conducting an internal investigation.
  • Notifying affected data subjects.
  • Reporting to data protection authorities (if required).

  
  • The Company is not liable for breaches caused by the Account Holder's actions or omissions.
  
  

• Breach Caused by the Company
  • If a Data Breach occurs due to the Company’s actions, including:
  • A Company employee or contractor mistakenly exposing Account Holder Personal Data.
  • A rogue employee deliberately leaking or misusing Personal Data.
  • A technical misconfiguration on the Company's end leading to an unauthorized disclosure.
  
  • The Company shall:
  • Immediately assess and contain the breach.
  • Notify the affected Account Holders as soon as possible.
  • Cooperate with authorities if a regulatory report is required.
  • Take necessary corrective actions to prevent a recurrence.
  
  • The Company is responsible for any regulatory reporting obligations only if the breach is caused by the Company.
  
  

• General Data Breach Responsibilities
  • Each Party is responsible for its own obligations under applicable data protection laws.
  
  • The Account Holder must notify the Company if they become aware of a security incident related to SOMBA.io that may impact other users.
  
  • If a breach involves both the Company and the Account Holder, both shall cooperate in investigating and mitigating the incident.

Sub-Processors

• Use of Sub-Processors
  • HighLevel is the only authorized sub-processor for Personal Data within SOMBA.io.
  
  • HighLevel may engage additional sub-processors as necessary, but:
  • HighLevel remains fully responsible for ensuring their compliance with applicable data protection laws.
  • The engagement of any additional sub-processors shall not diminish HighLevel’s obligations under this Agreement.

  
  

• No Sub-Processing by the Company
  • The Company does not engage any additional sub-processors beyond HighLevel for the operation of SOMBA.io. 
  
  • The Company has no control over HighLevel’s selection, management, or oversight of sub-processors.
  
  • The Company is not liable for any acts, omissions, security failures, or breaches caused by HighLevel’s sub-processors.
  
  

• Account Holder Acknowledgment and Indemnification
  • By using SOMBA.io, the Account Holder acknowledges that HighLevel may engage sub-processors without prior approval from the Account Holder.
  
  • The Account Holder waives any claims against the Company related to:
  • The selection or use of HighLevel’s sub-processors.
  • Any security incidents or data breaches caused by HighLevel’s sub-processors.
  
  • The Account Holder agrees to indemnify the Company against any claims, penalties, or damages arising from:
  • HighLevel’s engagement of sub-processors.
  • Failures or misconduct by HighLevel’s sub-processors that affect the Account Holder’s Personal Data.
  
  

International Data Transfers

• Data Storage and Transfer Outside Switzerland and the EEA
  • SOMBA.io operates on a white-labeled version of HighLevel, which stores and processes all Personal Data in the United States (U.S.), outside of Switzerland and the European Economic Area (EEA).
  
  • By using SOMBA.io, the Account Holder acknowledges and agrees that their Personal Data may be transferred to and stored in a jurisdiction that may not provide the same level of data protection as Switzerland or the EEA.
  
  

• HighLevel’s GDPR Compliance and Data Privacy Framework Certification
  • HighLevel is GDPR compliant and is certified under the EU-U.S. Data Privacy Framework, demonstrating its commitment to data protection and privacy when processing Personal Data.
  
  • HighLevel ensures GDPR compliance by implementing:

  • Standard Contractual Clauses (SCCs) approved by:
  ◦ The European Commission, under the General Data Protection Regulation (GDPR)
  ◦ The Swiss Federal Data Protection and Information Commissioner (FDPIC), under the Swiss Federal Data Protection Act (FADP)
  

  • Robust security measures, including encryption, access controls, and regular security audits.
  • Procedures to detect and report personal data breaches.
  • Processes for responding to data subject requests, including rights of access, correction, and deletion.
  
  • HighLevel acts solely as a Data Processor and will not access, use, or process Account Holder data for its own purposes, except as required to fulfill its contractual obligations under SOMBA.io.
  
  

• Company’s Limited Responsibility
  • The Company ensures that HighLevel is contractually bound by SCCs and legally required safeguards.
  
  •The Company is not responsible for HighLevel’s internal data transfer mechanisms beyond ensuring that SCCs are in place.
  
  • The Company does not conduct independent audits of HighLevel’s data handling processes.
  
  • The Account Holder agrees not to hold the Company liable for any legal, compliance, or security risks arising from HighLevel’s processing of Personal Data outside of Switzerland and the EEA.
  
  

• Account Holder’s Acknowledgment and Compliance Responsibility

  • The Account Holder is responsible for ensuring that their use of SOMBA.io aligns with their legal and regulatory obligations.
  
  • If the Account Holder is subject to local data residency requirements, they must not store or process Personal Data in SOMBA.io unless they have ensured full compliance with applicable laws.
  
  • The Account Holder waives any claims against the Company related to:
  • HighLevel’s processing of Personal Data outside the EEA and Switzerland.
  • Any legal, regulatory, or compliance restrictions arising from international data transfers.

Liability and Indemnification

• Company’s Disclaimer of Liability

  • The Company shall not be liable for any direct, indirect, incidental, special, punitive, or consequential damages arising from:
  • HighLevel’s processing activities, security failures, or legal non-compliance.
  • Unauthorized access, disclosure, or misuse of Personal Data stored in SOMBA.io.
  • Loss, corruption, or alteration of Personal Data due to system failures, cyberattacks, or user errors.
  • Compliance failures related to international data transfers, regulatory changes, or third-party obligations.
  • Delays, service disruptions, or unavailability of SOMBA.io.
  
  • The Account Holder acknowledges that any claims related to data security, privacy breaches, or regulatory fines resulting from HighLevel’s actions or omissions must be directed at HighLevel directly.
  
  • The Company shall not be responsible for providing legal defense, compensation, or financial assistance related to any penalties, fines, or damages incurred due to HighLevel’s processing activities.

• Absolute Exclusion of Certain Liabilities
  Under no circumstances shall the Company be liable for:
  • Indirect, incidental, punitive, or consequential damages, including but not limited to:
  • Loss of revenue, profit, business opportunities, contracts, goodwill, or anticipated savings.
  • Business interruptions, service downtimes, or inability to access Personal Data.
  • Reputational harm, loss of customer trust, or regulatory scrutiny.
  
  • Data breaches caused by the Account Holder, including but not limited to:
  • Failure to secure login credentials or unauthorized account sharing.
  • Misuse of SOMBA.io, including uploading prohibited data or violating data protection laws.
  • Integration of third-party applications, tools, or software that compromise security.

  • Legal claims, lawsuits, regulatory fines, or penalties imposed on the Account Holder due to non-compliance with GDPR, Swiss FADP, or other applicable data protection laws.
  
  

• Account Holder’s Indemnification Obligations
  • The Account Holder agrees to indemnify, defend, and hold harmless the Company, its affiliates, officers, directors, employees, and agents from any and all claims, liabilities, damages, regulatory fines, legal costs, and expenses arising from:
  • Failure to comply with this DPA or applicable data protection laws.
  • Unauthorized, improper, or unlawful processing of Personal Data.
  • Security breaches, data leaks, or privacy violations resulting from the Account Holder’s negligence.

  • Breach of contractual obligations related to data subject rights, consent management, or data retention policies.
  • Misuse of SOMBA.io, including unauthorized access, fraudulent activities, or infringement of third-party rights.
  
  • The Account Holder shall bear all costs and expenses associated with regulatory investigations, litigation, settlements, and legal defense incurred due to their data protection failures.

  
  

• Limitation of the Company’s Financial Responsibility

  • If the Company is found liable under any circumstance, its total cumulative liability shall not exceed the total amount paid by the Account Holder for their SOMBA.io subscription in the 12 months preceding the claim.
  
  • The Company shall not be required to refund, compensate, or reimburse any payments due to service disruptions, regulatory actions, or alleged non-compliance claims.

Termination and Data Deletion

• Automatic Termination
  • This DPA automatically terminates when:
  • The Account Holder cancels their SOMBA.io subscription.
  • The Company ceases to offer SOMBA.io as a service.
  • The Account Holder materially breaches this DPA, applicable data protection laws, or the SOMBA.io Terms of Use.
  
  • Upon termination, the Account Holder immediately loses access to SOMBA.io, including all stored data, configurations, and associated files.
  
  

• Deletion of Personal Data

  • Final Deletion After Cancellation
  • When an Account Holder cancels their SOMBA.io subscription, the Company initiates the account deletion process in accordance with its internal data retention policies.
  • Personal Data will be permanently deleted after a defined period, provided no outstanding claims or obligations exist on the account.

  • HighLevel’s Role in Data
  • DeletionHighLevel is solely responsible for deleting Personal Data stored within SOMBA.io.
  • The Company does not control HighLevel’s internal retention policies and is not liable for how long HighLevel retains Account Holder data after termination.
  
  • Account Holder’s Responsibility for Data Backup
  • The Account Holder is responsible for exporting or backing up any necessary data before canceling their subscription.
  • Once deletion is finalized, data recovery is not possible, and the Company will not retrieve or restore any data after termination.
  
  

• Retention of Account Administration Data

  • The Company will retain necessary account administration data (e.g., billing records, payment history, and support logs) for up to seven (7) years or as required by:
  • Swiss financial and tax regulations.
  • Applicable laws governing business record retention.

  • The Company will not retain Personal Data beyond legal requirements and shall securely delete administrative records once they are no longer needed.
  
  

• No Liability for Post-Termination Data Handling

  • The Company is not responsible for:
  • Data loss, corruption, or delays in deletion caused by HighLevel.
  • Retention of Personal Data by third parties the Account Holder has integrated with SOMBA.io.
  • Inability to retrieve Personal Data after termination.

  
  • The Account Holder waives all claims against the Company related to data access, retrieval, or deletion following termination.

  
  
  

Audit Rights and Limitations

• Audit Request Procedure
  • The Account Holder may request an audit to verify the Company’s compliance with this DPA and applicable data protection laws.
  • Audits must be requested in writing at least thirty (30) days in advance and must include:
  • A detailed audit plan specifying the scope, objectives, and compliance concerns.
  • A justification for the audit, demonstrating a reasonable basis for the request.
  
  

• Company’s Right to Reject or Limit Audits
  • The Company reserves the right to refuse or limit an audit request if:
  • The request is excessive, repetitive, or lacks a reasonable basis under applicable data protection laws.
  • The audit would cause excessive disruption to business operations or compromise security.
  • The request seeks direct access to systems, proprietary information, or client data, which the Company is not obligated to provide.
  
  • Instead of direct audits, the Company may provide:
  • Written confirmations of compliance with this DPA.
  • Summarized security reports that demonstrate adherence to applicable data protection laws.
  • Independent third-party audit summaries, where applicable, from HighLevel as the primary Data Processor.

  • The Account Holder acknowledges that the Company does not maintain independent compliance certifications (e.g., ISO, SOC 2) and that HighLevel is solely responsible for system-level security audits and certifications.

• Exclusion of HighLevel’s Infrastructure from Audits
  • The Account Holder acknowledges that HighLevel operates independently from the Company.
  
  • Audits shall not include:
  • Direct access to HighLevel’s infrastructure, servers, or internal systems.
  • HighLevel’s internal security processes or proprietary technology.
  • Data of other users or unrelated third parties.
  
  • The Account Holder may refer to HighLevel’s published compliance reports for verification of its security and processing standards.
  
  

• Cost Allocation for Audits
  • The Account Holder shall bear all costs associated with conducting an audit, including:
  • Professional fees for auditors or legal consultants hired by the Account Holder.
  • Operational costs incurred by the Company to facilitate the audit (e.g., staff time, administrative expenses).
  
  • If an audit reveals a material compliance failure by the Company, the Company shall bear the reasonable costs necessary to remedy the issue.

• Confidentiality of Audit Findings
  • The Account Holder must treat all audit findings as confidential and may not disclose them to third parties without the Company’s written consent.
  
  • Audit findings may not be used for competitive, legal, or reputational harm against the Company.

  
  

Governing Law and Jurisdiction

• This DPA is exclusively governed by the laws of Switzerland, without regard to conflict of law principles.
  • The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply to this DPA.
  
  

• Any disputes arising from or in connection with this DPA shall be exclusively settled by the courts at the Company’s registered office in Switzerland.
  
  

• The Account Holder waives the right to bring claims in any other jurisdiction and agrees that Swiss law shall prevail in all legal interpretations of this DPA.
  
  

• In the event of a dispute regarding data protection obligations, the Company is not liable for legal claims resulting from HighLevel’s processing activities, as HighLevel operates independently from the Company.

Final Provisions

• The most recent version of this DPA is always available at https://www.somba.io/dpa.
  
  • The Company reserves the right to amend this DPA at any time to ensure compliance with evolving legal, regulatory, or operational requirements.
  
  • Changes to this DPA shall become effective upon publication at the provided link.
  
  • Continued use of SOMBA.io after an update constitutes binding acceptance of the revised terms.
  
  • The Account Holder is responsible for reviewing the DPA periodically to stay informed of any modifications.
  
  • If the Account Holder does not agree with any changes to this DPA, their sole remedy is to cease using SOMBA.io and terminate their account.
  
  • No separate notification is required for amendments unless legally mandated.

  
  

• Data Protection Contact
  The Company has not appointed a Data Protection Officer (DPO), as it is not legally required under applicable data protection laws. All data protection requests, including questions about this DPA, must be submitted in writing and can be emailed to [email protected]. The Company will respond within a reasonable timeframe in accordance with its legal obligations.