Speexx and the EU-GDPR

Your data is safe with us!

As a provider of a cloud-based digital people development platform, ensuring the highest level of data protection is of paramount importance. Speexx meets all requirements of the EU General Data Protection Regulation (EU-GDPR) not only within its software offerings but also as an organization, ensuring full compliance with data protection standards across all areas.

General data processing

Speexx processes personal data in consideration of and in accordance with the relevant data protection rules, in particular, the GDPR and the BDSG.

Security and encryption

Security has the highest priority at Speexx, which therefore encrypts sensitive user data in such a way that it can only be “decrypted” and read after proper authentication – a process that is monitored by the German Society for Cyber Security (DCSO).

We are TISAX® certified

Speexx has obtained TISAX® certification for information security in the automotive industry, issued by the independent and accredited auditing organization TÜV Rheinland.

Certifications and memberships shown on the page: ISO 27001, Deutsche Cyber-Sicherheitsorganisation (DCSO), NIS2 certificate, CyberVadis, CSA Cloud Security Alliance, TISAX.

Where is my data stored?

All personal data is stored in Munich, Germany. This meets Speexx’s high requirements and always guarantees the physical safety of our customers’ data.

What is stored?

Private or professional contact and identification details provided by the client or by the persons involved (name, last name, email address, telephone number, nickname and time zone).

Responsible entity and data protection officer

Do you have any questions? The best way to contact the Speexx data protection officer is by e-mail at privacy@speexx.com.

General Information on Data Protection at Speexx

The term “personal data” under data protection law refers to all information that relates to an identified or identifiable individual. Speexx processes personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. Data processing by Speexx takes place only when authorized by law. Speexx processes personal data exclusively under the following conditions:
With your consent, pursuant to Art. 15 para. 3 of the German Telemedia Act (TMG) or Art. 6 para. 1 lit. a) GDPR.
For the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request prior to entering into a contract, including the execution of pre-contractual measures (pursuant to Art. 6 para. 1 lit. b) GDPR).
For the fulfillment of a legal obligation, as required under Art. 6 para. 1 lit. c) GDPR.
To protect legitimate interests, pursuant to Art. 6 para. 1 lit. f) GDPR, where processing is necessary to safeguard our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms requiring the protection of personal data.
Yes, Speexx has a data protection officer, and you can contact him at any time. Just send an email to privacy@speexx.com.
All Speexx employees are committed to full confidentiality and data protection and are made aware of the consequences in the event of a violation. Furthermore, regular training and awareness programs are carried out on the handling of personal details and data protection.
Speexx is certified according to ISO/IEC 27001 and is NIS2 compliant. The company continuously enhances its processes and structures related to data protection and information security. In addition to appointing a Data Protection Officer and conducting regular employee training, Speexx has established a dedicated data protection and information security team to ensure that security remains a top priority. Speexx follows the recommendations and guidelines of the BSI (German Federal Office for Information Security). Furthermore, Speexx is an active member of industry associations such as the Cyber Security Cluster Bonn e.V., enabling the company to stay informed about the latest technologies and security developments.
According to Art. 28 EU-GDPR, Speexx is obliged as a processor to conclude a data processing agreement with our customers. We have developed a corresponding template for this, which you will receive from us when you become a client.
In the event of a data breach, transparency and a timely response are particularly important. If a data breach does occur at Speexx and a customer’s data falls into the wrong hands, thereby posing a risk to the rights and freedoms of the customer’s employees, Speexx will act in accordance with its legal and contractual obligations. In this case, Speexx will rectify the situation and immediately inform the affected customer. Speexx will further fulfill its legal obligations to the supervisory authority.
At Speexx, data protection is of utmost importance and an integral part of our product strategy. From the very beginning of our solution development process, we prioritize principles such as data minimization and state-of-the-art measures to ensure an appropriate level of protection. In response to the EU GDPR, we conducted a comprehensive review of our product’s default settings and made adjustments to ensure maximum data protection without compromising user-friendliness. Speexx also conducts regular audits to ensure that all legal requirements are consistently incorporated into the product development process.

Encryption and Pseudonymization

Yes, Speexx encrypts sensitive user data so that it can be “decrypted” and read only after proper authentication.
Yes, all personal or person-related data transmitted by Speexx programs to clients or other platforms, including HTTPS connections, is encrypted using Transport Layer Security (TLS). This ensures that a secure connection is always established between the two connection partners – client and server – before any data transfer occurs.

Confidentiality & Integrity

All personal data is stored in Munich, Germany. Speexx uses the hosting services of Ingate/Equinix. The data centers used are ISO/IEC 27001 certified. Thus, the physical security of our customers’ data is always guaranteed.
At Speexx, access to customer data is strictly limited to carefully selected employees. Only the Product Team and Customer Success Team are authorized to access customer data, and only when necessary – for example, during account setup or while processing service requests. Access rights are logged and assigned based on the “need-to-know” and “least privilege” principles.
On the server side, Speexx employs a host-based attack detection system that monitors and routinely examines specific parameters, such as suspicious log entries, signatures of known rootkits and Trojans, anomalies in the device file system, or classic brute force attacks. If an anomaly is detected, the responsible teams in operations and development intervene immediately to implement countermeasures as quickly as possible. For a detailed list of our Technical and Organizational Measures (TOMs), please contact us at privacy@speexx.com.
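One of the parameters named above, classic brute-force attacks, is easy to illustrate with a small host-based check. The following Python block is an added example, not Speexx’s own detection system: it scans sshd-style authentication log lines (constructed for this example, not real Speexx logs) and flags any source address that produces five or more failed logins inside a sliding 60-second window. The log format, threshold and window are assumptions chosen for the illustration; lines are assumed to be in chronological order, as they would be when read from a log file.

```python
"""Sliding-window brute-force detector over sshd-style auth log lines.

Added example (not Speexx code): a minimal host-based check of the kind
described above, flagging a source that produces many failed logins in a
short window. Log lines, threshold and window are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like, not real Speexx logs).
# 203.0.113.7 fails five times in eight seconds; 198.51.100.12 fails twice,
# fifteen minutes apart, which a sensible window should not flag.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-05-01T10:00:03 sshd[2202]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T10:00:04 sshd[2203]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-05-01T10:00:06 sshd[2204]: Failed password for root from 203.0.113.7 port 51006 ssh2
2024-05-01T10:00:07 sshd[2205]: Failed password for root from 203.0.113.7 port 51008 ssh2
2024-05-01T10:00:09 sshd[2206]: Accepted publickey for deploy from 198.51.100.12 port 40222 ssh2
2024-05-01T10:05:00 sshd[2207]: Failed password for alice from 198.51.100.12 port 40230 ssh2
2024-05-01T10:20:00 sshd[2208]: Failed password for alice from 198.51.100.12 port 40231 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional noise
# that sshd inserts when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak_failures} for every source that reaches
    `threshold` failed logins within some `window`-long sliding interval.

    Assumes lines arrive in chronological order (true for a log file).
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerts = {}
    for ts, _user, src in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        # Drop events that have fallen out of the window relative to this one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts


if __name__ == "__main__":
    for src, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT brute force suspected from {src}: {count} failures within window")
```

The window-based count, rather than a plain total, is what keeps the detector from raising on a legitimate user who mistypes a password twice over a quarter of an hour; in a real deployment the threshold, window and follow-up action (alerting the operations team, as the text describes) would be tuned to the service’s normal login pattern.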
Access to the Speexx platform is only granted to those who have an assignable, personalized user account. A username and password are requested each time a user logs in. The password must be created according to the password policy. For additional security, we recommend that our customers use SAML-based authentication, which can be extended with 2-factor authentication to achieve a higher level of protection.

Purpose Limitation

At Speexx, the customer is and always remains the owner of, and responsible for, their own data, in accordance with Art. 24 of the EU-GDPR. This means the customer is responsible for safeguarding the data subject rights outlined in Chapter 3 of the EU-GDPR. As a processor, Speexx processes your data exclusively on your instructions and for the purposes specified in the contract for commissioned processing. Specifically, Speexx will never sell or disclose your data to third parties, except for subcontractors, if applicable, as regulated in the contract for commissioned processing between Speexx and the customer. For product development and testing purposes, Speexx reserves the right to use fully anonymized data within the framework of legal regulations and in line with the recommendations of the Article 29 Working Party or the European Data Protection Board. Anonymization ensures that no conclusions can be drawn about individuals or companies, eliminating any risk to the customer.
In the event of termination of the business relationship, the customer may request the release of their data in a machine-readable format through authorized representatives. Once the contractual relationship ends, all data will be irretrievably deleted, typically within 30 days of termination. In the unlikely event that Speexx ceases its business operations, the same procedure will apply, as Speexx acts solely as a processor of the customer’s data and is not permitted to handle personal data in any other way.

Safety Verification Procedure

With the help of annual audits of our company and the Speexx platform, we check overall compliance with the legal requirements for data protection. Based on the findings of these audits, we revise and improve our documentation, processes, structures, or functionalities and develop technical and organizational measures for improvement.
Speexx conducts internal vulnerability scans at regular intervals to check our application and infrastructure. In addition, an external service provider carries out penetration tests once a year to check all Speexx systems and products for errors and vulnerabilities. The security of our systems and our application as well as the detection of attacks is of utmost importance to us.