Terms of Service, DPA & TOMs
General Terms and Conditions of Taskbase
Version: 1.11.2025
1. Subject Matter
These General Terms and Conditions of Taskbase ("GTC") are applicable to all services ("Services") that Taskbase AG, Badenerstrasse 47, 8004 Zürich, Switzerland ("Taskbase") provides to its customers ("Customer") (Taskbase and the Customer each individually a "Party" and jointly the "Parties").
The Customer agrees to the application of these GTC by accepting Taskbase's offer or by signing a service agreement or any other agreement with Taskbase in which reference is made to these GTC (such offer, service agreement or other agreement together with all further contractual documents, including these GTC, the "Service Agreement"), whereby a contract is concluded between the Parties.
The application of any general terms and conditions of the Customer is herewith expressly excluded unless stated otherwise in the Service Agreement.
2. Taskbase's Services
Taskbase shall provide the Services in accordance with the Service Agreement (including its annexes).
Taskbase shall be free to organize the manner in which it provides the Services, unless specified otherwise in the Service Agreement. It shall however be obliged to consult with the Customer and other parties involved, as required for the applicable project.
Taskbase is entitled to engage third parties and auxiliary persons (in particular subcontractors) for the purpose of providing the Services and meeting its contractual obligations.
3. Customer’s duties of cooperation
The Customer shall, by all reasonable means, to the extent necessary, and in a timely manner, actively support Taskbase, its employees and any third parties engaged by Taskbase for the purpose of providing the Services, cooperate in taking the necessary preparatory and provisioning actions (including the procurement of all requisite rights and authorizations), provide all relevant information and grant the necessary access to its systems and resources.
In addition, the specific duties of cooperation as set out in the Service Agreement apply.
The Customer shall bear all costs incurred by it in the course of fulfilling its duties of cooperation.
Taskbase shall attempt to perform the Services even if the Customer fails to comply with its duties of cooperation as agreed upon in the Service Agreement. Should this occur, Taskbase shall inform the Customer promptly and set a reasonable grace period in order to comply with the relevant duties that the Customer has not, or has not properly, complied with, and Taskbase shall state the consequences that may be expected for the Customer in the event of failure to comply with the relevant duties of cooperation within the grace period. If, upon expiry of the grace period, compliance has not been restored by the Customer, Taskbase has the right to suspend the Services with immediate effect and/or to terminate the Service Agreement for cause.
In the event of non-fulfilment or improper fulfilment of the Customer’s duties of cooperation, in addition to the remedies stated above, the Customer shall compensate Taskbase for the resulting additional efforts at the standard hourly rates of Taskbase as stated in the Service Agreement.
4. Duty to provide information
Each Party shall inform the other Party promptly of any circumstances, developments, incidents and findings that may be relevant for the other Party in connection with the performance of the Service Agreement or with the contractual relationship as such, unless prohibited by statutory or contractual confidentiality obligations.
5. Fees, payment and expenses
The fees for the provision of the Services are specified in the Service Agreement.
Invoices are payable net within 30 days as of receipt. The Customer shall be in default upon expiry of the payment period without further ado. The statutory rate of default interest shall apply. If the Customer defaults on a payment, Taskbase has the right to suspend the provision of the Services until receipt of payment in full of all outstanding invoices. All fees are exclusive of value added tax (VAT) and any other taxes, duties and charges.
Unless otherwise agreed, any expenses (i.e. all necessary and reasonable out-of-pocket expenses, including, but not limited to travel, lodging, meals, and other business expenses incurred by Taskbase in the provision of the Services, all together the "Expenses") shall be borne by the Customer.
If the Customer does not agree with the prices or expenses invoiced (the "Billing Dispute"), it must notify Taskbase in text form within 10 days of receipt of the respective invoice, stating the reasons and the type and amount of the disputed prices (the "Billing Dispute Notice"). The Customer shall cooperate with Taskbase to promptly address and attempt to resolve any Billing Dispute submitted in accordance herewith. The Customer acknowledges and agrees that in the event that the Customer does not submit a Billing Dispute Notice in accordance with the foregoing, the Customer waives all rights to dispute such invoice, and all fees and Expenses set forth in such invoice will be considered correct and binding on the Customer. In case of a Billing Dispute, the Customer shall remain obligated to pay all undisputed fees and Expenses.
6. Default by Taskbase
Contractually agreed deadlines shall be deemed met upon provisioning of the relevant Services by Taskbase.
If Taskbase fails to comply with a material contractual deadline set forth in the Service Agreement (hard milestone, performance obligation with a defined deadline), Taskbase shall be in default upon expiry of a reasonable grace period set by the Customer in a written reminder (e-mail sufficient). If Taskbase fails to fulfil its performance obligation by the expiry date of this grace period, the Customer has the right to withdraw from the Service Agreement. Any Services (or parts thereof) that have already been provided substantially in accordance with the Service Agreement and that can be used by the Customer as such in an objectively reasonable manner must be paid for in full. Any withdrawal from the Service Agreement shall not affect these Services and they shall remain subject to the relevant provisions of the Service Agreement.
7. Acceptance procedure for one-time Services
7.1. General
In case the Parties agree in the Service Agreement on specific results of performance and the corresponding acceptance criteria (contract for work and services, "Werkvertrag"), then Taskbase's duty to deliver shall be met upon the Customer's acceptance of such work results in accordance with the acceptance criteria. The Customer shall declare acceptance in text form (e-mail sufficient). The work results shall, in the absence of any express written declaration to the contrary by the Customer, be deemed to have been accepted following operational use of the work results by the Customer during at least 30 days.
If the Parties agree to the acceptance of partial work results, the acceptance thereof shall be subject to final acceptance. Upon successful final acceptance, the warranty periods shall commence.
7.2. Failure of acceptance
Acceptance shall be deferred, if acceptance testing by the Customer identifies major defects. The Customer is obliged to provide Taskbase with evidence of any such major defects claimed by it and to reproduce them if possible. Taskbase shall rectify the defects within a reasonable time period, taking into account the cause and nature of the defect, and once again provide the relevant deliverable for acceptance by the Customer.
If the defect cannot be remedied within a time period appropriate to the cause and nature of the defect, the Customer shall set a reasonable grace period for the remedying of the defect. If the remedying definitely fails, the Customer is entitled to (a) demand an appropriate reduction of the respective fees, or (b) withdraw from the Service Agreement in the case of a substantial defect that prevents the Customer from using the deliverable in its entirety. Those Services or parts thereof which have already been provided substantially in accordance with the Service Agreement and which can be used by the Customer as such in an objectively reasonable manner must be paid in full. Any withdrawal from the Service Agreement shall not affect these Services and they shall remain subject to the relevant provisions of the Service Agreement.
Minor defects shall not entitle the Customer to refuse acceptance, but such defects must be rectified by Taskbase within a reasonable grace period set by the Customer.
8. Warranty
8.1. Recurring/operational Services
Taskbase will provide the Services in a professional and diligent manner. If a Service Level Agreement (SLA) forms part of the Service Agreement, then the relevant provisions of the SLA apply. In the absence of any agreement to the contrary in the Service Agreement (including the SLA), there are no representations or warranties as to the availability, quality, security, operation or support of the Services. The Services are provided on a "best effort" basis. In the event of failures, malfunctions and delays, Taskbase shall use its available resources in a reasonable and customary manner to provide the Services or remedy the failures or malfunctions, without, however, giving any assurances in this respect.
8.2. One-time Services
Taskbase warrants that the Services conform to the contractually agreed specifications. The warranty period is 12 months as of the date of acceptance (in accordance with section 7 of these GTC).
Defects must be stated in text form (e-mail sufficient) in a comprehensible form with evidence of the relevant defects and all information useful for identifying the defects. The Customer is obliged to reproduce the defects if possible.
In case of a defect covered by the warranty, the Customer may first demand that the defect shall be remedied free of charge. The Customer shall support Taskbase in the remedying of defects to the extent necessary. If the defect cannot be remedied within a time period appropriate to the cause and nature of the defect, the Customer shall set a reasonable grace period for the remedying of the defect. If the remedying definitely fails, the Customer is entitled to (a) demand an appropriate reduction of the respective fees, or (b) withdraw from the Agreement in the case of a substantial defect that prevents the Customer from using the deliverable in its entirety. Those Services or parts thereof which have already been provided substantially in accordance with the Service Agreement and which can be used by the Customer as such in an objectively reasonable manner must be paid in full. Any withdrawal from the Service Agreement shall not affect these Services and they shall remain subject to the relevant provisions of the Service Agreement.
In the event of defects that cannot be remedied in the short term, Taskbase has the right to provide the Customer with a temporary solution (workaround).
8.3. Warranty of title
Taskbase warrants that the Services do not infringe any intellectual property rights of third parties which exclude or restrict the contractual use of the Services by the Customer.
If a third party attempts to prevent the Customer from using the Services in accordance with the Service Agreement on the basis of allegedly superior proprietary rights, the Customer shall notify Taskbase of this in text form without delay (e-mail sufficient). Provided that the Customer notifies Taskbase without delay and provides reasonable assistance, Taskbase shall, at its own discretion, either (i) modify the relevant Services in such a way that they do not infringe the proprietary rights of the respective third party while, however, fulfilling all material requirements of the Customer, (ii) procure a license for the Customer from the third party at its own expense or (iii) dispute the third party claim. In the event that a legal action is brought against the Customer by the third party, the Customer shall transfer to Taskbase exclusive control regarding the conduct of the lawsuit and take all actions necessary for this purpose. Subject hereto, Taskbase shall bear the costs of litigation (including reasonable attorneys' fees) and shall compensate the Customer for any direct damage resulting from a final judgment against the Customer. The Customer shall forfeit its claims under this provision if it withdraws or fails to give Taskbase control over the conduct of the lawsuit, in particular if it deals with third-party claims in whole or in part by means of settlement or recognition without the express consent of Taskbase.
8.4. Exclusion of warranty
Taskbase’s warranty shall be excluded in case of incidents or circumstances, the causes of which are beyond Taskbase’s control and/or which are attributable in whole or in part to the Customer and/or to third parties not engaged by Taskbase (e.g. modifications of software or improper use of systems or other Services). Further, the warranty shall be excluded in case of incidents or circumstances related to force majeure events. No warranties apply to resources provided by the Customer (e.g. software licenses). In addition and in the absence of any agreement to the contrary in the Service Agreement, Taskbase makes no warranty that the Services can be used uninterruptedly and flawlessly in all combinations desired by the Customer, with any possible data or with any other IT systems or programs.
9. Liability
Taskbase shall be liable for proven direct damages in case of a breach of contract, unless Taskbase proves that it is not at fault. The liability shall be limited to the amount of the remuneration owed under the Service Agreement for the year in which the damage occurs. The liability shall be unlimited for any damages caused intentionally or through gross negligence, as well as for personal injury.
Taskbase’s liability for any indirect or consequential damages, including but not limited to lost profits, loss of data, loss of reputation and third-party claims, shall be excluded.
10. Force majeure
Neither Party shall be liable for any damage, loss or delay resulting from any force majeure event, including but not limited to natural disaster (e.g. avalanches, flooding, landslides, etc.), acts of war, terrorism, riots, labor strike, pandemics, DDoS attacks, hacking, malware, ransomware, unforeseeable official restrictions and criminal acts of third parties, and any delivery date shall be extended to the extent of any delay resulting from any such force majeure event.
However, if performance of a contractual obligation is prevented by such a circumstance for a period of 90 days or more, each Party shall be entitled to terminate the Service Agreement subject to 90 days’ prior notice. In case of termination by the Customer, all fees under the Service Agreement are due and payable immediately pro rata up to the date of termination.
11. Intellectual property rights
11.1. In general
Unless otherwise agreed upon in the Service Agreement, no rights are transferred to the Customer in connection with the provision of the Services by Taskbase and the use of the Services by the Customer.
11.2. Recurring/operational services
Taskbase grants the Customer a non-exclusive, non-transferable, non-sublicensable right, limited to the term of the Service Agreement, to use the recurring Services in compliance and to the extent agreed upon in the Service Agreement.
11.3. One-time services
11.3.1. Newly created intellectual property rights
Insofar as agreed in the Service Agreement, all intellectual property rights newly and specifically created for the Customer in connection with the provision of one-time Services under the Service Agreement, in the case of software newly developed specifically for the Customer including the source code and the complete documentation, shall transfer to the Customer at the time of their creation. Taskbase undertakes to take all required actions for this purpose and issue the appropriate legal declarations in the requisite form to the extent required, and to ensure that any third parties involved do the same.
11.3.2. Pre-existing intellectual property rights
Unless otherwise specified in the Service Agreement, the Customer shall acquire a non-exclusive right, unlimited in time, to use any pre-existing intellectual property rights that are contained in the one-time Services provided by Taskbase. The Customer may create copies of such Services protected by pre-existing intellectual property rights for backup and archival purposes.
12. Confidentiality and data protection
12.1. Contractual confidentiality obligations
Both Parties undertake to treat as confidential any information that is not obvious or generally accessible concerning the other Party, or the customers and business relationships of the other Party, that may come to their attention in connection with their performance of the Service Agreement or with their contractual relationship in general.
The Parties undertake to make such information accessible to their staff, other auxiliary agents and third parties involved or other third parties only to the extent permitted to the Parties under the Service Agreement or where approved in advance by the other Party. Taskbase shall be entitled to pass on the information to third parties (e.g. subcontractors) engaged by it in Switzerland and abroad as well as to group companies (parent, sister or daughter companies of Taskbase) to the extent necessary in connection with the conclusion and performance of the Service Agreement.
The Parties' confidentiality obligations shall not apply to information that:
• was already in the public domain at the time of its disclosure by the disclosing Party;
• was already known to the other Party before it was made accessible by the disclosing Party;
• was lawfully provided to the other Party by a third party without any restrictions on disclosure;
• was developed internally by the other Party without using or referring to the confidential information of the disclosing Party.
The confidentiality obligations shall also extend to information exchanged prior to the conclusion of the Service Agreement and shall continue to apply after its termination, for so long as a Party has a legitimate interest in confidentiality but, as a rule, for a period of at least 3 years after the termination of the relevant contractual relationship.
12.2. Statutory or regulatory confidentiality obligations
Taskbase shall be obliged to treat as confidential any information concerning the Customer that is protected by statutory or regulatory confidentiality obligations insofar as Taskbase has been informed about the Customer being subject to such obligations in the Service Agreement or otherwise in text form. This shall apply in particular with regard to information protected by the banking secrecy, official secrecy, telecommunications secrecy, and non-disclosure duties under social insurance law.
12.3. Data protection
The Parties shall comply at all times with applicable data protection laws, in particular the provisions of the Swiss Data Protection Act and the EU-GDPR, when handling personal data. This also includes the implementation of appropriate technical and organizational security measures.
The Parties enter into a separate Data Processing Agreement (DPA) (Annex 6 to the Service Agreement).
Further data protection-related information can be found in Taskbase's privacy policy, which the Customer acknowledges when concluding the Service Agreement. The Customer shall observe the current version, available at: taskbase.com/privacy-policy
12.4. Common provisions
Notwithstanding the foregoing, each Party may disclose confidential information and personal data if and to the extent such disclosure is required pursuant to a court order or in accordance with a statutory or regulatory obligation. To the extent permitted by law, the other Party shall be informed of such disclosure in advance, and the disclosing Party shall cooperate with the other Party with respect to the manner of the disclosure and shall take all reasonable measures and avail itself of all reasonable legal remedies in order to prevent the disclosure and to achieve the confidential treatment of the information to be disclosed.
Any information and personal data that is no longer required for the performance of the Service Agreement or in the context of the business relationship as such shall be erased (or anonymized in case of personal data), subject to any mandatory statutory retention obligations or legitimate interests of the relevant Party, as provided for by law, in further retention. Each Party shall take reasonable technical and organizational security measures within its respective sphere of responsibility in order to protect the confidential information and personal data (including information and data retained).
13. Compliance with laws and regulations
The Parties shall comply with all laws and regulations applicable to them. Taskbase will thus comply with all laws and regulations applicable to Taskbase generally as a provider of the Services agreed upon in the Service Agreement. The Customer is responsible for determining and specifying the requirements of laws and regulations applicable to the Customer’s business, in particular those relating to the Services that the Customer procures under the Service Agreement.
14. Suspension of Services by Taskbase
Taskbase is entitled to suspend or restrict access of the Customer to the Services immediately and without further notice:
• if the Customer is in default with the payment of fees due under the Service Agreement;
• if the Customer breaches any clause of the Service Agreement, any terms of license and use (software) or any specifications or instructions by Taskbase (e.g. instructions for the use of systems);
• if Taskbase terminates the Service Agreement for good cause;
• if the undisturbed operation of Taskbase is endangered on the basis of circumstances within the Customer's responsibility.
The suspension of the Services shall not affect the right to terminate for cause according to section 15.2 of these GTC.
15. Term, termination and effects of termination
15.1. Term and ordinary termination
The Service Agreement enters into force as of the relevant effective date as specified therein and, subject to earlier termination as provided below, is concluded for the term as specified therein.
15.2. Termination for cause
Either Party shall be entitled to terminate the Service Agreement with immediate effect for cause where:
• the other Party materially breaches its obligations under the Service Agreement (including, with respect to the Customer, the failure to pay any agreed fees or the breach of essential terms of license and use) and has failed to remedy the breach within 30 days after written notice from the other Party;
• the other Party has dissolved or otherwise ceased operations;
• the other Party is placed into bankruptcy, commences composition proceedings, or is insolvent.
15.3. Effects of termination
Upon any termination of the Service Agreement, the Customer shall, as of the effective date of such termination, immediately cease accessing and otherwise utilizing the Services (except during an agreed transition period, if any) and any confidential information of Taskbase (as defined in section 12.1).
If Taskbase terminates the Service Agreement for the Customer’s uncured material breach, all fees under the Service Agreement shall become immediately due and payable within 10 days of the effective date of termination.
Termination of the Service Agreement will not affect any accrued rights (in particular Taskbase’s right to demand payment of all fees that the Customer is obliged to pay until the date of termination), claims and/or liabilities of either Party at the date of termination and shall be without prejudice to any other rights and/or remedies that either Party may have under the Service Agreement.
Further, the termination of the Service Agreement shall have no effect on the clauses which, by their nature, shall survive termination of the Service Agreement, particularly but not exclusively the clauses relating to intellectual property rights, liability, confidentiality and applicable law and place of jurisdiction.
16. Changes
16.1. Changes to Services and fees
Should the Customer wish to make any changes to any contractually pre-defined Services, it shall inform Taskbase thereof in text form (change request). Taskbase shall promptly state whether the change is possible along with any implications that it will have, in particular on the Services to be provided as well as on the fees and contractual deadlines (if any). The changes to the Taskbase Services as requested by the Customer, along with any adjustment of the fees, contractual deadlines (if any) and other terms of the Service Agreement, shall be agreed on in text form prior to execution and, if requested by a Party, signed by both Parties (e.g. by means of an addendum to the Service Agreement).
With respect to recurring Services (e.g. operating and maintenance services), Taskbase may adapt the Services at any time (e.g. due to further developments), provided that this does not impair the Customer's use of the Services. Further, Taskbase reserves the right to make changes to the Services that affect the Customer's use, as well as adjustments to the fees. Taskbase will inform the Customer of such changes in an appropriate manner (e.g. via e-mail). If Taskbase increases fees in such a way that they lead to a higher total charge for the Customer, or if Taskbase significantly changes the Services to the detriment of the Customer, then Taskbase will inform the Customer sufficiently in advance and the Customer may terminate the Service Agreement as of the effective date of the changes. If the Customer fails to do so, the changes are deemed approved. Adjustments to the fees as a result of a change in legal requirements (e.g. increase of the value-added tax rate), as a result of an adjustment to inflation (in accordance with the Consumer Price Index (CPI) of the Swiss Federal Statistical Office) and increases of the fees by service partners or other third party providers of Taskbase are not considered increases of the fees and do not entitle the Customer to terminate the Service Agreement.
Taskbase can also change the names of its Services (e.g. product names) at any time. Taskbase will inform the Customer of such changes in an appropriate manner (e.g. via e-mail).
16.2. Contractual amendments
Any amendments or supplements to the Service Agreement (including amendments to this provision) shall only be legally valid if concluded in writing (with handwritten signatures) or in electronic form (e.g. an electronic file which contains a scan of the signature(s) or a signature with DocuSign, Skribble or any other reputable provider of electronic signatures).
However, Taskbase reserves the right to amend these GTC at any time. Taskbase will notify the Customer of such amendments in an appropriate manner (e.g. via e-mail). If Taskbase amends the GTC significantly to the detriment of the Customer, Taskbase will inform the Customer sufficiently in advance and the Customer may terminate the Service Agreement, which is affected by the amendments, as of the effective date of the amendments. If the Customer fails to do so, the amendments are deemed approved.
17. Miscellaneous
The Service Agreement sets forth the entire agreement between the Parties in relation to the subject matter thereof and shall replace all previous written or oral agreements or declarations of intention in this regard between the Parties.
The waiver of any contractual breach or the failure to enforce any of the rights thereunder shall not be construed as a waiver to enforce other rights or the same right in the future.
In the event that any term or part of any term of the Service Agreement is or becomes invalid or unenforceable, this shall not affect the remaining terms of the Service Agreement. An invalid or partially invalid or unenforceable or partially unenforceable clause shall be replaced by a valid clause (as the case may be by a court order), which comes as close as possible to the meaning and purpose of such clause, and the Parties undertake to sign all agreements and documents that may be necessary in that respect. The same procedure shall be followed should any gap become apparent in the Service Agreement.
The Parties undertake to refrain from transferring/assigning the Service Agreement or any rights or obligations thereunder to any third party without the prior written approval of the other Party.
No agency, partnership, joint venture, or employment is created as a result of the Service Agreement and neither Party has any authority of any kind to bind the other Party in any respect whatsoever.
All notices between the Parties under the Service Agreement must be made by e-mail or letter to the addresses stated in Annex 1 to the Service Agreement. This does not apply to notices and communications on operational matters.
18. Dispute resolution, applicable law and place of jurisdiction
Any disagreement arising out of or in connection with the Service Agreement shall be resolved by mutual agreement if possible. If this is not possible, a mediation proceeding shall be conducted by an independent lawyer. If the disagreement cannot be resolved within 60 days of the commencement of the mediation procedure, the Parties shall be free to bring the matter to the ordinary courts.
The Service Agreement shall be governed in all respects by the substantive laws of Switzerland, excluding the United Nations Convention on Contracts for the International Sale of Goods of 11 April 1980 (CISG) and the provisions of international private law (which shall not apply).
All disputes arising out of or in relation to the Service Agreement, including those concerning its valid conclusion, legal validity, amendment or dissolution shall fall under the exclusive jurisdiction of the courts of Zurich 1, Switzerland.
Annex 6 – Taskbase Data Processing Addendum (DPA)
Version: 1.3.2026
This Annex 6 describes the data processing carried out by Taskbase under the data processing agreement (DPA) within the scope of the contract.
Information on Taskbase
Taskbase contact details (responsible recipient of instructions):
Taskbase AG, Samuel Portmann, CEO, Badenerstrasse 47, 8004 Zurich, Switzerland
Email: samuel@taskbase.com
Contact details of the contact point at Taskbase responsible for data protection issues (also Data Protection Consultant or Data Protection Officer):
Taskbase AG, Samuel Portmann, CEO, Badenerstrasse 47, 8004 Zurich, Switzerland
Email: privacy@taskbase.com
Contact details of Taskbase's data protection representative in the European Union, who can be contacted by supervisory authorities and data subjects for all questions relating to EU data protection law:
Jetro Capiaghi, Hammerweg 8, 83022 Rosenheim, Germany
Email: jetro@taskbase.com
Data Processing
General
Within the scope of the contract, the customer entrusts Taskbase with confidential data for processing, at its own discretion and on its behalf. Personal data is anonymised upon transfer through the API to Taskbase by using an arbitrarily assigned ID.
1.1 Purpose of Processing
The personal data entrusted to Taskbase by the customer and resulting therefrom is processed exclusively for the purpose of fulfilling the contract and related activities (including customer relationship management, invoicing, archiving, marketing).
1.2 Instructions
(a) Taskbase processes personal data only on documented instructions from the Controller, unless there is an obligation to process under Swiss law or Union law. In such a case, Taskbase shall inform the customer of these legal requirements prior to processing, unless the relevant law prohibits this due to an important public interest. The customer may issue further instructions throughout the duration of the processing of personal data. These instructions must always be documented.
(b) Taskbase shall inform the customer without delay if it is of the opinion that instructions issued by the customer violate applicable data protection provisions.
1.3 Duration of Processing
Personal data will be handled by Taskbase as follows after the end of the contract:
☐ Deletion/Anonymization immediately after the end of the contract
X Transfer to the customer immediately after the end of the contract and subsequent deletion/anonymization
☐ Deletion/Anonymization within [Number of days/months] after the end of the contract
☐ Transfer to the customer within [Number of days/months] after the end of the contract and subsequent deletion/anonymization
Deletion/anonymization will take place unless there are longer statutory retention obligations or legitimate interests in relation to certain personal data.
1.4 Categories of Data Subjects
Taskbase processes personal data of:
X Internal or external employees/auxiliary personnel of the customer
X End customers of the customer
☐ Internal or external employees/auxiliary personnel of the customer's business clients
☐ End customers of the customer's business clients
☐ Internal or external employees/auxiliary personnel of the customer's suppliers/partners
1.5 Categories of Personal Data
Taskbase processes the following categories of personal data:
X Private and professional contact and identification data as well as (work) organization data (Name, first name, email address, )
☐ Data on personal/professional circumstances and characteristics (e.g. nationality, date/place of birth, IDs, data on spouse or children, marital status, portrait photo, honorary office, job title, professional career, company affiliation, tasks, activities, log file analysis, entry and exit dates, insurance, qualifications, ratings/assessments, etc.)
☐ Image and/or sound recordings (e.g. audio, video, photos).
☐ Contract data (e.g. purchased products, (financial) services, date of purchase contract, purchase price, special equipment, guarantees, etc.)
X IT usage data (User ID)
☐ Payroll and time management data (e.g. payroll, special payments, garnishment, daily attendance times, reasons for absence, etc.)
☐ Creditworthiness and bank data (e.g. IBAN, card number, payment behavior, balance sheets, data from credit agencies, score values, financial circumstances, bank account, credit card number, etc.)
☐ Particularly sensitive personal data (e.g. racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the unique identification of a natural person, social assistance measures, health data or data on sexual life or sexual orientation, and data relating to criminal offences or the suspicion thereof)
1.6 Special Statutory Confidentiality Obligations
☐ Taskbase processes personal data as an auxiliary person of the customer which is additionally subject to a special statutory confidentiality obligation:
(Multiple selection possible)
☐ Official secrecy
☐ Banking secrecy
☐ Professional secrecy (e.g. trustees, tax experts, lawyers)
☐ Telecommunications secrecy
☐ Federal Act on the General Part of Social Security Law (ATSG)
X Taskbase, as an auxiliary person of the customer, does not process any personal data which is subject to a special statutory confidentiality obligation.
Location of Data Processing
2.1 Location of personal data processing
The personal data is processed in the EU/EEA. All countries, including those outside the EU/EEA, are listed in Annex 8 (Sub-Processors).
2.2 Guarantees for processing outside the EU/EEA
Taskbase ensures an adequate level of protection for personal data when processing outside the EU/EEA by concluding data processing agreements with the relevant sub-processors, in which these sub-processors are obliged to take sufficient technical and organizational measures to protect the processed personal data and/or to ensure data security appropriate to the risk, and which contain the EU Standard Contractual Clauses (SCC).
2.3 Disclosure of Personal Data to Sub-processors
The third parties listed in Annex 8 (Sub-processors) have access to and process personal data as sub-processors, or personal data is disclosed to these third parties.
Taskbase shall explicitly inform the customer at least 14 days in advance of intended changes to this list by adding or replacing sub-processors, thereby giving the customer sufficient time to raise objections to these changes before commissioning the relevant sub-processor(s).
Taskbase ensures that the sub-processor fulfils the obligations to which Taskbase is subject in accordance with these clauses, the Swiss Data Protection Act, and Regulation (EU) 2016/679 (EU GDPR).
Assistance to the Controller
(a) Taskbase shall provide the customer with all information necessary to demonstrate compliance with the obligations set out in these clauses and arising directly from the Swiss Data Protection Act and/or Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the customer's request, Taskbase shall also permit and contribute to audits of the processing activities falling under these clauses at reasonable intervals or where there are indications of non-compliance. When deciding on a review or audit, the customer may take into account relevant certifications of Taskbase.
(b) The customer can carry out the audit themselves or commission an independent auditor. Audits may also include inspections of Taskbase's premises or physical facilities and will be carried out with reasonable prior notice if applicable.
(c) Taking into account the nature of the processing, Taskbase shall assist the customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
(d) Apart from the obligation to assist the customer pursuant to clause 7(c), Taskbase shall also assist the customer in complying with the following obligations, taking into account the nature of the data processing and the information available to it:
(1) Obligation to carry out an assessment of the consequences of the planned processing operations for the protection of personal data (“Data Protection Impact Assessment”) if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment shows that the processing would result in a high risk, unless the customer takes measures to mitigate the risk.
Notification of Data Breaches
Taskbase shall notify the customer without undue delay, and at the latest within 36 hours of becoming aware of a personal data breach involving personal data processed on behalf of the customer. This timeline is designed to ensure that the customer retains sufficient time to fulfil its own notification obligations to the competent supervisory authority within the 72-hour period prescribed by Art. 33 GDPR.
The initial notification shall be made in text form (email sufficient) to the customer's designated contact and shall include, to the extent available at the time of notification:
(a) a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected;
(b) the name and contact details of Taskbase's data protection contact point;
(c) a description of the likely consequences of the breach;
(d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Where all required information cannot be provided at the time of the initial notification, Taskbase shall provide it in phases without further undue delay. Taskbase shall additionally notify the customer by telephone if the breach is of a severity that warrants immediate escalation, as assessed by Taskbase in good faith.
Taskbase shall document all personal data breaches, including those not requiring notification to a supervisory authority, and make this documentation available to the customer upon request.
Where the customer is subject to the Swiss Federal Act on Data Protection (nDSG), Taskbase shall notify the customer without undue delay upon becoming aware of a data breach involving a likely high risk to the personality or fundamental rights of affected data subjects, in accordance with Art. 24 nDSG. The above notification timelines and content requirements apply correspondingly. Where both the GDPR and the nDSG apply, Taskbase shall fulfil whichever obligation is more stringent in the circumstances.
Annex 7 – Technical and Organizational Measures (TOM)
Version: 1.3.2026
This Annex 7 describes the technical and organizational measures taken by Taskbase under the data processing agreement (DPA) within the scope of the contract to protect the personal data processed and/or to ensure data security appropriate to the risk (Art. 8 DPA and Art. 3 DSV as well as Art. 32, 1 EU GDPR).
The technical and organizational measures are subject to technical progress and continuous development. Alternative or additional measures may be implemented, provided that the agreed level of protection is not compromised.
This Annex 7 is limited to the description of the technical and organizational measures that Taskbase itself has taken. Taskbase has contractually obliged its appointed sub-processors (see Annex 8) to implement appropriate technical and organizational measures. The description of these technical and organizational measures can be found in the corresponding documentation of the sub-processors. Taskbase will provide detailed information on this upon request.
Access Control (Physical)
Measures suitable for preventing unauthorized persons from entering facilities where personal data is processed (processing systems).
Taskbase ensures this through the following measures:
Technical Measures
- Alarm system
- Automatic access control system
- Biometric access locks
- Magnetic or chip cards / transponder systems
- Manual locking system (key)
- Security locks
- Locking system with code lock
- Securing of building shafts
- Doors with external knob
- Intercom system with camera
- Video surveillance
- Light barriers / motion detectors
- Burglary-resistant windows and/or security doors
Organizational Measures
- Key regulation / list
- Reception / concierge / porter with personnel control
- Visitor log / visitor protocol
- Wearing of employee / visitor badges
- Escorting of visitors
- Security personnel
- Careful selection of cleaning staff
Access Control (System)
Measures suitable for preventing unauthorized persons from using data processing systems (e.g. computers).
Taskbase ensures this through the following measures:
Technical Measures
- Login with passwords (e.g. username and password)
- Firewall
- Use of VPN for remote access
- Encryption of data carriers
- Encryption of smartphones
- Housing lock
- Encryption of notebooks / tablets
- Two-factor authentication
Organizational Measures
- Managing user authorizations
- Creating user profiles
- Password policy ("Secure Password")
- General policy "Data protection and security"
Access Control (Data)
Measures suitable for limiting the access of those authorized to use a data processing system exclusively to the personal data subject to their access authorization and preventing unauthorized reading, copying, changing, or removal of personal data (including unauthorized input into storage, as well as unauthorized acknowledgment, viewing, changing, or deletion of stored personal data):
Taskbase ensures this through the following measures:
Technical Measures
- Physical deletion of data carriers
- Logging of access
- Standard authorization profiles on a "need to know" basis
- Data protection compliant disposal of no longer needed data carriers
- Secure storage of storage media
- Data protection compliant reuse of storage media
Organizational Measures
- Authorization concept
- Minimal number of administrators
- Vault for data storage
- Administration of user rights by administrators
- Periodic review of granted authorizations
- Standard process for granting authorizations
- "Clean-Desk/Clean-Screen" policy
- "Deletion / Destruction" policy
Transfer and Transmission Control
Measures suitable for preventing unauthorized reading, copying, changing, or removal of personal data during electronic transfer or transport (including via data carriers), as well as measures for checking and establishing to which bodies personal data transfer is intended or takes place using data transfer facilities.
Taskbase ensures this through the following measures:
Technical Measures
- Email encryption
- Use of Virtual Private Networks (VPN)
- Logging of access and retrievals
- Provision via encrypted connections such as sftp, https
- Use of electronic signature procedures
- Encryption of files
- Encryption of data carriers
Organizational Measures
- Documentation of data recipients and the duration of the planned transfer or the deletion periods
- Overview of regular retrieval and transmission processes
- Transfer in anonymized or pseudonymized form
- Personal handover with protocol
Input Control
Measures suitable for enabling the review and establishment of whether, by whom, and when which personal data was entered, changed, or removed from data processing systems.
Taskbase ensures this through the following measures:
Technical Measures
Organizational Measures
- Technical logging of data entry, change, and deletion
- Overview of which programs can be used to enter, change, or delete which data
- Manual or automated control of logs
- Traceability of data entry, change, and deletion by individual user names (not user groups)
- Document management
- Assignment of rights for data entry, change, and deletion based on an authorization concept
- Retention of forms from which data was transferred to automated processing
- Clear responsibilities for deletions
- Deletion concept
Order Control (Sub-processor Control)
Measures suitable for ensuring that the processing of personal data by sub-processors takes place only in accordance with the customer's instructions.
Taskbase ensures this through the following measures:
Organizational Measures
- Prior review of the security measures taken by the sub-processor and their documentation (e.g. ISO certification, ISMS)
- Careful selection of the sub-processor (in terms of data protection and data security) and assignment of the relevant responsibilities
- Conclusion of the necessary data processing agreement with the sub-processor (including in the form of the EU Standard Contractual Clauses, if necessary)
- Right of the customer to issue written instructions to the sub-processor
- Obligation of the sub-processor's employees to data protection (including data secrecy)
- Obligation for the sub-processor to appoint a Data Protection Officer if the corresponding obligation exists
- Agreement on effective rights of control and post-control (e.g. audits) vis-à-vis the sub-processor
- Regulation on the involvement of further sub-processors
- Ensuring the destruction or return of data after termination of the order
- In the event of longer cooperation: Ongoing review of the sub-processor and its level of protection
- Formalized order management
Availability Control
Measures suitable for protecting personal data against accidental or willful destruction or loss.
Taskbase ensures this through the following measures:
Technical Measures
- Fire and smoke alarm systems
- Fire extinguisher server room
- Server room temperature and humidity monitoring
- Air-conditioned server room
- Uninterruptible power supply (UPS)
- Protected power strips server room
- Data protection safe (S60DIS, S120DIS, other suitable standards with source sealing, etc.)
- RAID System / Hard disk mirroring
- Video surveillance server room
- Alarm message in case of unauthorized access to the server room
- Anti-virus protection (incl. regular updating)
- Firewall (incl. regular updating)
- Separate partitions for operating systems and data
Organizational Measures
- Backup & Recovery concept (online/offline, on-site/off-site)
- Control of the backup process
- Regular tests for data restoration and logging of results
- Storage of backup media in a secure location outside the server room
- No sanitary connections in or above the server room
- Reporting channels and emergency plan (e.g. BSI IT-Grundschutz 100-4)
- Multi-stage backup concept with encrypted outsourcing of backups to a disaster recovery center
- Security checks at the infrastructure and application level
- Standard processes for changes/leaving employees
Separability (Separation Control)
Measures suitable for ensuring the separate processing of personal data collected for different purposes.
Taskbase ensures this through the following measures:
Technical Measures
- Separation of production and test environment
- Physical separation (systems / databases / data carriers)
- Multi-client capability of relevant applications
Organizational Measures
- Control via authorization concept
- Definition of database rights
- Provision of data records with purpose attributes / data fields
Review, Assessment, and Evaluation
Introduction of procedures for the regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing.
Taskbase ensures this through the following measures:
Technical Measures
- Use of software solutions for data protection management
- Central documentation of all procedures and regulations on data protection with access possibility for employees according to need / authorization (e.g. Wiki, intranet, etc.)
- Documented security concept
- Regular review of the effectiveness of the technical protection measures
Organizational Measures
- Internal Data Protection Consultant or Data Protection Officer and external Data Protection Representative (EU)
- Employee training in the area of data protection and security
- Regular sensitization of employees (at least once a year)
- Internal / external Information Security Officer (ISO)
- Carrying out a Data Protection Impact Assessment (DPIA) if necessary
- Compliance with the information obligations pursuant to Art. 13 and 14 EU GDPR
- Formalized process for handling inquiries from data subjects
- Obligation of employees to maintain confidentiality and data protection (including data secrecy)
Incident Response Management:
Technical Measures
- Firewall (incl. regular updating)
- Spam filter (incl. regular updating)
- Anti-virus protection (incl. regular updating)
- Intrusion Detection System (IDS)
- Intrusion Prevention System (IPS)
Organizational Measures
- Documented process for detecting and reporting security incidents / data breaches (also with regard to the reporting obligation to the supervisory authority)
- Documented procedure for dealing with security incidents
- Involvement of the Data Protection Consultant or Data Protection Officer and the Data Protection Representative (EU) in security incidents and data breaches
- Documentation of security incidents and data breaches, e.g. via ticket system
- Process and responsibilities for post-processing of security incidents and data breaches
Data Protection Friendly Default Settings (Privacy by Design / Privacy by Default):
Technical Measures
- No collection of more personal data than necessary for the respective purpose
Organizational Measures
- Definition of the role for Privacy/Security by Design and Privacy/Security by Default in projects
- Sensitization of the relevant employees to Privacy/Security by Design or Privacy/Security by Default
Annex 8 – Sub-processors
Version: 1.3.2026
This Annex 8 lists the sub-processors engaged by Taskbase. The engagement of new and the replacement of existing sub-processors is governed by the provisions of the data processing agreement (DPA).
AWS
Infrastructure
Email, first name, last name of customer employees
EU
Data Processing Agreement, Adequacy decision of Switzerland (FDPIC), EU Standard Contractual Clauses
Anthropic
LLM inference
Prompts, outputs, content for inference
EU
Standard API terms; data not used for training; no custom DPA
Microsoft Azure
EU-region LLM inference
Prompts, outputs, content for inference
EU
Standard terms; EU-region processing; data not used for training unless agreed; no custom DPA
PostHog
Product Analytics
device/browser data, user behavior
EU
Opt-in, disabled per default
ZITADEL (CAOS Ltd.)
Identity Access Management
First name, last name, email, language, and gender of users
CH
Both incl. Data Processing Agreement (DPA)
cloudscale.ch AG
Hosting
Parts of the application are hosted on Cloudscale. Cloudscale does not have access to the data.
CH
Both incl. Data Processing Agreement (DPA)
iWay AG
Email (SMTP)
Email, name and potentially learning progress
CH
Both incl. Data Processing Agreement (DPA)