SciFork Insight – Data Processing Agreement (DPA)
Last updated: 18.03.2026
Preamble / Background
This Data Processing Agreement ("DPA") is an addendum to, and incorporated by reference into, the SciFork Insight Terms of Service. It forms a binding contract between the business client ("Data Controller") and SciFork SARL ("Data Processor"). This DPA ensures that the processing of personal data by SciFork on behalf of the Controller complies with the requirements of applicable data protection laws.
1. Definitions
- "Applicable Data Protection Law" refers to the revised Swiss Federal Act on Data Protection (nFADP) effective September 1, 2023, and the EU General Data Protection Regulation (GDPR).
- "Personal Data" means any information relating to an identified or identifiable natural person contained within the documents uploaded by the Controller to the Service.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
2. Roles and Scope of Processing
- Roles: The client is the Data Controller, and SciFork SARL is the Data Processor.
- Nature and Purpose of Processing: SciFork processes Personal Data solely to provide the SciFork Insight AI-assisted document retrieval service, specifically by indexing uploaded PDFs and generating grounded AI responses based on the Controller's queries.
- Types of Data and Subjects: The personal data processed is determined and controlled by the Data Controller based on the documents they choose to upload. Data subjects may include employees, clients, or other individuals whose personal data appears in those uploaded documents.
- Retention Period: Data is processed for the duration of the Controller's active subscription to the Service and deleted in accordance with Section 3.
3. Obligations of the Data Processor (SciFork SARL)
SciFork agrees to:
- Process Personal Data only on the documented instructions of the Controller (which includes providing the Service as outlined in the Terms of Service).
- Unlawful Instructions: Immediately inform the Controller if, in SciFork's opinion, an instruction infringes Applicable Data Protection Law.
- Ensure that all personnel authorized to process Personal Data are bound by strict obligations of confidentiality.
- Assist the Controller, through technical and organizational measures, in fulfilling their obligation to respond to Data Subject Requests (e.g., access, rectification, or deletion of data).
- At the choice of the Controller, delete or return all Personal Data (e.g., in PDF or JSON format) within thirty (30) days following the termination of the Service or the deletion of the Controller's account, unless further storage is required by applicable law. Upon completion of deletion, SciFork will provide written confirmation (a deletion certificate) to the Controller upon request.
- Retain encrypted backups of deleted data for a maximum of sixty (60) additional days strictly for system stability and disaster recovery before permanent destruction.
4. Sub-processors and Artificial Intelligence
The Controller grants SciFork general authorization to engage Sub-processors to deliver the Service.
- Current Sub-processors: The Controller explicitly acknowledges and agrees to the use of third-party cloud infrastructure and artificial intelligence providers for data hosting, indexing, and machine learning processing. A current list of authorized Sub-processors is available at scifork.com/insight/legal/subprocessors.
- Zero Training Policy: SciFork ensures that contracts with AI Sub-processors explicitly prohibit the use of the Controller's Personal Data to train public, foundational, or shared AI models.
- Notification and Objection: SciFork will notify the Controller at least thirty (30) days prior to any intended changes concerning the addition or replacement of Sub-processors. If the Controller formally objects to a new Sub-processor on reasonable data protection grounds within this 30-day period, and SciFork cannot accommodate the objection, the Controller may terminate the affected portion of the Service (or their subscription) with written notice, without penalty.
5. Data Transfers and Residency
SciFork ensures that the storage and processing of Personal Data (including artificial intelligence generation and processing) occurs strictly within the European Economic Area (EEA) and/or Switzerland. Any transfer outside these regions will only occur subject to appropriate legal safeguards, such as Standard Contractual Clauses (SCCs).
6. Security Measures (TOMs)
SciFork implements robust Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS/HTTPS) and at rest.
- Strict logical access controls using metadata filtering to ensure the Controller's data is isolated and cannot be queried or accessed by other tenants on the platform.
- Regular security testing and monitoring of system logs.
Detailed security architecture documentation and a comprehensive TOMs overview are available to enterprise clients upon request.
7. Personal Data Breach Notification
In the event of a confirmed Personal Data breach affecting the Controller's data, SciFork will notify the Controller without undue delay, and where feasible, not later than seventy-two (72) hours after becoming aware of it. SciFork will provide reasonable assistance to help the Controller meet their breach notification obligations under Applicable Data Protection Law.
8. Obligations of the Data Controller
The Data Controller warrants and agrees that:
- They have a lawful basis under Applicable Data Protection Law to collect, process, and transfer the Personal Data uploaded to the Service.
- They are solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which they acquired it.
- Their instructions to SciFork will always comply with Applicable Data Protection Law.
9. Audit Rights
SciFork shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law. SciFork will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Such audits must be requested with at least thirty (30) days' advance written notice, conducted during normal business hours, limited to once per calendar year (unless a material breach has occurred), and subject to strict confidentiality obligations. The Controller shall bear all costs associated with the audit unless the audit reveals a material breach of this DPA by SciFork.
10. Term and Termination
This DPA shall remain in full force and effect for as long as SciFork processes Personal Data on behalf of the Controller under the Terms of Service. Upon termination of the Terms of Service, this DPA will automatically terminate, subject to the data deletion and survival provisions outlined herein.
11. Governing Law and Jurisdiction
Before initiating formal proceedings, the parties agree to attempt to resolve any dispute informally for a period of thirty (30) days. This DPA shall be governed by and construed in accordance with the substantive laws of Switzerland. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the competent courts of the Canton of Geneva, Switzerland.
Execution and Signature
This DPA is automatically incorporated by reference into the Terms of Service for all applicable business users. However, for enterprise clients requiring a formally executed copy for their compliance records, please complete and sign the block below and return a copy to legal@scifork.com.
For the Data Processor (SciFork SARL):
Name: ___________________________
Title: ____________________________
Signature: ________________________
Date: ____________________________

For the Data Controller (Client):
Company Name: ___________________
Signatory Name: ___________________
Title: ____________________________
Signature: ________________________
Date: ____________________________