Skip to main content

Data Processing Agreement

Last updated on November 15, 2023

Within the scope of the Framework Agreement, the Processor (CAOS Ltd., also ZITADEL) processes Personal Data on behalf of the Customer (Responsible Party), collectively the "Parties".

This Annex to the Agreement governs the Parties' data protection obligations in addition to the provisions of the Agreement.

Subject matter, duration, nature and purpose of the processing as well as the type of personal data and categories of data subjects​

This annex reflects the commitment of both parties to abide by the applicable data protection laws for the processing of Personal Data for the purpose of Processor's execution of the Framework Agreement.

The duration of the Processing shall correspond to the duration of the Agreement, unless otherwise provided for in this Annex or unless individual provisions obviously result in obligations going beyond this.

In particular, the following Personal Data are part of the processing:

Type of personal dataExamplesAffected data subjects
Basic data
  • Family and given name
  • Email addresses
  • User name
All users
Login data
  • Randomly generated ID
  • Password
  • Public keys / certificates ("FIDO2", "U2F", "x509", ...)
  • User names or identifiers of external login providers
  • Phone number(s)

All users

Password: Users who use authentication methods with password.

Public Keys: Users who use an authentication procedure with cryptographic keys.

External login provider identifiers: Users who use an external login provider.

Phone number: Users who use authentication methods with SMS

Profile data
  • Profile pictures
  • Gender
  • Language
  • Nickname
  • Display name
  • Phone number(s)
Users who voluntarily add profile data
Communication data
  • Emails
  • Chats
  • Call metadata
Customers and users who communicate with us directly (e.g. support)
Payment data
  • Billing address
  • Payment information
  • Customer number
  • Customer history
  • Credit rating information

Customers who use services that require payment

Credit rating information: Only customers who pay by invoice

Usage meta data
  • User agent
  • IP addresses
  • Operating system
  • Time and date
  • URL
  • Referrer URL
  • Accept Language
All users

Scope and responsibility​

Under this Agreement, the Processor shall process Personal Data on behalf of the Customer.

This Annex applies to all processing of Customer's data (including data of the users of Customer's organization) with reference to persons ("Personal Data") which is related to the Agreement and which is carried out by the Processor, its employees or agents.

The Customer shall be responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Processor as well as for the lawfulness of the data processing.

The Processor is responsible for taking appropriate technical and organizational protection measures so that its processing complies with the legal requirements and ensures the protection of the rights of the Data Subjects.

Obligations of the processor​

Bound by directions​

The Processor processes personal data in accordance with its privacy policy (cf. Privacy Policy) and on the documented directions of the Customer. The initial direction result from the Agreement. Subsequent instructions shall be given either in writing, whereby e-mail shall suffice, or orally with immediate written confirmation.

If the Processor is of the opinion that a direction of the Customer violates the Agreement, the GDPR or other data protection provisions of the EU, EU Member States or Switzerland, it shall inform the Customer thereof and shall be entitled to suspend the Processing until the instruction is withdrawn or confirmed.

Obligation of the processing persons to confidentiality​

The Processor shall ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality.

Technical and organizational measures​

The Processor has taken appropriate technical and organizational security measures, maintains them for the duration of the Processing and updates them on an ongoing basis in accordance with the current state of technology.

The technical and organizational security measures are described in more detail in the annex to this appendix.

Involvement of subcontracted processors​

A current and complete list of involved and approved sub-processors can be found in our legal section.

The Processor is entitled to involve additional sub-processors. In this case, the Processor shall inform the Responsible Party about any intended change regarding sub-processors and update the list of involved an approved sub-processors. The Customer has the right to object to such changes. If the Parties are unable to reach a mutual agreement within 30 days of receipt of the objection by the Processor, the Customer may terminate the Agreement extraordinarily.

The Processor obligates itself to impose on all sub-processors, by means of a contract (or in another appropriate manner), the same data protection obligations as are imposed on it by this Annex. In particular, sufficient guarantees shall be provided that the appropriate technical and organizational measures are implemented in such a way that the processing by the sub-processor is carried out in accordance with the legal requirements.

Our websites and services may involve processing by third-party sub-processors with country of registration outside of Switzerland or the EU/EAA. In these cases, we only transfer personal data after we have implemented the legally required measures for this, such as concluding standard contractual clauses on data protection or obtaining the consent of the data subjects. If interested, the documentation on these measures can be obtained from the contact person mentioned above. The country of registration of a sub-processor may be different from the hosting location of the data. Please refer to the list of involved and approved sub-processors for more details.

If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the customer for this as for its own conduct.

Assistance in responding to requests​

The Processor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise the data subject's rights ("Data Subject Request"). The Processor will promptly notify the Customer if it receives a Data Subject Request. The Processor will not respond to a Data Subject Request, provided that the Customer agrees the Processor may at its discretion respond to confirm that such request relates to the Customer. The Customer acknowledges and agrees that the Services include features which will allow the Customer to manage Data Subject Requests directly through the Services without additional assistance from the Processor. If the Customer does not have the ability to address a Data Subject Request, the Processor will, upon the Customer’s written request, provide reasonable assistance to facilitate the Customer’s response to the Data Subject Request to the extent such assistance is consistent with applicable law; provided that the Customer will be responsible for paying for any costs incurred or fees charged by the Processor for providing such assistance.

The Processor, unless prohibited from doing so by applicable law, will promptly notify the Customer of any requests from a regulator or any other authority in relation to Personal Data that is being processed on behalf of the Customer, given that request resulted in disclosure of Personal Data to the regulator or any other authority.

Further support for the customer​

The Processor shall, taking into account the nature of the processing and the information available to it, assist the Customer in complying with its obligations in connection with the security of the processing, any notifications of Security Incidents, and any data protection impact assessments.

Security incidents​

The Processor will notify the Customer of any incident, meaning breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data covered under this (*Security Incident") without undue delay, and will promptly provide the Customer with all reasonable information concerning the Security Incident insofar as it affects the Customer. If possible, the Processor will promptly implement measures proposed in the notification. Insofar required the Processor will assist the Customer in notifying any applicable regulatory authority.

Deletion or destruction after termination​

Upon Customer's request, the Processor shall delete personal data received after the end of the agreement, unless there is a legal obligation for the Processor to store or further process such data.

Information and control rights of the customer​

The Processor shall provide the Customer with all information necessary to demonstrate compliance with the obligations set forth in this annex or to respond to requests from an applicable supervisory authority, subject to the confidentiality terms in the Framework Agreement. The Processor shall enable and contribute to audits, including inspections, carried out by the Customer or an auditor appointed by the Customer.

The procedure to be followed in the event of directions that are presumed to be unlawful is governed by the section Bound by directions of this Appendix.

Annex regarding security measures​

The Processor has taken the following organizational and technical security measures to ensure a level of protection of the Personal Data processed that is appropriate to the risk:

Pseudonymization / Encryption​

The following measures for pseudonymization and encryption exist:

  1. All communication is encrypted with TLS >1.2 with PFS
  2. Critical data is exclusively stored in encrypted form
  3. Storage media that store customer data are always encrypted
  4. Passwords are irreversibly stored with a hash function
  5. Data for web analytics are pseudonymized and do not contain any personal data

Ensuring certain properties of the systems and services​


The following confidentiality measures exist:

  1. Information security policies
  2. Authentication policies
  3. Vendor management policies
  4. Technical measures in this annex


The following integrity measures exist:

  1. Code and container images are automatically checked for vulnerabilities
  2. An automated system is used to keep dependencies up to date
  3. Secrets are automatically rotated whenever possible and are short-lived (for example, signing keys)
  4. Changes to code or infrastructure require mandatory review by at least one other employee


The following measures of availability exist:

  1. Operation of the systems in combination with a CDN/DDoS mitigation service
  2. High availability operation
  3. Geo-redundant operation over at least two data centers

Load capacity​

The following measures of availability exist:

  1. Automatic scaling of resources
  2. Monitoring, logging, tracing and alerting

Restoring availability and access​

The following measures exist to restore availability and access:

  1. Implementation of a backup concept
  2. Emergency plan
  3. Testing of the emergency plan

Regular review, assessment and evaluation of effectiveness​

The following measures exist for regular review, assessment and evaluation of effectiveness:

  1. At least annual audit and evaluation of processes within the framework of an information security management system
  2. Responsible Disclosure and Bug Bounty policies
  3. External audit of system security ("penetration testing")