Compliance Information

Effective date: 1 January 2026
Last updated: 7 April 2026
Document version: 1.0

The Synergy Group AG (“TSG”) is committed to operating its products and services in compliance with applicable data protection legislation and industry best practices. This page provides an overview of our compliance posture, data sovereignty measures, and AI governance framework.

1. Data Protection Framework

1.1 Swiss Federal Act on Data Protection (nDSG)

TSG is a Swiss company subject to the revised Swiss Federal Act on Data Protection (nDSG / revFADP), which entered into force on 1 September 2023. Our data processing activities comply with the nDSG, including:

  • Transparency — We inform data subjects about the collection and processing of their personal data through our Privacy Policy.
  • Purpose limitation — Personal data is collected for specified, explicit purposes and not processed in a manner incompatible with those purposes.
  • Data minimisation — We collect only the personal data necessary for the stated purposes.
  • Accuracy — We take reasonable steps to ensure personal data is accurate and up to date.
  • Storage limitation — Personal data is retained only as long as necessary for the purposes for which it was collected.
  • Security — Appropriate technical and organisational measures protect personal data against unauthorised access, loss, or destruction.
  • Data subject rights — We facilitate the exercise of data subject rights, including access, rectification, deletion, and data portability.

TSG maintains a Register of Processing Activities (Verzeichnis der Bearbeitungstätigkeiten) as required by Art. 12 nDSG.

1.2 EU General Data Protection Regulation (GDPR)

Where TSG processes personal data of individuals in the European Economic Area (EEA) or where our services are directed at individuals in the EEA, we align our practices with the GDPR. This includes:

  • Identifying a valid legal basis for each processing activity (Art. 6 GDPR);
  • Conducting Data Protection Impact Assessments (DPIAs) where required (Art. 35 GDPR);
  • Entering into Data Processing Agreements (DPAs) with sub-processors;
  • Implementing Standard Contractual Clauses (SCCs) where data is transferred to processors outside Switzerland and the EEA;
  • Maintaining documentation to demonstrate compliance (accountability principle).

1.3 Scope of Compliance

TSG does not specifically target the California market and therefore does not claim compliance with the California Consumer Privacy Act (CCPA). TSG’s primary compliance obligations are under Swiss and EU data protection law.

2. Data Sovereignty

2.1 Swiss-Hosted Infrastructure

All production workloads, databases, and customer data are hosted on Exoscale, a Swiss and European cloud infrastructure provider, in its Zürich data centre. This ensures:

  • Swiss data sovereignty — Customer data is stored and processed within Switzerland;
  • No US CLOUD Act exposure — Exoscale is not subject to US jurisdiction or compulsory disclosure orders from US authorities;
  • Physical security — Exoscale’s Zürich facility is ISO 27001 certified with 24/7 physical access controls.

2.2 Sub-Processors

TSG engages a limited number of sub-processors to deliver its services. Key sub-processors include:

  • Exoscale (A1 Digital International GmbH) — Cloud infrastructure, Zürich, Switzerland
  • Stripe (Stripe Payments Europe, Ltd.) — Payment processing, Ireland/EU
  • Clerk (Clerk, Inc.) — Authentication and identity management, United States (SCCs in place)
  • Anthropic (Anthropic, PBC) — AI inference (request-scoped), United States (DPA with no-training clause)
  • OpenAI (OpenAI, LLC) — AI inference (request-scoped), United States (DPA with no-training clause)
  • ElevenLabs — Voice synthesis (request-scoped), United States (DPA in place)
  • Deepgram — Speech-to-text (request-scoped), United States (DPA in place)

For US-based AI providers, data is transmitted on a request-scoped basis only (no persistent storage) and is not used for model training. Appropriate contractual safeguards (SCCs and DPAs) are in place.

3. AI Governance

3.1 Constitutional Rules

TSG operates its AI-powered features under a set of 10 constitutional rules that govern all AI agent behaviour across the platform:

  1. Human oversight — AI agents assist human decision-making; they do not make autonomous decisions with material consequences.
  2. Transparency — Users are informed when they are interacting with AI-generated content.
  3. No training on client data — Client data is never used to train or fine-tune AI models. All AI provider agreements include explicit no-training clauses.
  4. Data minimisation — AI prompts contain only the minimum data necessary for the requested task.
  5. Output verification — AI outputs intended for external use (emails, reports, recommendations) require human review before dispatch.
  6. Audit trail — All AI agent actions are logged with timestamps, inputs, and outputs for accountability.
  7. Graceful degradation — If an AI provider is unavailable, the system falls back to deterministic rules rather than failing silently.
  8. No hallucination of facts — AI prompts inject verified database facts (names, amounts, dates) and instruct the model to use only those facts.
  9. Scope limitation — Each AI agent operates within a defined scope and cannot access data or systems outside its mandate.
  10. Periodic review — AI agent behaviour, prompts, and outputs are reviewed quarterly for accuracy, bias, and alignment with these rules.

3.2 AI Provider Relationships

TSG acts as the data controller for all personal data processed through AI features. AI providers (Anthropic, OpenAI, ElevenLabs, Deepgram) act as data processors under data processing agreements that specify:

  • Processing only on TSG’s documented instructions;
  • No use of data for training, fine-tuning, or model improvement;
  • Deletion of data after processing (no persistent storage by the provider);
  • Appropriate technical and organisational security measures.

4. Information Security

4.1 Security Controls

TSG has implemented a comprehensive set of technical and organisational security controls aligned with the ISO 27001 framework (self-assessed). Key measures include:

  • Encryption in transit — All data transmitted between clients and TSG services is encrypted using TLS 1.2 or higher.
  • Encryption at rest — Customer data stored on Exoscale is encrypted at rest using AES-256.
  • Access control — Role-based access controls (RBAC) following the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access.
  • Network security — Firewalls, intrusion detection, and network segmentation isolate production environments.
  • Secrets management — Credentials and API keys are stored in a dedicated vault, never in source code.
  • Monitoring and alerting — Real-time monitoring with Grafana dashboards and automated alerts for anomalous activity.
  • Backup and recovery — Daily automated backups with documented recovery procedures.

4.2 Penetration Testing

TSG conducts penetration testing of its externally facing infrastructure and applications. Annual penetration tests are planned, with results driving remediation priorities. Critical vulnerabilities are addressed within 48 hours of discovery.

4.3 Incident Response

TSG maintains a documented Breach Notification Procedure that includes:

  • Detection and classification of security incidents within 4 hours;
  • Notification to the Swiss Federal Data Protection and Information Commissioner (FDPIC) within 72 hours for incidents involving personal data, as required by Art. 24 nDSG;
  • Notification to affected data subjects without undue delay where the incident is likely to result in high risk;
  • Post-incident review and lessons-learned process.

5. Data Subject Rights

Under the nDSG and GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you;
  • Rectification — Request correction of inaccurate or incomplete data;
  • Deletion — Request deletion of your personal data (subject to legal retention obligations);
  • Data portability — Receive your data in a structured, machine-readable format;
  • Objection — Object to processing based on legitimate interests;
  • Restriction — Request restriction of processing in certain circumstances;
  • Withdraw consent — Withdraw previously given consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact andre@thesynergygroup.ch. We will respond within 30 calendar days.

6. Trust Centre

For detailed compliance documentation, including our Records of Processing Activities, Data Protection Impact Assessments, International Transfers Register, and Security Compliance documentation, please refer to the TSG Trust Centre. Access to detailed technical documentation is available on request for enterprise clients and regulatory authorities.

7. Regulatory Contact

If you believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern, Switzerland
www.edoeb.admin.ch

For individuals in the EEA, you may also lodge a complaint with the supervisory authority in your country of residence.

8. Contact

For any compliance-related enquiries, please contact:

The Synergy Group AG
c/o HAFIDA Treuhand AG
Dorfstrasse 59
8126 Zumikon, Switzerland
Email: andre@thesynergygroup.ch