Last updated: 12 July 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller", "you") and OSHOOT AG, Industriestrasse 19, 8112 Otelfingen, Switzerland ("Processor", "we"), operator of Momo (the "Service"). It governs our processing of personal data on your behalf and reflects the requirements of the EU General Data Protection Regulation (GDPR, Art. 28) and the revised Swiss Federal Act on Data Protection (revFADP, Art. 9).
You are the Controller of the personal data you and your users enter into the Service; we act as your Processor. We process personal data only to provide the Service and only on your documented instructions, including those set out in this DPA and the Terms.
Subject matter and duration: the provision of the Service for as long as your account is active. Nature and purpose: hosting, storing and processing personal data so your organization can track time, manage absences and balances, handle expenses, and run reports. Details are in Annex 1.
You give general authorization for us to engage the sub-processors listed in Annex 3. We impose data-protection obligations on each sub-processor equivalent to those in this DPA and remain liable for their performance. We will inform you of intended changes (additions/replacements) and give you a reasonable opportunity to object on reasonable data-protection grounds.
We will notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you reasonably need to meet your own notification duties.
Your data is hosted in the European Union (Frankfurt, Germany). Where any processing by us or a sub-processor would involve a transfer outside the EEA or Switzerland, it is carried out under an adequacy decision or appropriate safeguards (e.g. EU Standard Contractual Clauses with the Swiss addendum).
On reasonable prior notice and no more than once per year (unless required by a supervisory authority), we will provide information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party reports where available.
Liability is governed by the Terms of Service. This DPA is governed by Swiss law. If there is a conflict between this DPA and the Terms regarding data protection, this DPA prevails.
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean | Hosting & storage | EU (Frankfurt) |
| Stripe | Subscription payments | EU / global |
| Resend | Transactional email | EU / global |
Questions about this DPA: privacy@momotime.app