Last Update: March 12, 2025

Processing Agreement in accordance with Article 28 GDPR

This Processing Agreement is entered into between the Customer with the name and contact details provided when registering for the Wire-services (hereinafter referred to as "Principal") and Wire Swiss GmbH, Untermueli 9, 6300 Zug, Switzerland (hereinafter referred to as "Wire", collectively "Parties" or individually "Party").

Section 1 – Subject Matter and Duration of the Order

  1. This Processing Agreement specifies the Parties' data protection obligations arising from the processing carried out for the purpose of providing the software solution for messaging services described in the Terms of Use and the related services (collectively the "Service") to be performed by Wire for the Principal. The subject matter of the order results from the Agreement on the provision of the Service including the Terms of Use incorporated therein (collectively the "Service Agreement"), to which reference is made.
  2. Beyond this, this Processing Agreement applies to all work activities in connection with the work activities under the Terms of Use where employees of Wire or any third parties commissioned by Wire may come into contact with the Principal's personal data.
  3. This Agreement enters into force upon signing by both Parties. Its duration corresponds to the term of the Service Agreement. The obligations under this Agreement continue even after termination of the Service Agreement, unless Wire has returned, erased, or otherwise destroyed all personal data of the Principal pursuant to this Agreement.

Section 2 – Specification of the Order Details

  1. The nature and purpose of the processing of personal data by Wire for the Principal are defined in the Service Agreement. Changes to the processing objects and procedural changes shall be jointly agreed upon by the Parties in writing or in a documented electronic format.
  2. Wire shall ensure compliance with all statutory data protection regulations in its area of responsibility.
  3. Wire generally performs the processing on servers within the EU Member States and other signatory states of the European Economic Area (EEA), for example Switzerland. If services are provided outside the EU/EEA on the Principal’s instructions, Wire shall ensure that the transfer of personal data complies with Art. 44 et seq. GDPR by ensuring that at least one of the following conditions is met:
    1. An adequacy decision by the European Commission for the third country;
    2. Appropriate safeguards are in place (e.g., binding corporate rules (BCR), standard data protection clauses, approved codes of conduct, or certification mechanisms);
    3. The data transfer is covered by derogations for specific situations pursuant to Article 49 GDPR.
  4. The subject matter of the processing includes the following types of personal data:
    1. Name of user;
    2. Email address of user;
    3. Data separately provided by the user (e.g., profile picture);
    4. Metadata of the Service (e.g., information on the creator of a team, conversation name, pseudonymized participants list, and team assignments);
    5. User Devices (e.g., model, timestamp when device was registered);
    6. End-to-end encrypted communication data (e.g., messages and files).
  5. Wire temporarily stores encrypted messages on its servers for the purpose of allowing later delivery to offline clients. Wire does not hold the decryption keys and therefore cannot access the content.
  6. The categories of data subjects include:
    1. Users of the Service (including all persons registered by the Principal);
    2. Persons whose personal data is the subject of communications between users.

Section 3 – Technical and Organizational Measures

  1. Within its area of responsibility, Wire shall structure its internal corporate organization to meet the requirements under data protection law. Wire shall establish data processing security in accordance with Article 28 (3)(c) and Article 32 GDPR, in conjunction with Article 5 (1) and (2) GDPR.
  2. The measures include data security measures and measures ensuring a protection level appropriate to the risk regarding confidentiality, integrity, availability, and resilience of systems. Factors such as the state of the art, implementation costs, the nature, scope, and purposes of processing, as well as the probability and severity of risk to the rights and freedoms of natural persons (as per Article 32(1) GDPR) are taken into account.
  3. Wire may provide current certificates, reports, or excerpts from independent bodies (e.g., auditors, data protection officers, IT security audits) to evidence its measures. Adherence to approved codes of conduct (Article 40 GDPR) or approved certification mechanisms (Article 42 GDPR) is also acceptable.
  4. If an audit by the Principal shows the need for amendments, such changes shall be implemented by mutual agreement. Technical progress may lead to alternative measures, provided the security level is maintained. Wire shall notify the Principal of any significant adjustments.
  5. The Parties may, upon request, review and evaluate the effectiveness of the measures at agreed intervals.

Section 4 – Responsibilities, Authority of the Principal to Issue Instructions

  1. The Principal is responsible for compliance with statutory data protection provisions, including the lawfulness of processing and the protection of data subjects' rights. The Principal must inform data subjects about the processing by Wire and, if necessary, obtain their consent.
  2. Wire and its agents may only collect, process, and use data upon documented instruction from the Principal, unless required by law (Article 29 GDPR). In such cases, Wire will notify the Principal before processing, except when prohibited due to public interest.
  3. Wire shall not use the data for any other purposes or forward it to third parties. No copies shall be made without the Principal's knowledge, except for back-up copies or those required to comply with statutory record-keeping requirements.
  4. Instructions by the Principal must be in writing or in a documented electronic format. Verbal instructions should be immediately confirmed in writing. Wire will process the data as follows:
    1. As required by the nature and scope of the Service and the obligations under the Service Agreement;
    2. When legally obliged to do so, in which case Wire will notify the Principal (unless prohibited by law due to public interest).
  5. If the Principal's instructions change the subject matter of performance under the Service Agreement, a mutual agreement is required. Wire must immediately notify the Principal if an instruction appears to violate data protection regulations. In such cases, Wire may suspend execution until the instruction is confirmed or changed. Should the Principal insist on an instruction that may be illegal, the Principal shall indemnify Wire for any damages or costs incurred.

Section 5 – Duties of Wire

  1. Data Protection Officer (DPO): Wire has appointed a DPO who can be contacted at privacy@wire.com.
  2. Confidentiality: Wire ensures that only employees who are bound by confidentiality obligations and familiar with relevant data protection provisions process personal data.
  3. Processing Directory: Wire shall maintain a processing directory as per Article 30(2) GDPR.
  4. Cooperation: The Principal and Wire shall cooperate in responding to requests from the competent supervisory authority.
  5. Notification: Wire shall immediately inform the Principal of any inspections or measures by supervisory authorities, and support the Principal in case of any liability claims or legal proceedings relating to data processing.

Section 6 – Rectification, Restriction and Erasure of Data, Rights of Data Subjects

  1. Wire may only rectify, erase, or restrict processing of data on documented instruction from the Principal. The Principal must promptly inform Wire of any changes to personal data to enable timely updates.
  2. If a data subject directly contacts Wire regarding their rights, Wire shall immediately forward the request to the Principal and process it only on documented instructions. Wire may claim remuneration for support services provided.

Section 7 – Subcontracting

  1. “Subcontracting” refers to services directly related to the provision of the principal service under this Agreement. It excludes ancillary services (e.g., telecommunications, postal/transport, cleaning, or security services), unless related to IT systems provided by Wire.
  2. Wire may engage or replace subcontractors provided that:
    1. Wire notifies the Principal in writing or text form in advance, including the planned date of the change;
    2. The Principal does not object within fourteen days;
    3. The subcontracting is based on a contractual agreement in accordance with Article 28 (2) to (4) GDPR.
  3. The Principal agrees to the commissioning of subcontractors listed in Annex 2, subject to a contractual agreement under Article 28 (2) to (4) GDPR. Data transfer to the subcontractor shall only occur when all subcontracting conditions are met. Wire shall be liable for the data processing carried out by any engaged subcontractors.

Section 8 – Supervisory Powers of the Principal

  1. The Principal has the right, after consultation with Wire, to carry out inspections or have them conducted by a designated auditor during normal operating hours without disrupting operations. Wire shall facilitate such inspections by providing necessary information to verify compliance with Article 28 GDPR.
  2. Evidence of compliance may include:
    1. Adherence to approved codes of conduct pursuant to Article 40 GDPR;
    2. Certification under an approved procedure per Article 42 GDPR;
    3. Current certificates, reports, or excerpts from independent bodies;
    4. Certification by IT security or data protection auditing (e.g., ISO/IEC 27001, ISO/IEC 27701).
  3. If an on-site inspection is necessary, Wire may require the signing of a confidentiality agreement regarding third-party data and business secrets.
  4. Wire may claim appropriate remuneration for enabling controls by the Principal.

Section 9 – Duties of Wire to Provide Support

  1. Security Measures: Implementing technical and organizational measures to protect personal data and detect breaches.
  2. Data Breach Reporting: Notifying the Principal within 48 hours of any data breach or operational disruption.
  3. Supervisory Authority Notification: Assisting the Principal with any required notifications to supervisory authorities and data subjects.
  4. Impact Assessments and Consultations: Supporting data protection impact assessments and prior consultations if necessary.
  5. Wire may claim compensation for support services not included in the Service Agreement or not due to any misconduct on Wire's part.

Section 10 – Deletion and Return of Personal Data or Destruction

  1. Upon completion of the contracted Services or upon request by the Principal – and at the latest upon completion of the Services under the Service Agreement – Wire must either hand over all documents, processing results, and related data files or destroy/erase them in a data-protection compliant manner, unless conflicting legitimate reasons under Article 17 (3) GDPR exist.

Section 11 – Liabilities of the Parties

  1. The liability between the Principal and Wire shall be governed by the Service Agreement. In relation to data subjects, Article 82 GDPR applies.
  2. The Parties shall each indemnify and hold the other harmless from liability towards data subjects if one Party proves it is not responsible for the damage caused.

Section 12 – Miscellaneous

  1. Wire shall not be entitled to a right of retention pursuant to Section 273 BGB (German Civil Code).
  2. In cases of data endangerment due to seizure, insolvency, or other measures by third parties, Wire must immediately inform the Principal.
  3. Any costs incurred by Wire in fulfilling its duties under this Agreement are included in the remuneration agreed in the Service Agreement, unless otherwise provided. There is generally no obligation to pay remuneration if the Service was compromised by a breach of data protection law by Wire.
  4. Should any individual provisions of this Agreement be or become invalid, the remaining provisions shall remain in force.
  5. The following Annexes form an integral part of this Agreement:
    1. Annex 1 – Technical and Organizational Measures of Wire Swiss GmbH
    2. Annex 2 – List of Sub-Processors

Annex 1 – Technical and Organizational Measures of Wire Swiss GmbH

This document outlines the Technical and Organizational Measures (TOM) implemented by Wire Swiss GmbH ("Wire") to ensure the protection of personal data in compliance with the General Data Protection Regulation (GDPR). Wire is committed to safeguarding the privacy and security of personal data, especially given its operational reliance on third-party service providers and its remote-first working environment.

Organizational Measures

  1. Data Protection Policy: A dedicated Privacy and Data Protection Policy covers applicable legislation, processing principles, data subject rights, lawfulness of processing, privacy by design, impact assessments, international data transfers, and defined roles and responsibilities.
  2. Information Security Team: An assigned team plans, implements, and assesses data protection and security measures.
  3. Data Breach Policy: Established procedures advise on actions to take during a data breach.
  4. Vendor Assessment: Initial and regular evaluations ensure that third-party vendors meet Wire’s data protection and security standards.
  5. Data Processing Agreements: DPAs are in place with all third-party organizations processing data on Wire’s behalf.
  6. Risk Analysis: Regular risk analyses determine current threat levels and necessary adjustments.
  7. Role-Based Access & Access Management: Access is controlled via a role-based framework with regular reviews and a four-eye principle for authorization.
  8. Incident Response and Management: An Incident Management Policy is established for prompt response in case of incidents.
  9. Security Awareness Training: Regular training sessions for employees on data protection and security best practices.
  10. Confidentiality Agreements & Policy Acknowledgement: Employees sign confidentiality agreements and acknowledge internal data security policies upon onboarding.
  11. Off-boarding Process: A strict documented process ensures revocation of access and return of company assets upon termination.
  12. Restriction of Private Use of Devices: Only company-owned devices are used for processing customer personal data.
  13. Periodic Audits: Internal and external audits (e.g., ISO 27001, ISO 27701) confirm the adequacy and effectiveness of security measures.

Technical Measures

  1. Device Management: All devices are managed using Mobile Device Management (MDM) solutions, enforcing encryption, password protection, and remote wipe capabilities.
  2. Hard Disk Encryption: Company devices have full-disk encryption enabled.
  3. Secure Disposal of Devices: Devices no longer in use are securely disposed of by a specialized company, ensuring data wiping or physical destruction.
  4. Endpoint Security: Anti-virus and anti-malware software are installed and regularly updated.
  5. Backup and Recovery: Regular backups are performed, encrypted, and securely stored with a disaster recovery plan in place.
  6. Access Controls: Unique user IDs, multi-factor authentication, and stringent password policies safeguard access to sensitive systems.
  7. Secure Remote Work Policies: Policies ensure secure practices for remote work.
  8. Data Encryption in Transfer: Personal data is transported over encrypted networks (e.g., HTTPS).
  9. Penetration Testing: Regular tests by external companies identify and resolve system vulnerabilities.

Office Security

  1. Electronic Locks: Office access is controlled by electronic locks.
  2. CCTV Monitoring: Entrance doors are monitored outside office hours.
  3. Key Management: Assignment of electronic keys is centrally managed and documented.
  4. Visitor Policy: Visitors must be announced in advance and accompanied at all times.

Data Protection Measures

  1. Data Availability: Measures ensure personal data is available, protected from loss or destruction, and restorable in case of malfunctions.
  2. Data Entry Control: Controls verify who, when, and how personal data is entered, modified, or removed.
  3. Data Segregation: Personal data is processed separately based on its intended use and client.
  4. Data Minimization: Only necessary data is collected and processed.
  5. Data Retention: Data is retained only as long as necessary per Wire's policy.
  6. Data Subject Rights: Procedures are in place for handling requests regarding access, rectification, deletion, and portability.
  7. Incident Response: An incident response plan promptly addresses breaches or security incidents.
  8. Data Protection Officer (DPO): A designated DPO oversees data protection strategy and implementation.
  9. Data Protection Impact Assessments (DPIA): Conducted for processing activities that may result in high risks.
  10. Encryption and Pseudonymization: Personal data is encrypted and pseudonymized where appropriate.
  11. Access and Usage Controls: Stringent controls ensure only authorized personnel access personal data.
  12. Data Erasure Control: A dedicated process exists for personal data deletion in accordance with GDPR.

Annex 2 – List of Sub-Processors

To provide services, Wire uses its affiliate companies – in particular, Wire Germany GmbH – and the following third parties for processing data of business prospects and business account users:

| Entity Name and Contact Details | Purpose | Processing Location | Third Country Transfer |
|---|---|---|---|
| Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg | Hosting | EU | No |
| Wire Germany GmbH, Rosenthaler Str. 40, 10178 Berlin, Germany | Development of the services | n/a | No |
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Hosting | Germany | No |
| Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland | E-mail provider | EU | No |
| Box, Inc., 64 North Row, 2nd Floor, London W1K 7LL, United Kingdom | Signature Management | EU | No |
| ContractHero GmbH, Parkstrasse 89a, 13086 Berlin, Germany | Contract Management | EU | No |
| Countly Ltd., 1 Bow Churchyard, London EC4M 9DQ, United Kingdom | Product Analytics | Germany | No |
| Hubspot Inc., 25 First Street, Cambridge, MA 02141, USA | Website Hosting & Marketing Activities, CRM Services | EU | No |
| Salesforce, Inc., Salesforce Tower, 415 Mission Street, San Francisco, CA 94105, USA | CRM Services | Germany | No |
| Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Grand Canal Dock, Dublin D02H210, Ireland | Payment Services | USA | USA (Standard Contractual Clauses (SCCs)) |
| Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, USA | Customer Support | EU | No |