GDPR & Swiss FADP Compliance with Exolynk: How We Effectively Protect Personal Data
Introduction
When I recently published our blog post about one-click data recovery, a colleague asked a very valid question: How does Exolynk ensure compliance with the GDPR and the Swiss Data Protection Act—especially when it comes to deleted data and backups?
A good question, because data protection in a low-code system like Exolynk is not only technically challenging, but also essential for earning the trust of our customers and their end users. In this article, I’ll explain how we at Exolynk handle personal data in a legally compliant way—and how our platform helps businesses implement the GDPR and the Swiss FADP in their daily operations.
Deletion Truly Means Deletion – Including History and Backups
A key principle of the GDPR is the “right to be forgotten.” When personal data is deleted, it must truly—completely—disappear. In Exolynk, this happens in multiple stages:
- Active Deletion: When a record is deleted, the system removes the data from the active table. It is immediately no longer visible or usable in the operational system.
- 90-Day History: For traceability reasons (e.g., user errors or audits), the record remains in a history log for an additional 90 days. During this time, an administrator can restore the data if needed.
- Automatic Deletion: After this period, the historical data is automatically and permanently deleted—with no possibility of recovery.
- Backup Lifecycle: Historical data may still exist in our system backups for a maximum of 30 more days. After that, these backups are either deleted or overwritten, making it impossible to retroactively reconstruct personal data.
Conclusion: After a maximum of 120 days, a deleted record is completely removed—from active use, history, and backups. This ensures compliance with Article 17 of the GDPR and the revised Swiss FADP.
Transparency & Purpose Limitation in Data Collection
Another core principle of data protection laws is the duty of transparency: Every individual has the right to know what personal data is stored about them—and for what purpose.
In a low-code system like Exolynk, where customers define their own fields and data structures, this can be especially challenging. That’s why we’ve implemented two key features:
Purpose Binding for Variables
When creating new data fields (variables), users can directly specify the intended use of the information from a data protection standpoint. These purposes are written in full sentences for maximum clarity. Examples:
- “We use the salutation for targeted personal greetings in emails.”
- “The email address is used for sending pet information and system notifications.”
- “The phone number is used to make contact as part of the service agreement.”
This ensures transparency right from the data modeling stage.
Overview of Data Processing & Storage Locations
To support companies with internal documentation and compliance, Exolynk provides a centralized overview that includes:
- All defined personal data fields, including their purposes
- The respective storage location of the data within the system
- Assignment to the valid Data Processing Agreement (DPA)—the contractual basis for data processing
This overview helps data protection officers keep internal records up to date and efficiently respond to information requests—fully in line with Art. 30 of the GDPR and Art. 12 ff. of the Swiss Data Protection Act (FADP).
Swiss Hosting with the Highest Security Standards
Data protection doesn’t start with software architecture—it begins with infrastructure. That’s why we host the Exolynk platform exclusively in certified Swiss data centers.
Our infrastructure partners are:
- ISO 27001 certified – for information security management
- PCI-DSS certified – for the secure handling of sensitive data (e.g., payment information)
What does that mean in practice?
- All data is stored in Switzerland and therefore subject to strict Swiss data protection laws
- No third-party access, no international data transfers
- Our data centers are physically and digitally secured on multiple levels
- Processing occurs exclusively on GDPR-compliant systems with regularly audited security policies
For companies with especially high requirements—such as those in healthcare, the public sector, or finance—we also offer the option to run Exolynk on-premises. This means our customers can operate the entire platform on their own infrastructure or in a private cloud—retaining full control over data storage and access.
Everyday GDPR Compliance Through Smart Standards
At Exolynk, we view data protection not as a one-time project, but as an ongoing process. Our platform is designed to structurally support companies in ensuring data protection compliance in everyday operations, through:
- Automated deletion schedules
- Transparent data models with purpose binding
- Traceable change logs
- Overviews of storage locations & processing agreements
- Hosting with certified partners
- Option for self-hosting (on-premises)
- Regular updates aligned with legal changes
Conclusion: Data Protection in Practice – Consistently Implemented
Data protection isn’t just a legal obligation—it’s a promise of quality. With Exolynk, we ensure that personal data is not only protected but also handled in full compliance with the law—transparently, automatically, and traceably.
If you’d like to learn more about how Exolynk can support your compliance with the GDPR and the Swiss Data Protection Act (FADP), feel free to contact us—or try our platform firsthand.