Data Processing Agreement
SwimST — Version 1.0 • Effective date: 2 March 2026
This Data Processing Agreement ("DPA") is entered into between you ("Controller", "User") and Otenz ("Processor", "we", "us"), the developer of the SwimST application, pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018.
1. Scope and Purpose
This DPA applies when encrypted data uploaded by the User via the Shareable Links or Recovery Link features is stored on Otenz's servers. The processing is strictly limited to:
- Storage of encrypted binary data (blobs) on behalf of the User;
- Delivery of encrypted data to authorised recipients who possess the decryption key;
- Automatic deletion of data 90 days after the last update.
Otenz does not access, read, decrypt, analyse, profile, or otherwise process the content of the encrypted data.
2. Roles and Responsibilities
| Role | Party | GDPR Basis |
|---|
| Data Controller | You (the User) | Art. 4(7) GDPR |
| Data Processor | Otenz | Art. 4(8) GDPR |
As the Data Controller, you determine the purposes and means of any personal data processing that occurs within SwimST. You are solely responsible for:
- The lawfulness of any personal data you include in session names, athlete labels, exercise descriptions, or other fields;
- Obtaining any necessary consent from data subjects (e.g., athletes) before including their personal data;
- Ensuring an appropriate legal basis under Art. 6 GDPR for any personal data you process;
- Deciding what data to share and with whom.
3. Nature of Processing
3.1 Zero-Knowledge Architecture
SwimST employs end-to-end encryption (AES-256-GCM) for all data transmitted via shareable or recovery links. The encryption key is contained exclusively in the URL fragment (#key=...), which is never transmitted to the server per the HTTP specification (RFC 3986 §3.5). Consequently:
- Otenz cannot decrypt, read, or access the content of any data stored on its servers;
- Otenz has no knowledge of whether any personal data is contained in the encrypted payload;
- From the Processor's perspective, only pseudonymised binary data is processed.
3.2 Data Processed
| Data Category | Processor Access | Retention |
|---|
| Encrypted binary blob | Storage only — no decryption capability | 90 days after last update |
| Upload timestamp | Server-side metadata | Same as blob |
| IP address of uploader | Transient server log (not stored persistently) | Not retained |
3.3 Categories of Data Subjects
Potentially: athletes, coaches, and any individuals whose personal data the Controller chooses to include (at their sole discretion) in the encrypted content.
4. Processor Obligations
In accordance with Art. 28(3) GDPR, Otenz undertakes to:
- (a) Process encrypted data only on documented instructions from the Controller (i.e., upload, store, deliver, delete);
- (b) Not access, decrypt, or process the content of encrypted data for any purpose;
- (c) Ensure that persons authorised to process the data have committed themselves to confidentiality;
- (d) Implement appropriate technical and organisational measures to ensure security of processing (Art. 32 GDPR), including AES-256-GCM encryption, HTTPS transport, and access controls on server infrastructure;
- (e) Assist the Controller, insofar as technically feasible, in fulfilling obligations regarding data subject rights (Arts. 15–22 GDPR) — noting that Otenz cannot identify data subjects within encrypted blobs;
- (f) Assist the Controller with data protection impact assessments and prior consultation with supervisory authorities where required (Arts. 35–36 GDPR);
- (g) Delete all encrypted data upon expiry of the retention period (90 days from last update) or upon Controller request;
- (h) Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR;
- (i) Immediately inform the Controller if, in Otenz's opinion, an instruction infringes GDPR.
5. Sub-Processors
Otenz uses the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|
| VPS hosting provider | Server infrastructure for encrypted blob storage | EU (Germany) |
Otenz will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. The same data protection obligations as set out in this DPA are imposed on each sub-processor.
6. Data Breach Notification
In the event of a personal data breach affecting the encrypted blob storage service, Otenz shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach (Art. 33 GDPR);
- Provide all available information about the nature and scope of the breach;
- Cooperate with the Controller in investigating and mitigating the breach.
Important: Given the zero-knowledge encryption architecture, a server breach would expose only encrypted binary data that cannot be decrypted without the key (which is never stored on the server).
7. International Data Transfers
Otenz processes and stores all data within the European Economic Area (EEA). No data is transferred to third countries. If this changes, Otenz will ensure appropriate safeguards under Chapter V GDPR (e.g., Standard Contractual Clauses).
8. Controller Obligations and Indemnification
The Controller acknowledges and agrees that:
- The Controller is solely responsible for the lawfulness of any personal data included in the encrypted content;
- The Controller shall not include special categories of personal data (Art. 9 GDPR) — such as health data, racial or ethnic origin, political opinions, or biometric data — unless the Controller has a valid legal basis and has obtained explicit consent from data subjects;
- The Controller shall indemnify Otenz against all claims, fines, damages, and costs arising from the Controller's breach of GDPR or this DPA;
- The Controller has been advised to use pseudonymised identifiers (nicknames, codes, initials) instead of real names for athlete labels, and to avoid including sensitive personal data in shared content.
9. Limitation of Liability
To the maximum extent permitted by applicable law (including Italian Civil Code Art. 1218 et seq. and GDPR Art. 82):
- Otenz's liability as Processor is limited to the obligations set out in this DPA and Art. 28 GDPR;
- Otenz shall not be liable for any damage caused by processing carried out in accordance with the Controller's instructions;
- Otenz shall not be liable for the content of encrypted data, which it cannot access or read;
- Each party's aggregate liability under this DPA shall not exceed the fees paid by the Controller for the Service in the 12 months preceding the claim (currently: €0, as the Service is free).
10. Duration and Termination
- This DPA is effective as long as the Controller uses SwimST features that involve server-side storage of encrypted data.
- Upon termination, Otenz will delete all encrypted data in accordance with the standard retention policy (90 days from last update) or immediately upon Controller request.
- Sections 8 (Indemnification) and 9 (Limitation of Liability) survive termination.
11. Governing Law and Jurisdiction
This DPA is governed by the laws of Italy and the GDPR. Any disputes shall be resolved before the competent courts of Italy. The Controller may also lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).
12. Contact
For all DPA-related inquiries, data subject requests, or breach notifications, contact: