Data Processing Agreement (DPA)
Date: March 16, 2026 · Effective from execution of the Main Agreement
PART II: ENGLISH
DATA PROCESSING AGREEMENT (DPA)
SIMtrix — SMS and Call Integration with Bitrix24
Validity: From the date of execution until termination of the Main Agreement (SIMtrix Terms of Service) or upon expiration thereof
1. DEFINITIONS
The following terms have the meanings set out below:
1.1. "Main Agreement" — The Terms of Service of the SIMtrix service available at https://simtrix.app, governing the provision of the SIMtrix service by the Processor to the Controller.
1.2. "This Agreement" — This Data Processing Agreement (DPA).
1.3. "Personal Data" — Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: "GDPR").
1.4. "Processing" — Any operation performed on Personal Data, such as collection, recording, organization, arrangement, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined in Article 4(2) GDPR.
1.5. "Data Subject" — An identified or identifiable natural person to whom Personal Data relates.
1.6. "Controller" (Data Controller) — A legal entity (Customer) that determines the purposes and means of Processing of Personal Data, as defined in Article 4(7) GDPR.
1.7. "Processor" (Data Processor) — ANTENA sp. z o.o. based in Gdynia, ul. Działdowska 16, 81-208 Gdynia, Poland, Tax ID: 9581754603, Registration Number: 541828792, which processes Personal Data on behalf of the Controller, as defined in Article 4(8) GDPR.
1.8. "SIMtrix Service" — A SaaS (Software as a Service) platform serving as a technological bridge connecting an Android phone's SIM card with the Bitrix24 CRM system, enabling sending and receiving SMS messages and making and receiving phone calls directly from the Bitrix24 interface.
1.9. "Sub-Processor" — Any natural or legal person (other than the Controller) that processes Personal Data on behalf of the Processor, as described in Article 28(2) GDPR and Chapter 5 of This Agreement.
1.10. "Data Breach" — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, as defined in Articles 33 and 34 GDPR.
1.11. "Data Protection Laws" — GDPR and all applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679.
1.12. "EEA" — European Economic Area (European Union, Iceland, Liechtenstein, Norway).
2. SCOPE AND SUBJECT MATTER OF PROCESSING
2.1. Categories of Personal Data:
- Phone numbers of contacts in the Bitrix24 CRM database
- SMS message content
- Communication metadata (timestamp of send/receive, call duration, connection status, SMS delivery status)
- Phone call recordings (in audio format, if recording option is enabled by the Controller)
- OAuth authorization tokens to Bitrix24
- Push notification tokens (Firebase Cloud Messaging)
2.2. Categories of Data Subjects:
- Business contacts stored in the Controller's Bitrix24 CRM (leads, potential and actual customers, business partners)
- Persons with whom the Controller communicates through the SIMtrix service
- Employees/contractors of the Controller who have access to Personal Data through Bitrix24 CRM
2.3. Purpose of Processing:
- Provision of the SIMtrix service: mediation of communication between Bitrix24 CRM and the Android phone's SIM card
- Transmission of commands (call initiation, SMS sending) from the Bitrix24 interface to the phone
- Registration of incoming calls and SMS in the CRM system
- Provision of communication history in Bitrix24
- Provision of technical support and debugging (in limited scope, with Controller consent)
2.4. Nature of Processing:
- Transmission: intercepting commands from CRM, encryption, transmission to Android phone via WebSocket/REST API
- Temporary SMS content storage: encrypted with AES-256-GCM, automatically deleted after 7 days
- Temporary recording storage: stored on server for maximum 24 hours after upload to Bitrix24, then automatically deleted
- Metadata storage: phone numbers, timestamps, statuses — stored for up to 90 days for audit and debugging purposes
- Transmission to Bitrix24: all return data (incoming SMS, calls, recordings) transmitted directly to Bitrix24 upon Controller's instruction
2.5. Duration of Processing:
- Processing continues for the duration of the SIMtrix subscription (Main Agreement) and 30 days after its termination (for archival and audit purposes)
- Personal Data will be deleted or returned to the Controller within 30 days of termination of the Main Agreement, unless EU or applicable law requires longer retention
2.6. Location of Processing:
- Processing takes place exclusively within the EEA, primarily in the Federal Republic of Germany (VPS server hosted by OVH SAS, managed by the Processor)
- Metadata transmission via Firebase Cloud Messaging (FCM) to the USA is based on EU-US Data Privacy Framework and standard contractual clauses
3. OBLIGATIONS OF THE PROCESSOR
3.1. Processing Only on Instruction
- The Processor processes Personal Data only on documented instructions from the Controller, refraining from any Processing inconsistent with such instruction, unless required by EU or applicable law
- Each Processing instruction should be documented through: the SIMtrix interface (option selection in admin panel), Bitrix24 API documentation, or prior written agreements
- The Processor shall promptly notify the Controller of any Processing instruction that it believes constitutes a violation of Data Protection Laws
3.2. Confidentiality
- The Processor ensures that natural persons authorized to process Personal Data have committed to confidentiality or are subject to an appropriate statutory confidentiality obligation, as required by Article 28(3)(a) GDPR
- The Processor ensures written confidentiality agreements with each employee who has access to Personal Data
- Confidentiality obligations continue after termination of employment or engagement
3.3. Security of Processing
- The Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR
- A detailed description of technical and organizational measures is provided in Annex 2 of This Agreement
3.4. Sub-Processors
- The Processor shall not engage any Sub-Processor without prior explicit written authorization from the Controller
- The Processor shall provide the Controller with a list of authorized Sub-Processors (Annex 3)
- The Processor shall inform the Controller with reasonable notice (minimum 14 days) of any intended changes concerning the addition or replacement of Sub-Processors
- The Controller has the right to object to the appointment of a new Sub-Processor on reasonable grounds within 14 days of notification
- In the event of objection, the Controller may terminate the Main Agreement without penalty if the change is unacceptable to it
- The Processor shall ensure that Sub-Processors are bound by the same level of data protection obligation as the Processor
3.5. Assistance in Exercising Data Subject Rights
- The Processor shall assist the Controller in fulfilling its obligations towards Data Subjects by implementing appropriate technical and organizational measures, taking into account the nature of Processing. The Processor shall assist the Controller in exercising Data Subject rights, including:
  - Right of access (Article 15 GDPR) — The Processor shall provide relevant data in a format intelligible to the Controller
  - Right to rectification (Article 16 GDPR) — The Processor shall enable correction of inaccurate data or deletion
  - Right to erasure (Article 17 GDPR) — The Processor shall delete Personal Data upon the Controller's request, unless applicable law requires retention
  - Right to restrict processing (Article 18 GDPR) — The Processor shall restrict Processing if requested by the Controller
  - Right to data portability (Article 20 GDPR) — The Processor shall provide Personal Data in a structured, commonly used, machine-readable format
  - Right to object (Article 21 GDPR) — The Processor shall cease Processing upon the Controller's request
- The Processor shall respond to requests within 10 working days of receipt (or sooner if feasible)
3.6. Assistance in Security and Breach Response
- The Processor shall assist the Controller in ensuring compliance with Articles 32, 33, 34, and 35 GDPR by:
  - Conducting Data Protection Impact Assessments (DPIA), if necessary
  - Performing security testing and vulnerability assessments
  - Providing information necessary to demonstrate compliance
3.7. Deletion and Return of Data
- Upon termination of the SIMtrix service, the Processor shall, upon the Controller's instruction:
  - Delete or return all Personal Data (depending on the Controller's instruction)
  - Delete existing backup copies, unless EU or applicable law requires retention
- If the Controller requests data return, the Processor shall deliver it in a structured, commonly used, machine-readable format (CSV, JSON, XML or other agreed format)
- Confirmation of deletion shall be provided in writing within 30 days
3.8. Documentation and Audits
- The Processor shall document all Processing and maintain records as required by Article 28(3)(e) GDPR
- The Processor shall provide the Controller with information necessary to demonstrate compliance with GDPR
- Upon the Controller's request (subject to reasonable limitations), the Processor shall permit audits and inspections conducted by the Controller or its auditor (see Chapter 10)
3.9. International Data Transfers
- If Processing involves transfers of Personal Data outside the EEA, the Processor shall implement protection mechanisms in accordance with Chapter V GDPR (e.g., EU-US Data Privacy Framework, standard contractual clauses)
- Details of transfers are provided in Chapter 6 of This Agreement
4. OBLIGATIONS OF THE CONTROLLER
4.1. Legitimate Purpose of Processing
- The Controller is responsible for ensuring that the Processing of Personal Data has a legitimate legal basis as required by Article 6 GDPR
- The Controller is responsible for ensuring that any Personal Data entrusted to the Processor is processed in accordance with Article 9 GDPR (special categories of data)
- The SIMtrix Service is NOT intended for processing special category data within the meaning of Article 9 GDPR. The Controller undertakes not to intentionally use the Service for the transmission or processing of such data. If special category data appears in the content of communications, the Controller bears sole responsibility for ensuring an appropriate legal basis and protective measures in accordance with Article 9(2) GDPR.
4.2. Processing Instructions
- The Controller shall issue clear and documented instructions regarding the Processing of Personal Data
- Instructions shall include: purpose of Processing, categories of Personal Data, categories of Data Subjects, duration of Processing, location of Processing, and rights of Data Subjects
- Instructions are conveyed to the Processor through: (a) acceptance of SIMtrix Terms of Service, (b) configuration of options in the admin panel, (c) written instructions (email, ticketing system)
4.3. Compliance with Law
- The Controller shall ensure that the Processing of Personal Data complies with Data Protection Laws
- The Controller is responsible for establishing the legal basis for Processing and informing Data Subjects of Processing (Articles 13, 14 GDPR)
4.4. Responsibility to Data Subjects
- The Controller is primarily responsible to Data Subjects for the exercise of their rights
- The Controller is responsible for handling requests for access, rectification, deletion, and other claims by Data Subjects
- The Processor shall assist the Controller in exercising these rights (see Chapter 3.5)
5. SUB-PROCESSORS
5.1. List of Authorized Sub-Processors
- The Processor engages the following Sub-Processors:
  - OVH SAS, 2 Rue Kellermann, 59100 Roubaix, France — Server hosting (VPS infrastructure in Germany, managed by Processor, PostgreSQL database, storage), location: Germany (EEA)
  - Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA — Firebase Cloud Messaging (FCM), data transfer based on EU-US Data Privacy Framework and standard contractual clauses (SCCs)
  - Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, UK — Payment processing (Paddle is an independent data controller for payment data, not a Sub-Processor per se, listed for transparency)
5.2. Change of Sub-Processors
- The Processor shall notify the Controller with reasonable notice (minimum 14 days) of any intended change with respect to the addition or replacement of Sub-Processors
- Notification shall include information about the new Sub-Processor and the reason for the change
- The Controller has the right to object to the new Sub-Processor on reasonable grounds within 14 days
- If the Controller objects, the Controller may terminate the Main Agreement without penalty
5.3. Sub-Processor Obligations
- Each Sub-Processor is bound to maintain the same level of personal data protection as the Processor
- The Processor enters into written agreements with each Sub-Processor imposing data processing obligations on terms that ensure no less protection of Personal Data than the provisions of This Agreement
- The Processor remains fully responsible to the Controller for the performance of the Sub-Processor's obligations
6. DATA TRANSFERS OUTSIDE THE EEA
6.1. Transfer Mechanisms
- The majority of Processing takes place within the EEA (OVH servers in Germany)
- Transfers to the USA (Firebase Cloud Messaging) are based on:
  - EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023)
  - Standard Contractual Clauses (SCCs) contained in Google LLC's Terms of Service
  - Transfer assessment conducted by Google
6.2. Right to Information About Transfers
- The Controller has the right to request information about all transfers of Personal Data outside the EEA
- The Processor shall provide such information within 10 working days
6.3. Right to Object
- If the Controller does not agree to transfer outside the EEA, the Controller has the right to terminate the Main Agreement without penalty
- The Controller must make such declaration within 30 days of notification of the transfer
7. SECURITY OF PROCESSING
7.1. General Principles
- The Processor implements and maintains technical and organizational measures ensuring a level of security appropriate to the risk, as required by Article 32 GDPR
- Such measures include encryption, pseudonymization, access controls, security testing, monitoring, and incident response
7.2. Detailed Technical Measures
- A detailed description of technical measures is provided in Annex 2 — Technical and Organizational Measures
- Key measures include:
  - Data in transit encryption: TLS 1.3 (HTTPS, WSS)
  - Data at rest encryption: AES-256-GCM
  - Tenant data isolation: PostgreSQL Row-Level Security (RLS)
  - Access control: JWT + refresh tokens, SSH key authentication
  - Monitoring: Grafana + Prometheus
  - Backup with encryption
  - Docker containerization
7.3. Security Review
- The Processor conducts regular security reviews (minimum 1x/year)
- Penetration testing conducted at least annually by an independent auditor
- Results are documented and available upon the Controller's request
7.4. Access Management
- Access to Personal Data is limited to Processor employees/contractors who:
  - Have been granted authorization in accordance with the principle of least privilege
  - Are subject to confidentiality obligations
  - Have received training in data protection
- Access is monitored and logged
8. DATA BREACHES
8.1. Notification Obligation
- The Processor shall notify the Controller of any Data Breach promptly, and in any case within 48 hours of discovering it, unless the Breach is unlikely to result in a risk to the rights and freedoms of Data Subjects
- Notification shall include:
  - Description of the Breach and its scope
  - Categories and approximate number of affected Data Subjects
  - Categories and approximate number of affected Personal Data records
  - Possible consequences of the Breach
  - Remedial measures taken or proposed
  - Contact details of the responsible person at the Processor
8.2. Assistance in Communication with Supervisory Authority
- The Processor shall assist the Controller in preparing notification to and communication with the relevant data protection supervisory authority
- The Processor does not notify the supervisory authority directly; notification is the responsibility of the Controller
- The Controller has the obligation to notify the supervisory authority within 72 hours of discovering the Breach if it constitutes a risk to rights and freedoms
8.3. Documentation
- The Processor shall document all Breaches and actions taken in response
- Documentation is available for review by the Controller upon request
9. DATA SUBJECT RIGHTS
9.1. Exercising Rights
- The Processor shall assist the Controller in exercising Data Subject rights in accordance with Chapter 3.5 of This Agreement
- In case of a direct request from a Data Subject, the Processor shall promptly notify the Controller
9.2. Limitations
- The Processor will not directly fulfill Data Subject requests without instruction from the Controller
- All requests are forwarded to the Controller within 2 working days
10. AUDITS AND INSPECTIONS
10.1. Right to Audit
- The Controller has the right to conduct an audit or inspection of the Processor's premises, systems, and documentation to verify compliance with This Agreement and Data Protection Laws
- Audits may be conducted directly by the Controller or by an independent auditor/consultant designated by the Controller
10.2. Limitations and Procedures
- Audits may be conducted a maximum of 1 time per year, unless a previous audit revealed significant violations
- The Controller must submit an audit request with a minimum of 14 days' notice
- Audits shall take place only during business hours (9:00-17:00 in German time zone)
- Audits must not interfere with the operational functioning of systems
- Audits may be conducted only at the Processor's premises or through remote review of documentation and systems
10.3. Audit Costs
- Audit costs (including independent auditor fees, if the auditor is not an employee of the Controller) shall be borne by the Controller
- The Processor shall not incur additional operational costs for auditing, except for the time of its employees directly involved in the audit
10.4. Confidentiality
- If an audit is conducted by a third party (auditor), that party must sign a confidentiality agreement
- The Processor may require that technologically sensitive information (e.g., infrastructure source code, passwords) be redacted or not disclosed
10.5. Audit Report
- The audit report must be submitted to the Processor for approval as to factual accuracy before final publication
- The Processor has the right to correct factual errors in the report within 10 days
11. DELETION AND RETURN OF DATA UPON TERMINATION
11.1. Controller Instructions
- Upon termination or dissolution of the Main Agreement, the Controller shall issue instructions to the Processor regarding Personal Data:
  - Return: The Processor shall return all Personal Data in a structured, commonly used, machine-readable format
  - Deletion: The Processor shall securely delete all Personal Data
11.2. Time to Execute
- Instructions shall be executed within 30 days of termination of the Main Agreement
- If data return is technically impossible, the Processor shall notify the Controller and make all efforts to enable return in another format
11.3. Exceptions
- The Processor may retain Personal Data if required by EU or applicable law
- In such case, the Processor shall notify the Controller of:
  - The legal basis for retention
  - The retention period
  - Technical measures ensuring security
11.4. Confirmation
- After deletion or return of Personal Data, the Processor shall provide the Controller with written confirmation within 5 days
12. LIABILITY
12.1. Processor Liability Cap
- Limitation of Processor liability:
  - The total liability of the Processor to the Controller (or third parties) shall not exceed the sum of fees actually paid by the Controller for the SIMtrix service during the 3 months preceding the event giving rise to the claim
  - In no case shall it exceed 5,000 EUR
  - These limits apply to all claims, regardless of their legal basis (contract, tort, warranty, etc.)
12.2. Exclusions from Liability Cap
- The liability cap does not apply to:
  - Damages for breach of confidentiality by the Processor
  - Damages for breach of Personal Data security resulting from gross negligence of the Processor
  - Claims for violation of Data Subject rights resulting from the Processor's action or omission contrary to the Controller's instructions
  - Claims for violation of Articles 28, 32, 33 GDPR (Processor obligations regarding confidentiality, security, breach notification)
  - Obligations arising from Article 82 GDPR (GDPR violations)
12.3. Comparative Responsibility
- If a Breach results partly from the action or omission of the Controller, the Processor's liability shall be reduced proportionally to the degree of the Controller's fault
12.4. No Liability For:
- Loss of revenue, profits, opportunity, data, reputation, or other indirect, incidental, punitive, or special damages
- Action or omission of the Controller or unrelated third parties
- Force majeure (vis major)
- Service interruptions due to technical causes not arising from Processor negligence
13. TERM AND TERMINATION
13.1. Effective Date
- This Agreement becomes effective on the date the Main Agreement (SIMtrix Terms of Service) is executed
13.2. Duration
- This Agreement continues for the entire duration of the Main Agreement (SIMtrix subscription)
- This Agreement shall remain in force for 30 days after termination of the Main Agreement to enable return or deletion of Personal Data
13.3. Termination
- This Agreement shall terminate automatically upon termination of the Main Agreement
- Provisions regarding confidentiality, security, liability, and Data Subject rights shall survive for 5 years after termination
14. GOVERNING LAW AND JURISDICTION
14.1. Governing Law
- This Agreement shall be governed by the laws of the Republic of Poland, excluding its conflicts of law provisions
14.2. Jurisdiction and Dispute Resolution
- Any disputes arising from or related to This Agreement shall be resolved by the courts of the Republic of Poland
- The competent court is the Regional Court (Sąd Rejonowy) competent for the Processor's registered office, i.e., Regional Court Gdańsk-Północ in Gdańsk (for civil matters)
- The parties agree to the exclusive jurisdiction of such courts
- Prior to initiating court proceedings, the parties undertake to attempt resolution of the dispute through mediation
14.3. Language of Agreement
- This Agreement is executed in Polish and English (Part II below)
- In case of discrepancy between the Polish and English versions, the Polish version shall prevail
15. FINAL PROVISIONS
15.1. Integration
- This Agreement, together with the Main Agreement, constitutes the entire agreement between the parties regarding the Processing of Personal Data
- This Agreement supersedes any prior understandings regarding the Processing of Personal Data between the parties
15.2. Amendment of Provisions
- No amendment to This Agreement shall be valid unless made in writing and signed by both parties
- The Processor may unilaterally amend This Agreement to comply with changes in Data Protection Laws, with notice to the Controller of at least 30 days
- In case of change in Data Protection Laws requiring immediate implementation, the Processor shall notify the Controller immediately
15.3. Severability
- If any provision of This Agreement is found invalid or unenforceable, the remaining provisions shall remain in force
- An invalid provision shall be replaced with a valid provision that achieves, to the greatest extent, the purpose of the invalid provision
15.4. Waiver of Rights
- Failure to enforce any provision of This Agreement does not constitute a waiver of that provision
- Failure by one party to effectively exercise a right does not deprive the other party of the right to demand performance
15.5. Notices
- All notices required under This Agreement shall be delivered in writing (email, registered letter, courier) to the addresses below:
  - For the Processor: ANTENA sp. z o.o., ul. Działdowska 16, 81-208 Gdynia, compliance@simtrix.app
  - For the Controller: email address provided during SIMtrix service registration
15.6. Parties to the Agreement
- This Agreement is entered into between:
  - Processor: ANTENA sp. z o.o., ul. Działdowska 16, 81-208 Gdynia, Poland, Tax ID: 9581754603, Registration Number: 541828792
  - Controller: a legal entity (Customer) accepting the SIMtrix Terms of Service, identified through registration information in the admin panel
ANNEX 1: DESCRIPTION OF PERSONAL DATA PROCESSING
| Element | Description |
|---|---|
| Data Controller (Powierzający) | SIMtrix customer — a legal entity using the service |
| Data Processor (Przetwarzający) | ANTENA sp. z o.o., Gdynia, Poland |
| Subject Matter of Processing | Phone numbers, SMS content, call recordings, communication metadata, OAuth tokens |
| Purpose of Processing | Provision of SIMtrix service — mediation of SMS and phone call communication |
| Categories of Data Subjects | Customer business contacts in CRM (leads, contacts, clients) |
| Nature of Operations | Transmission, temporary storage, logging, encryption |
| Retention Period | SMS — 7 days, recordings — 24 hours, metadata — 90 days, total — subscription duration + 30 days |
| Processing Location | EEA, primarily Germany (OVH), partially USA (FCM via EU-US DPF) |
ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES
A. TECHNICAL MEASURES
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.3 (HTTPS), WSS for WebSocket; all connections between clients and server encrypted |
| Encryption at Rest | AES-256-GCM for: SMS content, OAuth tokens, temporary recordings |
| Password Hashing | bcrypt with salt, minimum 10 rounds |
| Tokenization | JWT with refresh tokens, token expiration: 15 minutes, refresh: 7 days |
| Access Control | SSH key authentication (ed25519), no SSH passwords |
| Data Isolation | PostgreSQL Row-Level Security (RLS) — each tenant sees only its data |
| Application Firewall | WAF via Caddy; rate limiting; CORS |
| DDoS Protection | Caddy reverse proxy; request rate limiting |
| Monitoring | Grafana + Prometheus; application logging; alerting |
| Backup | Daily database backups with encryption; 30-day retention; restore test 1x/month |
| Containerization | Docker with minimal base images; stateless containers |
| Vulnerability Scanning | Trivy on Docker images; OWASP ZAP on API; frequency: 1x/week |
| Penetration Testing | Independent auditor; frequency: 1x/year |
B. ORGANIZATIONAL MEASURES
| Measure | Description |
|---|---|
| Confidentiality Agreements | Each employee/contractor signs NDA before access to Personal Data |
| Training | Data protection and information security training for all employees with access; frequency: 1x/year |
| Access Control | Principle of Least Privilege (PoLP); access review 1x/quarter |
| Logging and Auditing | Logging of all Personal Data access; log retention: 90 days |
| Incident Management | Breach response procedure; designated team; drills: 2x/year |
| Password Management | Password manager for shared passwords; rotation every 90 days |
| Vulnerability Management | Vulnerability registry; remediation plan; prioritization by CVSS |
| Documentation | System documentation, security procedures, continuity plans; offline storage |
| Physical Security | Server on dedicated physical infrastructure from OVH; access controlled by provider |
| Remote Access | VPN for system access; MFA (Multi-Factor Authentication) mandatory |
| Security Incidents | Monthly incident report to Controller upon request |
ANNEX 3: LIST OF SUB-PROCESSORS
1. OVH SAS
- Name: OVH SAS
- Address: 2 Rue Kellermann, 59100 Roubaix, France
- Website: https://www.ovhcloud.com
- Type of Service: Infrastructure hosting (VPS in Germany, managed by Processor, PostgreSQL database, storage)
- Personal Data Processed: All Personal Data (stored on physical server in Germany)
- Processing Location: Germany (EEA)
- Transfer Basis: Infrastructure in EEA — no transfer outside EEA
- Agreement: OVH General Terms of Service contain GDPR clauses
- DPA: Available on OVH website (https://www.ovhcloud.com/en/personal-data-protection/)
2. Google LLC
- Name: Google LLC
- Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
- Website: https://www.google.com
- Type of Service: Firebase Cloud Messaging (FCM) — push notifications to Android app
- Personal Data Processed: Push notification tokens (FCM registration tokens), transmission metadata
- Processing Location: USA (outside EEA)
- Transfer Basis: EU-US Data Privacy Framework (DPF) — adequacy decision of European Commission of 10 July 2023
- Agreement: Firebase Terms of Service (https://firebase.google.com/terms)
- DPA: Google Data Processing Addendum (https://cloud.google.com/terms/data-processing-addendum)
- Notes: Google is certified under EU-US DPF; FCM tokens do not contain SMS content or recordings, only session identifiers
3. Paddle.com Market Limited
- Name: Paddle.com Market Limited
- Address: 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, UK
- Website: https://www.paddle.com
- Type of Service: Merchant of Record (MoR) — payment processing, invoicing
- Personal Data Processed: Payment data (first name, last name, email address, credit card version — LAST 4 digits only), IP addresses, user agent
- Processing Location: United Kingdom (EEA) and USA
- Transfer Basis: Standard Contractual Clauses (SCCs)
- Agreement: Paddle Terms of Service (https://www.paddle.com/legal)
- Notes: Paddle is an independent data controller for payment data — not a Sub-Processor per se under Article 28 GDPR; listed for informational transparency
End of Data Processing Agreement (DPA) — SIMtrix
To sign this DPA, contact: support@simtrix.app