Data Processing Agreement (DPA)
Last updated: 2026-04-11
Last updated: 2026-04-11
This Data Processing Agreement ("DPA") is concluded between the Customer (the "Controller") and ark.swiss Sàrl ("ark.swiss Sàrl"). It forms an inseparable annex to the Terms of Service (Terms) and applies as from their acceptance. It is drafted in accordance with Article 9 of the Swiss Federal Act on Data Protection (FADP) and Article 28 of the General Data Protection Regulation (GDPR).
1. Parties
- Controller: the Customer identified upon subscription.
- Processor: ark.swiss Sàrl, CHE-139.880.181, Chemin de la Duchesne 13, 1806 St-Légier, canton de Vaud, Suisse.
2. Subject matter and duration
The DPA applies for the entire duration of the Service contract, as well as for the 30-day post-termination retention period provided for in the Terms, and beyond for statutory retention periods (in particular invoices, Art. 958f CO).
3. Nature, purpose and scope of processing
ark.swiss Sàrl processes personal data entrusted by the Controller solely in order to host and operate the arkplan Instance made available to the Controller, in accordance with the Terms and with the Controller's documented instructions.
4. Categories of data subjects
- Contacts and end-customers of the Controller
- Employees of the Controller
- Prospects and third parties related to the Controller
5. Categories of data processed
- Identity data (first name, last name, email, phone, address)
- Transactional data (invoices issued by the Controller, payments, amounts)
- Notes and interaction history entered by the Controller
- Calendar events and bookings
- Attached files (images, PDF) uploaded by the Controller
6. Controller obligations
- Ensure the lawfulness of processing (adequate legal basis).
- Inform its own data subjects in accordance with Art. 19 FADP and Art. 13 GDPR.
- Respect data subject rights as the primary point of contact.
- Provide written instructions to ark.swiss Sàrl where necessary.
7. Obligations of ark.swiss Sàrl
- Lawfulness of instructions: process data only on documented instructions from the Controller, unless otherwise required by law.
- Confidentiality: ensure that authorised personnel are bound by a contractual or statutory confidentiality obligation.
- Security: implement the technical and organisational measures described in Annex A.
- Assistance: help the Controller respond to data subject requests and carry out impact assessments (DPIAs), to a reasonable extent.
- Breach notification: notify any security breach to the Controller within 24 hours of becoming aware.
- Return or deletion: at the end of the contract, return the data (JSON/CSV export) or delete it per the Controller's instructions, within 30 days.
- Documentation: make available the information necessary to demonstrate compliance.
8. Authorised subprocessors
The Controller authorises ark.swiss Sàrl to use the following subprocessors:
- Infomaniak Network SA, Rue Eugène-Marziano 25, 1227 Geneva, Switzerland — application and database hosting, transactional SMTP.
- Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland — payment collection. Stripe is established in a country with an adequate level of protection (EU).
Any new subprocessor will be notified to the Controller with 30 days' prior notice. The Controller may raise a reasoned objection; in case of a reasonable objection that is not resolved, the Controller may terminate the contract free of charge.
9. International transfers
In version 1 of the Service, no data is transferred outside the EEA/Switzerland. Stripe Payments Europe Ltd. being located in Ireland (EU), the transfer is covered by the EU single market. Should a transfer outside the EEA become necessary, ark.swiss Sàrl undertakes to use the Standard Contractual Clauses (SCCs) adopted by the European Commission or an adequacy decision, and to notify the Controller beforehand.
10. Data subject rights
ark.swiss Sàrl assists the Controller free of charge in responding, to the extent possible and by appropriate technical and organisational measures, to requests for access, rectification, erasure, restriction, objection and portability raised by data subjects.
11. Security breaches
In the event of a data breach, ark.swiss Sàrl notifies the Controller without undue delay and at the latest 24 hours after becoming aware. The notification contains at minimum: the nature of the breach, the categories and approximate number of data subjects concerned, the measures taken or proposed, and a contact point. ark.swiss Sàrl cooperates in notifying authorities and data subjects.
12. Audit
The Controller may, once per year, request a free documentary audit to verify ark.swiss Sàrl's compliance with this DPA. An on-site audit may be carried out at the Controller's expense, with 30 days' prior notice, limited to one per year and subject to a mutual confidentiality agreement. ark.swiss Sàrl endeavours to respond to reasonable security questionnaires in good time.
13. Return or deletion
At the end of the contract, on written instruction from the Controller, ark.swiss Sàrl returns the data (JSON/CSV export) or deletes it within 30 days. Data that ark.swiss Sàrl is legally required to retain, in particular accounting invoices for 10 years (Art. 958f CO), is excluded from this obligation.
14. Liability
Each party is responsible for its own breaches of this DPA. ark.swiss Sàrl's liability towards the Controller is limited to the total amount of subscriptions actually paid by the Controller during the 12 months preceding the triggering event, subject to Art. 100 CO (wilful misconduct, gross negligence, harm to life, bodily integrity or health).
15. Governing law and jurisdiction
This DPA is governed by Swiss law. Exclusive jurisdiction lies in Lausanne, canton of Vaud, subject to the mandatory consumer forum.
Annex A — Technical and organisational measures (TOMs)
- Encryption in transit: TLS 1.2 minimum, HSTS enabled.
- Encryption at rest: AES-256-GCM for credentials and OAuth tokens; volume encryption at hosting level.
- Isolation: each Instance in a dedicated Docker container, isolated bridge network, separate PostgreSQL database.
- Backups: daily, encrypted, retained for 30 days, quarterly restoration tests.
- Access control: least-privilege principle, mandatory multi-factor authentication (MFA) on all administrator accounts.
- Logging: access logs retained for 12 months, monthly review of privileged access.
- Incident management: documented procedure, identified owner, target reaction time < 4 business hours.
- Training: annual staff training on data protection and security.
- Subprocessor management: semi-annual review, security measures assessment.
- Secure erasure: definitive purge 30 days after termination, excluding legal accounting obligations.
Annex B — List of subprocessors
| Name | Country | Service | Data concerned |
|---|---|---|---|
| Infomaniak Network SA | Switzerland | Hosting + SMTP | All Instance data |
| Stripe Payments Europe Ltd. | Ireland (EU) | Payments | Billing identifiers, amounts, card tokens |
Acceptance
Acceptance of the Terms by the Controller constitutes acceptance of this DPA. An accepted version is archived with a timestamp. A PDF version signed by both parties may be provided upon written request at [email protected].
In case of discrepancy between language versions, the French version prevails.