Reference letters. Clear. Fair. Compliant.
Platform · Compliance · 5 min read · For compliance, legal & data protection officers

Swiss law. Built in. Not glued on.

Swiss FADP, Art. 330a CO, ISO 27001 certification, full audit log and three-tier auth. Compliance is not a feature list at the end — it's built into every slice and every workflow.

  • Art. 330a CO compliance: fairness engine + compliance check
  • Swiss FADP + GDPR compliant
  • ISO 27001 · Hosted in Switzerland
Modules

What compliance means in practice

Art. 330a CO fairness engine

Bias check for gender, age and nationality before the letter goes out. Detects hidden reference-letter codes and keeps the wording plain and legally robust.

Three-tier auth

Employees, HR, admin — each tier sees what's allowed. Configurable per field (e.g. salary visible to HR + management only).

Full audit log

Who changed, read or exported what, and when? Logged per slice and per workflow step, audit-ready and exportable for audits.

ISO 27001 + Swiss hosting

Backend, database, verification service in the Google Cloud Zurich region. ISO 27001 certified, annual pen tests, transparent sub-processors.

Retention periods + legal hold

FADP-compliant retention periods per document type, automatic pseudonymisation on expiry, legal hold at the click of a button.

DPA + trust center

Data processing agreement signed with the contract; trust center with certificates, pen-test reports and sub-processor list available on request.

FAQ

Frequently asked

What does Art. 330a CO compliance mean concretely?
Art. 330a CO requires a truthful and benevolent reference letter without discriminatory hints. Our fairness engine checks exactly that — before issuance. Plus a compliance check on mandatory parts (personal data, employment duration, role, performance, conduct, closing).
Where is the data?
Backend, Firestore database and verification service in Google Cloud, region europe-west6 (Zurich). Anthropic Claude is used as a sub-processor in the EU — minimised data, no AI-side persistence.
Do you sign a DPA?
Yes — standard for Pro and Enterprise customers. Available on request for Starter and Growth. The DPA follows Swiss FADP + GDPR Art. 28, with Swiss standard contractual clauses for DACH sub-processors.
What does the audit log look like?
Per slice (position, salary, address, …) and per workflow step: timestamp, user, action (create/update/read/export), before/after value. Export as PDF and CSV. Retained 10 yrs, same as payroll data.
What's in the trust center?
ISO 27001 certificate, annual pen-test reports (summary), sub-processor list with DPA status, hosting architecture, incident history (last 12 months). Available on request within 1 business day.

Compliance that doesn't get in the way.

14 days free. DPA, audit log and three-tier auth active from day one.