Privacy policy

Data sovereignty. Implemented sovereignly.

How we process personal data. Applies to the Ascaion AG website, our specialised portals and SaaS solutions. Audited for compliance with the revised Swiss Federal Act on Data Protection (revFADP) and the GDPR.

Version: 2026.1
Status: Final · legally compliant
Applies to: revFADP · GDPR
As of: 15 May 2026

01

Introduction and scope

This policy applies to the use of the Ascaion AG website as well as to our digital specialised portals and SaaS solutions.

We protect your data through sovereignty (private cloud), local technologies (local AI) and certified processes.

02

Responsible entity and data protection officer

Responsible for data processing on this website and for the general business operations is:

Ascaion AG
Laubisrütistrasse 42
CH-8712 Stäfa

Data protection officer (DPO): Mr Marko Feistkorn · datenschutzbeauftragter@ascaion.com

03

Role split: who is the "controller of the data"

We distinguish strictly by purpose of use to guarantee your data sovereignty.

Controller
Ascaion as controller

We decide on the processing of your data for website visits, marketing requests or for the management of your user account (login data) on our corporate website or the event portal, where these must be collected as part of a service for a specific purpose.

Processor
Ascaion as processor

When you use our specialised products (Absidion, Absidion Portal, Smartnode, Sorum) in the course of your professional work for an authority or school, your employer is the "controller". We process this data purely technically and strictly bound by instructions pursuant to Art. 9 revFADP or Art. 28 GDPR.

04

Specific data processing by product

| Product · channel | Type of data | Purpose & security |
| --- | --- | --- |
| Website | IP log files · contact forms | Provision of information. No Matomo, no Google Analytics. |
| Absidion · Absidion Portal | Specialised and process data (eGovernment) | Highly secure SaaS solution. Strict tenant data separation. |
| Absidion Smartnode | Configuration and telemetry data | Meeting management. Focus on data minimisation. |
| Absidion Sorum | Specialised data · end-to-end encrypted | Operational administration for the public sector. Per customer specifications. |

05

Local AI & digital sovereignty

No data exchange
We use exclusively local language models (local AI) in our own data centres. Your data is never transmitted to third parties (e.g. public frontier models) for training purposes.
Transparency
We follow the ISO/IEC 42001 standard (AI management system) to ensure ethical and legal compliance.

06

Remote support and maintenance

To provide the best possible service, we offer contract-based support. The following applies:

Access only on instruction
Access to content data takes place only after explicit customer approval (e.g. via token or screen sharing) and within the scope of the respective contract.
Logging
Every access is logged in an audit-proof way.
Official secrecy
All Ascaion employees are contractually bound to the official secrecy of the respective customer (e.g. Art. 320 of the Swiss Criminal Code) and to data secrecy (§ 53 BDSG).

07

Data security and certifications

We demonstrate our duty of care through an integrated management system:

Security · ISO/IEC 27001: Information Security Management System (ISMS).
Security · ISO/IEC 27017: Information security controls for cloud services.
Privacy · ISO/IEC 27701: Privacy Information Management System (PIMS).
Privacy · ISO/IEC 27018: Protection of personal data in the public cloud.
Location · Data residency: Data of Swiss customers stored exclusively in Switzerland.
Notification · Incident response: Notification to the customer without delay (target 24 h) · Art. 24 revFADP · Art. 33 GDPR.

08

Your rights

You always have the right to information, correction, deletion or data portability of the data we hold (Art. 25–29 revFADP · Art. 15–20 GDPR).

Important note: For data within the specialised applications (Absidion, Sorum, etc.), please contact your responsible authority directly. They hold the legal decision-making power over this data.

09

Archiving and deletion

We support legally compliant archiving in the context of contracts with our customers and the applicable archive laws as well as the Swiss Federal Act on Archiving (BGA). The same applies to the deletion procedures, which are based on the customers' deletion concepts.

Data is irrevocably deleted after the statutory or contractual periods have expired, or handed over to the customer in standardised formats.