Terms of Service

Last updated: 3 May 2026

Note: This Agreement is being prepared phase by phase. Phase 1 (Definitions) is set out below in full. Phases 2–16 (Acceptance & Contract Formation; Eligibility; Acceptable Use; User-Generated Content; Intellectual Property; Payments & Refunds; Data Protection; Disclaimers; Limitation of Liability; Indemnification; Dispute Resolution; Termination; General Provisions; Edge-Case Annex; Compliance Memo) will be added in subsequent updates. Until those phases are added, the corresponding subject-matter is governed by Swiss statutory law applied in good faith (ZGB Art. 2) and by any prior version of these Terms still in force at the relevant moment.

Phase 1 — Definitions

For the purposes of these Terms of Service (the “Terms” or this “Agreement”), the following capitalised expressions bear the meanings set out below. Where a term is not defined here, the meaning given by Swiss statutory law applies, in particular the Swiss Code of Obligations of 30 March 1911 (Obligationenrecht, “OR”), the Swiss Civil Code of 10 December 1907 (Zivilgesetzbuch, “ZGB”), the Federal Act on Data Protection of 25 September 2020 (revidiertes Datenschutzgesetz, “nDSG”), the Federal Act on Copyright of 9 October 1992 (Urheberrechtsgesetz, “URG”), and the Federal Act against Unfair Competition of 19 December 1986 (Bundesgesetz gegen den unlauteren Wettbewerb, “UWG”).

Singular includes plural and vice versa. References to a statute include any successor enactment and any subordinate regulation issued under it. The masculine includes all genders without distinction.

1.1 “Operator”

Means Digital Ledger Systems AG, a Swiss stock corporation (Aktiengesellschaft) duly registered in the Commercial Register of the Canton of Schwyz under registration number [OPERATOR: insert CHE-xxx.xxx.xxx as shown on the official Zefix excerpt], with registered seat at Roosstrasse 53, 8832 Wollerau, Canton of Schwyz, Switzerland, contactable at info@proofix.ch for general matters and [OPERATOR: insert legal@proofix.ch or equivalent dedicated address] for legal notices, and (where the Operator is registered for VAT) holding VAT identification number [OPERATOR: insert CHE-xxx.xxx.xxx MWST or confirm not VAT-registered].

Wording rationale: Swiss commercial law (OR Art. 936 et seq.) and ZGB Art. 643 require an AG to be identified by its full registered name, registered seat, and Commercial Register number whenever it acts in legal commerce. Article 326a OR specifically requires this disclosure on commercial communications. Failure to identify the Operator with statutory precision is a recurring ground on which Swiss courts have refused to enforce standard terms (so-called Identifikationsmangel). The CHE number cannot be omitted; it is the unique legal identifier from which all standing flows. The contact address fixed here is also the address of service for the purposes of OR Art. 102 (default), Art. 107 (notice of intent to terminate), and the notice provisions in Phase 14.

Mandatory legal meaning: Once registered, the Operator’s identification details are not at the parties’ disposal — they may only be amended by Commercial Register filing and not by contractual stipulation.

1.2 “Platform”

Means the technical software service provided by the Operator and accessible primarily under the domain proofix.ch and any sub-domain or successor domain operated by the Operator, comprising the public website, the user-facing web application accessible at /send, /download, /verify, and /proof/*, the application programming interfaces (/api/*), the timestamp authority service, the worker job runners, and any client-side cryptographic libraries, scripts, and assets delivered by the Operator to a User’s device.

Wording rationale: The definition is deliberately written by reference to technical artefacts rather than to commercial branding. Swiss courts have, on multiple occasions, allowed Users to escape standard-terms obligations where the contract attempted to bind the User to “the service” without specifying what was actually licensed (see, by analogy, the reasoning in BGE 138 III 411 on the determinacy requirement for AGB). By enumerating the software components here, the Operator preserves the right to invoke breach in respect of each component individually (e.g. unauthorised API access under Phase 4) without having to re-prove what the “Platform” is each time.

Mandatory legal meaning: None. Freely definable, but the definition must not be expanded after acceptance without re-notification (see Phase 2 — amendment mechanism).

1.3 “Service”

Means, collectively, (a) the Platform, (b) any associated technical infrastructure, including without limitation hosting, e-mail delivery, cryptographic timestamping, payment processing, and storage of encrypted blobs, (c) any support, maintenance, communications, or documentation provided by the Operator in connection with the Platform, and (d) any updates, patches, or new functionality that the Operator may make available from time to time.

Wording rationale: The ToS distinguishes “Platform” (the technical thing) from “Service” (the wider bundle of obligations the Operator owes). This separation is essential for the warranty disclaimers in Phase 9 and the liability cap in Phase 10: a Swiss court applying Treu und Glauben (ZGB Art. 2) would refuse to disclaim, e.g., support obligations under the umbrella of a “platform-only” disclaimer if the same word were used for both. Splitting them allows targeted, defensible carve-outs.

Mandatory legal meaning: None.

1.4 “User”

Means any natural person (natürliche Person) who accesses the Service, whether or not they have completed e-mail verification, whether or not they have paid for any tier, and whether they act as the sender, the recipient, or a third party verifying a Proof Certificate.

Wording rationale: Swiss law makes a binding distinction between natürliche Personen (ZGB Art. 11 et seq.) and juristische Personen (ZGB Art. 52 et seq.). Conflating them creates ambiguity in the consumer-protection analysis (see “Consumer” below), in the data-protection analysis (the nDSG only protects the personal data of natural persons since the 2023 revision), and in the forum rules of LugÜ Art. 15-17 (consumer jurisdiction rules apply only to natural persons acting outside their trade or profession).

Mandatory legal meaning: The notion of “natural person” is statutory (ZGB Art. 11). It cannot be redefined.

1.5 “Business User”

Means any natural person acting in the course of a trade, profession, or commercial activity, or any legal person (juristische Person) within the meaning of ZGB Art. 52, including without limitation Swiss stock corporations (AG), limited liability companies (GmbH), partnerships under OR Art. 552 et seq., associations (Verein) under ZGB Art. 60 et seq., and foundations (Stiftung) under ZGB Art. 80 et seq., as well as comparable foreign entities. A Business User is not a Consumer for the purposes of these Terms.

Wording rationale: This is the gateway definition for the B2B carve-outs throughout the Agreement. The dual definition (acting-in-trade individuals plus legal entities) reflects established Swiss case law, in particular BGE 132 III 268 and the longstanding approach under LugÜ Art. 15. Without this dual definition, a freelancer using the Service for client work would be able to argue the consumer protections in the same breath as a multinational signing on for compliance archives.

Mandatory legal meaning: The capacity of a legal person to contract is governed by ZGB Art. 53 and OR Art. 32 et seq. (representation). These cannot be derogated from.

1.6 “Consumer”

Means a User who is a natural person acting wholly or predominantly outside any trade, profession, or commercial activity, in line with the Swiss understanding reflected in OR Art. 40a et seq. and the consumer-jurisdiction rules of LugÜ Art. 15(1).

Wording rationale: The definition is intentionally narrower than “User” and broader than “natural person.” The “wholly or predominantly” formulation tracks the Federal Court’s approach in BGE 121 III 336 and aligns with how Swiss commercial chambers (e.g., Handelsgericht Zürich) characterise dual-purpose contracts. The reference to OR Art. 40a et seq. is critical because that statute fixes which protections the Consumer carries with them, including the seven-day right of revocation for distance contracts where it applies.

Mandatory legal meaning: Whether a person is a Consumer is judicially determined; the Operator’s classification in any individual case is not binding on the court. This must be flagged because any clause that purports to fix a User’s status as non-Consumer (“By accepting these Terms you confirm you are not a Consumer”) is, on settled Swiss case law, void for offending mandatory consumer protection (see UWG Art. 8 and the AGB-Kontrolle reasoning in BGE 140 III 404).

1.7 “Account”

Given that the Operator does not maintain persistent user accounts in the conventional sense, “Account” means, for the purposes of these Terms, the combination of (i) a User’s verified e-mail address, (ii) the active proofix_session cookie issued by the Operator following e-mail verification, (iii) the row in the Operator’s email_verifications data store associated with that verification, and (iv) any data, transfers, payment identifiers, or audit records linked to the verified e-mail address. Account credentials are not user-chosen passwords but the cryptographic possession of (a) the verification e-mail link and (b) the resulting session cookie.

Wording rationale: A standard cookie-cutter “Account” definition (username + password) is technically false as applied to this Service and would be an “ungewöhnliche Klausel” — a clause unusually inconsistent with the User’s actual experience — and therefore unenforceable under the established case law on AGB-Kontrolle. By aligning the legal definition with what the User actually possesses (a one-time verification link plus a session cookie), the Operator preserves enforceability of every downstream obligation tied to “Account” (security, suspension, termination).

Mandatory legal meaning: None. But the definition must be transparent because it ties back to OR Art. 8 (control of standard terms): a User who never sees a username/password screen will reasonably assume there is “no account,” and the Operator must disclose otherwise.

1.8 “Content”

Means all data, files, text, images, audio, video, source code, metadata, hashes, signatures, certificates, e-mail addresses, recipient identifiers, free-text messages, and any other information uploaded to, transmitted through, generated within, or otherwise made available by means of the Service, regardless of format.

1.9 “User Content”

Means Content originating from or submitted by a User, including in particular: (a) the plaintext file payload that the User encrypts client-side before upload (which the Operator does not see) and the corresponding ciphertext that the Operator does receive and store; (b) recipient e-mail address, optional message, file name, and selected validity and download-limit choices; (c) any password chosen by the User for password-protected transfers (which the Operator does not see); and (d) any AI-generated material that the User causes to be processed by the Service.

Wording rationale: The split between “the file the User encrypts” (Operator never sees) and “the ciphertext the Operator receives” matters under the nDSG because it determines whether the Operator is processing personal data within that ciphertext (it is not, because it cannot read it) and under URG because the Operator’s licence (Phase 5) attaches only to what the Operator can lawfully use. Being precise here also defangs the most predictable plaintiff argument — that the Operator surreptitiously read the User’s file — by writing the cryptographic architecture into the contract itself.

Mandatory legal meaning: The personality rights attaching to the User’s plaintext (ZGB Art. 28) cannot be waived in standard terms, and any clause that treats encrypted ciphertext as if it were the plaintext for the purposes of granting the Operator licences would be void.

1.10 “Intellectual Property” or “IP”

Means any and all intellectual property rights, registered or unregistered, present or future, anywhere in the world, including without limitation: (a) copyright and related neighbouring rights under URG and equivalents; (b) trademarks, service marks, trade dress, and goodwill under MSchG and equivalents; (c) registered and unregistered designs under DesG and equivalents; (d) patents and patent applications under PatG and equivalents; (e) trade secrets and confidential information protected under UWG Art. 6 (Verletzung von Fabrikations- oder Geschäftsgeheimnissen); (f) rights in databases (including, where they exist, sui generis database rights under foreign laws to which they apply); and (g) any application, registration, renewal, or extension of any of the foregoing.

Wording rationale: Swiss law does not currently recognise an EU-style sui generis database right; URG protects only original compilations as collective works. The clause accommodates this by acknowledging that database rights exist where the applicable foreign law recognises them, which preserves the Operator’s enforceability against a User abroad without overstating Swiss protection. Trade secrets are deliberately anchored in UWG Art. 6 rather than in any free-standing “trade-secrets” concept, because Switzerland — unlike the EU — has no Trade Secrets Directive equivalent.

Mandatory legal meaning: The moral rights of the author under URG Art. 11 (right of first publication, right of attribution, right of integrity) cannot be fully waived in advance. This constraint propagates into the licence in Phase 5.

1.11 “Confidential Information”

Means any information disclosed by one party to the other in connection with the Service that (a) is marked or designated as confidential at the time of disclosure, (b) a reasonable person would understand to be confidential given its nature or the circumstances of disclosure, or (c) constitutes a trade secret within the meaning of UWG Art. 6, but excluding information that (i) is or becomes publicly known through no breach of these Terms, (ii) was known to the receiving party without confidentiality obligation prior to disclosure, (iii) is independently developed without reference to the disclosed information, or (iv) is rightfully obtained from a third party without confidentiality restriction. For the avoidance of doubt, the plaintext payload of any Transfer is treated as the User’s Confidential Information vis-à-vis the Operator, and the Operator’s source code, infrastructure configuration, and security controls are treated as the Operator’s Confidential Information vis-à-vis the User.

Wording rationale: The four-part exclusion list (publicly known / prior knowledge / independent development / lawful third-party receipt) is the Swiss commercial standard and tracks the safe-harbour reasoning that the Federal Court accepted in cases under UWG Art. 5 and 6. Without these exclusions, a confidentiality obligation can become impossible to comply with and is at risk of being struck down as overbroad.

Mandatory legal meaning: UWG Art. 6 protection cannot be expanded by contract to cover information that is, in fact, public — any attempt to do so is unenforceable.

1.12 “Third-Party Services”

Means any product, service, software, application programming interface, infrastructure, or content provided by a third party that is used by, integrated with, or accessible from the Service, including without limitation Stripe Payments Europe Ltd (payment processing), Infomaniak Network SA (object storage and SMTP relay), the recipient’s e-mail provider, the User’s web browser and operating system, and any internet access provider through which the Service is reached. Third-Party Services are governed by their own respective terms and privacy policies; the Operator is not the operator of any Third-Party Service.

Wording rationale: Naming the principal subprocessors here serves two purposes. First, it satisfies the transparency expectation of nDSG Art. 19(2)(c) (categories of recipients of personal data), to which the Privacy Policy will then refer. Second, it removes from the Operator any pretence of warranty over services it does not control — a precondition for the Phase 9 disclaimer to survive AGB-Kontrolle. Swiss courts have repeatedly held that an operator cannot disclaim something it has not first explicitly identified.

Mandatory legal meaning: None as to definition, but the data-protection allocation in respect of these processors is mandatory under nDSG Art. 9 (commissioned processing) and is dealt with in Phase 8.

1.13 “Prohibited Conduct”

Has the meaning given in Phase 4 (Acceptable Use Policy) of these Terms.

Wording rationale: A forward reference is used because the AUP is itself a long, enumerated list. Defining “Prohibited Conduct” by enumeration here would duplicate Phase 4 and create the risk of drift between the two formulations.

1.14 “Dispute”

Means any claim, controversy, disagreement, demand, or cause of action of any nature, whether contractual or extra-contractual (ausservertraglich), arising out of or in connection with these Terms, the Service, or the relationship between the parties created by these Terms, including without limitation claims under the OR (in particular Art. 97 et seq. on breach of contract), the URG, the UWG, the MSchG, the nDSG, ZGB Art. 28 (personality rights), the Swiss Criminal Code (StGB), or any equivalent foreign law to the extent applicable.

Wording rationale: Drafting “Dispute” broadly is essential to preserve the dispute-resolution mechanism in Phase 12. If “Dispute” were defined narrowly as “contract claims only,” then a User could plead, e.g., a tort under OR Art. 41 (extra-contractual liability) and route the claim around the agreed forum. The Federal Court has accepted broad dispute definitions in the Swiss Rules arbitration context (BGer 4A_617/2014, among others).

Mandatory legal meaning: For Consumers, mandatory court jurisdiction (LugÜ Art. 15-17 and ZPO Art. 32) cannot be displaced; this is handled in Phase 12.

1.15 “Force Majeure Event”

Means any event or circumstance beyond the reasonable control of the affected party which could not have been avoided by the exercise of due diligence, including: (a) acts of God, including without limitation earthquake, flood, fire, lightning, severe storm; (b) war, declared or undeclared, armed conflict, terrorism, civil unrest, riot; (c) acts of any government, regulator, or court (including export controls, sanctions imposed by the Swiss State Secretariat for Economic Affairs (SECO), and judicial injunctions binding on the Operator); (d) failures or interruptions of the public internet, of telecommunications networks, of electrical power, of cloud-infrastructure providers, or of upstream subprocessors (in particular Infomaniak Network SA and Stripe Payments Europe Ltd); (e) cyberattacks, denial-of-service attacks, ransomware events, and the exploitation of vulnerabilities not reasonably preventable; (f) epidemics, pandemics, and public-health measures binding on the affected party; and (g) labour disputes, strikes, and lockouts not within the affected party’s instigation.

Wording rationale: Swiss law does not codify force majeure in a single statute; it is built up from OR Art. 119 (impossibility through no fault of the debtor), OR Art. 97 (release where performance is prevented), and contract practice. Because there is no statutory list, courts test whether the invoked event was (i) external, (ii) unforeseeable, and (iii) unavoidable. By enumerating the categories the Operator considers to satisfy that three-part test — and crucially by including upstream-provider failures, which would otherwise sit in a grey zone under OR Art. 101 (vicarious liability) — the Operator avoids ad-hoc judicial guesswork.

Mandatory legal meaning: Force majeure cannot excuse breach attributable to the affected party’s own intent or gross negligence (OR Art. 100); this carve-out flows through to Phase 14.

1.16 “Processing”

Means any operation or set of operations carried out on Personal Data, in particular collection, recording, storage, modification, retrieval, consultation, disclosure by transmission or otherwise, alignment or combination, restriction, erasure, or destruction, in line with nDSG Art. 5 lit. d.

Wording rationale: Pulling the definition directly from nDSG Art. 5 lit. d ensures the ToS, the Privacy Policy, and the Operator’s data-processing register all use one operative term. Under nDSG Art. 12, the Operator is obliged to maintain a register of processing activities; the term used in the register and the term used in the contract should match.

Mandatory legal meaning: This is statutorily defined. The contract cannot narrow the meaning. Anything matching nDSG Art. 5 lit. d is “Processing” regardless of how the parties characterise it.

1.17 “Personal Data”

Means any information relating to an identified or identifiable natural person, in line with nDSG Art. 5 lit. a. For the avoidance of doubt, since the entry into force of the revised nDSG on 1 September 2023, information relating to legal persons is no longer Personal Data under Swiss law (the prior DSG protection has been removed) and is dealt with, as applicable, under “Confidential Information.”

Wording rationale: The 2023 revision of the nDSG is recent enough that older Swiss precedent and many in-force commercial contracts still treat legal-entity data as personal data. Stating the post-revision position explicitly forecloses the argument that the Operator owes nDSG-style data-subject rights (access, deletion, portability) to a corporate customer in respect of corporate data. The Privacy Policy will mirror this clarification.

Mandatory legal meaning: Statutorily defined under nDSG Art. 5 lit. a. Cannot be narrowed.

1.18 “Sensitive Personal Data”

Means Personal Data falling within nDSG Art. 5 lit. c, including without limitation data on religious, ideological, political, or trade-union views or activities, data on health, the intimate sphere or racial origin, genetic and biometric data uniquely identifying a natural person, data on administrative or criminal proceedings or sanctions, and data on social-assistance measures.

Wording rationale: Because the Service is content-agnostic and end-to-end encrypted, the Operator does not knowingly process Sensitive Personal Data — but a User may transmit such data inside an encrypted payload. Reserving the term here so it can be invoked in the AUP (Phase 4) and the data-processing allocation (Phase 8) is necessary to allocate risk for that scenario.

Mandatory legal meaning: Statutorily defined.

1.19 “Business Day”

Means any day other than a Saturday, Sunday, or public holiday in the Canton of Schwyz, Switzerland (being the canton of the Operator’s registered seat). Where these Terms refer to a period of “X days” without qualification, calendar days are meant; where they refer to “Business Days,” only days satisfying this definition count.

Wording rationale: Swiss case law on standard terms has, on multiple occasions, struck down notice and termination periods that were mathematically valid in calendar days but unworkable when most of those days were weekends or holidays in the User’s location. Anchoring “Business Day” to the Operator’s seat (Schwyz) is unambiguous and matches the rule of OR Art. 78 (deadline falling on a Sunday or holiday extends to the next Business Day). [OPERATOR: confirm Schwyz, or substitute Zurich if the dispute-forum chosen in Phase 12 is Zurich-based.]

Mandatory legal meaning: OR Art. 78 (extension of statutory deadlines falling on a holiday) is mandatory and cannot be contracted out of.

1.20 “Written” or “In Writing”

Means any communication that satisfies (a) the form requirement of OR Art. 13 in respect of obligations for which Swiss law requires written form, or (b) for all other communications under these Terms, any durable electronic medium that allows the recipient to retain and reproduce the communication unchanged, including without limitation e-mail, in-Service messaging, and PDF or HTML documents transmitted electronically. Qualified electronic signatures within the meaning of the Federal Act on Electronic Signatures (ZertES) and SR 943.03 are treated as equivalent to handwritten signatures in respect of any communication under these Terms.

Wording rationale: OR Art. 13 (Schriftform) requires a personal signature for matters where the law mandates written form; but ZertES Art. 14 deems a qualified electronic signature equivalent. For ordinary contractual notices, Swiss law allows Textform under contractual stipulation, which means e-mail is sufficient if the parties so agree. Because most communications under this ToS are non-mandatory-form, defining “Written / In Writing” to include e-mail allows efficient operation while preserving the ZertES bridge for any clause that does require formal signature.

Mandatory legal meaning: OR Art. 13 cannot be relaxed for those rare clauses where written form is statutorily required (e.g., assignment of certain copyright transfers under URG Art. 16(2): full transfer of copyright requires writing).

1.21 “Agreement”

Means these Terms of Service together with the Privacy Policy, the Acceptable Use Policy, the Cookie Policy, and any other policy that the Operator expressly incorporates by reference, including any update lawfully made under Phase 2 (Amendments). All such documents form one single, integrated agreement (einheitlicher Vertrag) between the parties.

Wording rationale: Drafting the ToS as one prong of a multi-document Agreement is conventional Swiss SaaS practice, but it must be done with explicit incorporation language to satisfy OR Art. 1 (offer must be sufficiently determined) and the AGB-Kontrolle requirement that referenced documents be reasonably available to the User at the moment of acceptance. The hierarchy in case of conflict is set in Phase 2.

Mandatory legal meaning: None as to definition, but incorporation by reference fails entirely if the referenced document is not actually accessible to the User at the moment of acceptance — this is a recurring ground of attack and is dealt with in Phase 2.

1.22 “Transfer”

Means a single act of (i) the Operator receiving an encrypted ciphertext together with associated metadata from a User, (ii) the Operator notifying the designated recipient by e-mail (where the User selects e-mail delivery), and (iii) the Operator making the ciphertext available for download by the recipient for the validity period selected, all subject to the download-limit selected by the User.

1.23 “Standard Tier”

Means the Service offered without charge, currently subject to a maximum file size of fifty (50) megabytes per Transfer and to the per-sender quota set out in the Service’s then-current product description.

1.24 “Proof Tier”

Means the paid Service offered for a one-off price of CHF 2.90 per Transfer (inclusive of any applicable Swiss VAT), subject to a maximum file size of five hundred (500) megabytes per Transfer, and including the generation of a Proof Certificate.

1.25 “Proof Certificate”

Means the cryptographic record produced by the Operator for each Proof Tier Transfer, comprising (a) a canonical input string binding the Transfer’s identifying fields, (b) the SHA-256 hash of that canonical input string, (c) a timestamp signature issued by the Operator’s internally hosted timestamp authority over that hash, and (d) an embedded machine-readable JSON sidecar; the Proof Certificate may be regenerated on demand from the persisted proof record and is retained indefinitely under nDSG Art. 6(5) and the legal-claims exemption of GDPR-equivalent retention reasoning.

Wording rationale: Defining the Service’s commercial offerings (Standard, Proof, Proof Certificate) here, in the Definitions phase, removes the most common consumer-protection attack vector under UWG Art. 3(1)(b) — misleading descriptions of the offer. By stating tier limits, price, and what the Proof Certificate actually is in operative legal terms, the Operator forecloses the argument that the User did not know what they were buying.

Mandatory legal meaning: The price (CHF 2.90 inclusive of VAT) must match the price actually charged. Any divergence triggers UWG Art. 3 misleading-pricing exposure.

1.26 “Encryption Key”

Means the cryptographic key material generated client-side in the User’s web browser using the Web Crypto API to encrypt the plaintext payload of a Transfer under AES-256 in Galois/Counter Mode, which key (i) is, in the standard delivery flow, transmitted to the recipient solely as the fragment portion (#…) of the share URL and is not transmitted to the Operator’s servers, and (ii) is, in the password-protected delivery flow, wrapped with a key derived from the User’s password via PBKDF2-HMAC-SHA256 and stored on the Operator’s servers in wrapped form only.

Wording rationale: Building the cryptographic architecture into the contract — at the level of definitions — is unusual in Swiss SaaS contracts but defensible and beneficial here. It (a) supports the Operator’s representation that it cannot read User payloads (relevant to nDSG accountability under Art. 7), (b) defeats the predictable plaintiff allegation that the Operator could access plaintext, and (c) provides the technical anchor for the warranty allocation in Phase 5 (the User warrants ownership over what they encrypt — not what the Operator stores).

Mandatory legal meaning: None.

1.27 “FDPIC”

Means the Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter; in French: Préposé fédéral à la protection des données et à la transparence; in Italian: Incaricato federale della protezione dei dati e della trasparenza), being the Swiss federal supervisory authority for data protection under nDSG Art. 43.

Wording rationale: Mandatory for the Phase 8 right-to-complain clause. Spelling out the trilingual name avoids any “we did not know which authority you meant” disputes.

Mandatory legal meaning: Statutory.

1.28 “Swiss Mandatory Law”

Means any provision of Swiss federal or cantonal law from which the parties cannot derogate by contract, including without limitation OR Art. 100 (no exclusion of liability for intent or gross negligence), the protection of personality rights under ZGB Art. 27 and 28, the rights of data subjects under nDSG Art. 25 et seq., the consumer-protection provisions of UWG (in particular Art. 8 on unfair standard terms), the consumer-jurisdiction rules of LugÜ Art. 15-17 and ZPO Art. 32, and the right of revocation under OR Art. 40a et seq. where applicable.

Wording rationale: Defining “Swiss Mandatory Law” as a single term lets every later clause append “to the maximum extent permitted by Swiss Mandatory Law” without re-listing the entire stack. This is the savings-clause pattern that makes severability (Phase 14) work as a true safety net rather than as a litigated mess.

Mandatory legal meaning: By definition, this is law that cannot be altered by contract.


[Legal Rationale — Swiss Law]

  • Identification of the Operator (§1.1): OR Art. 936–936b, ZGB Art. 643, OR Art. 326a (commercial communications). The CHE registration number is the unique legal identifier under SR 221.411.
  • “Platform” / “Service” split (§1.2–1.3): OR Art. 1 (determinacy of the offer); Federal Court reasoning in BGE 138 III 411 on the determinacy requirement for AGB. Treu und Glauben (ZGB Art. 2) demands that ambiguous service descriptors be construed against the drafter (in dubio contra stipulatorem).
  • “User” / “Business User” / “Consumer” trichotomy (§1.4–1.6): ZGB Art. 11, 52; OR Art. 32 et seq. (representation of legal persons); LugÜ Art. 15–17 (consumer jurisdiction); OR Art. 40a et seq. (consumer revocation); BGE 121 III 336, BGE 132 III 268 on the dual-purpose test.
  • “Account” (§1.7): OR Art. 8 (control of unfair standard terms) and the ungewöhnliche Klausel doctrine — the definition must reflect what the User actually experiences, not boilerplate from another product.
  • “Content” / “User Content” (§1.8–1.9): URG Art. 6 and Art. 11 (moral rights); ZGB Art. 28 (personality rights); the encryption split is necessary for accurate nDSG accountability under Art. 7.
  • “Intellectual Property” (§1.10): URG, MSchG (SR 232.11), DesG (SR 232.12), PatG (SR 232.14), UWG Art. 6 (trade secrets). The express absence of Swiss sui generis database protection is acknowledged.
  • “Confidential Information” (§1.11): UWG Art. 5 and 6; the four-part exclusion list is the established Swiss commercial standard reflected in BGer judgments on UWG Art. 6 enforcement.
  • “Third-Party Services” (§1.12): nDSG Art. 9 (commissioned processing); Art. 19(2)(c) (transparency about recipients).
  • “Force Majeure Event” (§1.15): OR Art. 119 (impossibility), OR Art. 97 (breach), OR Art. 101 (vicarious liability). The list is required because Swiss law does not codify force majeure and courts otherwise apply a three-part test (external / unforeseeable / unavoidable).
  • “Processing” / “Personal Data” / “Sensitive Personal Data” (§1.16–1.18): nDSG Art. 5. The clarification that legal-entity data is no longer Personal Data is the consequence of the 2023 nDSG revision and must be stated because pre-revision practice still survives in many in-force contracts.
  • “Business Day” / “Written” (§1.19–1.20): OR Art. 78 (deadlines falling on holidays), OR Art. 13 (Schriftform), ZertES Art. 14 (qualified electronic signature equivalence), URG Art. 16(2) (writing required for full copyright assignment).
  • “Agreement” (§1.21): OR Art. 1; AGB doctrine that referenced documents must be accessible at acceptance.
  • Service-specific definitions (§1.22–1.26): UWG Art. 3 (truth in pricing and product descriptions); MWSTG (VAT obligation if turnover exceeds CHF 100,000); URG Art. 11 (preservation of moral rights even within a commercial product framing).
  • “FDPIC” (§1.27): nDSG Art. 43.
  • “Swiss Mandatory Law” (§1.28): meta-definition supporting OR Art. 19–20 (limits of contractual freedom) and OR Art. 8 (AGB control).

[Risks Closed]

  • Identification ambiguity: A User cannot claim the Agreement is with an unidentified Swiss entity. The CHE number locks it to one Commercial Register file.
  • “What is the Service?” attack: A User cannot argue the Operator’s disclaimers cover only the website-narrowly-construed and not the API or worker. The technical artefacts are itemised.
  • Consumer-vs-business arbitrage: A freelancer using the Service for paid client work cannot oscillate between Consumer and Business User to pick the most favourable forum, because the dual-prong definition of Business User catches them.
  • “You forced me to declare I’m not a consumer”: Pre-emptively neutralised — the Consumer definition expressly states that classification is judicially determined.
  • “The platform read my plaintext”: Defeated by encoding the cryptographic split (plaintext vs. ciphertext) into User Content (§1.9) and Encryption Key (§1.26).
  • “Database rights” overreach: The Operator does not claim a right that Swiss law does not grant, defeating a UWG Art. 3 misleading-IP-claim attack.
  • Trade-secret overbreadth: The four-part exclusion list defeats the predictable defendant argument that publicly known information was wrongly captured as confidential.
  • Subprocessor non-disclosure: Stripe and Infomaniak are named, satisfying nDSG Art. 19(2)(c) and feeding the Privacy Policy.
  • Dispute scope arbitrage: A claim re-pleaded in tort or in IP cannot escape the Phase 12 mechanism because “Dispute” expressly captures both contractual and extra-contractual claims.
  • Force majeure litigation roulette: Without the enumerated list, every cloud-provider outage becomes its own evidentiary contest. The Operator now has a contractual hook into upstream-provider failures.
  • Personal-data definition drift: A corporate User cannot demand nDSG access rights over corporate data dressed up as “personal” — §1.17 forecloses this post-2023.
  • “I had no notice the website’s terms applied to the API”: §1.2 and §1.21 close this by identifying every technical surface and incorporating every policy.
  • Misleading-price claim under UWG: §1.24 fixes price, tier, and inclusion of VAT.
  • Schriftform mismatch: §1.20 covers both ordinary contractual e-mail communications and ZertES-grade signatures, preventing the User from arguing a notice was invalid for want of handwritten signature.

[Known Vulnerabilities Under Swiss Law]

  • Definition of “Account” (§1.7) is unusual and could be argued to be an ungewöhnliche Klausel if not surfaced clearly to the User at registration. Hardening: at the e-mail-verification step, display a short, plain-language explainer (“By verifying your e-mail you create an Account in the sense of our Terms — see Definitions, §1.7”) and link directly to the Definitions section, not to the ToS landing page. Without this surfacing, the most plaintiff-friendly cantons (Zürich, Geneva) will treat it as void.
  • Forward reference to “Prohibited Conduct” (§1.13): a Swiss court applying OR Art. 1 (determinacy) might insist that the AUP be incorporated visibly at the same screen as acceptance. Hardening: link the AUP from the verification screen, not just from the ToS document.
  • “Force Majeure” enumeration including upstream providers (§1.15(d)): contestable — a User could argue that Infomaniak failures are not external from the Operator’s perspective because the Operator chose Infomaniak. The Federal Court has gone both ways depending on whether the provider was the only commercially reasonable choice. Hardening: in Phase 9 (Disclaimers) and Phase 14 (Force Majeure operative clause), add language that the Operator has selected its providers in accordance with industry standard and exercises the diligence of OR Art. 101.
  • “Confidential Information” includes “the plaintext of any Transfer” (§1.11) — this could be argued to be inconsistent with the Operator’s representation that it cannot see the plaintext. The clause is conceptually correct (the User’s plaintext would be confidential vis-à-vis the Operator if the Operator could see it) but might be attacked as misleading. Hardening: clarify in Phase 8 that “the Operator does not Process the plaintext payload at any time, but to the extent any such payload is at any moment within the Operator’s technical environment, it is treated as the User’s Confidential Information.”
  • “Standard Tier” / “Proof Tier” / “Proof Certificate” written into Definitions (§1.23–1.25): tightly couples the contract to the current product. If the product changes (price, tier limits), an unmodified Agreement becomes immediately misleading. Hardening: Phase 2 amendment mechanism must allow tier and price changes with the prescribed notice period; the Operator must monitor these definitions actively.
  • Cantonal interpretation differences: Geneva and Vaud commercial chambers tend to read “natural person” definitions narrowly and apply consumer-protection thinking expansively; Zürich and Zug commercial chambers (especially Handelsgericht) take a more business-friendly view. The Operator should plan for the most conservative reading (Geneva) when drafting consumer-facing flows.
  • EU regulatory pressure: Although Switzerland is not the EU, the GDPR applies in parallel where the Service is offered to data subjects in the Union (GDPR Art. 3(2)). The Definitions phase contains nothing that conflicts with GDPR, but the Privacy Policy (Phase 8) must mirror these definitions in GDPR-compatible form to avoid a “two-tier” data-subject experience.
  • “Sensitive Personal Data” capture without explicit consent flow: §1.18 reserves the term but the Service may receive Sensitive Personal Data inside encrypted payloads without ever asking. Under nDSG Art. 6(7), the Processing of Sensitive Personal Data requires an express legal basis. Hardening: Phase 4 (AUP) should oblige the User to have obtained necessary consents before transmitting Sensitive Personal Data, shifting the legal-basis burden to the User.

[Cross-References]

  • §1.1 (Operator) — drives Phase 12 (notices to the Operator), Phase 14 (notices, governing forum).
  • §1.2–1.3 (Platform / Service) — drives Phase 9 (Disclaimers), Phase 10 (Liability), Phase 13 (Termination effects).
  • §1.4–1.6 (User / Business User / Consumer) — drives Phase 2 (capacity), Phase 7 (consumer pricing rules), Phase 10 (B2B vs B2C liability caps), Phase 12 (B2C state courts vs B2B arbitration).
  • §1.7 (Account) — drives Phase 3 (registration mechanics), Phase 13 (termination effects on Account data).
  • §1.8–1.9 (Content / User Content) — drives Phase 5 (UGC licence and warranties), Phase 8 (data-protection allocation in respect of metadata vs payload).
  • §1.10 (Intellectual Property) — drives Phase 5 (User’s IP warranties), Phase 6 (Operator’s IP rights), Phase 11 (User indemnifies Operator for IP infringement).
  • §1.11 (Confidential Information) — drives Phase 8 (the Operator’s confidentiality vis-à-vis the User’s plaintext).
  • §1.12 (Third-Party Services) — drives Phase 8 (subprocessor disclosure), Phase 9 (no warranty for Third-Party Services), Phase 15 Edge Case 1 (User claims the Operator is responsible for a Stripe outage).
  • §1.13 (Prohibited Conduct) — drives the entirety of Phase 4.
  • §1.14 (Dispute) — drives Phase 12 entirely.
  • §1.15 (Force Majeure Event) — drives Phase 14 operative force-majeure clause and Phase 9 (Disclaimers — non-availability).
  • §1.16–1.18 (Processing / Personal Data / Sensitive Personal Data) — drives Phase 8 in full and intersects with Phase 4 (AUP duty to obtain necessary consents for sensitive data).
  • §1.19 (Business Day) — drives every period-of-notice clause in Phases 2, 3, 7, 12, 13, 14.
  • §1.20 (Written / In Writing) — drives Phase 2 (amendment notices), Phase 7 (cancellation), Phase 12 (dispute notice), Phase 14 (notices generally).
  • §1.21 (Agreement) — drives Phase 2 (incorporation of policies, hierarchy), Phase 14 (Entire Agreement, severability).
  • §1.22–1.26 (Transfer / Tiers / Proof Certificate / Encryption Key) — drives Phase 7 (pricing, refunds), Phase 9 (warranties as to availability of Transfer), Phase 13 (data retention of proof records vs encrypted blobs at termination).
  • §1.27 (FDPIC) — drives Phase 8 (right to lodge complaint).
  • §1.28 (Swiss Mandatory Law) — drives every liability, indemnity, disclaimer, and savings clause across Phases 9, 10, 11, 12, 14.

Phase 1 complete. Phases 2–16 will be appended to this document as they are drafted, reviewed, and signed off by Operator’s Swiss counsel. Until then, all subject-matter not yet covered is governed by Swiss statutory law applied in good faith.

Questions about these Terms: info@proofix.ch.