Simpliant

T&C, Terms of Use and Data Processing Agreement Simpliant App

1. Overview of the Simpliant Group and Scope of the GTC

The Simpliant Group consists of three companies: Simpliant PartG mbB, Simpliant GmbH, and Simpliant Technologies GmbH, all located at Fasanenstraße 12, 10623 Berlin.

  • Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB (PR 1584, District Court Berlin Charlottenburg): A law firm specializing in legal advice in the areas of data protection and compliance.

  • Simpliant GmbH (HRB 203376, District Court Berlin Charlottenburg): A management consultancy focusing on the function of the external data protection officer and consulting in the field of information security.

  • Simpliant Technologies GmbH (HRB 247115, District Court Berlin Charlottenburg): Focused on providing software services, particularly via a self-service online portal.

2. Parties and Conclusion of Contract

The following General Terms and Conditions (GTC) apply between Simpliant Technologies GmbH, Fasanenstraße 12, 10623 Berlin (support@simpliant.eu) as the provider and business customers as customers. The services are offered exclusively to entrepreneurs within the meaning of § 14 BGB (German Civil Code). The contract between the provider and the customers is concluded by creating a user account and booking a product in the Simpliant Technologies SaaS online portal.

Depending on the individual nature of the respective product or service, Simpliant Legal PartG or Simpliant GmbH may offer supplementary consulting services. In such cases, the specific agreements concluded with the respective customers take precedence and may supplement, amend, or modify specific provisions of these GTC. Mandatory legal provisions, particularly professional regulations, remain unaffected by the provisions of these GTC.

3. Subject Matter of the Contract

The provider offers customers a SaaS and self-service online portal on various topics, including but not limited to data protection, IT security, compliance, and other legal topics.
The respective subject matter of the contract as well as the essential performance features result from the service description in Appendix A to these GTC and the information presented on the respective booking page.

4. Remuneration and Usage Rights

The remuneration is determined per product and results from the relevant product and service description in Appendix A to these GTC and the information on the respective booking page.
For payment processing, we use a payment service provider (Stripe, Inc. 354 Oyster Point Boulevard, South San Francisco, California, 94103, USA), which displays the respective product price in a booking overview before payment. The customer must ensure that only authorized employees initiate payments.

After payment of the fee, the user is permitted to use the platform according to the agreed license term. In the event that a customer wishes to invite more than 250 users to the platform, the provider reserves the right to limit the number of users that can be added or to agree on separate remuneration with the customer. This restriction serves to maintain the system performance and security of the platform.

5. Termination

Each contracting party is entitled to terminate this contract at any time without giving reasons. Unless otherwise stipulated in Appendix A, monthly termination of the respective product is possible. The termination takes effect at the end of the month in which it was declared.

Termination of this contract does not establish a claim for a refund of amounts already paid. After termination, the provider reserves the right to terminate the customer's and users' access to the platform and to delete customer data.

6. Data Backup and Support

It is the customer's responsibility to independently back up all relevant data and store it in a secure location without a separate request from the provider.

Unless otherwise agreed, the products, as self-service products, do not include individual support. Where appropriate, the provider reserves the right to charge a service fee of EUR 50.00 net plus VAT per hour or part thereof for support requests. However, this only applies if the customer has been informed of this in advance.

7. Liability and Industrial Property Rights

The provider is liable for slight negligence only in the event of a breach of duties, the fulfillment of which enables the proper execution of the contract in the first place and on the compliance with which the contractual partner regularly relies and may rely (essential contractual duties).

In this case, liability is limited to the foreseeable, contract-typical damage at the time of conclusion of the contract. This does not apply to damages resulting from injury to life, body, or health, nor if the provider has acted with gross negligence or intent.

The content and technical implementation of the respective products are subject to industrial property rights and may not be made accessible to third parties or reproduced without the provider's consent. In the event of infringement of these property rights, the provider reserves the right to claim damages and assert other claims.

8. Data Protection

Data processing by the provider is described in the respectively linked privacy policy. If data processing on behalf according to Art. 28 Para. 3 GDPR exists, Part B of these GTC applies. Separate contracts may be concluded for other data protection constellations (joint responsibility, processing as controller).

The customer must ensure that the respective data protection regulations are complied with. The provider has no information about the data protection measures in place at the customer's premises unless the customer is also a client of the consulting companies (Simpliant Legal PartG mbB and Simpliant GmbH).

Against this background, it is the customer's responsibility to implement the specific data protection requirements within their own area of responsibility. This does not affect the provider's support within the framework of legal and contractual requirements (in particular, the implementation according to Art. 28 GDPR in conjunction with the applicable data processing agreement).

9. Amendment of the GTC and Miscellaneous

The provider reserves the right to amend and adapt the GTC, provided that this does not unreasonably restrict the customer's legal position. This applies in particular to product adjustments, product additions, and technical changes to the platform. Material contractual changes (especially regarding remuneration, main performance components) are excluded from this. If the change significantly affects the customer's legal position, an amendment is only permissible if the customer has been informed thereof and has not objected.

German law applies, excluding the norms of international private law. The place of jurisdiction is Berlin (Germany).

Appendix A. Product and Service Directory

#Product/Module NameDescription and Service ComponentsPrices (excluding VAT)
1.1Simpliant Training: Data Protection for EmployeesWe offer online training as 'Software as a Service' (SaaS) specifically for employees in the area of data protection. By booking this training, you receive the right to complete the training program once and print a certificate at the end of the course. Furthermore, the booking allows continuous use of the training material for a period of 12 months at no additional cost.License fee one-time per user as shown on the booking page
1.2Simpliant Training: IT Security for EmployeesWe offer online training as 'Software as a Service' (SaaS) specifically for employees in the area of IT security. By booking this training, you receive the right to complete the training program once and print a certificate at the end of the course. Furthermore, the booking allows continuous use of the training material for a period of 12 months at no additional cost.License fee one-time per user as shown on the booking page
1.3Simpliant Whistleblower: Digital Reporting ChannelWe offer a digital solution as 'Software as a Service' (SaaS) for the efficient handling of reports according to the German Whistleblower Protection Act (HinSchG). This SaaS solution includes the technical provision of a digital reporting channel and is primarily focused on the management of reports.69.00 EUR monthly
1.4Simpliant Whistleblower: Outsourcing to Simpliant Legal PartG mbB (incl. Reporting Channel)The law firm Simpliant Legal PartG mbB, Fasanenstraße 12, 10623 Berlin, offers you a total of 12 consulting hours per year for 250.00 EUR monthly to comprehensively support you in the role of the reporting officer. These flexibly usable consulting hours can be used for a wide range of activities, including advice on setting up the reporting officer, drafting guidelines, and professionally handling reports, all in accordance with the requirements of the Whistleblower Protection Act.Basic price: 250.00 EUR monthly, includes up to 12 consulting hours annually. Additional consulting hours are billed separately: 280.00 EUR per hour.
1.5Leibniz01: AI-powered Transcription and Meeting DocumentationInvitation via meet@meeting-summary.com, user participation via audio recording in the browser, transcription on German servers, and optionally AI-generated summary using the OpenAI API. Single users receive a free license for testing purposes (Fair Use).35.00 EUR per user per month (net)

Appendix B. Data Processing Agreement according to Art. 28 GDPR for Simpliant App

If personal data is processed by Simpliant (Processor) on behalf of the customer as controller (Controller) in the provision of the Simpliant App, the current Standard Contractual Clauses based on the EU Commission Implementing Decision (EU) 2021/915 of June 2021 on standard contractual clauses between controllers and processors pursuant to Art. 28(7) GDPR are concluded to comply with the requirements of Art. 28(3) and (4) GDPR (EU-SCC).

Supplementary data processing agreements may apply to other Simpliant products. These modify and supplement the following data processing agreement, which in this case is to be regarded as a framework data processing agreement.

The EU-SCCs apply, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915, subject to the following provisions:

  • In Clause 1(a), OPTION 1 (Article 28(3) and (4) GDPR) is applied.
  • Clause 5 does not apply.
  • In Clause 7.7, OPTION 2 is applied, and the period for prior notification of sub-processors is set at 14 days.
  • In Clause 8(c)(iv), Option 1 is applied.
  • In Clause 9.1(b) and Clause 9.1(c) as well as Clause 9.2, OPTION 1 is applicable.

Explanation of Application:

ClauseContent of the ClauseOur ApplicationMeaning of Our Application
1aPurpose and scope of the Standard Contractual Clauses.OPTION 1Focuses on compliance with Article 28(3) and (4) GDPR.
5Optional clause for the accession of other parties.Not applicableThis clause is not included in the contract.
7.7Requirements for the use of sub-processors.OPTION 2 with 14-day periodSets a 14-day notification period.
8(c)(iv)Specific provisions for data transfers.OPTION 1Specifies the application of Option 1.
9.1(b) and 9.1(c) and 9.2Rules for audits and reviews.OPTION 1Application of Option 1, which provides specific conditions for audits.

Annex I – LIST OF PARTIES

Controller:

Respective customer as Controller

Processor:

Simpliant Technologies GmbH,
Fasanenstraße 12, 10623 Berlin
Contact person: Steffen Groß, Managing Director

Annex II – DESCRIPTION OF THE PROCESSING

Categories of data subjects whose personal data are processed

Employees and contact persons of the responsible customer (Controller), users of the Simpliant platform

Categories of personal data processed

For users: First name, last name, email address, user ID, company name (optional); For orderers/customers: Payment data, billing information, bank details, credit card data (for payment processing).

In the context of using Simpliant Training: Identification data, contact data, employment information, training progress data, usage data, technical data, feedback and ratings.

In the context of using the Simpliant Whistleblower reporting channel: Report identification data, contact details of the reporter (if not anonymous), details of the report, date and time of the report, communication logs, technical data (such as IP address, device type), usage data of the reporting channel, information on witnesses, accused persons, other parties involved, and evidence (depending on the content of the report).

Nature of the processing

Processing in the context of providing and managing the Simpliant SaaS platform.

Purpose(s) for which the personal data is processed on behalf of the controller

Hosting a SaaS portal for the provision and execution of products and services focusing on data protection, information security, compliance, and productivity. The respective processing purposes also result from the main contract.

Duration of the processing

Duration of the contract term or until account deletion by the user/customer.

Sub-processors

A list of current sub-processors can be found in Annex IV.

Annex III – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING MEASURES TO ENSURE THE SECURITY OF THE DATA

The following describes the technical and organizational measures of Simpliant Technologies GmbH.

Additionally, the technical and organizational measures of the sub-processors apply. The technical and organizational measures of our hosting provider can be found here:

https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

Measures to ensure the confidentiality, integrity, availability, and resilience of processing systems and services

MeasureDescription
Entry and Access ControlAlarm system, key management, role-based authorization concept, password policy, secure authentication processes with 2-factor authentication.
Measures to Control Data TransferSecure document and collaboration platforms
Regulations for data transfer according to risk classification, Secure paper and data carrier destruction by certified disposal companies
Measures for Data SeparationSeparation of test and production systems, Control through role- and function-based access control concepts
Input ControlTechnical logging of data entry, changes, and deletion. Management of log data for error and security management
Availability and ResilienceIntrusion detection systems, Use of virus scanners and regular updates, Backup and recovery concept.
Measures for Restoring AvailabilityIncident management, defined communication channels, emergency plans

Measures for the regular testing, assessment and evaluation of the effectiveness of technical and organisational measures for ensuring the security of the processing.

MeasureDescription
Data Protection Management SystemDefined processes for compliance with GDPR requirements, Regular assessment of the effectiveness of technical and organizational measures, Trained employees committed to confidentiality/data secrecy
Service Provider ManagementCareful selection, integration, and management of service providers. Contractual assurance of compliance with data protection and data security requirements.

Measures for pseudonymisation and encryption of personal data;

MeasureDescription
Hard Drive EncryptionEncrypted connections via SFTP, HTTPS

Certifications and security measures in the context of hosting and providing the training platform:

MeasureDescription
Information Security Management SystemCertifications: ISO 27001, 27017 & 27018 (Heroku, Salesforce)

ANNEX IV - LIST OF SUB-PROCESSORS

The Processor uses the following sub-processors to provide the services specified in this agreement:

#Service Provider NameTask and PurposeLocation of Processing (Data Center)
1Salesforce.com (SFDC Ireland Limited)Hosting and provision of the training platform via HerokuEU
2Okta, Inc.Authentication and authorization service via auth0EU
3Stripe, Inc.Payment processingEU
4Vimeo.com Inc.Video streamingUSA (Self-certification under EU-U.S. Data Privacy Framework (DPF))
5Sendinblue GmbH (Brevo)Transactional emails and email notifications as part of platform provisionEU

Appendix C. Data Processing Agreement according to Art. 28 GDPR for Leibniz01

according to Art. 28 GDPR

between

the Customer (Controller)
– hereinafter "Controller" –

and

Simpliant Technologies GmbH (Processor)
Fasanenstraße 12
10623 Berlin
– hereinafter "Processor" –

1. Subject Matter and Duration

1.1 Subject Matter

The subject matter of this agreement is the processing of personal data by the Processor in connection with the provision of an AI-powered service for creating meeting summaries. This includes, in particular, audio recording, transcription, and the creation of meeting summaries.

1.2 Duration

This agreement is valid for the duration of the underlying main service agreement regarding the use of the Leibniz01 platform, unless terminated earlier according to Section 10.

2. Nature and Purpose of Processing

2.1 Nature of Processing

  • Recording of meeting audio
  • Transcription of audio recordings
  • Creation of meeting summaries
  • Storage of meeting data
  • User management
  • Access control

2.2 Purpose of Processing

  • Creation of meeting minutes
  • Creation of automated meeting summaries
  • Provision of contractually agreed services
  • Technical support

3. Categories of Data Subjects and Personal Data

3.1 Categories of Data Subjects

  • Meeting organizers
  • Meeting participants

3.2 Categories of Personal Data

Meeting Organization Data

  • Names
  • Email addresses
  • Meeting event data (e.g., meeting details, organizer and participants, agenda, notes)

Audio and Text Data

  • Voice recordings (temporary)
  • Meeting transcripts
  • Generated summaries

Technical Data

  • User IDs
  • Device information
  • Connection data
  • Usage statistics

4. Technical and Organizational Measures

4.1 Access Control

  • Secure authentication for web access
  • Enforcement of strong passwords
  • Access logging

4.2 Security of Audio Recording

  • Secure audio transmission via browser (SSL)
  • Temporary storage of recordings
  • Encryption during transmission
  • Access restrictions

4.3 Security of Processing

  • Secure transcription process through separate audio transcription
  • Protective measures for AI processing (no direct association of the organization with the OpenAI GPT API token)
  • Data isolation

4.4 General Security Measures

  • Network security
  • Encryption standards
  • Incident response

5. Sub-processors

5.1 Authorized Sub-processors

  1. OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland – Provision of the AI API.

  2. Heroku Inc., 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA – Provision of hosting infrastructure.

  3. Auth0 Inc. (a company of Okta), 10800 NE 8th Street, Suite 700, Bellevue, WA 98004, USA – Provision of authentication services for the web application.