Speexx and the EU-GDPR

At Speexx, we are fully aware of just how important data protection is.

As a provider of a digital language learning platform with cloud-based systems, we consider the highest level of data protection particularly important.

Speexx fulfills all requirements of the EU General Data Protection Regulation, not only in the software we offer but also as a company, and is therefore data protection compliant in all areas according to the EU-GDPR.

General data processing

Speexx processes personal data in consideration of and in accordance with the relevant data protection rules, in particular, the GDPR and the BDSG.

Security and encryption

Security has the highest priority at Speexx. Speexx therefore encrypts sensitive user data in such a way that it can only be “decrypted” and read after proper authentication – a process that is monitored by the German Society for Cyber Security (DCSO).

We are TISAX® certified

Speexx is the first digital language platform to earn the TISAX® certification for information security in the automotive industry after acceptance by the independent, accredited auditing company TÜV Rheinland.

Where is my data stored?

All personal data is stored in Munich, Germany, thus meeting Speexx’s high requirements and always guaranteeing the physical safety of our customers’ data.

What is stored?

Private/professional contact details or identification details provided by the client or the persons involved (name, last name, email address, telephone number, nickname and time zone).

Responsible entity and data protection officer

Do you have any questions? The best way to contact the Speexx data protection officer is by e-mail at privacy@speexx.com.

FAQ

General Information on Data Protection at Speexx

The term “personal data” under data protection law refers to all information that relates to an identified or identifiable individual. Speexx processes personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. Data processing by Speexx takes place only when authorized by law.

Speexx only processes personal data:

  • with your consent according to Art. 15 para. 3 of the German Telemedia Act (TMG) or Art. 6 para. 1 lit. a) GDPR.
  • for the performance of the contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract, including the execution of pre-contractual measures taken at the data subject’s request (pursuant to Art. 6 para. 1 lit. b) GDPR).
  • for the fulfillment of a legal obligation (according to Art. 6 para. 1 lit. c) GDPR).
  • or according to Article 6 para. 1 lit. f) GDPR, if the processing is necessary for protecting our legitimate interests or the legitimate interests of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data.

Yes, and you can contact him at any time. Just send an email to privacy@speexx.com.

All Speexx employees are committed to full confidentiality and data protection and are made aware of the consequences in the event of a violation.

Furthermore, training and awareness programs on the handling of personal details and data protection are carried out regularly.

Speexx adheres to the requirements of ISO/IEC 27001 and works continuously to improve all processes and structures in data protection and information security. In addition to appointing a data protection officer and providing regular training for employees, Speexx has also appointed a data protection and information security team to ensure that security has the highest priority.

Speexx implements the recommendations and guidelines of the BSI (German Federal Office for Information Security). Speexx is also a member of industry associations such as the Cyber Security Cluster Bonn e.V. to keep up to date with the latest technologies and security updates.

According to Art. 28 EU-GDPR, Speexx is obliged as a processor to conclude a data processing agreement with our customers. We have developed a corresponding template for this, which you will receive from us when you become a client.

In the event of a data breach, transparency and timely response are particularly important. If a data breach does occur at Speexx and a customer’s data falls into the wrong hands, thereby posing a risk to the rights and freedoms of the customer’s employees, Speexx will act per its legal and contractual obligations. In this case, Speexx will rectify the situation and immediately inform the affected customer. Speexx will further fulfill its legal obligations to the supervisory authority.

Yes, at Speexx data protection is very important to us and we see it as an essential part of our product strategy. Already during the development of our solutions, we paid close attention to principles such as data economy and state-of-the-art measures to ensure an appropriate level of protection. In the wake of the EU GDPR, we reviewed the entire product in terms of default settings and adjusted them to ensure maximum data protection while still ensuring user-friendliness. At Speexx, we check at regular intervals that all legal requirements are continuously taken into account during the product development process.

Encryption and Pseudonymization

Yes, Speexx encrypts sensitive user data so that it can be “decrypted” and read only after proper authentication.

Yes, all personal or person-related data that is transmitted by Speexx programs to a client or other platforms, including over HTTPS, is encrypted by Transport Layer Security (TLS). This means that a secure connection must always first be established between the two connection partners, i.e., between client and server, before any data transfer can take place.

Confidentiality & Integrity

All personal data is stored in Munich, Germany. Speexx uses the hosting services of Ingate/Equinix. The data centers used are ISO/IEC 27001 certified. Thus, the physical security of our customers’ data is always guaranteed.

Generally, only carefully selected employees at Speexx have access to customer data. Only the Product Team and the Customer Success Team are authorized to access customer data when necessary (for example, when setting up an account or processing service requests). Access rights are logged and assigned according to “need-to-know” and “least privilege” principles.

On the server-side, Speexx relies on a host-based attack detection system that monitors and regularly examines certain parameters, such as conspicuous log entries, signatures of known rootkits and Trojans, anomalies in the device file system, or classic brute force attacks. If an anomaly is detected, the employees responsible in operations and development intervene immediately to take countermeasures as quickly as possible.

Please contact us at privacy@speexx.com for a detailed list of our Technical and Organizational Measures (TOMs).

Access to the Speexx platform is only granted to those who have an assignable, personalized user account. A username and password are requested each time a user logs in. The password must be created according to the password policy. For additional security, we recommend that our customers use SAML-based authentication, which can be extended with 2-factor authentication to achieve a higher level of protection.

Purpose Limitation

At Speexx, the customer is and always remains the owner of – and responsible for – its own data, according to Art. 24 EU-GDPR. Accordingly, the customer is responsible for safeguarding the data subject rights (Chapter 3 EU-GDPR). As a processor, Speexx uses your data exclusively on your instructions and for the purposes regulated in the contract for commissioned processing. Specifically, this means that Speexx may not and will not under any circumstances sell or disclose your data to third parties, with the exception of disclosure to subcontractors, if any, as regulated in the contract for commissioned processing between Speexx and the customer.

For product development and testing purposes, Speexx reserves the right to use completely anonymized data, within the framework of the legal regulation and taking into account the recommendations of the Article 29 Working Party or the European Data Protection Board. The anonymization of the data, therefore, guarantees that no conclusions can be drawn about individuals or companies. Therefore, there is absolutely no risk for the customer.

In the event of termination of the business relationship, the customer may request the release of its data in a machine-readable format via persons authorized to issue these instructions. After the contractual relationship ends, all data will be irretrievably deleted. This usually happens within 30 days after the termination of the business relationship. In the unlikely event that Speexx ceases its business operations, the same procedure would be followed, as Speexx is merely a processor of the customer’s data and is therefore not permitted to dispose of the personal data in any other way.

Safety Verification Procedure

With the help of annual audits of our company and the Speexx platform, we check overall compliance with the legal requirements for data protection. Based on the findings of these audits, we revise and improve our documentation, processes, structures, or functionalities and develop technical and organizational measures for improvement.

Speexx conducts internal vulnerability scans at regular intervals to check our application and infrastructure. In addition, an external service provider carries out penetration tests once a year to check all Speexx systems and products for errors and vulnerabilities. The security of our systems and our application as well as the detection of attacks is of utmost importance to us.