1. Subject matter, duration, type and purpose of processing
SimpleAct processes personal data only on behalf of the customer to provide the contracted SaaS platform for AI governance, documentation, governance workflows, audit playbooks, incident management and runtime monitoring. Processing begins when the customer account or productive tenant is set up and ends when the main contract terminates and agreed return or deletion processes have been completed.
- Subject matter: provision, operation, support and protection of the SimpleAct SaaS platform.
- Type of processing: collection, recording, organization, storage, structuring, retrieval, transfer, alignment, restriction and deletion of personal data within the platform.
- Purpose: contract performance, tenant operation, user administration, evidence management, support, security, logging and billing.
- Duration: for the term of the main contract; afterwards according to customer instructions, subject to statutory retention obligations.
2. Categories of data subjects and personal data
The specific scope depends on how the customer uses the platform. Typical categories include the following:
- Data subjects: customer users, contacts, employees, supplier contacts, applicants or other persons referenced in governance, compliance or documentation processes.
- Master data: name, business email address, role, organization, responsibilities.
- Account and authentication data: login metadata, session data, 2FA status, magic-link or token metadata.
- Content data: information on AI systems, governance evidence, actions, reviews, tickets, documentation and audit content, where entered by the customer.
- Technical metadata: IP address, request metadata, audit logs, system logs, security and operational events.
- Billing and contract data: plan, billing address, contacts, payment status and billing-related metadata.
3. Customer instructions
SimpleAct processes personal data only on documented customer instructions unless the processor is required to process the data by law.
- Instructions are issued in text form, including through contract documents, email to the named contacts, support tickets or documented approvals in the operating process.
- Instruction authority lies with the admin or contractual contacts designated by the customer.
- If SimpleAct considers an instruction unlawful under data protection law, SimpleAct informs the customer without undue delay before carrying it out.
4. Technical and organisational measures (TOMs)
SimpleAct applies appropriate technical and organisational measures based on the risk of the processing, including in particular:
- TLS encryption in transit and encrypted communication between key system components.
- Role-based access control, tenant separation and least-privilege principles.
- Logging of security- and governance-relevant events in audit and system logs.
- Backup and restore procedures with documented retention and recovery workflows.
- Patch, update and vulnerability management for the production environment.
- Access protection and authorization control for support and administrative access.
5. Sub-processors, processing location and third countries
SimpleAct uses sub-processors where required for hosting, database operations, transactional email or payment processing. Processing takes place primarily within the EU; where third-country involvement exists, appropriate safeguards are used.
- Core processing locations are within the EU, in particular Germany and EU regions of the infrastructure used.
- Current sub-processors are transparently identified in the privacy and contractual documentation.
- Changes to sub-processors are communicated to the customer in advance in an appropriate form; the customer may object for a material data protection reason.
- Sub-processors are contractually bound so that a protection level in line with Art. 28 GDPR is maintained.
6. Assistance with data subject rights and compliance duties
SimpleAct assists the customer in fulfilling its data protection obligations under Art. 28 GDPR to the extent possible and appropriate, taking into account the nature of the processing.
- Support for access, rectification, erasure and restriction requests.
- Support for data portability and provision of relevant exports.
- Support in responding to requests from supervisory authorities where processing at SimpleAct is concerned.
- Support for security assessments, DPIAs and required consultations where the processing at SimpleAct is concerned.
- Provision of available information on TOMs, sub-processors and operational processes to the extent needed by the customer.
7. Personal data breaches
SimpleAct informs the customer without undue delay of confirmed personal data breaches affecting customer data.
- Notification is made without undue delay after SimpleAct has confirmed awareness of the breach.
- Where available, the notice includes the type of incident, affected systems or data categories, known effects and measures already taken.
- SimpleAct assists the customer in investigating, containing and documenting the incident insofar as customer data processed by SimpleAct is concerned.
- Notifications to authorities or data subjects remain, as a rule, the customer’s responsibility as controller unless the law provides otherwise.
8. Audit and inspection rights
SimpleAct enables the customer to verify compliance with the obligations under this DPA in an appropriate manner.
- Provision of suitable evidence such as whitepapers, TOM descriptions, audit information, security documents or questionnaire responses.
- Remote audits and document reviews take precedence over on-site inspections where sufficient for verification.
- On-site audits are possible with appropriate prior notice, subject to confidentiality and operational continuity, and without affecting other customers.
- The customer bears the costs of separate audits unless a material breach attributable to the provider is proven.
9. Return, deletion and confidentiality after termination
After termination of the main contract, SimpleAct deletes or returns customer personal data in accordance with customer instructions unless statutory retention obligations or justified evidence interests prevent immediate deletion.
- Customer content and evidence can be exported before the contract ends where supported by product functions or support processes.
- Billing or commercial records subject to legal retention remain excluded from immediate deletion.
- Employees and engaged persons of SimpleAct are bound to confidentiality.
- The liability and contractual provisions of the main agreement remain applicable; this DPA specifies the parties’ data protection obligations.