Data Processing Agreement (DPA)
Data processing agreement compliant with Art. 9 FADP, under which Vergasta Digital acts as processor on behalf of the using business (data controller).
Last updated: 18 June 2026
This data protection processing agreement (« DPA ») supplements the Terms and applies when Vergasta Digital processes personal data on behalf of the Axolot using business, as processor within the meaning of Art. 9 FADP.
Parties
- The data controller is the using business (sole proprietor, sole proprietorship or legal entity) creating a workspace in Axolot.
- The processor is Vergasta Digital, 2610 Saint-Imier, Switzerland, contact@vergasta.ch.
Subject matter and duration
The processor processes personal data on behalf of the data controller, exclusively to provide the Axolot service (accounting, invoicing, bank reconciliation, storage of supporting documents). Processing lasts for as long as the business account is active and, where applicable, during legal retention periods.
Nature and purpose of processing
- Hosting and storage of accounting data and supporting documents.
- Generation of commercial documents (QR invoices, quotes).
- Automatic data extraction from receipts (Infomaniak AI, Switzerland).
- Import of bank transactions (open banking).
- Fiduciary export and data portability.
Categories of data and data subjects
| Category | Data subjects |
|---|---|
| Customer and supplier contact details | Controller's customers and suppliers |
| Accounting records (invoices, quotes, journal entries) | Customers, suppliers, third-party payers |
| Supporting documents and receipts | The controller, third parties mentioned on the records |
| Imported bank data | Transaction counterparties |
Processor obligations
- Process data only on documented instructions from the controller (use of the service).
- Ensure confidentiality of persons authorised to process data.
- Implement appropriate technical and organisational measures (Art. 8 FADP).
- Assist the controller in exercising data subjects' rights (Art. 25 to 29 FADP).
- Notify the controller of any security breach without undue delay (Art. 24 FADP).
- Delete or return data at the end of the contract, subject to legal retention obligations (Art. 958f CO).
Sub-processors (Art. 7 FADP Ordinance)
The controller hereby authorises in advance the use of the following sub-processors.
| Sub-processor | Activity | Location |
|---|---|---|
| Infomaniak Network SA | Hosting and receipt AI | Switzerland |
| Stripe, Inc. | Licence payment (SaaS billing data only) | EU / international |
| SIX bLink | Open banking | Switzerland |
| Revolut Ltd | Open banking | EU / international |
| Google LLC / Apple Inc. | OAuth authentication | EU / United States |
| Email provider | Transactional sending | Switzerland |
Objection procedure (Art. 7 para. 3 FADP Ordinance). In the event of addition or replacement of a sub-processor, the processor informs the controller by email at least 30 days before commissioning. The controller may object in writing with reasons within this period. In the event of a justified objection that is not resolved, the controller may terminate the contract without penalty and obtain export of their data.
Transfers abroad
Accounting data and supporting documents are hosted in Switzerland. Transfers to sub-processors located abroad (Stripe, Revolut, OAuth) are limited to strictly necessary data and governed by appropriate safeguards within the meaning of Art. 16 and 17 FADP.
Fate of data at end of contract
Upon account closure, the controller may export all their data (fiduciary export and JSON/CSV portability). After a reasonable period, the processor deletes remaining data, except where legally required to retain it (10 years for accounting records, Art. 958f CO).
Acceptance
By creating a business in Axolot, the data controller accepts this DPA. A dated copy of the acceptance is recorded with the account.