Data Processing Agreement
Mast Finance Sàrl — Effective date: 24 February 2026 — Version 1.0
1. Contractual Framework
This Data Processing Agreement ("DPA") forms an integral part of, and is incorporated into, the Terms of Service between Mast Finance Sàrl ("Mast Finance" or "Processor") and the customer ("Controller"). In the event of conflict, this DPA prevails with respect to data protection matters.
This DPA reflects the requirements of the EU General Data Protection Regulation (GDPR), in particular Article 28, and the Swiss Federal Act on Data Protection (revFADP / nDSG).
2. Definitions
Terms not defined in this DPA have the meanings given in the Terms of Service or applicable data protection law. In this DPA:
- Controller: the customer, who determines the purposes and means of processing Customer Data.
- Processor: Mast Finance Sàrl, who processes personal data on behalf of the Controller.
- Customer Data: personal data provided by or generated on behalf of the Controller through use of the Service.
- Subprocessor: any third party engaged by Mast Finance to process Customer Data.
3. Subject Matter, Nature, and Duration
Mast Finance processes Customer Data on behalf of the Controller for the purpose of providing the Service, including hosting, storage, transmission, retrieval, computation, analysis, generation of outputs, customer support, security operations, and deletion.
Processing takes place for the duration of the subscription and any agreed data export or wind-down period following termination.
4. Categories of Personal Data and Data Subjects
Personal data processed may include:
- business contact and account data (names, roles, contact and company details);
- authentication and access data (user IDs, login events, session data, device identifiers);
- technical and usage data (logs, metadata, IP addresses, timestamps);
- billing and subscription data;
- Customer Data, which may include financial, accounting, expense, and treasury data relating to employees, contractors, customers, suppliers, or other individuals.
Data subjects may include: the Controller's employees and contractors, customers, suppliers, and any other individuals whose personal data is included in Customer Data.
5. Controller Obligations
The Controller:
- confirms it has a lawful basis for providing personal data to Mast Finance;
- is responsible for ensuring transparency toward data subjects;
- is responsible for the accuracy, legality, and completeness of instructions;
- will ensure Customer Data does not contain special categories of personal data (Art. 9 GDPR) unless expressly agreed in writing.
6. Processor Obligations
Mast Finance shall:
- process Customer Data only on documented instructions from the Controller;
- ensure authorised personnel are bound by appropriate confidentiality obligations;
- implement and maintain appropriate technical and organisational security measures;
- not process Customer Data for its own purposes or disclose it to third parties except as required to provide the Service or comply with law;
- inform the Controller promptly if an instruction infringes applicable data protection law.
Service Data: Mast Finance acts as an independent data controller with respect to Service Data (account metadata, usage logs, feature adoption data, and other technical/behavioural data generated through interaction with the Service, excluding Customer Data). Mast Finance may collect, use, and analyse Service Data for legitimate internal business purposes as described in its Privacy Policy.
7. Security Measures
Mast Finance implements appropriate technical and organisational security measures, including encryption of data in transit and at rest, access controls, logging and monitoring, incident response procedures, and regular security assessments.
8. Subprocessors
The Controller grants Mast Finance general authorisation to engage subprocessors. Mast Finance maintains a publicly available list at mastfinance.io/subprocessors.
The Controller may object to a new subprocessor on reasonable data protection grounds within 14 days. If the objection cannot be resolved, the Controller may terminate the relevant service upon written notice.
Mast Finance imposes equivalent data protection obligations on subprocessors and remains liable for their acts and omissions.
Current Subprocessors
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, email delivery | Switzerland (eu-central-2), EU (eu-central-1 for SES) |
| Stripe | Payment processing | US (EU-US Data Privacy Framework) |
| Sentry GmbH | Error tracking and performance monitoring | EU (Frankfurt) |
9. International Data Transfers
Customer Data is primarily processed within Switzerland (AWS Zurich). Where transfers outside Switzerland or the EEA are necessary, appropriate safeguards are ensured, including:
- adequacy decisions recognised under GDPR or Swiss nDSG;
- Standard Contractual Clauses (SCCs) approved by the European Commission, or Swiss equivalent clauses recognised by the FDPIC;
- other recognised transfer mechanisms as applicable.
10. Assistance to the Controller
Mast Finance shall provide reasonable assistance with:
- responding to data subject requests;
- meeting security and breach notification obligations;
- conducting data protection impact assessments, where required.
Such assistance may be subject to reasonable fees where it requires material effort beyond standard service delivery.
11. Personal Data Breaches
Mast Finance shall notify the Controller without undue delay (within 72 hours where feasible) after becoming aware of a breach affecting Customer Data, providing details of the nature, scope, consequences, and remedial measures.
12. Deletion and Return of Data
Upon termination:
- Customer Data remains available for export for 30 days;
- after this period, Customer Data is deleted or anonymised unless retention is required by law;
- Mast Finance will provide written confirmation of deletion upon request.
13. Audit Rights
Audit rights are satisfied exclusively through the following remote mechanisms:
- completion of Mast Finance's standard security and compliance questionnaire;
- provision of relevant third-party audit reports, certifications, or summaries (such as SOC 2 Type II, ISO 27001, or equivalent).
No physical or on-site audits are granted. Audit requests may be submitted to contact@mastfinance.io and may be made no more than once per calendar year, except following a confirmed breach.
14. Liability
Liability is subject to the limitations in the Terms of Service, to the extent permitted by applicable data protection law.
15. Governing Law and Jurisdiction
This DPA is governed by and construed in accordance with Swiss law, excluding conflict of law rules. The parties submit to the exclusive jurisdiction of the courts of Lausanne, Switzerland. Nothing in this section limits a data subject's right to bring proceedings in any competent jurisdiction as permitted by applicable data protection law.