FADP Commitment
Last updated: 2026-04-11
Last updated: 2026-04-11
1. Context — the 2023 revised FADP
The revised Swiss Federal Act on Data Protection (FADP, also "nLPD") entered into force on 1 September 2023. It replaces the 1992 FADP and strengthens the rights of data subjects as well as the obligations of controllers and processors. arkplan has been designed from the outset to comply with this legal framework, even before opening its market to European customers subject to GDPR.
2. Why arkplan is "FADP-first"
- 100% Swiss hosting of application data at Infomaniak Network SA in Geneva.
- Per-Instance isolation: each customer receives a dedicated Docker container and an isolated PostgreSQL database. No customer data is shared between Instances.
- Encryption at rest for credentials and OAuth tokens in AES-256-GCM.
- No application transfer outside Switzerland in version 1: only the payment flow transits through Stripe Payments Europe Ltd. in Ireland, within an adequate EU framework.
- Cookieless analytics (self-hosted Umami), no third-party commercial tracker.
3. FADP obligations and our response
| FADP article | Obligation | arkplan response |
|---|---|---|
| Art. 5 | Definitions (data, processing, profiling) | Terminology used consistently across all our legal pages |
| Art. 6 | Principles: lawfulness, good faith, proportionality, purpose, accuracy, limited retention | Purposes and retention periods detailed in the Privacy Policy |
| Art. 8 | Data security | Documented technical and organisational measures (DPA Annex A) |
| Art. 9 | Processing by a processor | DPA annexed to the Terms, accepted upon subscription; public list of subprocessors |
| Art. 12 | Record of processing activities | Internal record, not published, provided to the FDPIC upon request |
| Art. 16-17 | Cross-border disclosure | No application transfer outside Switzerland; Stripe (EU) is the only payments recipient |
| Art. 19-21 | Duty to inform, automated decisions | Covered by the Privacy Policy; no automated decisions with legal effect |
| Art. 22 | Data protection impact assessment (DPIA) | Carried out for CRM processing, available on motivated request |
| Art. 24 | Notification of data security breaches | Documented procedure, notification to the FDPIC within 72 hours |
| Art. 25 | Right of access | Response within 30 days to [email protected] |
| Art. 28 | Right to data portability | JSON/CSV export available |
| Art. 30 | Processing infringing personality rights, right to object | Handled by the privacy contact point |
| Art. 32 | Right to rectification and erasure | Response within 30 days, subject to accounting obligations |
| Art. 49 | Complaint to the FDPIC | Contact details provided in the Privacy Policy |
4. Cross-references
- Privacy Policy — substantive information notices
- Data Processing Agreement (DPA) — processing on behalf
- Terms of Service — contractual framework
5. Data protection contact
[email protected] — +41 78 448 60 02
In case of discrepancy between language versions, the French version prevails.