What's actually inside the data processing agreements (DPAs) of cloud and email providers used in Switzerland?
Once you sign up for a cloud service, you usually accept the terms and move on to the work itself: uploading and sharing documents with team members, sending emails to clients, and so on. Somewhere in the terms you accept there is a Data Processing Agreement (DPA). When you let a provider process data on your behalf, which is the case for common cloud and email offerings, the responsibility for what happens to that data stays with you. With the share of breaches involving third-party providers reported to have doubled from 15% to 30% in the past year, what the DPA says about access, breach notification, and deletion matters more than it used to. Yet it often goes unread. When I went to check which of the tools I’ve worked with recently actually publish a DPA and what it says, the answer varied more than I expected.
TL;DR
- Access to the DPA ranges from publicly downloadable documents (often auto-accepted on subscription, as with Microsoft 365 and Google Workspace) to documents obtained through support.
- Breach notification ranges from Microsoft’s explicit 72-hour window to “without undue delay” with no stated timeline.
- Sub-processor change notice ranges from six months (Microsoft) to no specified notice period (Proton).
- Deletion timelines range from ten working days with written certification (Infomaniak) to a 180-day window (Microsoft).
A note before we start. I’m not a lawyer, and this article is not legal advice. It describes what the published DPAs of Microsoft 365, Google Workspace, Dropbox, Infomaniak, Tresorit, and Proton say and do not say. If you need advice on your specific situation, a Swiss data protection lawyer is the right person to ask.
What a DPA is
A Data Processing Agreement (DPA) is a contract between you (the controller) and a service that handles personal data on your behalf (the processor). The Swiss legal basis is Article 9 of the revised Federal Act on Data Protection (FADP), known in German as the nDSG. It allows processing to be assigned to a processor by contract (or by law), requires you to make sure the processor is able to guarantee data security, and permits the processor to pass processing on to a third party only with your prior authorisation. The nDSG is less prescriptive than the GDPR’s Article 28 about the specific clauses the contract must contain. In practice, DPAs published for international customers tend to satisfy both frameworks, as we see in the DPAs analysed in this article.
DPAs typically come with business plans, not consumer ones, because as a consumer you are not the controller of someone else’s data. A personal Gmail account has no DPA; a Google Workspace subscription does (the Cloud Data Processing Addendum).
Which DPAs we assessed
We reviewed the published, standard DPA texts of six cloud and email providers. Large customers routinely negotiate amendments that change specific clauses; those bespoke versions are not public. A provider whose published DPA is silent or vague on a particular point may offer stronger terms in a negotiated addendum or a bespoke agreement.
The provider selection is a deliberate spread across mainstream productivity suites (i.e., Microsoft 365, Google Workspace, Dropbox) and more Swiss-related providers (i.e., Infomaniak, Proton, Tresorit). Reliable DACH-specific market share data for this segment is not publicly available, so the selection is not a market-share ranking. Each finding is anchored to a direct quote from the source document or to its absence.
| Provider | Main products | Document | Version |
|---|---|---|---|
| Microsoft 365 | Outlook, OneDrive, Teams | Microsoft Products and Services Data Protection Addendum | Last updated 01.09.2025 |
| Google Workspace | Gmail, Drive, Docs, Meet | Cloud Data Processing Addendum | Last modified 23.10.2025 |
| Dropbox | File storage and sharing | Data Processing Agreement with Model Clauses | Posted 23.08.2024 |
| Infomaniak | kMail, kDrive, kMeet | Personal Data Processing Agreement | n/a |
| Tresorit | Encrypted file storage and sharing | Not publicly accessible | — |
| Proton | Proton Mail, Drive, Calendar, Pass, VPN | Data Processing Agreement | Last modified 10.02.2026 |
Insights across the six DPAs
How to get the DPA: from public PDF to support-gated
How easily you can read the DPA before or after agreeing depends on how your provider makes it available. A publicly downloadable file lets you review in advance; a text behind a support request does not.
Microsoft and Google publish their documents openly while also auto-applying them on subscription, so the text is both downloadable in advance and accepted when a customer clicks through the admin console; for these two, subscribing and accepting the DPA are the same action. Dropbox, Infomaniak, and Proton publish theirs as PDFs or web pages that anyone can read. Tresorit’s DPA was not available for our analysis: customers have to contact the Tresorit Support Team to obtain a copy, so the text is not visible before signing up.
Most providers in the set use a single unified DPA across their entire product range. Microsoft’s covers Microsoft 365, Azure, and Dynamics. Google’s Cloud DPA consolidates three separate agreements, per its own preamble. Proton’s covers Mail, Calendar, Drive, VPN, and Pass under one document.
Breach notification: only one provider commits to a number of hours
Breach notification is your provider’s commitment to tell you if a security incident affects your data. If you are the controller of that data, you may need to notify your own clients in turn. How fast your provider reaches out shapes how fast you can react.
Only one of the published DPAs commits to a specific number of hours. Microsoft’s Appendix A states that notification will be made “without undue delay and, in any event, within 72 hours.” Dropbox targets the same window with softer language, committing to “commercially reasonable efforts to provide this notice within 72 hours of confirming the existence of a Security Incident.” Google, Infomaniak, and Proton use “without undue delay” or “without delay” with no stated window. Tresorit’s commitment is not publicly disclosed.
The phrase “without undue delay” is standard legal language but contains no fixed duration. Microsoft is the only provider in the set that binds itself to a number in the contract; Dropbox names the same 72 hours but only as a “commercially reasonable efforts” target, which is a weaker commitment.
Sub-processor change notice: widest spread in the set
Sub-processors are the third parties your provider uses behind the scenes, such as the infrastructure hosting your data, the support system handling your tickets, or the payment processor running your billing. Adding or changing one shifts your data’s path. Under Article 9 of the FADP the processor may only hand processing to a third party with your prior authorisation; the published DPAs implement this as a general authorisation combined with a notice period during which you can object or terminate. Advance notice is therefore what lets you decide whether you are comfortable with the change.
The published DPAs offer very different degrees of advance visibility into sub-processor changes. Microsoft commits to six months advance notice for new sub-processors touching Customer Data. Google commits to 30 days advance notification with a 90-day termination window. Dropbox provides a 60-day objection window, Infomaniak 30 days. Proton’s DPA defers to “the Privacy Policy notification process,” and the current Privacy Policy does not define one. The current list of processors (Zendesk, Stripe, PayPal, Chargebee, Atlassian, Hubspot) appears in Privacy Policy Section 4 under the heading “Data processors,” but without an advance notice period, an active notification obligation, or an objection mechanism. Tresorit’s policy is not publicly disclosed.
In the published DPAs, the spread runs from Microsoft’s six-month notice at one end to Proton at the other, whose DPA defers to a Privacy Policy process that specifies no notice period at all. A bespoke agreement or addendum may cover this differently for specific customers.
Deletion on termination: from ten working days with certification to 180-day retention
Deletion on termination is your provider’s commitment to remove your data when you stop using the service. Data that lingers after cancellation is a continued liability, and compliance checks may require proof that deletion happened. Knowing the timeline and whether you get a certification matters if you ever need to demonstrate the data is gone.
Deletion timelines vary widely. Infomaniak has the most specific clause, requiring deletion within ten working days of contract cessation plus a written certification attesting to it. Infomaniak’s DPA also uniquely commits to restore data at its own expense if it is lost, destroyed, or altered due to Infomaniak’s failure. Microsoft retains Customer Data for 90 days in a limited-function account so the customer can extract the data, then deletes it within another 90 days. At Google, the customer has a 30-day window to recover data after the subscription ends; deletion then completes within up to 180 days. Dropbox deletes stored data in “a commercially reasonable period” after an administrator request. Proton’s DPA defers the timeline to its Terms and Conditions and Privacy Policy, and specifies that a customer must request a data copy before account deletion or lose access to it.
Dropbox’s DPA also includes a clause stating that, on termination, Dropbox “may be a controller with respect to certain Account Data, and may retain this data in accordance with applicable privacy laws.” What falls under Account Data, presumably account metadata such as email, billing records, or admin configuration, the DPA does not fully spell out. Most providers probably retain equivalent metadata under their own legal obligations. Dropbox is unusual in naming it explicitly in the DPA itself. For a customer planning a post-termination clean break, it is worth asking the provider directly what stays and what goes.
Tresorit’s deletion clause is not publicly disclosed.
In sum, the published timelines range from Infomaniak’s ten working days with written certification to Microsoft’s 180-day window.
How providers frame the Swiss legal basis
A DPA references the legal frameworks it is designed to satisfy. For a customer in Switzerland, whether the DPA mentions the nDSG (or the FADP in English) alongside the GDPR signals how explicitly the provider has considered Swiss law. In practice this is more about clarity than compliance outcomes, since a GDPR-compliant DPA tends to satisfy the nDSG too; explicit Swiss references mainly help during due diligence.
In the published standard DPAs, the explicitness of nDSG and FADP references does not track with where the provider is headquartered. Infomaniak, a Switzerland-headquartered provider, names specific FADP articles and implementing ordinances in the preamble, citing “Art. 9 of the Swiss Federal Act on Data Protection” alongside Article 28 of the GDPR and naming the Data Protection Ordinance (SR 235.11) and Data Protection Certification Ordinance (SR 235.12) by their legal shortcodes. Google, a hyperscaler, defines the revised Swiss FADP explicitly in its Cloud DPA definitions section, referencing both the 1992 original and the revised 2020 version with the 2022 Ordinance. Microsoft and Dropbox treat Switzerland as a peer jurisdiction in transfer clauses. Tresorit’s current public support framing references only GDPR as a DPA trigger.
Microsoft’s DPA includes a unique safeguards appendix addressing cases where a non-EU government, for example a US agency acting under the CLOUD Act, compels Microsoft to disclose personal data of EU individuals. If that disclosure violates EU rules on sending personal data outside the EU, Microsoft commits to pay damages directly to the affected person. No other provider in the set makes this commitment.
Practical checklist
Now that you know more about DPAs in practice, where does this leave you? The six practical steps below can help bring clarity to your own data processing.
- List every cloud or email tool in your stack that holds client data, team communications, or documents containing personal information.
- Check which tier you are on. Consumer and personal tiers generally do not have a DPA, business tiers generally do. If you handle client data on a personal tier, upgrading is the compliance step, not just the feature step.
- Locate and save the DPA for each business-tier tool. Keep a dated copy so you can point to the version that applied if something happens later.
- Confirm the contact the provider would use for a breach alert, which is usually the admin or security contact configured in the admin console rather than your own mailbox. Make sure that address is monitored by someone who would act on it, and that a departed administrator has not taken the only copy with them.
- Find the sub-processor list and subscribe to change notifications if the provider offers them.
- Build deletion into your offboarding plan. Some providers require action from you before termination, such as requesting a data copy. Knowing this before you decide to leave keeps the exit clean.
If a specific clause does not meet your requirements, contact the provider. Many providers will negotiate amendments for business customers, especially at higher subscription tiers.
For deeper reads on specific providers, see our guides on Tresorit and Proton Mail. For the broader security setup, our guides for freelancers and founders and small teams cover adjacent ground.
For links on this page, NeoGuard may earn a commission from the provider. This supports our work and has no influence on our editorial recommendations. See our privacy policy for details.