FADP Commitment
Last updated: April 14, 2026
1. Context — the 2023 revised FADP
The revised Swiss Federal Act on Data Protection (FADP, also "nLPD") entered into force on 1 September 2023. It replaces the 1992 FADP and strengthens the rights of data subjects as well as the obligations of controllers and processors. ark.flow has been designed to comply with this legal framework, in parallel with GDPR compliance for European customers.
2. Why ark.flow is "FADP-first"
- 100% Swiss hosting of application data at Infomaniak Network SA in Geneva.
- Per-Instance isolation: each customer receives a dedicated container and an isolated database. No customer data is shared between Instances.
- Encryption at rest for credentials, tokens and sensitive documents in AES-256-GCM.
- No application transfer outside Switzerland for accounting and fiduciary data; only payment flows (Stripe, EU) and CDN/DNS (Cloudflare, US, under SCCs and adequacy) entail a transfer.
- Cookieless analytics (self-hosted Umami), no third-party commercial tracker.
- Optional and controlled AI: AI providers are used only upon Customer activation, under contracts prohibiting training of their models on Customer data.
3. FADP obligations and our response
| FADP article | Obligation | ark.flow response |
|---|---|---|
| Art. 5 | Definitions (data, processing, profiling) | Terminology used consistently across all our legal pages |
| Art. 6 | Principles: lawfulness, good faith, proportionality, purpose, accuracy, limited retention | Purposes and retention periods detailed in the Privacy Policy |
| Art. 8 | Data security | Documented technical and organisational measures; periodic review |
| Art. 9 | Processing by a processor | Framework clauses in the Terms; public list of subprocessors |
| Art. 12 | Record of processing activities | Internal record, not published, provided to the FDPIC upon request |
| Art. 16-17 | Cross-border disclosure | Application data in Switzerland; Stripe (EU) and Cloudflare (US, SCCs + adequacy) for their respective purposes |
| Art. 19-21 | Duty to inform, automated decisions | Covered by the Privacy Policy; no automated decisions with legal effect |
| Art. 22 | Data protection impact assessment (DPIA) | Carried out for AI and accounting processing, available on motivated request |
| Art. 24 | Notification of data security breaches | Documented procedure, notification to the FDPIC within 72 hours |
| Art. 25 | Right of access | Response within 30 days to [email protected] |
| Art. 28 | Right to data portability | JSON/CSV export and native Crésus export (Compta) available |
| Art. 30 | Processing infringing personality rights, right to object | Handled by the privacy contact point |
| Art. 32 | Right to rectification and erasure | Response within 30 days, subject to the 10-year accounting obligations |
| Art. 49 | Complaint to the FDPIC | Contact details provided in the Privacy Policy |
4. Technical and organisational measures (summary)
- In transit: TLS 1.2 minimum, HSTS, strict CSP headers.
- At rest: AES-256-GCM for secrets and tokens; encrypted disks at the infrastructure level.
- Access: mandatory MFA for administrators; full logging; quarterly access review.
- Resilience: daily encrypted backups, tested monthly.
- Organisation: internal training, confidentiality undertakings for anyone accessing production systems.
5. Cross-references
- Privacy Policy — substantive information notices
- Cookie Policy — trackers and local storage
- Terms of Service — contractual framework
- Data Processing Agreement (DPA) — processing on behalf (Art. 28 GDPR / Art. 9 FADP)
6. Data protection contact
In case of discrepancy between language versions, the French version prevails.