Skip to main content
← LokBox

Data Processing Agreement (DPA)

Last updated: 6 July 2026

Effective Date: July 6, 2026. This version is effective as of July 6, 2026. You will be notified in good time in the event of any material changes to this Data Processing Agreement. This Data Processing Agreement ("DPA") governs the data protection obligations of the parties in connection with the processing of personal data in the context of the use of the LokBox services. It meets the legal requirements under Art. 28 GDPR as well as under the Swiss Federal Act on Data Protection (revFADP / nFADP). Change history: Version 2026-07-06 – Addition of the categories of personal data and the categories of data subjects (§ 2), clarification of EU data residency (§ 5), inclusion of a jurisdiction clause (§ 11), clarifications regarding instructions and subprocessors (§§ 3, 4). Version 2026-06-16 – Initial version.

1. Parties

Controller (Customer): The user of the LokBox services who processes personal data within their account. Processor (Provider): bubloo, Kubilé, Lischenweg 7, 4915 St. Urban, Switzerland (UID: CHE-190.821.402).

2. Subject Matter, Nature and Purpose of Processing

The Processor processes personal data on behalf of and according to the documented instructions of the Controller in order to provide the LokBox services (AI-assisted browser automation, text processing, and API integrations). The processing comprises the collection, recording, storage, retrieval, querying, and deletion of data. Categories of personal data: client master data (names, addresses, contact details, company and legal-form information); identifiers (e.g. UID, commercial-register, tax and social-security numbers, insofar as entered by the Controller); as well as portal task data (the task texts issued by the Controller, uploaded documents, access context, and the result and log data generated by the agent). Categories of data subjects: the Controller's clients and their authorised representatives or contact persons, the Controller's employees and end users, as well as other natural persons whose data the Controller enters in the course of a task.

3. Instructions and Confidentiality

The Processor processes personal data exclusively on the documented instructions of the Controller. If the Processor is of the opinion that an instruction infringes the GDPR, the revFADP, or other data protection provisions, it will inform the Controller without undue delay (Art. 28(3) subpara. 2 GDPR). The Processor ensures that all persons authorised to process the data (employees) have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.

4. Subprocessors

The Processor uses in particular the following subprocessors to provide the services: Hetzner Online GmbH (frontend & backend hosting, Germany/Falkenstein (fsn1)); Amazon Web Services (AWS) (LLM inference (Bedrock) – no training, EU eu-central-1 Frankfurt); Supabase (database & storage, EU eu-central-1 Frankfurt); Stripe (payment processing, EU/Ireland); Sentry (error monitoring, EU de.sentry.io). The complete and current list of subprocessors is available at lokbox.ch/subprocessors and is authoritative for the scope of the consent granted; the Controller hereby consents to the use of the subprocessors listed there. The Processor contractually binds each subprocessor to data protection obligations that are substantially equivalent to those agreed in this DPA (Art. 28(4) GDPR). The Processor will inform the Controller in good time about any intended change (addition or replacement); the Controller may object for an important data protection reason.

5. International Data Transfers (Third-Country Transfer)

LokBox is a Swiss provider; however, data processing and storage take place on European infrastructure within the EU/EEA (in particular Frankfurt). No productive hosting of personal data takes place in Switzerland within the scope of the cloud services. Insofar as the use of certain integrations (e.g. Notion) results in data being transferred to the USA, the Processor relies on the Standard Contractual Clauses (SCC) of the EU Commission (as well as the corresponding Swiss adaptations) and the Data Privacy Framework (DPF) to ensure an adequate level of data protection pursuant to Art. 46 GDPR.

6. Technical and Organisational Measures (TOMs)

The Processor has taken appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. These include, among others: Encryption: All data transfers (TLS/SSL) as well as stored data (data at rest) are encrypted; Isolation: Browser automations run in short-lived, isolated sandbox environments; Access and access control: Physical and logical access is restrictively regulated.

7. Support Obligations and Breach Notification

The Processor appropriately supports the Controller in responding to requests to exercise data subject rights (access, rectification, erasure, etc.). In the event of a personal data breach (data breach), the Processor notifies the Controller without undue delay after becoming aware of it and supports the Controller in its statutory notification and communication obligations (Art. 33, 34 GDPR) as well as in data protection impact assessments.

8. Control and Audit Rights

The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. The Controller (or an independent auditor mandated by it) has the right, after timely notice, to carry out reasonable reviews (audits).

9. Data Retention and Deletion

Upon completion of the provision of the processing services or upon termination, the Processor, at the Controller's choice, deletes or returns (exports) all personal data, unless there is a legal obligation to retain it. A technical soft-delete phase of 30 days may apply to prevent accidental data loss before data is physically and irrevocably deleted.

10. Term of the Agreement

This DPA is concluded for an indefinite period and ends automatically upon termination of the main agreement for the use of the LokBox services.

11. Applicable Law and Jurisdiction

This DPA is governed exclusively by Swiss law, to the exclusion of its conflict-of-law rules and the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA is Lucerne, Switzerland, unless mandatory statutory places of jurisdiction preclude this.

info@lokbox.ch · +41 78 845 84 66
Lischenweg 7, 4915 St. Urban (Canton of Lucerne), Switzerland