Data Processing Agreement
Version 2025: Zurich, August 2025
The previous version can be found here.
1. Scope of Application
This Data Processing Agreement (hereinafter also referred to as "Contract" or "Agreement") governs the processing of personal data carried out by the RaiseNow entity specified in the underlying contract ("Data Processor") on behalf of the customer ("Data Controller" or "Client", together the "Parties"), in accordance with Art. 28 GDPR and Art. 9 FADP. This Agreement applies to the processing of personal data as specified in No. 2 and Annex 3.
By signing the individual contract, the client expressly acknowledges this Agreement. If the client does not agree to this Agreement, they cannot access the Services.
Unless defined otherwise herein, all terms shall have the same meaning as in the Swiss Federal Act on Data Protection (“FADP”) or the EU’s General Data Protection Regulation (“GDPR”), as applicable. In the event that there is a significant difference between the definition of a term in the FADP and the GDPR, the definition in the GDPR shall prevail.
In the event of a conflict between this Agreement and the provisions of any other agreement between the Parties existing at the time when this Agreement is agreed upon or entered into thereafter, this Agreement shall prevail, except where explicitly agreed otherwise in text form.
2. Subject and Duration of the Agreement
The assignment includes the following:
- Operational processing of personal data within the scope of service provision.
The details of the processing operations, and in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Data Controller, are specified in Annex 3.
The Data Processor processes personal data for the Client in accordance with Art. 28 GDPR and Art. 9 FADP based on this Agreement.
The contractually agreed service shall be exclusively provided in a Member State of the European Union or in a contracting state of the Agreement on the European Economic Area or Switzerland. Any relocation of the service or parts thereof to a third country requires the prior consent of the Client and may only occur if the special requirements of Art. 44 et seq. GDPR as well as Section 2 of the FADP are met.
The Data Controller agrees that where the Data Processor engages a sub-processor in accordance with No. 6 for carrying out specific processing activities (on behalf of the Data Controller) in a Third Country and those processing activities involve transfer of personal data within the meaning of the GDPR or the FADP, as applicable, the Data Processor and the sub-processor may use standard contractual clauses adopted by the Commission on the basis of Article 46(2) of the GDPR in order to comply with the requirements of Chapter V of the GDPR, provided the conditions for the use of those clauses are met and provided that an internal assessment concluded that such transfer meets the level of data protection of the GDPR and the FADP.
The duration of the Agreement is determined by the main contract.
3. Rights and Obligations of the Client
The Client is solely responsible for ensuring the lawfulness of the processing, including the compliance with applicable data protection laws, ensuring the existence of appropriate legal bases for the data processing within this Agreement and for safeguarding the rights of data subjects. If the Data Processor receives a request from a data subject concerning their rights under the GDPR and/or the FADP, as applicable, the Data Processor is obliged to forward all such inquiries, if they are recognizably addressed to the Client, directly to the Client without delay. The Data Processor will not respond to data subjects’ requests unless explicitly authorised by the Client.
The Client shall issue all instructions not included in this Agreement in writing or in a documented electronic format. Oral instructions must be confirmed in writing or in a documented electronic format without delay to be effective. To be effective, instructions must be sent to: dataprotection@raisenow.com.
In case of a change of contact persons or their long-term unavailability, the Client must be informed immediately, in principle in writing or electronically. Instructions are to be kept for their validity period and then for three full calendar years.
The Data Processor safeguards the personal data processed within the scope of this Agreement by adopting at a minimum the technical and organizational measures included in Annex 2 to this Agreement. The Client shall immediately inform the Data Processor if they detect errors or irregularities when inspecting the results of the instruction.
The Client is obliged to treat all knowledge of business secrets and data security measures of the Data Processor acquired in the course of the contractual relationship confidentially. This obligation continues even after the end of this Agreement.
4. Obligations of the Data Processor
The Data Processor processes personal data exclusively within the framework of the agreements made and according to the instructions of the Client, unless it is required to process the data differently by the law of Switzerland, the European Union or an EU member state to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of these legal requirements before processing, provided that the relevant law does not prohibit such notification.
The Data Processor shall deal promptly and properly with all reasonable inquiries from the Data Controller that relate to the processing under this Agreement. The Data Processor shall assist the Data Controller, upon request, with fulfilling its obligations under Arts. 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Data Processor.
Where the Client fulfils the rights of data subjects, creates records of processing activities or carries out required data protection impact assessments, the Data Processor shall cooperate to the necessary extent and support the Client upon request, taking into account the nature of the processing and the information available to the Data Processor.
The Client warrants that all instructions provided respect the applicable data protection laws. The Data Processor will immediately alert the Client if, in its opinion, an instruction issued by the Client is in violation of legal or contractual provisions. The Data Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the Controller after verification. If confirmed, the Data Processor has the right to terminate this Agreement.
The Data Processor is obliged to correct, delete, or restrict the processing of personal data if the Client demands this via an instruction and the Data Processor is not prohibited from doing so by any applicable law. If no further instruction is given in this regard, the personal data processed within the scope of this Agreement will only be deleted at the end of the term of the Agreement. The Client may also instruct the Data Processor to anonymize the data instead of deleting it. Any question of deletion, anonymization or return of personal data shall be handled through the contact point identified in No. 3.
Disclosures of personal data falling under the scope of this Agreement to third parties or the data subject may only be made by the Data Processor following prior instruction or consent by the Client, unless required by any applicable law.
The Data Processor commits to maintaining confidentiality regarding the personal data of the Client processed in accordance with the Agreement. The Data Processor assures that it will familiarize the employees involved in the execution of the work with the relevant provisions of data protection before commencing their activities and obligate them to confidentiality in a suitable manner for the duration of their activities as well as after the end of the employment relationship.
The Data Processor has appointed the following as the Data Protection Officer:
IITR Datenschutz GmbH
Dr. Sebastian Kraska
Eschenrieder Str. 62c
82194 Gröbenzell
Germany
A change of the Data Protection Officer must be communicated to the Client without delay.
5. Security and Audits
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement and those stemming directly from the GDPR or the FADP, and shall, at the Data Controller's request, allow for and contribute to reviews of data files and documentation or audits of the processing activities covered by this Agreement, in particular if there are indications of non-compliance.
The Data Processor agrees that the Client, subject to an appointment made at least one month in advance, is entitled to verify compliance with data protection and data security regulations as well as with this Agreement to an appropriate and necessary extent, in particular by obtaining information and inspecting the stored data and data processing programs, and by means of on-site inspections and audits. The costs shall be borne by the Client, provided that the Data Processor has announced them and the Client has approved them. Any audit and request for information shall be limited to information necessary for the purposes of this Agreement and shall give due regard to the Data Processor's confidentiality obligations and legitimate interest in protecting business secrets.
The Data Processor will cooperate in these controls as necessary.
The Data Processor shall notify the Client of personal data breaches without undue delay after becoming aware of them, in accordance with Art. 33 and Art. 34 GDPR or Art. 24 FADP, as applicable. Such notification shall contain the details of a contact point where more information concerning the personal data breach can be obtained, a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned), its likely consequences and the measures taken or proposed to be taken to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall be provided as it becomes available without undue delay.
6. Sub-processors
The Client grants the Data Processor general authorization for future engagement of sub-processors for processing personal data within the scope of this Agreement. The Data Processor must ensure that it carefully selects the sub-processor, especially considering the technical and organizational measures taken by the sub-processor in the sense of Art. 32 GDPR and Art. 8 FADP. When engaging a sub-processor, the processor ensures it is subject to the same obligations as set out in this Agreement by means of a contract. If the sub-processor fails to fulfil its data protection obligations, the Data Processor is liable to the Client for this failure.
The Data Processor informs the Controller 2 weeks in advance about any intended change regarding the addition of new or the replacement of existing sub-processors. The Client has the opportunity to object to such changes if there is a significant data protection impediment to the sub-processing, or if the sub-processor violates the provisions of the GDPR or the FADP, as applicable, or other data protection regulations. In this case, the intended change may not be implemented. If the Client exercises its right to object, the Data Processor may terminate the Agreement if it is unable to fulfil its obligations without the notified changes.
The Data Processor shall provide, at the Data Controller's request, a copy of such a sub-processor agreement and any subsequent amendments to the Data Controller.
The Client gives consent to the engagement of the sub-processors documented in Annex 1 for the processing of personal data within the scope of this Agreement.
7. Technical and Organizational Measures
A level of protection appropriate to the risk to the rights and freedoms of natural persons affected by the processing is ensured for the specific contract processing. For this purpose, the protection goals such as confidentiality, integrity, and availability of the systems and services as well as their resilience in relation to the type, scope, circumstances, and purposes of the processing are taken into account in such a way that the risk is reduced through suitable technical and organizational remedial measures. An appropriate and comprehensible methodology for risk assessment is used, which considers the probability of occurrence and severity of the risks to the rights and freedoms of the persons affected by the processing.
The measures described in Annex 2 represent the minimum requirements for technical and organizational measures suitable for the identified risk, taking into account the protection goals according to the state of the art and with special consideration of the IT systems and processing operations used by the Data Processor. Annex 2 also describes the procedure for regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure data protection-compliant processing.
8. Obligations of the Data Processor upon Termination of the Contract
Upon termination of this Agreement, the Data Processor is obliged to immediately return all personal data and copies thereof covered by this Agreement, including the personal data transmitted by the Client, and, insofar as this is not possible, to delete or anonymize such personal data and copies at the Client’s discretion. If the legislation applicable to the Data Processor prohibits the return or anonymization of the personal data covered by this Agreement, the Data Processor shall inform the Client about this and treat the personal data confidentially and not actively process it beyond the extent demanded by law.
9. Miscellaneous
Agreements on technical and organizational measures as well as control and audit documents (also for sub-processors) are to be kept by both contracting parties for their validity period and then for three full calendar years.
Written form or a documented electronic format is generally required for ancillary agreements.
In case the processing under this Agreement is subject to canon law, the canon law addendum available here applies.
Should the security and integrity of the personal data processed by the Data Processor on behalf of the Client be endangered by third-party actions (such as attachment or seizure), by insolvency or composition proceedings, or by other events, the Data Processor must notify the Client immediately.
Annex 1 – List of Subprocessors
The following subcontracting relationships currently exist in connection with the contract processing:
Subcontractors may vary depending on the scope of services.
| Company | Address | Services | Used for |
|---|---|---|---|
| Amazon Web Services, EMEA SARL (aws.amazon.com/de) | 38 Avenue John F. Kennedy, L-1855; server location: Frankfurt am Main | Server/Infrastructure | Always used |
| Datatrans AG (www.datatrans.ch) | Kreuzbühlstrasse 26, 8008 Zürich, Switzerland | Payment Service Provider | Only used for payments routed through Datatrans |
| Stripe Payments Europe, Limited (www.stripe.com) | 3 Dublin Landings, North Wall Quay, Dublin 1, D01 C4E0, Ireland | Payment Service Provider | Only used for payments routed through Stripe |
| Spreedly, Inc. | 300 Morris Street, Suite 400, Durham, NC 27701, United States | Payment Orchestration | Only used for payments routed through Datatrans |
| Nine Internet Solutions AG (www.nine.ch) | Badenerstrasse 47, 8004 Zürich, Switzerland | Server/infrastructure for Peer-to-Peer and Employee Giving | Only used if you have a Peer-to-Peer or Employee Giving platform |
| Rackspace International GmbH (www.rackspace.com) | Baslerstrasse 30, 8048, Switzerland | Server/infrastructure | Only used if you're still on our legacy platform manage.raisenow.com |
| TWINT AG (www.twint.ch) | Stauffacherstrasse 41, 8004 Zürich, Switzerland | Payment Service Provider | Only used if you're based in CH and have accepted the TWINT T&Cs in hub.raisenow.com |
| PayPal (paypal.com) | 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg | Payment Service Provider | Only used for payments routed through PayPal |
| Elasticsearch B.V. (elastic.co) | Keizersgracht 281, 1016 ED Amsterdam, Netherlands | Server/Infrastructure | Always used |
| Atlassian Pty Ltd (atlassian.com) | Level 6, 341 George Street, Sydney, NSW 2000, Australia | Server/Infrastructure | Always used |
| 84codes AB (84codes.com) | Ottsjö Rävstigen 16, 837 96 Stockholm, Sweden | Server/Infrastructure | Always used |
| Twilio Ireland Limited (www.twilio.com) | EEA Headquarters, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland | Two-Factor Authentication for RaiseNow Hub | Always used |
| Weunity AG (www.weunity.com) | Hardturmstrasse 101, 8005 Zürich, Switzerland | TWINT Donation Portal (Service) | Only used for payments initiated on the TWINT+ portal |
| Google Cloud EMEA Limited (www.google.com) | 70 Sir John Rogerson's Quay, Dublin 2, Ireland | Online meeting assistant | Only if customers agree and wish to receive meeting notes |
RaiseNow may need to rely on affiliates to provide the services to our customers. The affiliated companies involved in the processing of personal data depend on the location of our customers and users and the type of services provided.
| Associated Company | Address | Services |
|---|---|---|
| RaiseNow AG | Hardturmstrasse 101, 8005 Zürich, Switzerland | Provides technical functions related to the RaiseNow services and support for users and affiliates in German-speaking countries and the EU |
| RaiseNow GmbH | Frankfurter Allee 56, 10247 Berlin, Germany | Provides support for users and associated companies in German-speaking countries and the EU |
| Altruja GmbH | Augustenstr. 62, 80333 München, Germany | Provides support for users and associated companies in German-speaking countries and the EU |
| Koalect NV | Picardstraat 7 Bus 100, 1000 Brussels, Belgium | Provides support for users and associated companies in the EU |
| gettup GmbH & Co. KG | Schauenburgerstraße 116, 24118 Kiel, Germany | Provides support for users and associated companies in German-speaking countries and the EU |
If the services of Koalect or gettup are used, additional subprocessors are relevant. See the list for the additional subprocessors:
Annex 2 – Technical and Organizational Measures
The Data Processor assures to comply with the following minimum requirements in its data protection concept. It describes the measures required for the secure handling of personal data by the Data Processor within the scope of contract processing. The basis for this data protection concept is the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (FADP), and possibly further measures demanded by the interested parties. In this context, the Data Processor primarily adheres to the provisions of Articles 24, 25, and 32 GDPR as well as Art. 8 FADP.
Confidentiality
Admission Control
Personal data is exclusively hosted on Amazon servers located in Frankfurt, Rackspace servers located in London, and nine (nine.ch) servers located in Zurich. Amazon and Rackspace are not only GDPR-ready but also PCI-DSS certified.
- [Amazon PCI-DSS Level 1 FAQs](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/)
- [Amazon GDPR Center](https://aws.amazon.com/compliance/gdpr-center/)
- [Rackspace PCI Compliance](https://www.rackspace.com/compliance/pci)
- [Rackspace GDPR](https://www.rackspace.com/gdpr)
Access Control
Measures that ensure that only authorized persons can access data processing systems with the right to access, and that personal data cannot be read, copied, altered, or removed without authorization during processing, use, and after storage.
- Number of administrators reduced to the "necessary minimum"
- Virtual access to systems only via VPN from the internal network and public-key authentication
- Two-factor authentication for all employees to view personal data
- Use of paper shredders
- Proper destruction of data carriers
Pseudonymization
Evaluations must be pseudonymized unless the reference to the person is mandatory for the result.
Separation Control
Measures that ensure data collected for different purposes can be processed separately.
- Separation of production and test systems
- Only data directly serving the actual purpose is collected, stored, and processed.
Integrity
Transfer Control
Measures that ensure personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or transport, and that it is possible to verify and ascertain to which bodies personal data has been transmitted by data transmission equipment.
- Exporting of personal data is logged
- Policies for data sharing are documented and known to the affected employees
- The connection to database systems is protected
- Regulations for data protection-compliant destruction of data carriers
- Encryption methods according to current technology standards are used for transmissions (API requests via TLS 1.2, website accesses via SSL)
Input Control
Measures that ensure it is subsequently possible to check and ascertain if and by whom personal data has been entered, modified, or removed in data processing systems.
- Traceability of data entry, modification, and deletion by individual usernames (logging)
Availability and Resilience
Measures that ensure personal data is protected against accidental destruction or loss.
- A backup concept exists
- Responsible persons and representatives are named
- Redundant server infrastructure
Procedures for regular review, assessment, and evaluation
- Data protection management system implemented
- A security device exists
- Quarterly vulnerability tests and annual PCI-DSS SAQ D Level 2 review
- Data protection-friendly presets (Art. 25 para. 2 GDPR, Art. 7 FADP)
- Anonymization possible after a defined interval
Procedures for regular review, assessment, and evaluation
A procedure for monitoring data protection within the company must be implemented. This must include the obligation of employees to data secrecy, the training and sensitization of employees, and the regular auditing of data processing procedures. A continuous reporting and processing procedure must be introduced for data protection violations and the safeguarding of data subject rights. This must also include informing the client.
Annex 3 – Description of Transmission and Processing
- Catalog of personal data to be transferred and processed:
  - Identification and contact information such as name, address, email, phone, birthday
  - Communication preferences, communication data
  - Payment-related data such as bank account details, donation transactions, duration and direct debit orders or SEPA mandates, credit card data
  - Connection details, such as IP address and log files
  - Content and information shared and recorded during meetings
- Purpose of Transmission and Processing:
  - The nature and purpose of processing personal data by the Data Processor arise from the business relationships between the Client and the Data Processor or the concluded main contract.
- Categories of Affected Persons:
  - Supporters (donors, members, sponsors, patrons, guardians, fundraising participants)
  - Prospects used for transfers