Last updated: April 14, 2026
This Data Processing Agreement ("DPA") is concluded between the Customer (the "Controller") and ark.swiss sàrl ("ark.swiss sàrl"). It forms an inseparable annex to the Terms of Service (the "Terms") and applies as from their acceptance. It is drafted in accordance with Article 28 of the General Data Protection Regulation (GDPR) and Article 9 of the revised Swiss Federal Act on Data Protection (FADP).
1. Parties
- Controller: the Customer identified upon subscription to the ark.stock Service.
- Processor: ark.swiss sàrl, CHE-139.880.181, Chemin de la Duchesne 13, 1806 St-Légier, canton of Vaud, Switzerland.
2. Subject matter and scope
This DPA governs the processing, by ark.swiss sàrl, of personal data on behalf of the Controller in the context of operating the ark.stock suite (products ark.stock Compta, ark.stock Fiduciaire and, forthcoming, ark.stock Budget). It applies to all personal data contained in the Controller's Instance, excluding data that ark.swiss sàrl processes for its own purposes (administrative account, billing, Service security).
3. Processing details
3.1 Nature and purpose
ark.swiss sàrl processes data for the sole purpose of hosting and operating the Instance made available to the Controller, in accordance with the Terms and the Controller's documented instructions.
3.2 Categories of data subjects
- Employees and users of the Controller
- Customers, principals and contacts of the Controller (third-party data)
- Suppliers and partners of the Controller
- Prospects entered into the Instance
3.3 Categories of data
- Identity data (first name, last name, email, phone, address)
- Accounting and fiduciary data (bookkeeping entries, supporting documents, balances, VAT)
- Transactional data (invoices, payments, bank statements)
- Personal or professional budget data (ark.stock Budget)
- Notes, attachments and interaction history entered by the Controller
- Technical identifiers (access logs, session IDs)
In the initial version of the Service, ark.swiss sàrl does not process, on behalf of the Controller, any sensitive data within the meaning of Art. 5 lit. c FADP or Art. 9 GDPR. Should the Controller introduce any, it undertakes to inform ark.swiss sàrl beforehand.
3.4 Duration of processing
The processing applies for the entire duration of the Service contract, as well as for the 90-day post-termination retention period provided for in clause 11 below, and beyond for statutory retention periods (in particular invoices issued by ark.swiss sàrl, Art. 958f CO).
4. Controller obligations
- Ensure the lawfulness of processing and have an adequate legal basis within the meaning of Art. 31 FADP and Art. 6 GDPR.
- Inform its own data subjects in accordance with Art. 19 FADP and Art. 13 GDPR.
- Respect data subject rights as the primary point of contact (access, rectification, erasure, portability, objection).
- Provide written instructions to ark.swiss sàrl where necessary, and ensure their lawfulness.
- Properly configure its users' access rights within the Instance.
5. Processor obligations (Art. 28 GDPR, Art. 9 FADP)
- Lawfulness of instructions: process data only on documented instructions from the Controller, unless otherwise required by mandatory law (in which case ark.swiss sàrl informs the Controller, unless the law prohibits it).
- Confidentiality: ensure that authorised personnel are bound by a contractual and, where applicable, statutory confidentiality obligation.
- Security: implement the technical and organisational measures described in clause 6 below.
- Sub-processing: use only the subprocessors authorised in clause 7; notify any change with a notice period allowing the Controller to object.
- Assistance: assist the Controller in fulfilling its obligations — responding to data subject requests, carrying out data protection impact assessments (DPIAs), prior consultations with the authority — to a reasonable and proportionate extent.
- Breach notification: notify the Controller without undue delay and at the latest within 72 hours of becoming aware of a breach (clause 8 below).
- Deletion or return: at the end of the contract, upon the Controller's instructions, return or delete the data (clause 11 below).
- Documentation: make available to the Controller all information necessary to demonstrate compliance with the obligations of this DPA.
6. Technical and organisational measures (TOMs)
The full list of measures is published and kept up to date on the Security page. In summary:
- Encryption in transit: TLS 1.3 enabled by default (TLS 1.2 minimum), HSTS with preload, Let's Encrypt certificates auto-renewed.
- Encryption at rest: AES-256-GCM for credentials, OAuth tokens, secrets; volume-level encryption at Infomaniak hosting level.
- Authentication: password hashing with Argon2id (OWASP-recommended parameters), mandatory MFA on ark.swiss sàrl administrator accounts.
- Single-tenant isolation: each Instance in a dedicated Docker container, isolated bridge network, separate PostgreSQL database.
- Backups: GFS (Grandfather-Father-Son) strategy — daily (7d), weekly (4 weeks), monthly (12 months), encrypted, quarterly restore tests.
- Access control: least-privilege principle, quarterly rights review, environment separation (prod / staging / dev).
- Logging: application and access audit logs retained for 12 months, monthly review of privileged access.
- Incident management: documented procedure, identified owner, response runbook, target reaction time < 4 business hours.
- Training: annual staff training on data protection and security.
- Subprocessor management: semi-annual review, aligned DPA clauses (flow-down), security measures assessment.
- Secure erasure: definitive purge 90 days after termination, excluding statutory accounting obligations.
7. Authorised subprocessors
The Controller authorises ark.swiss sàrl to use the following subprocessors for the indicated purposes:
| Name | Country | Role | Transfer basis |
|---|---|---|---|
| Infomaniak Network SA | Geneva, Switzerland | Application hosting, database, transactional SMTP | Switzerland — data remains in Switzerland, a country benefiting from an EU adequacy decision |
| Stripe Payments Europe Ltd. | Dublin, Ireland | Card payment collection | EU — single market |
| Cloudflare, Inc. | San Francisco, USA | CDN, DNS, WAF, anti-DDoS protection | EU Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework |
| OpenAI Ireland Ltd. | Dublin, Ireland | AI models for accounting categorisation and assistance (optional, enabled by the Controller) | EU — with contractual training opt-out |
| Anthropic Ireland Ltd. | Dublin, Ireland | AI models for assistance and drafting (optional) | EU — with contractual training opt-out |
| Google Cloud EMEA Ltd. | Dublin, Ireland | Complementary AI models (optional) | EU — with contractual training opt-out |
| Umami (self-hosted by ark.swiss sàrl) | Switzerland | Cookieless audience measurement on arkstock.ch | Switzerland (under ark.swiss sàrl's direct responsibility) |
Any new subprocessor will be notified to the Controller with 30 days' prior notice (public list maintained in this DPA and on the Privacy Policy page). The Controller may raise a reasoned objection; if a reasonable objection cannot be resolved, the Controller may terminate the contract free of charge.
8. Breach notification
In the event of a security breach concerning the data processed on behalf of the Controller, ark.swiss sàrl notifies the Controller without undue delay and at the latest within 72 hours of becoming aware of it. The notification contains, to the extent available:
- the nature of the breach, the categories and approximate number of data subjects concerned;
- the categories and approximate number of data records concerned;
- the likely consequences and the measures taken or proposed to remedy them;
- the contact details of a contact point for more information.
ark.swiss sàrl cooperates with the Controller for any notification to the competent supervisory authority (FDPIC, CNIL, etc.) and, if necessary, to data subjects (Art. 24 FADP, Art. 33-34 GDPR).
9. International transfers
The Controller's application data is hosted exclusively in Switzerland. Transfers to the European Union (Stripe, OpenAI, Anthropic, Google Cloud EMEA) are covered by the single market and, for Switzerland, by mutual adequacy recognition. The transfer to Cloudflare (USA) is framed by the Standard Contractual Clauses (SCCs) adopted by the European Commission in their 2021 version, supplemented by additional measures (encryption, minimisation), as well as, in the alternative, by the EU-US Data Privacy Framework.
10. Audit right
The Controller has a right to audit ark.swiss sàrl to verify compliance with this DPA. Terms:
- Documentary audit: once per year, free of charge — ark.swiss sàrl answers reasonable security questionnaires (CAIQ, SIG) within 30 days.
- On-site audit: possible with 30 days' written notice, limited to one per year, at the Controller's expense, subject to a prior mutual confidentiality agreement (NDA) and under conditions that do not compromise the security or confidentiality of other customers.
- Third-party audit: possible after agreement on the choice of firm (independent and qualified) and at the Controller's expense.
ark.swiss sàrl may substitute an on-site inspection with a recent independent audit report (e.g. ISAE 3000, SOC 2, ISO 27001) if available and deemed sufficient by the Controller.
11. Deletion or return
At the end of the contract, upon the Controller's written instructions:
- Export: ark.swiss sàrl makes available for 90 days an export in open formats (JSON, CSV; native Crésus export for ark.stock Compta).
- Deletion: after that period, or upon the Controller's earlier request, ark.swiss sàrl permanently deletes the Instance data, and deletes the backups once their normal retention cycle has elapsed.
- Statutory exception: invoices issued by ark.swiss sàrl to the Controller are retained for 10 years in accordance with Art. 958f CO, an obligation that prevails over the right to erasure.
Upon request, ark.swiss sàrl provides a signed deletion certificate.
12. Duration and termination
This DPA takes effect upon acceptance of the Terms and remains in force as long as ark.swiss sàrl processes personal data on behalf of the Controller. It ends automatically upon completion of the post-termination obligations under clause 11. The confidentiality, liability and governing law clauses survive the end of the DPA.
13. Liability
Each party is responsible for its own breaches of this DPA. ark.swiss sàrl's liability towards the Controller is limited, in accordance with clause 12 of the Terms, to the total amount of subscriptions actually paid by the Controller during the 12 months preceding the triggering event, subject to Art. 100 CO (wilful misconduct, gross negligence, harm to life, bodily integrity or health) and to mandatory data protection obligations.
14. Governing law and jurisdiction
This DPA is governed exclusively by Swiss law. Any dispute shall be submitted to the exclusive jurisdiction of the courts of Lausanne, canton of Vaud, subject to the mandatory consumer forum under Art. 35 CCP.
15. Signature and acceptance
Acceptance of the Terms by the Controller upon subscription constitutes acceptance of this DPA (electronic acceptance, time-stamped and archived). Upon written request to privacy@ark.swiss, a PDF version signed by both parties may be provided for Customers whose internal governance requires it.
16. Data protection contact
ark.swiss sàrl is not legally required to appoint a Data Protection Officer (DPO) within the meaning of Art. 37 GDPR. Requests concerning this DPA, notifications and audits are centralised at the dedicated contact point:
ark.swiss sàrl
Chemin de la Duchesne 13, 1806 St-Légier, canton of Vaud, Switzerland
Email: privacy@ark.swiss
In case of discrepancy between language versions, the French version prevails.