Legal Documents
and Resources

Data Processing Agreement


Rentouch GmbH

Schönenbergstrasse 68, 8820 Wädenswil, Switzerland (“Processor”)


Company (“Company”, as “Controller”):


Address, City, Country: 


This Data Processing Agreement (DPA) is for the parties to establish an agreement on the roles and responsibilities within the framework of the listed Principles, between the Processor (Rentouch GmbH, Schönenbergstrasse 68, 8820 Wädenswil, Switzerland) as defined in GDPR Art. 4(8) and the Controller as defined in GDPR Art. 4(7).

Whereas the intention of the Processor is to:

  1. Provide a DPA in compliance with Art. 28(3) of the EU General Data Protection Regulation (GDPR-(EU) 2016-679) and under the provisioning of Art. 6 for Lawful Processing;
  2. Process the personal and other data only further to documented instructions from the Controller, including restriction of access by other parties not a signatory to this DPA, or transfer of personal data to third countries or international organizations, unless provided otherwise by Swiss, EU or agreed jurisdiction law to which the Processor is subject;
  3. Take all appropriate technical and organizational measures including breach management and notification;
  4. Achieve transparency with the use of all sub-processors and third party companies towards the Controller,
  5. Impose on its sub-processors the data protection obligations set out in the Master Subscription Agreement (or legal act) between the Controller and the Processor;
  6. Taking into account the nature of the processing, assist the Controller by taking appropriate technical and organizational measures, insofar as possible, to ensure fulfillment of the Controller obligation to reply to requests by data subjects exercising their rights;
  7. Assist the Controller in ensuring compliance with its security and certain other obligations, taking into account the nature of the processing and the information available to the Processor;
  8. At the Controller choosing, delete or return all personal and other data to the Controller upon completion of the processing services and return any existing copies of the data, unless Swiss, EU or agreed jurisdiction law requires that the personal data be stored for a longer duration;
  9. Make available to the Controller all information necessary to demonstrate compliance with its obligations and allow and cooperate fully with audits, including inspections, conducted by the Controller or another person authorized to this end by the Controller.


This DPA details the parties’ obligations on the protection of personal data, associated with the processing of personal data on behalf of Company as a data controller, and described in detail in the Rentouch SaaS Subscription Agreement as signed respectively between the two Parties (hereinafter, the “Agreement”). Its regulations shall apply to any and all activities associated with the Agreement, in whose scope Processor’s employees or agents process Company’s personal data (hereinafter, “Data”) on behalf of Company as a controller (hereinafter, “Contract Processing”).

§ 1 Duration and specification of contract processing of Data

The scope and duration and the detailed stipulations on the type and purpose of Contract Processing shall be governed by the Agreement. Specifically, Contract Processing shall include, but not be limited to, the Data as declared in Annex 1 of this DPA.

§ 2 Scope of application and responsibilities

The Processor shall act exclusively on documented instructions or service agreements from the Company. The Processor shall ensure that the Customer Data entrusted is not used for other purposes or processed in any other way or form than as stated in the Company instructions, including transfer of Customer Data to a third country or an international


  1. Processor shall process Data on behalf of Company. Such Contract Processing shall include all activities detailed in the Agreement and its statement of work. Company shall be solely responsible for compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Data to Processor and the lawfulness of having Data processed on behalf of Company. Company shall be the »controller« in accordance with Art. 4 (7) of the GDPR.
  2. The Processor shall process the Customer Data in accordance with the law in force at any time. If the Processor deems an instruction to be in breach of such legislation, the Processor shall promptly inform the Company accordingly. However, this shall not apply if the law in question prohibits such notification for reasons of substantial public interest.
  3. The Processor may not process the Customer Data (including Personal Data) for any purpose other than instructed, unless the Processor is obliged to do so under the Swiss DPA, EU GDPR or agreed data processing jurisdiction as applicable. If so, the Processor shall notify the Company of such legal obligation before commencing the processing.

§ 3 Processor’s obligations

  1. For the performance of the obligations in relation to this Data Processing Agreement, the Processor shall only appoint such employees who were informed about all relevant data privacy obligations and instructed to comply with data secrecy pursuant to the Swiss Data Protection Act and EU General Data Protection Regulation prior to performing their duties. The employees shall be sufficiently trained in order to be able to comply with their data protection and commercial contractual obligations. The Processor shall ensure an adequate level of training by implementing suitable controls. The Processor shall use additional means such as background checks of respective employees, where deemed as an appropriate mitigating measure to any operational risk imposed on the Company.
  2. Except where expressly permitted by Art. 28 (3)(a) of the GDPR, Processor shall process data subjects’ Data only within the scope of the statement of work and the instructions issued by Company within the Agreement or this DPA. Where Processor believes that an instruction would be in breach of applicable law, Processor shall notify Company of such belief without undue delay. Processor shall be entitled to suspend performance on such instruction until Company confirms or modifies such instruction.
  3. Processor shall, within Processor’s scope of responsibility, organize Processor's internal organization so it satisfies the specific requirements of data protection. Processor shall implement technical and organizational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill the requirements of the GDPR and specifically its Art. 32. Processor shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  4. Processor reserves the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not be less protective than initially agreed upon.
  5. Processor shall support Company, insofar as is agreed upon by the parties, and where possible for Processor, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Art.s 33 to 36 of the GDPR.
  6. Processor warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Processor’s scope of responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Processor warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing.
  7. Processor shall notify Company, without undue delay, if Processor becomes aware of breaches of the protection of personal data within Processor’s scope of responsibility.
  8. Processor shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Processor shall coordinate such efforts with Company without undue delay.
  9. Processor shall notify the Company point of contact (Annex 1) for any issues related to data protection arising out of or in connection with the Agreement.
  10. Processor warrants that Processor fulfills its obligations under Art. 32(1)(d) of the GDPR to implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  11. Processor shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Processor shall, based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media and other material.
  12. Processor shall, unless requested otherwise in writing at the time of termination by Company, upon termination of Contract act in accordance to the Term and Termination Clause of the Agreement.
  13. Company shall bear any extra cost caused by deviating requirements in returning or deleting data.
  14. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller. The record shall include the following:

a. The name and contact information of the specific Processor, any sub-processor of the Commercial Contract (Rentouch Master Subscription Agreement), the Company, the Data Protection Officer and, where relevant, the representative of the Processor.

b. The categories of processing carried out by the Processor or any sub-processor on behalf of the Company.

c. General description of the technical and organizational security measures undertaken by the Processor to safeguard the Customer Data, cf. Art. 32(1) in the General Data Protection Regulation.

15. The list shall be in writing, including in electronic format. At the request of the Company, the Processor shall at any time make the list available to the Company.

16. When the processing of Customer Data at the Processor takes place in home offices, in whole or in part, the Processor shall lay down guidelines for the personnel's processing of Customer Data in home offices. The guidelines shall be submitted to the Company upon request.

17. The Processor shall participate in discussions, if any, with the Company and/or the Data Protection Agency and in good faith consider any recommendations and/or improvement notices, etc., from the Company and/or Data Protection Agency regarding the processing of Customer Data.

18. The Processor shall promptly inform the Company if the Data Protection Agency contacts the Processor regarding the support or services covered by the DPA.

19. The Processor furthermore undertakes to promptly notify the Company of:

a. Any request by a public authority for transfer of Customer Data covered by the Commercial Contract, unless the notification of the Company is explicitly prohibited by law, e.g. pursuant to rules designed to ensure the non-disclosure of investigations performed by a law-enforcement authority.

b. Any request for access received directly from the data subject or from another party.

§ 4 Company’s obligations

  1. Company shall notify Processor, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Company in the results of Processor’s work.
  2. Company shall notify to Processor the point of contact for any issues related to data protection arising out of or in connection with the Agreement in Annex 1 of this DPA.
  3. In regards to compliance with the protective measures and safeguards outlined in Annex 2 of this DPA, Processor agrees to maintain an Information Security Management System in accordance to ISO 27001:2022 Control Objectives and its verified effectiveness, parties refer to the existing certification issued and available to Company upon request as proof of the appropriate guarantees. Company is familiar with the technical and organizational measures of an ISMS as outlined by the Processor, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the risk.

§ 5 Enquiries by data subjects

  1. Where a data subject asserts claims for rectification, erasure or access against Processor, and where Processor is able to correlate the data subject to Company, based on the information provided by the data subject, Processor shall refer such data subject to Company.
  2. Processor shall forward the data subject’s claim to Company without undue delay.
  3. Processor shall support Company, where possible, and based upon Company’s instruction insofar as agreed upon. 
  4. Processor shall not be liable in cases where Company fails to respond to the data subject’s request in total, correctly, or in a timely manner.

§ 6 Documentation

  1. Processor shall document and prove to Company, Processor’s compliance with the obligations agreed upon in this exhibit by appropriate measures.
  2. Where specific types of documentation and proof can be identified, with regard to compliance with the obligations agreed upon, Processors may make available to Company the following information:
  • Conducting an own self-audit or self-assessment
  • Internal compliance regulations including external proof of compliance with these regulations
  • Certifications on data protection and/or information security (e.g. ISO 27001)
  • Annual Penetration Test report performed by an external company
  • Any technical and/or organizational information deemed as necessary by the Company, excluding any information that may potentially, however remote, impact the security and/or confidentiality of another Customer or Supplier of Processor.

§ 7 Right to Audit and Inspection

  1. The Company has the right to monitor the technical and organizational measures taken by the Processor at any time.
  2. Where, in individual cases, audits and inspections to monitor the technical and organizational measures by Company or an auditor appointed by Company are necessary, such audits and inspections will require written confirmation from Processor, be conducted during regular business hours, and without interfering with Processor’s operations, upon prior notice, and observing an appropriate notice period. Such on-site audits shall be announced by Company to Processor at least four weeks in advance.
  3. Processor may also require the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organizational measures and safeguards implemented.
  4. Processor shall be entitled to rejecting auditors which are competitors of Processor.
  5. Processor shall be entitled to request a remuneration for Processor’s support in conducting inspections.
  6. Processor’s time and effort for such inspections shall be limited to one visit per calendar year, maximum of three days, unless agreed upon otherwise.
  7. Company is fully responsible for any external incurred costs by Processor for such an audit or inspection.
  8. Physical Access to Data Center locations of the Processor, is excluded from any such audit or inspection.
  9. Where a data protection supervisory authority or another supervisory authority with statutory competence for Company conducts an inspection, para. 1-6 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.

§ 8 Sub-Processors (further processors on behalf of Customer)

  1. GDPR Art. 28.2 : "The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes."
  2. Processor shall use sub-processors as further processors on behalf of Customer and the signing of the Agreement and/or this Data Processing Agreement shall fulfill the requirement for a general written authorisation of the Customer, as stipulated in GDPR Art. 28.2.
  3. A sub-processor relationship shall be subject to such consent of Processor commissioning sub-processors with the performance agreed upon in the Agreement, in whole or in part.
  4. Processor shall conclude, with such sub-processors, the contractual instruments necessary to ensure an appropriate level of data protection and information security and in line with the applicable data protection regulations.
  5. Processor shall inform the Customer of any intended changes concerning the addition or replacement of a sub-processor, it being understood that the Customer may object to such changes under Section 8.4, within sixty (60) days of being informed.
  6. Customer shall be entitled to contradict any sub-processor change announced by Processor, for materially important reasons related to statutory data protection regulations (GDPR or other) or due to Customer risk as a result of competitive disadvantage.
  7. Where Customer fails to contradict such change within such period of time, Customer shall be deemed to have consented to such change.
  8. Where a materially important reason for such contradiction exists as stipulated under Section 8.7, and failing an amicable resolution of this matter by the parties, both Customer and Processor shall be entitled to terminate the Agreement and this DPA, to become effective for the commencement date of the use of the new or replacement sub-processor.
  9. Where Processor commissions sub-processors, Processor shall be responsible for ensuring that Processor’s obligations on data protection resulting from the Agreement and this DPA are valid and binding upon the sub-processor.
  10. Any costs of the establishment of an agreement with a sub-processor or a third party, including costs in connection with the drawing up of sub-processing agreements, shall be borne by the Processor and shall be of no concern to the Customer.
  11. The fact that the Customer has consented to the Processor entering into an agreement with another sub-processor shall be of no consequence to the Processor's obligation to comply with this Data Processing Agreement.
  12. In accordance to GDPR Art. 4.10 : "‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data."
  13. Processor will conduct the Software as a Service (SaaS) performance listed in the Agreement, using third party service providers as declared in Rentouch sub-processors and third party service providers list.
  14. Any new or change of third party service provider declared in Rentouch sub-processors and third party service providers list is not considered as a change to or a new sub-processor, and use thereof not subject to Customer consent, agreement or notification for any reason whatsoever.
  15. Processor is responsible to ensure any use of third party service providers is done legally and in the definition of the applicable requirements and framework of the agreed upon data protection legislation.

§ 9 Customer Data Breach Management and Notification

  1. In accordance to GDPR Art. 4(12) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  2. The Processor shall inform the Company immediately and in writing of any personal data breach on Processing of Personal OR Customer Data as stated in this Data Processing Agreement.
  3. The Processor shall be obliged to provide the Company with any and all information necessary for the compliance with the Company obligations pursuant to the Swiss Data Protection Act on Processing of Personal Data and the EU General Data Protection Regulation or the Personal Data Protection regulation of any other applicable jurisdiction.
  4. The Processor shall then without undue delay, but not later than 72 hours after the personal data breach, report to the Company.
  5. In accordance to the information requirements outlined in GDPR Art.s 33, 34, the Processor shall notify the Company of the background of the security breach and the extent thereof as well as information about initiatives to safeguard against future security breach. 

For Clarity & Transparency:

For the purpose of removing any assumptions, a reportable successful breach is one that is defined in GDPR Art. 34 (1) "When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons".

  • In case of a successful breach where the Personal OR Customer Data is impacted, the Processor will inform the Company immediately and no later than 72 hours, and in accordance to the requirements set forth for the information to be provided in Art.s 33, 34 of the EU GDPR (General Data Protection Regulation (EU) 2016 / 679).

§10 Technical and organizational measures

  1. To ensure the protection of the Customer Data and in order to comply with Personal Data laws and regulations, the Processor shall take the technical and organizational measures necessary pursuant to Art. 32 of the General Data Protection Regulation.
  2. The Processor must implement and thus safeguard the Customer Data with the necessary technical and organizational measures (inter alia with regard to storage, computing, networking access, transfer, input, order and availability control). Protective measures include using state-of-the-art software, computers and encryption methods as well as the use of adequate access controls for authentication and authorization (eg. two factor authentication and four eye control for authorization processes), password procedures, logging and documentation of processes and the implementation of a data security concept.
  3. The measures taken shall be adequate for the protection of the specific Customer Data, and protect against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in breach of the law in force at any time, including but not limited to the Swiss Data Protection Act on Processing of Personal Data and the EU General Data Protection Regulation. This shall also apply if the processing of Customer Data takes place, in whole or in part, in home offices.
  4. If the Processor is established in another EU Member State, the Processor shall comply with both the security requirements laid down in applicable law in the place of operations for the Company and the security requirements laid down in the Member State or Jurisdiction of the Processor. On transferring the Customer Data, electronically transmitted Customer Data or Customer Data made available for download shall be secured against unauthorized access.

§11 Transfer of Customer Data

Transfer of personal data to third countries

If personal data is transferred to a third country outside the European Union/Economic Area by Processor, Processor shall ensure that the requirements of Art. 44 et seq. GDPR are met.

§12 Duty of confidentiality

  1. The Processor and the Processor's personnel shall observe unconditional confidentiality as regards the processing of Customer Data, and the Processor and the Processor's personnel are thus only entitled to process Customer Data in the performance of the Commercial Contract, including this DPA.
  2. The Processor warrants that the Processor's personnel and any other sub-processor and the personnel of such other data processor who are authorized to process Customer Data under this Data Processing Agreement will be subject to the duty of confidentiality as regards to Customer Data which may come to their knowledge in connection with the performance of the Contract.

§13 Return and deletion of the Customer Data upon cancellation and termination

Subject to the Term and Termination Clause of the Agreement, or upon written instruction by the Company and pursuant to the relevant provisions of statutory law and regulations, the Processor shall facilitate the correction, deletion and blocking of Customer Data processed on behalf of the Company until these Customer Data are ultimately deleted in accordance to the Agreement.

§14 Duration

  1. The Data Processing Agreement shall enter into force upon signature thereof and shall remain in force for as long as the Processor processes on behalf of the Company, or until the Agreement expires/terminates, whichever is later.
  2. Upon expiration or termination of the Data Processing Agreement, regardless of the legal reasons for the termination, the Processor shall provide the necessary services to the Company in accordance with para. 3 of the DPA.

§15 Obligations to inform, mandatory written form, choice of law

  1. Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by outside parties while in Processor’s control, Processor shall notify Company of such action without undue delay. Processor shall, without undue delay, notify all pertinent parties in such action, that any data affected thereby is in Company’s sole property and area of responsibility, that data is at Company’s sole disposition, and that Company is the responsible body in the sense of the GDPR.
  2. No modification of this annex and/or any of its components – including, but not limited to, Processor’s representations and warranties, if any – shall be valid and binding unless made in writing, and furthermore only if such modification expressly states that such modification applies to the regulations of this DPA. The foregoing shall also apply to any waiver or modification of this mandatory written form.
  3. In case of any conflict, the data protection regulations of this DPA shall take precedence over the regulations of the Agreement. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
  4. The Applicable Law and Jurisdiction for this DPA is the same as the Agreement.

§16 Liability and damages

Liabilities and damages for this DPA is in the first instance what may be defined and as that set by a court of law and in the absence or agreement to exclude the first instance will be in accordance to the liability and damages set in the Agreement.

§17 Precedence

In the event of any discrepancy between the terms of this Data Processing Agreement and any other agreement between the Parties, whether in writing or oral, including the Commercial Contract, the requirements set forth in the Swiss Data Protection Act for Customer Data processed in Switzerland as enforced at the time and the EU General Data Protection Regulation for all other jurisdictions shall determine the requirements for precedence.

§18 Counterparts and Electronic Signatures

The Data Processing Agreement shall be signed in two original copies, of which the Parties shall each receive one. This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Photographic, electronic PDF, and facsimile copies of such signed counterparts may be used in lieu of the originals for any purpose. The authorized signatures below may be electronic signatures in conformity with local legal practice.

Processor Controller

Rentouch GmbH Company:

Name: Name:

Title: Title:

Place and Date: Place and Date:

Rentouch GmbH: Company:

Name: Name:

Title: Title:

Place and Date: Place and Date:

December 1st, 2022


Description of the Transfer and Processing

  1. Catalog of Personal Data to be transferred and Processed:
  • Names
  • Email addresses
  • IP addresses
  • Cookies
  • Statistical data (meta data)

  1. Purpose(s) of the transfer and processing:
  • Providing the services as described in the Master Subscription Agreement
  • Improving the product.

  1. Categories of Persons Affected:
  • Employees
  • Contractors
  • Partners

Always in case you provided access to the service

  1. Persons who may access or receive the Personal Data:

Rentouch employees and described sub-contractors, sub-processors

Note: sub-contractors OR sub-processors are not equal or the same as third party companies, as described under This DPA is applicable to sub-contractors and sub-processors only.

5. Additional useful information (Any agreed definitions may be stated here):

6. Contact Information for Data Protection Inquiries (Data Protection Officer):

For Rentouch:

Data Protection Officer

For Company:





Email address:


December 1st, 2022


Technical and Organizational Measures implemented by the Processor

Documentation of the technical and organizational measures to be implemented by

the processor for the proper fulfillment of the service provided (Art. 32 GDPR).

Note: The processor is allowed to update the technical and organizational measures to the

state of the art, without reducing the data protection level.

Description of the measures to ensure a level of security appropriate to the risk,

including inter alia as appropriate:

  1. Measures for pseudonymisation and encryption of personal data

    With the current service and product offerings, as we do not process any data outside of the product platform limited to data storage, we do use pseudonymisation in logs and other parts of the system to minimize the risk of leaking PII. We do encrypt data, including Personal Data where available. Our DB hosted in our VPC in all our Data Centers are encrypted. In practice, only encrypted links are used as Transfer channels.

  2. Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services:

We have implemented a number of measures to safeguard the confidentiality, integrity, availability and resilience of the service offering, as listed below:

a. An Information Security Management System (ISMS) in accordance to ISO 27001:2022 Control Objectives.

b. Embedded Governance structure for Operational Risk Management. This includes a comprehensive Operational Risk Management process, including Risk Inventory.

c. Use of two factor authentication for all employees.

d. Secure workplace solution accordingly with notebooks that are encrypted..

e. All Data Center partners hold ISO 27001 Certification among other requirements.

f. Protection of the VPC (Virtual Private Cloud) environment with a segregated security architecture including border firewalls controlled fully by Rentouch employees.

g. Limited access to the production environment for authorized Rentouch employees based on the Rentouch Information Security Policy.

h. No permanent access to the production environment, other than individuals defined in above.

i. Governance of authorization for access based on “Need to Do---Need to Access” Principle.

j. Control Process for access to the production environment by defined site reliability engineers.

k. Separation of access for Production, Staging and Development environment.

l. Provisioning of Dashboard functionalities for complete onsite user management by the Data Controller.

m. Provisioning of direct interface to SSO for management of authorized users for access.

n. Use of the push principle when utilizing any 3rd party service (they cannot initiate data pull).

o. Defined 3rd Party Assessment Policy

p. Defined and controlled Change Management Process based on Submitter / Reviewer / Approver & Implementer.

q. Encrypted communication based on TLS 1.2.

r. Adequate Logging of access to Rentouch Production environment

s. Defined controlling measures by Risk and Compliance

t. Continuous training and awareness seminars for all Rentouch employees, part time/full time/contractors based on our policies.

u. Use of High Resilience offered Backup and Data Recovery solution

v. Online monitoring of service availability and subscription is available to the Controller (

w. Contractually binding service availability commitment for 99.5%

3. Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. 

Rentouch as a company performs scenario based Business Continuity and Disaster Recovery Tests, as defined in the BCP / DR Policy for Rentouch.

4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing: Risk Management Governance structure with the following scope:

a. A formal Risk Assessment, and network penetration tests, will be performed at least annually and shall take into consideration the results of any technical vulnerability management activities performed in accordance with the Operations Security Policy.

b. Maintaining a Risk Profile by entering all identified operational Risks in our Risk Inventory, see 2. B.

c. Annual Penetration Testing by an External Company

d. On demand Penetration Testing by Customers

e. Continuous Security Vulnerability Scanning of the code base

f. Testing and Quality Assurance incorporated in the Change Management process

g. Annual Third-Party Risk Assessment as applicable according to Rentouch Third-Party Management Policy.

h. Defined Security Incident Management Policy

i. Defined Security Incident Notification Policy and Process according to General Data Protection Regulations framework outlined in Art.s 33, 34.

j. Performance of internal assessments according to ISO 27001 Control Objectives by a Certified ISO 27001 Internal Auditor.

5. Our Vulnerability Management Program and respectively Policy consists of the following:

  • Daily (upon code change) code base scanning using Security Scanner
  • A Risk Management process to manage the Vulnerability found, assigned, etc.

December 1st, 2022