Terms of Use for the reWork Tool

Compasso Association – rework-profil.ch

 

1. Scope and Contracting Parties

These Terms of Use govern the use of the reWork Tool (hereinafter “Tool”) at rework-profil.ch, which is operated by Compasso Association, Hegibachstrasse 47, 8032 Zurich (hereinafter “Compasso”).

The Tool is intended for employers and their employees to systematically document workplace requirements in the context of vocational reintegration.

These terms apply to both modes of use:

  • Registered use (with a user account, with data storage)
  • Guest mode (session-based, without data storage)

By giving active consent (checking the confirmation checkbox), the user accepts these Terms of Use. In the case of registered use by an employer, the Data Processing Addendum (Appendix 1) also becomes binding.

 

2. Purpose and Functionality of the Tool

The reWork Tool is a digital dialogue tool. It is designed to systematically document the requirements and conditions of a workplace in the event of an inability to work and to compile this information into a form (reWork Profile).

The tool maps job requirement profiles—not a person’s health status or individual performance capacity. The assessment of partial work capacity is conducted at a later stage and outside the tool by the responsible medical professional.

By design, the PDF form generated by the tool contains neither diagnoses nor medical findings.

 

3. Roles and Data Protection Responsibilities

When used by a registered employer, the following applies:

  • The employer using the tool is the data controller within the meaning of Art. 5(j) of the Data Protection Act (DSG) for the personal data of its employees processed in the tool.
  • Compasso is a processor within the meaning of Art. 5(k) of the DSG and processes this data exclusively on behalf of and in accordance with the employer’s instructions.
  • The details of this data processing are governed by Appendix 1 (DPA).

In guest mode, no personal data is collected or stored in the tool. Therefore, no data processing within the meaning of Art. 9 DSG takes place; Appendix 1 (DPA) does not apply to guest mode.

Compasso is solely responsible for its own website infrastructure (e.g., audience measurement, cookies). Details are set forth in the Privacy Policy.

 

4. Obligations of Employers Using the Service

The employer using the tool undertakes to:

Lawfulness: to process employees’ personal data in the tool only if there is a legal basis for doing so, and to inform the affected employees appropriately in advance.

No Specially Protected Data: not to enter any data regarding health or other specially protected personal data as defined in Art. 5(c) of the Data Protection Act (DSG) into the tool. This applies in particular to:

  • Free-text/comment fields and the “Additional Information” field: no diagnoses, symptoms, medication, or other health-related information
  • The input fields for requirements: only workplace-related information

Images: to upload only images in which no individuals are identifiable or in which individuals have been effectively anonymized, and to ensure that no health-related information is recognizable.

Third-party data: not to enter any personal data of third parties without an appropriate legal basis.

Login credentials: to treat login credentials for the user account confidentially and to protect them from unauthorized access.

 

5. Compasso’s Obligations and Services

Compasso makes the tool available to the extent technically feasible and ensures appropriate technical and organizational measures are in place to protect the data (see Appendix 1).

Compasso supports the proper use of the tool by providing technical guidance (info texts next to input fields).

Compasso does not guarantee uninterrupted availability. Maintenance work will be announced whenever possible.

 

6. Data Retention and Deletion

In guest mode, entries are not saved; they are lost when the browser is closed.

When the tool is used by a registered user, profile data is stored for the organization using the tool. Retention and deletion are governed by Appendix 1 (DPA). Registered users will be notified prior to deletion due to inactivity.

The employer may request the deletion of data concerning them at any time.

 

7. Liability

Compasso is not liable for damages resulting from improper use of the tool, in particular from the entry of sensitive personal data in violation of Section 4.

Compasso’s liability is limited to cases of willful misconduct and gross negligence, to the extent permitted by law.

The employer using the tool shall indemnify Compasso against any claims by third parties arising from a breach of its obligations under Section 4.

 

8. Changes

Compasso may amend these Terms of Use. The version in effect at the time of use shall apply.

Significant changes will be communicated to registered users in an appropriate manner.

 

9. Governing Law and Jurisdiction

Swiss law applies.

The exclusive place of jurisdiction is Zurich, Switzerland.

 


Appendix 1: Data Processing Addendum (DPA)

Applies exclusively to registered use by employers (Art. 9 DSG)

 

A1. Subject Matter and Roles

This Appendix governs the processing of personal data that the employer using the service (data controller) has Compasso (data processor) process via the reWork Tool.

The legal basis is Art. 9 of the DSG. To the extent applicable, the GDPR is also taken into account.

By agreeing to these Terms of Use upon registration, the parties enter into this Data Processing Agreement (DPA) in a binding manner (click-wrap agreement with logging of the time, version, and consenting party).

 

A2. Nature, Purpose, and Scope of Processing

Purpose: Creation and management of reWork profiles (job requirement profiles) to support professional reintegration.

Categories of data subjects: The employer’s employees; the employer’s contacts.

Categories of personal data:

  • Employee data: First name, last name, gender, date of birth, email, phone number, address (street, ZIP code, city), reference number, and any additional information; working hours (workload, weekly working hours, days worked); employment details (position/occupation, department, job level, brief description of primary duties)
  • Employer data: Company name, contact person, position, contact information
  • Account details: Email address, password (hashed), session and login data
  • Generated PDF documents, to the extent that they contain personal data
  • Technical data (e.g., access data, logs)

The job requirements and general conditions recorded in the tool describe the position and do not in themselves constitute personal data.

No data requiring special protection: The tool is not designed to process personal data requiring special protection under Art. 5(c) of the Data Protection Act (DSG). By complying with Section 4, the data controller ensures that such data is not entered.

 

A3. Obligations of Compasso (Processor)

Binding Instructions. Compasso processes personal data exclusively in accordance with documented instructions from the controller and not for its own purposes or for the purposes of third parties. This Annex, as well as the use of the tool within the scope of its intended functions, constitutes such documented instructions. Any processing beyond this scope shall only take place if the controller orders it or if there is a legal obligation to do so; in the latter case, Compasso shall inform the controller in advance, unless prohibited by law.

Confidentiality. Compasso ensures that all persons authorized to process personal data have committed to confidentiality or are subject to a corresponding statutory duty of confidentiality. This obligation continues even after the termination of employment.

Data Security. Compasso implements the technical and organizational measures required under Art. 8 of the DSG to ensure data security commensurate with the risk. These measures are described in A9.

Support for the Data Controller. Compasso supports the data controller with appropriate measures in fulfilling its obligations, in particular in responding to requests from data subjects regarding the exercise of their rights (Art. 25–29 DSG) and in fulfilling reporting obligations in the event of data security breaches (Art. 24 DSG).

Duty to Notify. If Compasso believes that an instruction from the controller violates applicable data protection law, it shall inform the controller of this immediately.

Cooperation in Providing Evidence. Upon request, Compasso shall provide the controller with the information necessary to demonstrate compliance with these obligations.

 

A4. Subprocessors

The controller approves the use of the following subprocessors:

| Service Provider | Purpose | Location |
|---|---|---|
| W4 Marketing AG | Development, operation, maintenance | Zurich, CH |
| CloudSigma AG | Hosting (Application + Database) | Zug, CH |
| Auth0 (Okta, Inc.) | Authentication | USA/EU |
| HIN (Health Info Net AG) | Encrypted document delivery | Wallisellen, CH |


Sanity AS is used exclusively for public content (CMS); no personal data is processed in Sanity.

For transfers to third countries (specifically Auth0/USA), appropriate safeguards are in place (Swiss-U.S. Data Privacy Framework or Standard Contractual Clauses; Transfer Impact Assessment).

Compasso gives reasonable advance notice of intended changes to subprocessors; the data controller may object for valid data protection reasons.

 

A5. Data Location and Retention

Personal data is primarily stored in Switzerland (CloudSigma AG, Zug).

Retention and Deletion:

  • Registered user accounts and reWork profiles: The data is stored as long as the account is actively used. In the event of prolonged inactivity, the registered user will be notified by email that their data will be deleted after 30 days; unless otherwise indicated, the data will be deleted upon expiration of this period.
  • reWork Expert (Membership): Data stored as part of a membership is not deleted automatically, but only after the membership has ended.
  • Guest Mode: No data is stored; session data exists only for the duration of the session.
  • Upon termination of use: Deletion or return of the data within 30 days upon instruction from the data controller.

The data subject may request the deletion of data concerning them at any time.

 

 

A6. Reporting Data Breaches

Compasso reports data security breaches affecting the data subject’s data to the data subject as soon as possible after becoming aware of them.

The decision regarding the obligation to report to the FDPIC (Art. 24 DSG) rests with the data controller; Compasso provides the necessary information to assist.

 

A7. Data Subject Rights

If a data subject contacts Compasso directly, Compasso will forward the request to the data controller and will not respond itself, unless otherwise instructed.

Compasso assists the data controller in responding to data subject requests in a timely manner.

 

A8. Final Provisions

In the event of any conflict between the Terms of Use and this Appendix, the provisions of this Appendix shall prevail with regard to data protection matters.

Swiss law applies; the place of jurisdiction is Zurich.

The data protection compliance of these Terms of Use has been reviewed by datenschutzkonform.ch.

 

 

A9. Technical and Organizational Measures (TOM)

Compasso has the reWork Tool operated by its processor, W4 Marketing AG, which implements the following technical and organizational measures to ensure data security commensurate with the risk in accordance with Art. 8 of the Swiss Data Protection Act (DSG) and Art. 3 of the Swiss Data Protection Ordinance (DSV).

 

Confidentiality

Access Control. Access to the server infrastructure is restricted to authorized W4 personnel and is granted via SSH key-based authentication. Production and development environments are separated from one another.

Access Control. Role-based access control (RBAC) is in place within the application. Users are granted access only to the data assigned to their role. Authentication is performed via Auth0 using industry-standard security protocols (password hashing using bcrypt, support for multi-factor authentication).

Encryption. All data transmissions are encrypted in transit (TLS/HTTPS). The database is encrypted at rest. Documents sent to third parties (e.g., medical professionals) are encrypted via HIN.

Confidentiality Obligation. All individuals entrusted with the processing of personal data are bound by a duty of confidentiality. Access is granted according to the need-to-know principle.

 

Integrity

Privacy by Design (Art. 7 DSG). The tool is designed to reflect job requirement profiles rather than the health status of data subjects. For critical input fields (free-text/comment fields, fields regarding requirements), informational prompts instruct users not to enter health data.

Protection against unintentional disclosure. When images are uploaded, EXIF metadata (particularly geolocation, device, and timestamps) is automatically removed. A notice instructs users to upload only images that do not contain identifiable individuals.

Logging of entries and changes. The creation and modification of profiles are logged at the application level, ensuring that it remains traceable who edited the data and when.

 

Availability and Resilience

Backup. The database is backed up regularly and automatically. Procedures are in place for recovery following a failure.

Monitoring. The server and application are monitored; security-related events are reported. Maintenance windows are announced in advance whenever possible.

 

Data Location and Data Minimization

Data Location. Personal profile data is stored in Switzerland (CloudSigma AG, Zug). Processing abroad is limited to the services listed in Section A4, which provide appropriate safeguards.

Data minimization. Registration is optional. In guest mode, it is not possible to enter personal data. The tool does not store medical diagnoses or prognoses. Generated PDF documents can be downloaded directly, thereby reducing long-term storage.

 

Review and Evaluation

The effectiveness of the measures is reviewed regularly. The complete and currently applicable technical and organizational measures are set forth in the data processing agreement between Compasso and W4 Marketing AG, including the associated appendix.
