Trust and Compliance

SoftBCom Berlin GmbH – Platform and Project Solutions



Hosting & Infrastructure

  • The QAWacht SaaS platform and other project-based solutions from SoftBCom are primarily operated on dedicated cloud servers hosted by Hetzner Online GmbH in Germany.
  • For customers outside the EU (primarily in the Americas region), RunPod, Inc. (USA) is engaged as an additional infrastructure provider for compute-intensive AI processing tasks. RunPod provides GPU cloud infrastructure dedicated to these workloads.
  • All data centers involved are ISO/IEC 27001 certified or equivalent and meet requirements for physical security, power supply, access control, and redundancy.


Data Residency & Data Protection

  • Personal data of the customer is processed and stored exclusively within the geographic region defined by contract or by product:

    • For customers based in Germany: exclusively within Germany (e.g., on servers operated by Hetzner Online GmbH).
    • For customers in other EU member states: within the European Union.
    • For customers in third countries: within the region contractually defined (e.g., EU data center), where technically available. If no EU infrastructure is contractually specified (primarily for customers in the Americas), compute-intensive processing may take place on RunPod, Inc. (USA) infrastructure under the EU Standard Contractual Clauses.
  • Data is not transferred outside the defined region. Where processing outside this region is technically or functionally necessary (e.g., for external AI services or GPU compute workloads on RunPod), the data is anonymized or pseudonymized beforehand to ensure no personal reference remains as defined under the GDPR.
  • SoftBCom complies with the requirements of the GDPR, particularly Articles 5, 6, 28, and 32.


Access Controls

  • Access is granted exclusively for maintenance and service purposes to authorized personnel based on role-based permissions.
  • IP filters are used.
  • Automatic session timeouts can be activated if needed.


Encryption

  • Data is transmitted via TLS 1.2+.
  • Security-relevant configuration data (e.g., API keys, tokens, access credentials) is encrypted using AES encryption.


Backup & Recovery

  • Application-specific backups are executed according to predefined backup plans.
  • Recovery testing is carried out in accordance with the established contingency plan.


Incident Management

  • Internal processes are in place for the detection, documentation, and evaluation of security incidents.
  • SoftBCom is committed to reporting relevant incidents to affected customers in accordance with Article 33 of the GDPR.


Penetration Testing & Technical Assessments

  • Internal security reviews are conducted prior to each major release or project-specific deployment.
  • External penetration tests by independent IT partners can be arranged on request (subject to cost reimbursement).


Subprocessors & Responsibilities

  • A current list of active subprocessors is published here: https://www.softbcom.com/trust/subprocessors
  • Data processing is carried out in accordance with the DPA (Data Processing Agreement) and the documented Technical and Organizational Measures (TOM).


ISO Compliance Statement

  • SoftBCom aligns with the core principles of ISO/IEC 27001 and implements them within its internal information security management framework.


Billing & Payment Security

  • QAWacht uses Stripe Payments Europe, Ltd. as its payment processor.
  • Stripe is certified under PCI DSS Level 1, the highest international standard for payment security.
  • All payment data is transmitted via TLS encryption and stored by Stripe using AES-256 encryption.
  • SoftBCom systems do not process or store raw payment card information; instead, tokenization ensures that only non-sensitive references are used in transactions.
  • For international data transfers, Stripe relies on the EU Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework, ensuring GDPR-compliant handling of customer data.


Web Services & Customer Engagement

  • The public-facing websites and customer-facing marketing tools of SoftBCom (including webinar registration and lead forms) are operated via HubSpot, Inc.
  • HubSpot provides ISO 27001 certification and SOC 2 reports, and enforces encryption both in transit (TLS 1.2+) and at rest (AES-256).
  • Contact data collected via HubSpot is processed in line with the SoftBCom Data Processing Agreement and is subject to the EU Standard Contractual Clauses for transfers outside the EU.
  • No payment or conversation transcript data is processed within HubSpot.



Documents:



1. Privacy Policy

https://www.softbcom.com/privacy-policy


2. SaaS Terms of Use

https://softbcom.com/saas-terms-of-use


3. General Terms and Conditions (GTC)

https://softbcom.com/terms-and-conditions


4. Data Processing Agreement (AVV / DPA)

https://www.softbcom.com/dpa


5. Technical and Organizational Measures (TOM)

https://www.softbcom.com/tom


6. List of Subprocessors

https://www.softbcom.com/trust/subprocessors


7. Data Processing Principles for QAWacht

https://www.softbcom.com/trust/QAWacht-data-processing-principles


8. Online Subscription Agreement

This agreement governs the contractual relationship between SoftBCom and the customers of the QAWacht platform and other SaaS services.

http://www.softbcom.com/trust/Online-subscription-agreement

9. Accessibility Statement under the German Accessibility Strengthening Act (BFSG)

http://www.softbcom.com/trust/accessibility