verwalt.ch
Organization management
Sign in

Data Processing Agreement (DPA)

Template pursuant to Art. 28 GDPR · Effective from: February 10, 2026

For organizations in the Czech Republic, also applies GDPR + zák. č. 110/2019 Sb.; for organizations in Slovakia GDPR + z. č. 18/2018 Z.z.; for organizations in Switzerland (CH), also applies nDSG (SR 235.1) (among others Art. 9 nDSG — data processing on behalf). nDSG is compatible with GDPR principles. Fedlex (nDSG). For organizations in Germany (DE): Art. 28 GDPR is directly applicable, also applies GDPR + BDSG. For organizations in Austria (AT): Art. 28 GDPR is directly applicable, also applies GDPR + DSG.

This DPA applies to organizations in jurisdictions available for the verwalt.ch domain (typically CH/DE/AT).

Notice: This agreement becomes effective upon acceptance by the controller (organization) during registration or in the organization settings. Acceptance is recorded with a timestamp and administrator identifier.

Article 1 — Contractual parties

Controller: Organization (association, HOA, interest group) registered on the verwalt.ch platform, represented by the organization administrator („Controller“ or „Organization“).

Processor: TimeDeals Pavelka, Berglistrasse 28a, 8180 Bülach, Switzerland, UID: CHE-393.597.780, operator of the verwalt.ch platform („Processor“).

Article 2 — Subject and duration

2.1 The Processor processes personal data on behalf of the Controller exclusively for the purpose of providing verwalt.ch platform services (membership management, voting, documents, communication, audit records).

2.2 This agreement is effective for the duration of the Controller's use of the platform. After termination of use, the provisions on return and deletion of data (Art. 9) apply.

Article 3 — Nature and purpose of processing

  • Management of the organization's membership base
  • Operation of electronic voting and generation of result records
  • Storage and provision of documents to organization members
  • Maintenance of an audit trail of activities in the organization
  • Sending transactional emails on behalf of the organization
  • Operation of internal communication (forum, messages)

Article 4 — Categories of data and subjects

Data subjects:

  • Organization members
  • Organization administrators
  • Persons who have submitted a membership application

Data categories:

  • Identification data: email address, name (if provided)
  • Membership data: affiliation with the organization, role, membership status
  • Voting records: votes cast, voting time
  • Communication data: forum posts, messages
  • Documents uploaded to the system
  • Audit records: who/what/when in the context of the organization
  • Email delivery records

Article 5 — Obligations of the processor

  • 5.1 Controller instructions: The Processor processes data exclusively on the basis of documented instructions from the Controller, including instructions contained in this agreement and within the platform's functionality. The Controller gives instructions through settings and actions in the platform.
  • 5.2 Confidentiality: The Processor ensures that persons authorized to process data are bound by confidentiality.
  • 5.3 Security: The Processor implements appropriate technical and organizational measures pursuant to Art. 32 GDPR (see Security page and Privacy Policy, point 11).
  • 5.4 Cooperation: The Processor provides the Controller with reasonable assistance in fulfilling obligations pursuant to Art. 32–36 GDPR (security, breach notification, impact assessment).
  • 5.5 Data subject rights: The Processor assists the Controller in handling requests from data subjects (access, rectification, erasure, portability).
  • 5.6 Breach notification: The Processor informs the Controller without undue delay (at the latest within 48 hours) of any breach of personal data security.
  • 5.7 Processor access limitation: The Processor accesses personal data of organization members exclusively for technical maintenance, error resolution, system security, and legal compliance obligations. The Processor has no routine access to the content of votes, discussions, messages, or documents; exceptional access is permitted only for technical troubleshooting, security incidents, or legal obligations, always limited to what is necessary and recorded in the audit log.

Article 6 — Sub-processors

6.1 The Controller agrees to the use of the following sub-processors:

Sub-processorPurposeSeat / data location
Hetzner Online GmbHServer infrastructure, databaseGermany (EU) — no third-country transfer
Postmark (ActiveCampaign, LLC)Transactional email deliveryUSA (EU-U.S. DPF)
Stripe, Inc.Payment processingUSA (EU-U.S. DPF)
Sentry (Functional Software, Inc.)Technical error diagnosticsUSA (EU-U.S. DPF)

6.2 The Processor informs the Controller of intended changes to sub-processors with 30 days' notice. The Controller may object to the change; if it does so and the Processor insists on the change, the Controller has the right to terminate the agreement.

6.3 The Processor shall ensure that each sub-processor provides at least the same level of personal data protection as set forth in this agreement and the applicable legislation (GDPR / revDSG), in particular through contractual obligations.

6.4 The Processor shall be liable to the Controller for the acts and omissions of its sub-processors as if they were the Processor's own acts.

Article 7 — Transfer to third countries

7.1 The transfer of data to Switzerland is covered by a European Commission adequacy decision. The transfer to the USA (Postmark, Stripe, Sentry) is ensured through the EU-U.S. Data Privacy Framework.

7.2 For the processing of personal data of data subjects in Switzerland, these provisions shall apply in accordance with the revised Swiss Federal Act on Data Protection (revDSG).

7.3 In the event that an adequacy decision ceases to be valid, transfers to third countries shall be secured through standard contractual clauses (SCCs).

Article 8 — Audit

8.1 The Processor will allow the Controller or an independent auditor designated by it access to information necessary to demonstrate compliance with obligations pursuant to Art. 28 GDPR, in reasonable scope and after prior notice (min. 30 days in advance).

8.2 The Processor may condition the audit on the signing of a confidentiality agreement by the auditor.

Article 9 — Return and deletion of data

9.1 After termination of the Controller's use of the platform, the Processor will enable export of organization data (members, voting, documents, audit) in machine-readable format.

9.2 After expiration of a reasonable export window agreed contractually, the Processor deactivates the organization (soft-delete) and restricts access to its data. Hard deletion is performed only on a separate legal/contractual request; legally required records (e.g., audit logs, delivery evidence) may be retained according to retention periods.

Article 10 — Final provisions

10.1 This agreement is governed by Swiss law. For dispute resolution, the courts in Bülach, Switzerland, have jurisdiction.

10.2 This agreement becomes effective upon acceptance by the organization administrator on the platform (checking the consent box during organization registration or in organization settings). Acceptance is recorded with a timestamp.

10.3 In case of conflict between this agreement and the Terms of Use this agreement takes precedence in the scope of data protection.

Contract acceptance

The organization administrator accepts this agreement during organization registration or in organization settings by checking the corresponding field. Acceptance is recorded in the platform's audit log with the administrator identifier and timestamp.

Contact for inquiries: privacy@verwalt.ch

Last updated: February 10, 2026