Go back to website

Data Processing Addendum (DPA)

1. Roles of the Parties

  • Customer as Controller – Customer acts as the controller of personal data stored in its tenant on the TF Platform (“The Future Platform”).

  • Simptel as Processor – Simptel acts as processor only with respect to personal data in Customer’s tenant and processes such data solely on Customer’s documented instructions.

  • Customer Responsibility – Customer is responsible for:

    • Selecting its hosting region (Azure, AWS, or Google Cloud);

    • Managing tenants, access rights, and identity configurations;

    • Configuring and managing third-party integrations.

While the TF Platform makes integrations easy, all third-party integrations (and their API keys or credentials) remain Customer’s sole responsibility.

2. Subject Matter and Scope

Simptel processes Customer Personal Data only for the provision of the TF Platform, an identity and security platform.

3. Processing Location

  • Tenant Data – Customer Personal Data is processed exclusively in the region selected by Customer (Azure, AWS, or Google Cloud). Simptel does not replicate or transfer tenant data outside the selected region.

  • DNS Services – The TF Platform uses Google DNS for the tfplatform.com domain, which may involve processing outside the selected region.

  • TLS Certificates – TLS certificates are issued by Let’s Encrypt by default. Customers may alternatively provide their own certificates.

  • Customer Organizational Data – Data relating to Customer’s own organization (e.g., billing, invoicing, contracting, and account administration) is processed in the Netherlands by Simptel. For these purposes, Simptel also uses the following service providers:

    • Bird.com – communications;

    • Azure Marketplace – subscriptions and procurement;

    • Stripe – payments and billing;

    • Moneybird – bookkeeping and accounting.

This processing is separate from Customer’s tenant data.

4. Nature and Purpose of Processing

Simptel processes Customer Personal Data solely to:

  • Host, encrypt, and secure tenant data in the chosen region;

  • Provide the features and functionality of the TF Platform;

  • Manage billing, invoicing, and contracting for Customer’s organization.

5. Categories of Data and Data Subjects

  • Categories of Data: Identity data, authentication data, access logs, and any other information uploaded or configured by Customer.

  • Data Subjects: End-users of Customer’s tenant, such as employees, partners, or customers.

Customer determines what data is processed.

6. Security Measures

Simptel maintains technical and organizational measures appropriate to the risk, including:

  • Encryption – All tenant data is encrypted at rest and in transit using AES-based best practices;

  • TLS – Secured by Let’s Encrypt or Customer-provided certificates;

  • Access Controls – Strict authentication and authorization measures;

  • Logging & Monitoring – Security and compliance monitoring;

  • Tenant Isolation – Logical and physical separation of tenants;

  • Certifications – Simptel is ISO/IEC 27001:2022 certified and maintains SOC 2 Type II compliance, supported by yearly independent audits.

7. Sub-Processors

Authorized sub-processors are limited to:

For Tenant Data

  • Google – DNS services for tfplatform.com;

  • Let’s Encrypt – TLS certificate authority;

  • Cloud provider chosen by Customer – Azure, AWS, or Google Cloud, in the region selected by Customer.

For Customer Organizational Data

  • Bird.com – communications;

  • Azure Marketplace – subscription and procurement;

  • Stripe – payments and billing;

  • Moneybird – bookkeeping and accounting.

Simptel Entities

  • Simptel B.V. – Netherlands;

  • Simptel Services B.V. – Netherlands;

  • Simptel India Private Limited – India

Simptel will update this list at least 30 days before engaging a new sub-processor.

8. International Data Transfers

  • Tenant Data – Remains in the Customer-selected region, except for DNS services.

  • TLS Certificates – Let’s Encrypt may process limited technical data (domain validation) outside the selected region.

  • Customer Organizational Data – Processed in the Netherlands, with Stripe and Bird.com potentially involving transfers outside the EEA.

  • Where transfers outside the EEA/UK occur, Simptel ensures appropriate safeguards, including Standard Contractual Clauses.

9. Assistance to Customer

Simptel will assist Customer, where reasonably possible, with:

  • Responding to data subject rights requests;

  • Supporting Data Protection Impact Assessments (DPIAs);

  • Providing documentation to demonstrate GDPR compliance.

10. Return or Deletion of Data

Upon termination of services, Simptel will delete or return Customer Personal Data, unless retention is required by law.

11. Audit Rights

Simptel provides documentation and evidence of compliance, including ISO 27001 and SOC 2 reports. Customer may conduct audits with reasonable notice and subject to confidentiality.

12. Liability

Each party’s liability under this DPA is subject to the limitations of liability agreed in the Terms & Conditions.

13. Governing Law

This DPA is governed by the laws of the Netherlands.

PreviousPrivacy StatementNextSub-processors

Last updated