Security Whitepaper

Security & Infrastructure – Technical and Organisational Measures

As of February 2025 · SimpleAct

1. Architecture Overview

SimpleAct is operated as SaaS in a layered architecture. Access is only via encrypted connections (TLS). The application and data layers are entirely within the EU (Hetzner in Nuremberg, Germany; Supabase in the EU-West region).

Figure: SimpleAct high-level architecture. Browser/client (HTTPS, TLS 1.3) → Application layer (EU): API/backend, auth (RBAC, 2FA), audit log, multi-tenant → Data layer (EU, Nuremberg): PostgreSQL (Supabase), storage encrypted at rest, backups every 3 days. Hetzner, Nuremberg; EU data location; TLS in transit. RBAC = Role-Based Access Control; 2FA = Two-Factor Authentication (TOTP); append-only audit log.

Components: (1) Client/browser over HTTPS, (2) Application layer with API, RBAC/2FA, audit log and multi-tenancy, (3) Data layer with PostgreSQL, encrypted storage and automated backups every 3 days. All services run in the EU.

2. Hosting & Infrastructure

2.1 Data Centre and Data Location

Hosting is with Hetzner in Nuremberg (Germany). The database (PostgreSQL) is operated via Supabase in the EU-West region. Thus, the data location is entirely within the EU; no US or non-European cloud providers are used for application or customer data.

2.2 Backup Strategy

Automated backups run every 3 days. Backups are held in Falkenstein (Hetzner). Retention periods and recovery procedures are defined and described in the DPA documentation.

2.3 Encryption

  • In transit: All connections (client–server, server–database) use TLS (HTTPS).
  • At rest: Data is stored with encryption at rest at the services used (e.g. Supabase, storage).

3. Access & Authentication

RBAC

Access to functions and data is controlled via role-based access control (RBAC). Roles define which actions a user may perform; assignment is at tenant level.

Multi-Tenancy Isolation

Customer data is strictly separated by tenant. Queries and access are implemented so that no cross-tenant access to data is possible (tenant isolation at application and data layer).

2FA (TOTP)

Two-factor authentication (2FA) via TOTP (e.g. authenticator apps) is offered and can be enabled by users to further secure the account.

Session invalidation

Sessions are invalidated on logout. On password change or other security-relevant actions, sessions can be terminated. Tokens are stored in httpOnly cookies so that client-side scripts cannot read them, which reduces the impact of XSS.

4. Logging & Auditability

Append-only audit log

Security- and privacy-relevant events (e.g. login, changes to AI systems, exports, role changes) are recorded in an audit log. The log is append-only (no user-driven deletion or modification) to hinder tampering and ensure traceability.
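As an added example (not SimpleAct's own code or schema), this shows how the tenant isolation described under Multi-Tenancy Isolation and the append-only property of the audit log can both be enforced inside the PostgreSQL data layer the whitepaper names. The table names, the `app_user` role and the `app.tenant_id` session setting are assumptions made for the example.

```sql
-- Hypothetical schema (not SimpleAct's own): tenant isolation with row-level
-- security and an append-only audit log, both enforced inside PostgreSQL.
-- The application connects as this restricted role, never as the table owner.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE ai_systems (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);

-- Every statement is filtered by the tenant the application sets per transaction
-- (SET LOCAL app.tenant_id = '<uuid>'). If the setting is absent the comparison
-- is NULL and no rows match: the policy fails closed.
ALTER TABLE ai_systems ENABLE ROW LEVEL SECURITY;
ALTER TABLE ai_systems FORCE ROW LEVEL SECURITY;   -- also applies to the owner
CREATE POLICY tenant_isolation ON ai_systems
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
GRANT SELECT, INSERT, UPDATE, DELETE ON ai_systems TO app_user;

-- Audit log: tenant-scoped reads and inserts, nothing else.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   uuid NOT NULL,
    actor_id    uuid,
    event       text NOT NULL,   -- e.g. 'login', 'role_change', 'export'
    details     jsonb
);
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_read ON audit_log FOR SELECT
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid);
CREATE POLICY audit_insert ON audit_log FOR INSERT
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Privilege layer: the application role has no UPDATE, DELETE or TRUNCATE.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO app_user;

-- Trigger layer: even privileged roles cannot rewrite history by mistake.
CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only';
END $$;
CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();
```

The application connects as `app_user` and runs each request inside a transaction that begins with `SET LOCAL app.tenant_id = '<tenant uuid>'`, so a query that omits the tenant filter returns nothing rather than another tenant's rows.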

Versioning & snapshotting

Where required by the product, changes are versioned (e.g. compliance documents, risk assessments). Snapshotting or point-in-time views can be used for exports and evidence.

5. Data Processing

Processing of personal data follows GDPR principles (lawfulness, purpose limitation, data minimisation, storage limitation, integrity and confidentiality). We maintain a record of processing activities under Art. 30 GDPR.

DPA / Data processing agreement (Art. 28 GDPR)

A data processing agreement (DPA) is available. Contractual arrangements for processing are in place with all subprocessors (e.g. Hetzner, Supabase, Stripe, Brevo), or standard contractual clauses are used where required.

Subprocessors – transparency

The list of subprocessors (name, purpose, location) is provided on request or in our privacy and contract documentation. Customers are informed of changes in line with contractual information obligations.

6. Security Testing

We rely on regular security measures in the development and operations process (e.g. dependency checks, secure configuration).

  • Penetration test: last performed 4 days ago.
  • External review: last external security assessment 2 weeks ago.

7. Contact

For questions on security and data protection: info@simpleact.de.

Contract documents for download:

Download SLA, DPA & AVV (PDF)
Arturs Nikitins
SimpleAct – EU AI Act Compliance