Compliance & sovereignty
This page is an honest summary of the current compliance posture of the SIMOSphere AI platform operated by SIMO GmbH — what is in place today, what is in preparation, and where we deliberately are not yet. No marketing slogans, no wall of logos for certificates we do not hold.
1. DSGVO / GDPR
Status: Structural coverage ~85 % (internal maturity self-assessment, no external audit).
- Data-processing agreement (DPA) under GDPR Art. 28 available on request as a customised template. → Request DPA template
- Subprocessor list: 8 active subprocessors, documented with a four-week change-notice period (GDPR Art. 28 (2)). → See list below
- EU-only hosting: platform compute and backups at Hetzner (Germany); LLM inference at Modal Labs in Frankfurt (modal-eu region).
- Data-subject rights (Art. 15–22): self-service export in the tenant workspace; manual deletion pipeline with a documented GDPR deletion matrix.
- DPIA (Art. 35): completed for PostHog tracking; further DPIAs are run per new AI feature before activation.
2. EU AI Act (VO (EU) 2024/1689)
Status: Structural coverage ~68 %. Risk classification: predominantly minimal / limited risk, with individual workflows under transparency obligations (Art. 50).
- Role: SIMO GmbH acts as both provider for the platform and deployer for third-party GPAI models (Apertus 8B, Mistral family).
- Art. 50 transparency obligation active: all AI responses are flagged as AI-generated via an X-AI-Disclosure header and visible UI indicators.
- Model cards: Apertus 8B (Swiss AI) and the Mistral family (Mistral 7B, Codestral, Magistral) are documented with provider, license, training cut-off and usage limits.
- LLM invocation log (AI-LOG-01): every model call is logged with model ID, tenant hash, token count and response hash for 30 days.
- No high-risk system: no feature currently falls under Annex III (no biometric scoring, no HR screening, no education ranking).
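The following is an added illustration of the Art. 50 header and the AI-LOG-01 record described above; it is not SIMOSphere's own code. The page names the header and the four logged fields (model ID, tenant hash, token count, response hash) and the 30-day window; everything else is an assumption: that the tenant hash is a keyed HMAC rather than a bare SHA-256, the header value format, the model ID string, the fixed timestamp and all sample inputs, which are constructed for the example.

```python
"""Added example: AI-LOG-01-style invocation record with a pseudonymous
tenant, a content fingerprint instead of the text, and 30-day retention."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional

LOG_RETENTION_DAYS = 30  # page: entries are kept for 30 days
# Assumption: the tenant pseudonym is keyed (HMAC) so a leaked log cannot be
# joined back to tenant IDs by hashing the small ID space; the page does not
# say how the hash is derived. Constructed key for the example only.
TENANT_HASH_KEY = b"example-only-rotate-me"
# Constructed fixed "now" so the example is reproducible offline.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


def tenant_hash(tenant_id: str, key: bytes = TENANT_HASH_KEY) -> str:
    """Keyed pseudonym: same tenant -> same value, not brute-forceable from
    the tenant-ID space without the key."""
    return hmac.new(key, tenant_id.encode("utf-8"), hashlib.sha256).hexdigest()


def response_hash(response_text: str) -> str:
    """Fingerprint that proves which response was served without storing it."""
    return hashlib.sha256(response_text.encode("utf-8")).hexdigest()


def log_entry(model_id: str, tenant_id: str, token_count: int,
              response_text: str, now: Optional[datetime] = None) -> dict:
    """Build the record with exactly the fields the page lists. Prompt and
    response text deliberately never enter it."""
    ts = now or datetime.now(timezone.utc)
    return {
        "ts": ts.isoformat(),
        "model_id": model_id,
        "tenant_hash": tenant_hash(tenant_id),
        "token_count": int(token_count),
        "response_hash": response_hash(response_text),
    }


def disclosure_headers(model_id: str) -> dict:
    """Art. 50 flag on the HTTP response. Header name is from the page; the
    value format is an assumption."""
    return {"X-AI-Disclosure": f"ai-generated; model={model_id}"}


def leaks_content(entry: dict, *texts: str) -> bool:
    """Guard for the log writer: True if raw prompt/response text or a raw
    tenant ID ended up in any field (e.g. a stray debug field)."""
    return any(t and t in str(v) for v in entry.values() for t in texts)


def purge_expired(entries: list, now: datetime) -> list:
    """Retention: drop records older than LOG_RETENTION_DAYS."""
    cutoff = now - timedelta(days=LOG_RETENTION_DAYS)
    return [e for e in entries if datetime.fromisoformat(e["ts"]) >= cutoff]


if __name__ == "__main__":
    # "apertus-8b" is an assumed model ID string for the example.
    e = log_entry("apertus-8b", "tenant-42", 317, "constructed model answer", NOW)
    assert not leaks_content(e, "constructed model answer", "tenant-42")
    print(e)
    print(disclosure_headers(e["model_id"]))
```

The `leaks_content` guard is the practical check: the compliance claim only holds as long as nobody adds a field that carries the prompt or the response, so the writer refuses such a record before it reaches disk.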
3. ISO/IEC 27001 (ISMS)
Status: In preparation. Structural coverage ~70 % (Annex A gap analysis). Certification audit targeted for 2027; no ISO 27001 certificate has been issued yet.
- Asset inventory, risk register, statement of applicability and incident response are being established; document control runs through the repository.
- Hetzner, our hosting provider, is ISO/IEC 27001 certified — the infrastructure layer already benefits from that.
4. BSI C5 (Cloud Computing Compliance Criteria Catalogue)
Status: Preparation, Q4 2026. Mapping of C5:2020 controls against existing measures is in progress, starting with the OPS, IDM and CKM domains. No attestation has been issued today.
5. BFSG / WCAG 2.2 AA (accessibility)
Status: Partially compliant with WCAG 2.2 AA and EN 301 549 V3.2.1. Statement of Accessibility under §14 BFSG published; bilingual VPAT 2.5 Rev INT available as the detail document.
6. Schrems II & international data transfers
Status: Transfer Impact Assessment (TIA) methodology documented; EU SCC 2021/914 in place for every US subprocessor where US processing is involved.
- Default path: EU processing. US transfers occur only when a tenant deliberately enables a US connector (e.g. Tavily, Stripe, Microsoft Graph).
- Stripe and Microsoft are certified under the EU-US Data Privacy Framework.
7. Data sovereignty — storage locations
| Data type | Storage location | Encryption |
|---|---|---|
| Tenant databases (PostgreSQL) | Hetzner, DE | TLS in transit, LUKS at rest, column-level encryption for secrets (KEK rotated) |
| Backups (daily, 30 days) | Hetzner Storage Box, DE | AES-256, separate KEK path |
| LLM prompts & responses | Modal Labs, Frankfurt (modal-eu) | TLS in transit, no retention at the model backend |
| File uploads | Hetzner + Cloudflare R2 (EU buckets) | TLS in transit, AES-256 at rest |
| Authentication secrets (JWT, MFA) | Hetzner, DE | Argon2id for passwords, KEK separate from the JWT secret |
| Payment data | Stripe (EU + US, DPF-certified) | PCI DSS Level 1 (Stripe) |
| Support tickets (Zammad) | Hetzner, DE | TLS in transit, LUKS at rest |
8. Subprocessors
Complete, maintained list of the 8 active subprocessors with role, processed data, region and contractual basis. Customers are notified four weeks in advance of any change by email (GDPR Art. 28 (2)).
| Provider | Role | Region | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Servers, storage, backups | DE | DPA, ISO 27001 |
| Cloudflare, Inc. | DDoS, WAF, DNS, Tunnel | Global (EU-fronted) | DPA, EU SCC 2021/914, ISO 27001 |
| Modal Labs, Inc. | LLM compute (EU region) | EU (Frankfurt) | DPA, EU SCC, No-Retention |
| Stripe, Inc. | Payments | EU + US | DPA, EU SCC, EU-US DPF |
| Tavily, Inc. | Web search (tenant opt-in) | US | DPA, EU SCC |
| Microsoft Corp. (Graph) | M365 connector (tenant opt-in) | EU (Tenant Choice) | DPA, EU SCC, EU-US DPF |
| GitHub, Inc. | Source-code hosting (no tenant data) | US | DPA, EU-US DPF |
| GitGuardian, Inc. | Secret scanning on push (no tenant data) | EU | DPA |
The full internal source for this list is maintained in docs/compliance/DP-AVV-01-subprocessors.md and reviewed at least quarterly.
9. Certificates
We list only certificates that actually exist. As of today there are no external audit certificates yet — the placeholders are kept visible as an honest signal.
10. Contact & requests
For compliance enquiries, DPA requests, vendor reviews or auditor access:
- Email: [email protected]
- Data protection: [email protected]
- Accessibility: [email protected]
- Mail: SIMO GmbH, attn. «Compliance», Würzburger Straße 152, 63743 Aschaffenburg, Deutschland