Aura Compliance | Microsoft 365 Governance & Reporting

Data Protection

Information on the processing of personal data under the GDPR and Swiss FADP

Effective date: May, 2026 · Version 1.0

1.Data Controller

The data controllers within the meaning of the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP) are:

dotCLOUD LLC Bahnhofstrasse 9
CH-8952 Schlieren
Switzerland
Email: [insert privacy@aura-compliance.org]

KöllnService GmbH Am Linder Kreuz 67
51147 Cologne
Germany
Email: [insert privacy@aura-compliance.org]

Note If a Data Protection Officer has been appointed (which may be required for KöllnService GmbH under Art. 37 GDPR), their contact details should be added here.

2.General Information on Data Processing

We generally only process personal data of our users to the extent necessary to provide a functional website and our content and services. Processing usually only takes place with the user's consent or in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by statutory provisions.

Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).

3.Data Collection When Visiting the Website

When you access our website, the browser used on your device automatically sends information to our website's server. This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until automated deletion:

IP address of the requesting device (truncated where possible)
Date and time of access
Name and URL of the file accessed
Website from which access was made (referrer URL)
Browser used and operating system of your device
Name of your access provider

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is in ensuring a smooth connection setup, the comfortable use of our website, the evaluation of system security and stability, and other administrative purposes.

Storage period: The data is deleted no later than after 7 days, unless further retention is required for evidentiary purposes.

4.Cookies and Similar Technologies

We use cookies on our website. Cookies are small text files stored on your device. We distinguish between:

4.1 Strictly Necessary Cookies

These cookies are required to enable the visit to the website and its basic functions (e.g., session cookies). Legal basis: Art. 6(1)(f) GDPR and § 25(2) No. 2 of the German Telecommunications Telemedia Data Protection Act (TTDSG).

4.2 Functional and Analytics Cookies

These cookies are only set with your express consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG). You may revoke your consent at any time via our cookie banner or your browser settings.

Customization required A specific list of cookies in use should be added here, including provider, purpose, and storage period (ideally generated dynamically by your consent management tool).

5.Contact

If you contact us by email, contact form, or telephone, the data you provide (name, email address, phone number, content of the message) will be stored to process your request and in case of follow-up questions.

Legal basis: Art. 6(1)(b) GDPR (for performance of a contract or pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in handling inquiries).

Storage period: We delete the data collected as part of a contact request as soon as their storage is no longer necessary, or restrict processing if statutory retention obligations apply.

6.Registration and Use of "Aura"

Use of our SaaS solution "Aura" requires the creation of a user account. We process the following data:

First and last name
Email address
Company name and position (if provided)
Password (stored in encrypted form)
Billing and payment details
Usage data within the application (e.g., logins, actions performed)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Where our customers process personal data of third parties via "Aura", this constitutes data processing on behalf of our customers within the meaning of Art. 28 GDPR. In such cases, we conclude a separate Data Processing Agreement (DPA) with our customers.

7.Payment Processing

For payment processing, we work with external payment service providers. The data processing is carried out for the performance of the contract on the basis of Art. 6(1)(b) GDPR.

Customization required The specific payment service providers (e.g., Stripe, PayPal, Mollie) including their registered office and privacy notices must be listed here.

8.Web Analytics and Tracking

If you have given your consent, we use web analytics services to analyze and improve the use of our website.

Customization required Specific tools (e.g., Google Analytics, Matomo, Plausible) must be added here, including provider, purpose, storage period, and any indication of data transfer to third countries.

Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG (consent).

9.Newsletter

If offered and subscribed to by you, we send newsletters with information about our products and services. We use the double opt-in procedure for sending.

Legal basis: Art. 6(1)(a) GDPR (consent). You can revoke your consent at any time via the unsubscribe link in the newsletter.

10.Hosting and Data Processing

Our website and "Aura" are operated on servers of an external hosting provider. This provider processes personal data exclusively on the basis of a Data Processing Agreement pursuant to Art. 28 GDPR.

Customization required The specific hosting provider and its registered office must be named here (e.g., AWS, Hetzner, Microsoft Azure, Swisscom).

11.Data Transfers to Third Countries

Insofar as personal data is transferred to recipients outside the European Economic Area (EEA), this only takes place if an adequate level of data protection is ensured. This may be ensured in particular by:

an adequacy decision of the European Commission (Art. 45 GDPR),
EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), or
your express consent (Art. 49(1)(a) GDPR).

Switzerland is recognized by the European Commission as a country with an adequate level of data protection. Transfers of data between the data controllers in Germany and Switzerland are therefore permissible under data protection law.

12.Storage Period

We only store personal data for as long as is necessary to fulfil the respective processing purposes or as required by statutory retention obligations (in particular under commercial and tax law). After expiry of these periods, the data will be deleted or its processing restricted.

13.Your Rights

As a data subject, you have the following rights:

Right	Legal basis
Access to your processed data	Art. 15 GDPR
Rectification of inaccurate data	Art. 16 GDPR
Erasure of your data	Art. 17 GDPR
Restriction of processing	Art. 18 GDPR
Data portability	Art. 20 GDPR
Objection to processing	Art. 21 GDPR
Withdrawal of consent given	Art. 7(3) GDPR

To exercise your rights, please use the contact details provided under section 1.

14.Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.

For Germany – the supervisory authority responsible for KöllnService GmbH is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestr. 2-4, 40213 Düsseldorf.
For Switzerland – the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern.

15.Data Security

We take appropriate technical and organizational measures to protect your data against unauthorized access, loss, or manipulation. Our security measures are continuously improved in line with technological developments. The transfer of your data is carried out via a TLS/SSL-encrypted connection.

16.Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to ensure that it always complies with current legal requirements or to reflect changes to our services. The version applicable at the time of your next visit will then apply.