Data Processing Addendum.

In effect
Effective: April 23, 2026
Version: v2.0
Region: EU · UK · CH · US
In plain English

The contract that governs how to11 handles personal data on your behalf as a Processor — incorporated into your Main Agreement. Covers GDPR, UK GDPR, Swiss revFADP, and US state privacy laws, with EU SCCs / UK Addendum / Swiss Addendum attached as Schedule 3.

Preamble

Vendor / Processor
to11 Inc. (“to11”)
Customer / Controller
The customer identified in the Main Agreement (“Customer”)
Effective date
The effective date of the Main Agreement, or if separately signed, the date last signed by the Parties.

This Data Processing Addendum (“DPA”) forms part of and is subject to the Master Services Agreement or such other agreement entered into (including online terms and conditions) between the Parties (“Main Agreement”) under which to11 provides services (“to11 Services”) to Customer. Customer and to11 are collectively referred to as the “Parties” and each a “Party”. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Main Agreement.

Definitions

1.1. “Affiliates” has the same meaning set forth in the Main Agreement.

1.2. “Authorized Affiliates” means Customer Affiliates that have entered into service orders or statements of work under the Main Agreement, or to which Customer has granted a sublicense to the to11 Services. The rights and obligations of Customer under this DPA extend to Authorized Affiliates solely to the extent they are receiving the to11 Services, and Customer remains primarily liable for their compliance with this DPA.

1.3. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”), together with its implementing regulations and any successor or replacement legislation.

1.4. “Customer Data” has the same meaning set forth in the Main Agreement.

1.5. “Customer Personal Data” means the Personal Data contained within Customer Data.

1.6. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

1.7. “Data Protection Laws” means all data protection and privacy laws applicable to the respective Party in its role in the Processing of Personal Data under the Main Agreement, including without limitation, European Data Protection Laws and US Data Protection Laws.

1.8. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

1.9. “European Data Protection Laws” means, to the extent applicable: (i) Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”); (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection of 25 September 2020 (the “revFADP”) together with the Swiss Data Protection Ordinance of 31 August 2022, as amended; and (iv) any implementing, supplementing, or successor legislation to those laws and regulations.

1.10. “Personal Data” means any information relating to an identified or identifiable natural person, including pseudonymized data where re-identification is reasonably possible, and includes similarly defined terms in Data Protection Laws, including “personal data” under GDPR and “personal information” under the CCPA.

1.11. “Standard Contractual Clauses” means, as applicable: (i) “EU SCCs” — the standard contractual clauses approved pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021; (ii) “UK Addendum” — the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119A of the UK Data Protection Act 2018; and/or (iii) “Swiss Addendum” — the EU SCCs as modified in Schedule 3 to address the revFADP.

1.12. “Sub-processor” means any other Processor engaged by to11 to Process Customer Personal Data.

1.13. “US Data Protection Laws” means, to the extent applicable, federal and state laws in the United States relating to data protection, privacy, and/or the Processing of Personal Data, including the CCPA/CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, the Delaware Personal Data Privacy Act, and any successor or equivalent state or federal privacy legislation in force from time to time.

1.14. The terms “Controller”, “Processor” and “Processing” (including Process, Processed, and Processes) shall have the meanings given to them in Data Protection Laws. Where Data Protection Laws do not define such terms, the definitions given in European Data Protection Laws will apply.

Scope of application

2.1. Except as provided by this DPA, the Main Agreement remains unchanged and in full force and effect. The Standard Contractual Clauses, where applicable, prevail over this DPA to the extent of any discrepancy.

2.2. This DPA becomes effective on the effective date of the Main Agreement or, if separately signed, the date last signed by the Parties below (“Effective Date”) and remains in effect for as long as to11 Processes Customer Personal Data pursuant to the Main Agreement.

Roles of the Parties

3.1. For the purposes of the GDPR, to11 acts as a Processor on behalf of Customer, who acts as either (i) a Controller or (ii) a Processor on behalf of another Controller.

3.2. For the purposes of US Data Protection Laws, to11 acts as a “service provider” or “processor” (as defined under such laws) in performing its obligations under the Main Agreement and this DPA.

3.3. As between the Parties, Customer is and remains the owner of Customer Personal Data and the holder of all rights relating to Customer Personal Data.

3.4. AI / machine-learning carve-out. to11 shall not use Customer Personal Data to train, develop, fine-tune, evaluate, or improve any artificial intelligence or machine-learning model (i) for the benefit of any third party or (ii) for any purpose not expressly authorized in writing by Customer. Any model training performed to improve the to11 Services for Customer’s own benefit will be conducted on de-identified or aggregated data except as otherwise agreed in writing.

Processing on Customer’s instructions

4.1. Each Party will comply with its respective obligations under Data Protection Laws. to11 shall Process Customer Personal Data solely on behalf of Customer and on Customer’s documented instructions as set forth in the Main Agreement and this DPA. Any additional instructions require prior written agreement of the Parties. to11 shall promptly notify Customer if it determines that an instruction infringes Data Protection Laws. Without limiting the foregoing, to11 is prohibited from:

  4.1.1. selling Customer Personal Data or otherwise making it available to any third party for monetary or other valuable consideration;
  4.1.2. sharing Customer Personal Data with any third party for cross-context behavioral advertising;
  4.1.3. retaining, using, or disclosing Customer Personal Data for any purpose other than the business purposes specified in the Main Agreement or as otherwise permitted by Data Protection Laws; and
  4.1.4. combining Customer Personal Data with Personal Data received from or on behalf of any other person, or collected from to11’s own interaction with the Data Subject, except as reasonably necessary to provide the to11 Services to Customer or as permitted by Data Protection Laws.

4.2. to11 must notify Customer without undue delay if it determines it can no longer meet its obligations under Data Protection Laws. Upon such notice, Customer may direct to11 to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by suspending the relevant Processing operations and/or deleting all or the relevant portion of Customer Personal Data, or by such other means as agreed.

4.3. The details of the Processing under the Main Agreement and this DPA (subject matter, nature, duration, purpose, categories of Personal Data and Data Subjects, and processing locations) are set forth in the Main Agreement and/or Schedule 1.

Customer obligations

5.1. Customer is responsible for obtaining all necessary consents, permissions, and rights required under Data Protection Laws for to11 to lawfully Process Customer Personal Data in providing the to11 Services.

5.2. Customer shall not issue Processing instructions that would cause to11 to Process Customer Personal Data in violation of Data Protection Laws.

5.3. to11 shall have no obligation to assess the contents or accuracy of Customer Personal Data.

Security of Processing

6.1. to11 implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the varying likelihood and severity of risk to the rights and freedoms of Data Subjects.

6.2. Such technical and organizational measures are specified in Schedule 2 and/or in the Main Agreement. to11 will maintain those (or materially equivalent) measures during the term of the Main Agreement and will not materially reduce the overall level of security of the to11 Services.

6.3. to11 shall ensure that any person authorized to Process Customer Personal Data is subject to an appropriate obligation of confidentiality (whether contractual or statutory) and receives periodic data-protection and security awareness training appropriate to their role.

Sub-processors

7.1. Customer provides to11 with a general written authorization to appoint Sub-processors in accordance with this section.

7.2. to11 may continue using those Sub-processors already engaged as of the Effective Date and listed at to11.ai/legal/subprocessors (“Sub-processor Site”), subject to to11 meeting the obligations in this section. The Sub-processor Site discloses each Sub-processor’s name, function, and processing location.

7.3. to11 will notify Customer at least thirty (30) days before engaging a new Sub-processor, either by email to the address set forth in Customer’s account registration or Service Order or by updating the Sub-processor Site and providing a subscription mechanism for notifications. Customer may object on reasonable grounds within thirty (30) days of such notice. If Customer does not object within this period, Customer is deemed to have consented. Where a reasonable basis for objection exists and an amicable resolution fails, Customer’s sole and exclusive remedy is to terminate by written notice the affected portion of the Service Order that cannot be provided without the new Sub-processor. to11 will refund any prepaid unused fees on a pro-rata basis.

7.4. to11 (i) remains liable under this DPA for the acts and omissions of its Sub-processors to the same extent to11 would be liable if performing the services directly, and (ii) will enter into written agreements with Sub-processors containing data-protection obligations no less protective than this DPA, including the Standard Contractual Clauses to the extent applicable.

Data Subject requests

8.1. Full-scope assistance. Taking into account the nature of the Processing, to11 shall assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to requests by Data Subjects to exercise their rights under Data Protection Laws, including the rights of access, rectification, restriction, erasure, data portability, objection, withdrawal of consent, and the right not to be subject to solely-automated decision-making (collectively, “Data Subject Request(s)”).

8.2. If a Data Subject contacts to11 directly to exercise such rights and is identifiable as originating from Customer, to11 will not respond substantively (other than to acknowledge receipt or redirect the Data Subject) but will forward the request to Customer without undue delay.

8.3. Where a Data Subject has a right to data portability with respect to Customer Personal Data, to11 will ensure Customer can obtain such data in a structured, commonly used, and machine-readable format.

Data Breach

9.1. Expanded breach notification. If to11 becomes aware of a Data Breach, it will notify Customer without undue delay and in any event within seventy-two (72) hours, to facilitate compliance with Data Protection Laws (including GDPR Article 33(1)). Each such notification shall include, to the extent known and tracking GDPR Article 33(3):

  • (a) the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and data records concerned;
  • (b) the likely consequences of the Data Breach;
  • (c) the measures taken or proposed by to11 to address the Data Breach and mitigate its possible adverse effects; and
  • (d) the name and contact details of to11’s designated point of contact for further information.

9.2. to11 will, without undue delay, take all necessary and reasonable measures to mitigate or contain the Data Breach, keep Customer reasonably informed of developments, and provide further information as it becomes available.

9.3. to11’s notification of, or response to, a Data Breach under this Section 9 is not an acknowledgement by to11 of any fault or liability with respect to the Data Breach.

Return & deletion

10.1. Return-or-delete election (Art. 28(3)(g) GDPR). Upon termination or expiration of the Main Agreement, Customer may, within thirty (30) days, elect in writing either:

  • (a) the return of all Customer Personal Data in a structured, commonly used, and machine-readable format; or
  • (b) the deletion (such that it cannot be recovered or reconstructed) of all Customer Personal Data within to11’s possession or control.

If Customer does not make such an election within the thirty (30) day period, to11 will delete all Customer Personal Data in accordance with clause (b).

10.2. to11 may retain Customer Personal Data after termination only to the extent and for such period as required by Data Protection Laws or to11’s standard back-up retention cycles. Any retained Customer Personal Data remains subject to the terms of this DPA and will be Processed only as necessary for the purposes requiring its retention and thereafter deleted.

Cross-border data transfers

11.1. If any transfer of Customer Personal Data from Customer to to11 requires execution of the Standard Contractual Clauses or another approved transfer mechanism to comply with European Data Protection Laws (where Customer is the Data Exporter), the terms of Schedule 3 apply.

11.2. EU-US Data Privacy Framework. Where to11 is certified under the EU-US Data Privacy Framework (“DPF”), the UK Extension to the DPF, and/or the Swiss-US Data Privacy Framework, the Parties may agree in writing that such certification serves as the primary lawful transfer mechanism for transfers within the scope of the applicable framework. In that case, the relevant Standard Contractual Clauses in Schedule 3 remain in force as a fallback mechanism and automatically apply if the certification is invalidated, suspended, or withdrawn, or ceases to provide an adequate basis for transfer.

11.3. Government-access commitments (Schrems II). Recognizing the principles established by the Court of Justice of the European Union in Case C-311/18 (Schrems II):

  • (a) to11 shall, prior to providing Customer Personal Data in response to a legally binding request from a public authority, carefully review the legality of such request, and challenge any request that appears excessive, overbroad, or unlawful, using all reasonable legal remedies available;
  • (b) to11 shall, to the extent legally permitted, promptly notify Customer of any such request and provide reasonable assistance in enabling Customer to respond;
  • (c) to11 shall limit any disclosure to the minimum information necessary; and
  • (d) to11 shall, no less than annually, publish or make available to Customer under confidentiality a summary of the aggregate number and type of government-access requests received that concerned Customer Personal Data (or confirm that none were received).

Audit

12.1. To the extent the Main Agreement does not otherwise grant the information and audit rights required by Data Protection Laws (including GDPR Article 28(3)(h)), to11 will upon reasonable request make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by Customer or an auditor designated by Customer.

12.2. Reports-in-lieu. Customer acknowledges that to11 maintains third-party certifications and/or independent audit reports (such as SOC 2 Type II and/or ISO/IEC 27001, where applicable) and agrees that to11 may satisfy Customer’s audit rights under Section 12.1 by providing, under appropriate confidentiality obligations, copies of such current certifications or audit reports. Customer will accept such reports in lieu of conducting an on-site audit unless: (i) to11 does not hold a relevant current certification/report; (ii) the reports do not cover the Processing activities or systems relevant to the audit; (iii) Data Protection Laws or a competent supervisory authority require otherwise; or (iv) Customer reasonably considers an on-site audit necessary because of documented material concerns as to to11’s compliance.

12.3. Customer will take all reasonable endeavors to minimize disruption to to11’s business in connection with any audit. The audit and any information arising therefrom shall be treated as to11’s Confidential Information and may only be shared with a third party with to11’s prior written agreement, except as required by Data Protection Laws or a supervisory authority.

12.4. Unless otherwise agreed, Customer will not carry out more than one on-site audit per year of the Main Agreement term unless: (i) Customer reasonably considers it necessary because of genuine, documented concerns as to to11’s compliance with this DPA or Data Protection Laws; (ii) Customer is required to carry out an audit by Data Protection Laws or a supervisory authority; or (iii) an earlier audit has identified non-conformity. Customer will provide at least thirty (30) days’ prior written notice of any on-site audit, and the Parties will cooperate in good faith to agree on the scope, duration, timing, and allocation of reasonable costs.

12.5. Nothing herein limits any rights mandated by law, including supervisory authority and Data Subject rights, or rights under the Standard Contractual Clauses.

Cooperation obligations

13.1. If Customer is required to provide information to, or otherwise cooperate with, a supervisory or public authority regarding the Processing of Customer Personal Data, to11 will support Customer by providing reasonably available information and otherwise cooperating, including regarding the technical and organizational measures taken in line with GDPR Article 32.

13.2. DPIA cooperation. Taking into account the nature of the Processing and the information available to to11, to11 will provide reasonable assistance to Customer in connection with data protection impact assessments and prior consultations with supervisory authorities as required by GDPR Articles 35 and 36 (and equivalent provisions of other Data Protection Laws).

Relationship to Main Agreement

14.1. This DPA replaces and supersedes any existing data processing addendum, attachment, exhibit, or standard contractual clauses that to11 and Customer may have previously entered into in connection with the to11 Services. This DPA is subject to the governing-law and jurisdiction provisions of the Main Agreement, unless and to the extent Data Protection Laws require otherwise.

14.2. Each Party’s and its Affiliates’ liability arising out of or related to this DPA (including the Standard Contractual Clauses where applicable) is, in the aggregate, subject to the limitations and exclusions of liability set out in the Main Agreement.

Schedule 1 — Details of Processing

For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 1 serves as Annex I, Part B.

Categories of Customer Personal Data
Determined and controlled by Customer in its sole discretion, typically including: (i) authentication data (e.g., user name, password or PIN code, security questions, audit trail); (ii) contact information (e.g., addresses, email, phone numbers); and (iii) usage and configuration data associated with the to11 Services. No “special categories of personal data” as defined in GDPR Article 9 or similarly sensitive Personal Data are intentionally transferred, and Customer agrees not to submit such data except as expressly agreed in writing.
Categories of Data Subjects
Customer’s personnel, contractors, collaborators, and end users authorized to use the to11 Services, and any other individuals identified in communications with to11 support channels or workflows.
Duration of Processing
Duration of the Main Agreement, including this DPA, and as further described in Section 10.
Frequency of Processing
Continuous for the duration of the Main Agreement.
Nature of Processing
Any operation necessary for the performance of the Main Agreement and to comply with Customer’s Processing instructions, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, restriction, erasure, and deletion.
Purposes of Processing
Performance of the Main Agreement, provision of the to11 Services, and related support, security, and account-management services.
Processing Locations
United States (AWS us-east-1) and European Union (AWS eu-west-1). Detailed, up-to-date locations available on the Sub-processor Site.
Competent Supervisory Authority
The competent supervisory authority of the applicable Member State of Customer (the data exporter for purposes of Schedule 3).

Schedule 2 — Technical & Organizational Measures

to11 maintains the security measures described below (“Security Standards”) to protect the to11 Services and Customer Personal Data. During the Services Term, these Security Standards may evolve as additional controls are implemented or existing controls are modified as reasonably necessary by to11, provided the overall level of security of the to11 Services will not be materially reduced.

1. Governance and certifications. to11 maintains a written information security program aligned with industry-recognized frameworks including SOC 2 Type II and ISO/IEC 27001. Copies of current certifications or audit reports are available to Customer under appropriate confidentiality obligations in accordance with Section 12.2.

2. Access control. Role-based access control; principle of least privilege; individual user IDs; multi-factor authentication for administrative and remote access to systems handling Customer Personal Data; strong password or passkey requirements; logging and auditing of access; formal information-security change-control procedures. Access to Customer Personal Data is restricted to personnel who require it to perform their duties.

3. Encryption. Customer Personal Data is encrypted in transit using industry-standard protocols (at minimum TLS 1.2) and at rest using industry-standard algorithms (at minimum AES-256 or equivalent). Cryptographic keys are managed using a documented key-management process with restricted access.

4. Network and infrastructure security. Firewalls; intrusion detection/prevention systems; network segmentation between production and non-production environments; endpoint protection (including up-to-date anti-malware); hardening of server and container images; logging of security-relevant events.

5. Hosting and physical security. The to11 Services are hosted with reputable third-party providers maintaining commercially customary physical security and access controls, including 24×7 monitoring, visitor logging, environmental controls, redundant power, and fire suppression.

6. Secure software development. Secure SDLC including peer code review, static and/or dynamic analysis where practical, dependency scanning, pre-production testing, and separation of duties between development and production.

7. Vulnerability management. Regular vulnerability scanning; at least annual independent penetration testing; findings triaged and remediated within documented timelines based on severity. Summaries available to Customer upon reasonable request under confidentiality.

8. Business continuity and disaster recovery. A documented and periodically tested disaster-recovery plan providing system backup, technology replacement, and alternate recovery-site capabilities. Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets are documented internally and reviewed periodically.

9. Personnel security. Background checks on personnel where permitted by law; written confidentiality obligations for employees and contractors; periodic security and privacy awareness training; prompt deprovisioning of access upon termination or role change.

10. Incident response. A documented incident-response plan covering identification, containment, eradication, recovery, notification, and post-incident review, aligned with the breach-notification obligations in Section 9 and periodically tested (e.g., tabletop exercises).

11. Data retention and deletion. Customer Personal Data is retained only for as long as required by the Main Agreement or Data Protection Laws and is securely deleted in accordance with Section 10, including from back-ups within the documented back-up cycle.

12. Sub-processor oversight. Risk-based due diligence on Sub-processors; contractual obligations no less protective than those in this DPA (including Standard Contractual Clauses where applicable); ongoing monitoring of Sub-processor compliance.

Schedule 3 — Standard Contractual Clauses

EU SCCs · UK Addendum · Swiss Addendum — applicable to transfers from EEA / UK / Switzerland to to11 in non-adequate jurisdictions.

For data transfers by Customer from the European Economic Area, the United Kingdom, or Switzerland to to11 in a country that does not ensure an adequate level of protection within the meaning of Data Protection Laws, the EU SCCs, UK Addendum, and/or Swiss Addendum, as applicable, shall govern such transfers.

1. EU SCCs

The EU SCCs will apply to any Processing of Customer Personal Data subject to the GDPR, and any optional clauses not expressly selected are not incorporated. For purposes of the EU SCCs:

1.1. Module Two applies where Customer acts as a Controller; Module Three applies where Customer acts as a Processor.

1.2. Clause 7 (docking clause) applies.

1.3. Clause 9, Option 2 (general written authorization) applies; the prior-notice period for Sub-processor changes is as set forth in Section 7.

1.4. With regard to Clause 11, the optional independent-dispute-resolution language is not incorporated.

1.5. With regard to Clause 17 (governing law), Option 1 applies; governing law is the law identified in the Main Agreement provided such law is the law of an EU Member State that allows for third-party beneficiary rights; otherwise, the law of Ireland applies.

1.6. With regard to Clause 18 (choice of forum and jurisdiction), jurisdiction is as set forth in the Main Agreement, provided such jurisdiction is within an EU Member State; otherwise, the courts of Ireland.

1.7. For purposes of Annex I, Part A:

Data Exporter
Customer as listed in this DPA. Contact details: Customer’s account-owner email or the notice email specified in the Main Agreement.
Data Exporter Role
Controller for Module Two; Processor for Module Three.
Data Importer
to11 Inc. Contact: to11 Privacy Team — privacy@to11.ai.
Data Importer Role
Processor for Module Two; sub-processor for Module Three.
Signature & Date
By entering into this DPA, the Parties are deemed to have signed these Standard Contractual Clauses (including their Annexes) as of the Effective Date.

1.8. For purposes of Annex I, Part B, Schedule 1 of this DPA contains the specifications regarding the Processing and the competent supervisory authority.

1.9. For purposes of Annex II, Schedule 2 of this DPA contains the technical and organizational measures.

1.10. For purposes of Annex III, the list of Sub-processors is determined by Section 7 of this DPA and the Sub-processor Site. Sub-processors’ contact persons’ names, positions, and contact details will be provided by to11 upon reasonable written request.

2. UK Addendum

The UK Addendum applies to any Processing of Customer Personal Data subject to the UK GDPR or to both the UK GDPR and the GDPR. For purposes of the UK Addendum:

2.1. Table 1. The Parties are to11 and Customer, with contact details as set forth in this DPA.

2.2. Table 2. The Approved Standard Contractual Clauses are the EU SCCs as set forth in Section 1 of this Schedule 3.

2.3. Table 3.

  • Annex 1A: as set forth in Section 1.7 of this Schedule 3;
  • Annex 1B: as set forth in Schedule 1 of this DPA;
  • Annex II: as set forth in Schedule 2 of this DPA; and
  • Annex III: as set forth in Section 7 of this DPA.

2.4. Table 4. Either Party may terminate the UK Addendum in accordance with Section 19 of the UK Addendum if the Parties are unable to come to a mutual agreement after a good-faith effort to amend this DPA to account for changes arising from a revised Approved Addendum issued by the ICO.

2.5. Part 2 Mandatory Clauses. The Mandatory Clauses of the Approved Addendum (being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses) apply.

3. Swiss Addendum

For transfers of Customer Personal Data subject to the revFADP, the EU SCCs form part of this Swiss Addendum, with the following modifications to the extent required by the revFADP:

3.1. References to the GDPR in the EU SCCs are references to the revFADP to the extent the data transfers are subject exclusively to the revFADP and not to the GDPR.

3.2. References to the “European Union”, “Union”, “EU” and “EU Member State” are replaced with “Switzerland”.

3.3. The “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner (FDPIC) insofar as the transfers are governed by the revFADP.

3.4. During the transitional period in which the revFADP retains its broader scope, references to “personal data” in the EU SCCs also refer to data about identifiable legal entities to the extent required by the revFADP.

3.5. Clause 18 of the EU SCCs is replaced to read: “Any dispute arising from these Clauses relating exclusively to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence.”

Still have questions?

If you have questions, contact privacy@to11.ai. We aim to respond within two business days.
