Data Processing Addendum
Version 1.1 – June 29, 2026
This Data Processing Agreement, including its Annexes ("DPA"), forms part of the BidAtlas Subscription Terms & Conditions (available at https://bidatlas.ch/terms-of-service) or other agreement for the BidAtlas service between Neuralshape GmbH ("Neuralshape") and the customer ("Customer") (the "Agreement"), and governs the processing of Customer Personal Data (as defined below). It takes effect on the effective date of the Agreement, or, if executed separately, on the date of the last signature. In the event of any conflict between this DPA and the rest of the Agreement, this DPA prevails with respect to the processing of Customer Personal Data. Capitalised terms not defined here have the meaning given in the Agreement or in Applicable Data Protection Law.
1. Definitions
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including the Swiss Federal Act on Data Protection and its ordinance ("FADP"), the EU General Data Protection Regulation 2016/679 ("GDPR") together with the implementing laws of EU/EEA member states, and, where applicable, the UK GDPR and Data Protection Act 2018.
- "Controller", "Processor", "Data Subject", "Personal Data", "processing" and "personal data breach" have the meanings given in Applicable Data Protection Law. References to a Controller or Processor include, under the FADP, the equivalent roles of controller and processor.
- "Customer Personal Data" means Personal Data contained in Customer Data that Neuralshape processes on behalf of Customer in providing the Service. It does not include anonymised or aggregated data.
- "Data Subject Request" means a request by a Data Subject to exercise their rights under Applicable Data Protection Law.
- "Restricted Transfer" means a transfer of Customer Personal Data to a country that is not recognised, under the GDPR or the FADP as applicable, as providing an adequate level of data protection, where such transfer would be unlawful absent a transfer safeguard.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission (Implementing Decision (EU) 2021/914), together with the amendments and additional safeguards recognised by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") for transfers subject to the FADP, and, where the UK GDPR applies, the UK International Data Transfer Addendum.
- "Sub-processor" means any processor engaged by Neuralshape to process Customer Personal Data in providing the Service.
2. Roles of the parties
In respect of Customer Personal Data, Customer acts as the Controller and Neuralshape acts as the Processor. Where Customer is itself a processor acting on behalf of a third-party controller, Neuralshape acts as a Sub-processor, and Customer warrants that it is authorised to engage Neuralshape and to give the instructions set out in this DPA. Each party is responsible for complying with its own obligations under Applicable Data Protection Law. This DPA governs Customer Personal Data that Neuralshape processes as Processor; Neuralshape's processing of personal data for which it is itself the controller (such as account, billing and marketing data) is described in its Privacy Policy, available at https://bidatlas.ch/privacy-policy.
3. Scope of processing and instructions
3.1 Neuralshape shall process Customer Personal Data only on Customer's documented instructions — including as set out in the Agreement, this DPA (including Annex 1), and Customer's use and configuration of the Service — unless required to do otherwise by law, in which case Neuralshape will, where legally permitted, inform Customer first.
3.2 Customer is responsible for the accuracy, quality and legality of Customer Personal Data and for having a valid legal basis to provide it to Neuralshape and to permit the processing under this DPA. Customer's instructions must comply with Applicable Data Protection Law.
3.3 Neuralshape shall not (a) sell or "share" Customer Personal Data; (b) process it for any purpose other than providing the Service and meeting its obligations under the Agreement; (c) retain, use or disclose it outside the parties' relationship; or (d) combine it with personal data from other sources, except in each case as permitted by Applicable Data Protection Law. Consistent with the Agreement, Neuralshape does not use Customer Personal Data to train or fine-tune any AI or machine-learning model.
3.4 Neuralshape will inform Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Law, or if it can no longer meet its obligations under this DPA.
4. Confidentiality
Neuralshape shall ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality (contractual or statutory) and are granted access only to the extent necessary to perform their tasks.
5. Security
Neuralshape shall implement and maintain the technical and organisational measures set out in Annex 2, appropriate to the risk, to protect Customer Personal Data. Neuralshape may update these measures from time to time provided the overall level of security is not reduced.
6. Sub-processors
6.1 Customer provides general authorisation for Neuralshape to engage the Sub-processors listed in Annex 3 to process Customer Personal Data in providing the Service.
6.2 Neuralshape shall carry out reasonable due diligence on each Sub-processor, impose data-protection obligations on it that are no less protective than those in this DPA (by written agreement), and remain responsible for its Sub-processors' processing of Customer Personal Data.
6.3 Neuralshape shall give Customer at least thirty (30) days' notice before a new Sub-processor begins processing Customer Personal Data. Customer may object on reasonable data-protection grounds within that period; the parties will then work in good faith toward a resolution, and if none is found, Customer may terminate the affected part of the Service without penalty (without prejudice to fees already incurred).
7. Assistance to Customer
7.1 Data Subject Requests. Taking into account the nature of the processing, Neuralshape shall assist Customer by appropriate technical and organisational measures, insofar as possible, to respond to Data Subject Requests. Neuralshape shall forward to Customer, without undue delay, any Data Subject Request it receives relating to Customer Personal Data, and shall not respond to it directly except on Customer's instructions or as required by law.
7.2 Other assistance. Taking into account the nature of the processing and the information available to it, Neuralshape shall assist Customer in ensuring compliance with its obligations regarding security of processing, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
8. Personal data breach
Neuralshape shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification shall include the information reasonably available to Neuralshape, and Neuralshape shall provide reasonable cooperation and assistance to help Customer meet its own notification obligations to supervisory authorities and Data Subjects.
9. Audits and information
On Customer's written request, Neuralshape shall make available the information necessary to demonstrate compliance with this DPA, primarily in the form of third-party certifications, audit reports or completed industry-standard security questionnaires. Where these do not reasonably allow Customer to verify compliance, Customer (or an independent auditor bound by confidentiality, and not a competitor of Neuralshape) may conduct an audit, provided that it: (a) is on reasonable prior written notice and of mutually agreed scope and duration; (b) takes place no more than once per calendar year (or where required by a supervisory authority or following a breach); (c) is at Customer's cost; and (d) does not access other customers' data or compromise Neuralshape's security or confidentiality obligations.
10. International transfers
Neuralshape processes Customer Personal Data in Switzerland and, where applicable, the EU/EEA, and does not make Restricted Transfers of Customer Personal Data in providing the Service. Customer acknowledges that Switzerland benefits from an adequacy decision of the European Commission, so transfers of Customer Personal Data from the EEA to Switzerland are not Restricted Transfers. If a Restricted Transfer were nonetheless to occur, it shall be governed by the Standard Contractual Clauses (with the relevant modules and the Swiss/UK adaptations), which are deemed incorporated into this DPA, with the details in Annex 1 completing them; in case of conflict between the SCCs and this DPA, the SCCs prevail in respect of that transfer.
11. Return and deletion of Customer Personal Data
On termination or expiry of the Agreement, Neuralshape shall, in accordance with the Agreement, make Customer Personal Data available for export in a structured, machine-readable format for thirty (30) days, and shall delete Customer Personal Data within sixty (60) days, except to the extent retention is required by law. Neuralshape shall confirm deletion in writing on request. During the term, Neuralshape shall delete or return Customer Personal Data on Customer's reasonable request.
12. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, Neuralshape's liability for a personal-data breach affecting Customer Personal Data, to the extent caused by Neuralshape's failure to meet its obligations under this DPA, is subject to the Enhanced Cap set out in Section 11.1 of the Agreement.
13. Term
This DPA takes effect together with the Agreement and remains in force for as long as Neuralshape processes Customer Personal Data, after which the deletion and return obligations in Section 11 apply.
14. Governing law and jurisdiction
This DPA is governed by the same law, and subject to the same jurisdiction, as the Agreement (the substantive laws of Switzerland; courts at the registered seat of Neuralshape in Zug), without prejudice to the governing law and forum of the SCCs where they apply to a given transfer.
15. Contact
Questions about this DPA may be sent to Neuralshape GmbH, Dammstrasse 16, 6300 Zug, Switzerland, email legal@bidatlas.ch.
Annex 1 — Details of the Processing
A. Parties. Data exporter / Controller: the Customer identified in the Agreement, processing Customer Personal Data through the Service. Data importer / Processor: Neuralshape GmbH, Dammstrasse 16, 6300 Zug, Switzerland; contact legal@bidatlas.ch.
B. Subject matter. Neuralshape's provision of the BidAtlas service to Customer under the Agreement.
C. Duration. For the term of the Agreement, plus the return/deletion period in Section 11.
D. Nature and purpose. Hosting, storage, retrieval, indexing, generation, transmission and other processing of Customer Data as necessary to provide, secure, support and maintain the Service, including AI-assisted analysis and drafting for tender, bid and RFP/RFI workflows.
E. Categories of Data Subjects. Determined and controlled by Customer, and which may include Customer's personnel and Authorised Users, Customer's clients, prospects, suppliers and contractors, and other individuals whose personal data appears in the content Customer submits.
F. Categories of Personal Data. Determined and controlled by Customer, and which may include contact and identification data, professional and employment details, and any other personal data contained in the documents, knowledge-base content and inputs Customer submits, together with the corresponding outputs.
G. Special categories. The Service is not designed for special categories of personal data. Customer controls what it submits; any special-category data is protected by the measures in Annex 2. Customer should avoid submitting special-category data unless necessary.
H. Frequency. Continuous, for the duration of the Agreement.
I. Competent supervisory authority. For processing subject to the FADP, the Swiss FDPIC. For processing subject to the GDPR, the supervisory authority of the EU/EEA member state determined in accordance with the GDPR (and, where the UK GDPR applies, the UK Information Commissioner).
Annex 2 — Technical and Organisational Measures
| Measure | How Neuralshape implements it |
|---|---|
| Encryption | Customer Personal Data is encrypted in transit (HTTPS/TLS) and at rest with AES-256 across all storage services used by the Service (on Google Cloud and AWS). |
| Secrets management | Credentials and keys are held in a managed secret-management service, not in application code. |
| Access control & authentication | Least-privilege identity and access management scoped to dedicated project roles on AWS and Google Cloud; role-based access; access removed promptly on personnel changes. |
| Tenant isolation | Multi-tenant data is logically isolated and isolation is enforced at the application layer. AI-generated code runs in isolated, credential-less microservices. |
| Data residency | Customer Personal Data is stored and processed in Switzerland, across Google Cloud (europe-west6) and AWS (eu-central-2); AI inference is performed on AWS Bedrock in eu-central-2. Certain Service notifications to Authorised Users are generated and sent from Neuralshape's own Microsoft Azure environment within the EU/EEA (see Annex 3). Customer Personal Data is not transferred outside Switzerland or the EU/EEA in connection with the Service. |
| No model training | Customer Personal Data is not used to train or fine-tune AI/ML models; inference inputs are processed ephemerally and are not retained by, or shared for training with, model providers. |
| Logging & monitoring | Application and infrastructure events are logged centrally with retention of at least 30 days across services. |
| Availability & resilience | Infrastructure is deployed across multiple availability zones, with multi-model inference fallback, to support availability and resilience. |
| Backups & restoration | Customer Personal Data is held on managed cloud services that provide redundancy and durability, and backup and recovery measures are maintained accordingly. |
| Change & vulnerability management | Segregated pre-production and production environments; changes deployed through a controlled CI/CD pipeline; security configuration and fixes applied to production. |
| Personnel & confidentiality | Personnel are bound by confidentiality obligations and access Customer Personal Data only as needed for their tasks. |
| Sub-processor controls | Sub-processors are bound by written agreements imposing data-protection terms no less protective than this DPA. |
| Deletion & portability | Customer Personal Data is exportable in a machine-readable format and deleted in accordance with Section 11. |
| Assurance / certification | Information-security programme being aligned to ISO/IEC 27001 and SOC 2 (Type 1), targeted for 2027 (in progress, not yet obtained). Underlying cloud providers maintain their own ISO/IEC 27001 certifications. |
Annex 3 — Sub-processors
| Sub-processor | Purpose | Contracting entity | Processing location |
|---|---|---|---|
| Google Cloud | Hosting, database, object storage and processing of the application and Customer Personal Data. Provided across both providers on a multi-cloud basis. | Google Cloud EMEA Limited (Ireland) | Switzerland (europe-west6, Zürich) |
| Amazon Web Services | Storage and processing of Customer Personal Data, and AI inference via Amazon Bedrock (access to closed-source (Anthropic) and open-source models), without training on Customer Personal Data | Amazon Web Services EMEA SARL (Luxembourg) | Switzerland (eu-central-2, Zürich) |
| Microsoft (Azure) | Neuralshape's own Microsoft Azure environment used to generate and send Service notifications to Authorised Users (e.g. overnight new-opportunity alerts), which may contain personal data such as recipient name and business email. Does not include Customer's own Microsoft 365 / SharePoint tenant, which Customer connects and controls under its own Microsoft agreement (see Terms §6.7). | Microsoft Ireland Operations Limited | EU/EEA |
| Stripe | Payment and subscription processing (billing data only). Stripe does not receive Customer Personal Data submitted within the application. | Stripe Payments Europe, Limited (Ireland), with onward transfer to Stripe, Inc. (United States) | EU/EEA and United States (EU SCCs with Swiss adaptations + EU-U.S./Swiss-U.S. DPF) |
The current list of Sub-processors is maintained by Neuralshape and updated in accordance with Section 6.3.