Data Processing Agreement (DPA)

Template pursuant to Art. 28 GDPR · Effective from: February 10, 2026

For organizations in the Czech Republic, GDPR and zák. č. 110/2019 Sb. apply; for organizations in Slovakia, GDPR and z. č. 18/2018 Z.z. apply; for organizations in Switzerland (CH), the nDSG (SR 235.1) also applies (among others Art. 9 nDSG, data processing on behalf). The nDSG is compatible with GDPR principles (see Fedlex, nDSG). For organizations in Germany (DE): Art. 28 GDPR is directly applicable; GDPR and BDSG apply. For organizations in Austria (AT): Art. 28 GDPR is directly applicable; GDPR and DSG apply.

Notice: This agreement becomes effective upon acceptance by the controller (organization) during registration or in the organization settings. Acceptance is recorded with a timestamp and administrator identifier.

Article 1 — Contractual parties

Controller: Organization (association, HOA, interest group) registered on the verwalt.ch platform, represented by the organization administrator ("Controller" or "Organization").

Processor: TimeDeals Pavelka, Berglistrasse 28a, 8180 Bülach, Switzerland, UID: CHE-393.597.780, operator of the verwalt.ch platform ("Processor").

Article 2 — Subject and duration

2.1 The Processor processes personal data on behalf of the Controller exclusively for the purpose of providing verwalt.ch platform services (membership management, voting, documents, communication, audit records).

2.2 This agreement is effective for the duration of the Controller's use of the platform. After termination of use, the provisions on return and deletion of data (Art. 9) apply.

Article 3 — Nature and purpose of processing

  • Management of the organization's membership base
  • Operation of electronic voting and generation of result records
  • Storage and provision of documents to organization members
  • Maintenance of an audit trail of activities in the organization
  • Sending transactional emails on behalf of the organization
  • Operation of internal communication (forum, messages)

Article 4 — Categories of data and subjects

Data subjects:

  • Organization members
  • Organization administrators
  • Persons who have submitted a membership application

Data categories:

  • Identification data: email address, name (if provided)
  • Membership data: affiliation with the organization, role, membership status
  • Voting records: votes cast, voting time
  • Communication data: forum posts, messages
  • Documents uploaded to the system
  • Audit records: who/what/when in the context of the organization
  • Email delivery records

Article 5 — Obligations of the processor

  • 5.1 Controller instructions: The Processor processes data exclusively on the basis of documented instructions from the Controller, including instructions contained in this agreement and within the platform's functionality. The Controller gives instructions through settings and actions in the platform.
  • 5.2 Confidentiality: The Processor ensures that persons authorized to process data are bound by confidentiality.
  • 5.3 Security: The Processor implements appropriate technical and organizational measures pursuant to Art. 32 GDPR (see Security page and Privacy Policy, point 11).
  • 5.4 Cooperation: The Processor provides the Controller with reasonable assistance in fulfilling obligations pursuant to Art. 32–36 GDPR (security, breach notification, impact assessment).
  • 5.5 Data subject rights: The Processor assists the Controller in handling requests from data subjects (access, rectification, erasure, portability).
  • 5.6 Breach notification: The Processor informs the Controller without undue delay (at the latest within 48 hours) of any breach of personal data security.
  • 5.7 Processor access limitation: The Processor accesses personal data of organization members exclusively for the purpose of technical maintenance, error resolution and system security. The Processor does not access the content of votes, discussions, messages or documents of the organization, unless necessary to resolve a technical problem at the request of the organization controller. The Processor's access to data is technically limited and recorded in the audit log.

Article 6 — Sub-processors

6.1 The Controller agrees to the use of the following sub-processors:

| Sub-processor | Purpose | Seat / data location |
|---|---|---|
| Vercel Inc. | Server infrastructure, database | USA (EU-U.S. DPF) |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery | USA (EU-U.S. DPF) |
| Stripe, Inc. | Payment processing | USA (EU-U.S. DPF) |
| Sentry (Functional Software, Inc.) | Technical error diagnostics | USA (EU-U.S. DPF) |

6.2 The Processor informs the Controller of intended changes to sub-processors with 30 days' notice. The Controller may object to the change; if it does so and the Processor insists on the change, the Controller has the right to terminate the agreement.

6.3 The Processor shall ensure that each sub-processor provides at least the same level of personal data protection as set forth in this agreement and the applicable legislation (GDPR / revDSG), in particular through contractual obligations.

6.4 The Processor shall be liable to the Controller for the acts and omissions of its sub-processors as if they were the Processor's own acts.

Article 7 — Transfer to third countries

7.1 The transfer of data to Switzerland is covered by a European Commission adequacy decision. The transfer to the USA (Vercel, Postmark, Stripe, Sentry) is ensured through the EU-U.S. Data Privacy Framework.

7.2 For the processing of personal data of data subjects in Switzerland, these provisions shall apply in accordance with the revised Swiss Federal Act on Data Protection (revDSG).

7.3 In the event that an adequacy decision ceases to be valid, transfers to third countries shall be secured through standard contractual clauses (SCCs).

Article 8 — Audit

8.1 The Processor will allow the Controller or an independent auditor designated by it access to information necessary to demonstrate compliance with obligations pursuant to Art. 28 GDPR, in reasonable scope and after prior notice (min. 30 days in advance).

8.2 The Processor may condition the audit on the signing of a confidentiality agreement by the auditor.

Article 9 — Return and deletion of data

9.1 After termination of the Controller's use of the platform, the Processor will enable export of organization data (members, voting, documents, audit) in machine-readable format.

9.2 After expiration of a reasonable period for export (60 days), the Processor will delete the organization's data, except for data whose retention is required by law or legitimate interest (audit logs, delivery evidence).

Article 10 — Final provisions

10.1 This agreement is governed by Swiss law. For dispute resolution, the courts in Bülach, Switzerland, have jurisdiction.

10.2 This agreement becomes effective upon acceptance by the organization administrator on the platform (checking the consent box during organization registration or in organization settings). Acceptance is recorded with a timestamp.

10.3 In case of conflict between this agreement and the Terms of Use, this agreement takes precedence in the scope of data protection.

Contract acceptance

The organization administrator accepts this agreement during organization registration or in organization settings by checking the corresponding field. Acceptance is recorded in the platform's audit log with the administrator identifier and timestamp.

Contact for inquiries: privacy@verwalt.ch

Last updated: February 10, 2026