This Privacy Policy provides information on the processing of personal data when visiting the nordnung.ai website, contacting us, requesting demos, and carrying out test calls.
Personal data means any information relating to an identified or identifiable natural person.
3. Accessing the website
When you access our website, we process technically necessary connection data to provide the website, ensure stability and security, and detect attacks or misuse.
In particular, we process:
IP address
date and time of access
requested content
browser type and version
operating system
referrer URL
status codes
server and security logs
Processing is based on Art. 6(1)(f) GDPR. Our legitimate interest is the secure, stable, and efficient provision of the website.
Server and security logs are generally deleted after 14 days unless longer storage is required to investigate security incidents.
4. Contacting us
If you contact us by email, contact form, or other means, we process the data you provide in order to handle your request.
This may include, in particular:
name
company
business contact details
content of the request
time of the request
communication history
Processing is based on Art. 6(1)(b) GDPR where your request relates to entering into or performing a contract. Otherwise, processing is based on Art. 6(1)(f) GDPR. Our legitimate interest is handling inquiries and initiating business relationships.
Contact and demo requests are generally deleted 12 months after the last relevant contact unless statutory retention obligations or ongoing contractual relationships require otherwise.
5. Demos and test calls
Demos and test calls can be requested or conducted via the website. For such test calls, we process the communication and contact data required.
In particular, we process:
name
company
phone number
email address
scheduling data
call metadata
call content
where applicable, recordings and transcripts
Test calls may be recorded for demonstration, documentation, and quality assurance purposes. Recording takes place only after prior notice and, where required, on the basis of your consent pursuant to Art. 6(1)(a) GDPR. Otherwise, processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
Recordings of test calls and related transcripts are generally deleted after 30 days unless longer storage is required in individual cases or expressly agreed.
6. AI-supported demo features
During test calls, chats, or product demos, you may interact with AI-supported features. Unless this is already obvious from the circumstances, we provide transparent notice of this.
To provide such features, content required for the specific processing may be transmitted to the AI components used for that purpose. Under our current operating model, AI processing is carried out via Microsoft Azure within the EU. We only share data required for the respective function.
Please do not transmit unnecessary sensitive information, passwords, or other secrets during demos.
7. Cookies, consent, and audience measurement
On your first visit, a consent banner asks which categories of cookies and similar technologies we may use. Before you consent, no analytics, tracking, or marketing technologies requiring consent are loaded; Google Consent Mode v2 defaults to “denied”.
We store your choice for twelve months in a strictly necessary cookie (“nn_consent”) and mirror it in your browser’s local storage (Section 25 (2) no. 2 TDDDG, Art. 6 (1)(f) GDPR). You can enable the following categories individually:
Necessary: core functions such as page navigation, language selection, and storing your consent. Always active.
Tracking & analytics: Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to measure how the website is used, with truncated IP addresses. Names, email addresses, or phone numbers are never sent to Google.
Marketing: measuring the success of our advertising — where activated, via the Meta Pixel and the server-side Meta Conversions API (Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland) and, where applicable, Google Ads. Contact details are SHA-256-hashed exclusively server-side before any transfer to Meta; browser and server events are deduplicated via a shared event ID.
Comfort: stores settings to make using the website more convenient.
The legal basis for the optional categories is your consent (Art. 6 (1)(a) GDPR, Section 25 (1) TDDDG). You can withdraw or adjust your consent at any time with effect for the future via the “Manage consent” link in the footer.
8. Recipients
Recipients of personal data may include, in particular:
internal departments of SecureVibe IT Solutions GmbH
technical service providers for hosting and infrastructure
Microsoft Azure within the EU, where AI features are used
Google Ireland Limited, where you have consented to tracking & analytics
Meta Platforms Ireland Limited, where you have consented to marketing and Meta services are active
9. Third-country transfers
Our goal is processing within Germany or the EU.
If, in individual cases, a third-country connection cannot be excluded, for example due to group-related support access by a provider used, such processing only takes place in compliance with Art. 44 et seq. GDPR and on the basis of appropriate safeguards.
Where you have consented to Google Analytics, Google Ads, or Meta services, data may be transferred to the United States. Google LLC and Meta Platforms, Inc. are certified under the EU-US Data Privacy Framework (adequacy decision under Art. 45 GDPR).
10. Storage period
Unless a specific storage period is stated in this Privacy Policy, we process and store personal data only for as long as required for the respective purpose or as long as statutory retention obligations apply.
The following standard periods currently apply in particular:
server and security logs: 14 days
contact and demo requests: 12 months after the last contact
test-call recordings: 30 days
test-call transcripts: 30 days
11. Obligation to provide data
Provision of data generated during technical operation of the website is required to use the website.
Provision of contact and communication data is voluntary. Without this information, we may not be able to process inquiries, or may only be able to process them in part.
12. Data subject rights
Within the legal requirements, you have the right of access, rectification, erasure, restriction of processing, data portability, and the right to object to processing based on Art. 6(1)(f) GDPR.
Where processing is based on your consent, you may withdraw that consent at any time with effect for the future.
You can contact us at contact@securevibe.de to exercise your rights.
13. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority.
14. Automated decision-making
When merely visiting this website, no exclusively automated decision-making within the meaning of Art. 22 GDPR takes place.
Part B: Web App / Product
1. Scope
These notices apply to the use of the web app and the nordnung AI product.
nordnung AI is intended exclusively for companies and their authorized employees and other authorized users.
2. Data protection roles
We process data in connection with nordnung AI in different data protection roles.
2.1 Processing under our own responsibility
In particular, we act as an independent controller where we process personal data for the following purposes:
contract initiation and contract administration
user and tenant management
billing
operation of the web app
IT security
misuse detection
error analysis
incident handling
legal documentation and evidence
product-related communication
Legal bases include Art. 6(1)(b), (c), and (f) GDPR.
2.2 Processing on behalf of the customer
Where we process content that our customers or their authorized users upload to nordnung AI or have processed via nordnung AI, we generally act as processor on behalf of the respective customer.
This includes, in particular:
tickets
chat content
telephony transcripts
image uploads
workflow parameters
workflow results
system and asset contexts
knowledge base content
RAG-related search data
customer-specific agent logs
In these cases, the respective customer determines the data protection purposes and means of processing.
3. User accounts, authentication, and tenant separation
For use of the web app, we process data required for authentication, authorization, tenant separation, and security.
This includes in particular:
user identifier
name
business contact data
roles and permissions
tenant assignment
login timestamps
IP address
device and browser information
security logs
session data
Permissions are assigned based on roles and tenants. Administrative access is logged. Enhanced safeguards are in place for highly privileged access.
Processing is based on Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
4. Tickets, chat, and phone agent
nordnung AI may process tickets, chats, and telephone interactions to handle support cases.
The phone agent is used to communicate with callers, structure problem intake, and coordinate further agents or workflows. The phone agent itself does not perform system changes.
Under our current operating model, no audio is stored for real support calls. However, calls may be transcribed.
In particular, we process:
name
company affiliation
business contact data
ticket content
chat content
call metadata
call content
transcripts
technical context data
communication history
Where this data concerns customer-specific content, processing is carried out on behalf of the respective customer.
5. Vision agent and image uploads
The vision agent can process images uploaded by users to better diagnose technical incidents or device problems.
In particular, we process:
uploaded images
device-related metadata
associated case or ticket information
derived technical guidance
The system is designed for use on corporate devices and in corporate processes. Special categories of personal data are not intended to be processed. However, complete technical prevention of inadmissible content is not possible in every case. If our systems detect indications of passwords or other critical content, a security flag or warning may be set.
Please upload only images required for technical processing.
6. Workflows, assets, applications, and agents
nordnung AI can execute or prepare workflows across multiple assets and applications. This includes in particular the Endpoint Agent, VM Agent, critical systems agent, and cloud agent.
Depending on configuration and approval level, the following data may be processed in particular:
user and account information
system states
device and asset information
application and connection data
workflow parameters
approval information
execution logs
result data
audit information
Processing is carried out for support automation, incident handling, technical administration, documentation, traceability, and governance.
Actions with relevant impact on persons or systems are rule-based and under human control. Under our current operating model, such measures must be approved or initiated by authorized personnel. Fully autonomous decision-making with legal or similarly significant effects on natural persons is not intended.
7. Approval levels
Depending on customer settings, the following approval levels can be used for the Endpoint Agent in particular:
Stage 1: each action requires approval
Stage 2: initial approval, then autonomous execution in user context
Stage 3: initial approval, then autonomous execution of defined administrative actions on the client
The selected approval level is determined by the respective customer. The customer is responsible for choosing a configuration appropriate to the respective risk profile and ensuring that only duly authorized employees grant approvals.
8. Credentials and secrets
Credentials are managed as separate entities and independently of direct user interaction. Under our current operating model, credentials are managed via HashiCorp Vault and stored encrypted.
The following applies in particular:
Credentials are assigned only to approved assets or applications.
Credentials are injected only into assets approved for that purpose.
The LLM does not receive credentials in plaintext.
If passwords or secrets are detected in chats or screenshots, a security warning may be issued.
The following data is processed in particular:
credential metadata
assignments to assets or applications
technical injection events
approval information
access audits
9. Knowledge base and RAG
Support cases can be documented in a tenant-separated knowledge base. Previous entries can be used through search- and retrieval-supported methods to handle current incidents faster.
In particular, we process:
case descriptions
solution paths
processing steps
entry versions
search queries
hit information
relevance data
Knowledge base and RAG are operated in a tenant-separated manner.
10. AI models (Microsoft Azure and AWS)
To provide selected AI functions, certain inputs and contexts may be transmitted to the AI components used.
This may include in particular:
ticket and chat content
image content
technical context data
workflow contexts and status information
Under our current operating model, AI processing takes place exclusively within the EU. Voice and voice-related functions are processed via Microsoft Azure (OpenAI models); for individual agent functions, models are used via Amazon Web Services (AWS) in an EU region. We transmit only the data required for the respective function. Customer content is not used to train the models.
11. Recipients
Recipients of personal data may include, in particular:
internal departments of SecureVibe IT Solutions GmbH
customers as controllers within their own processes
Microsoft Azure within the EU, where AI voice features are used
Amazon Web Services (AWS) within the EU, where AI agent features are used
easybell GmbH as SIP/telephony provider, where telephony features are used
12. Third-country transfers
Our goal is processing within Germany or the EU.
If, in individual cases, a third-country connection cannot be excluded, such processing takes place only in compliance with Art. 44 et seq. GDPR and on the basis of appropriate safeguards.
13. Storage period
Unless otherwise agreed with the respective customer, the following standard retention periods generally apply for the web app:
user and contract data: for the duration of the contractual relationship and thereafter only within statutory retention obligations
security logs: 30 days
audit, approval, and workflow logs: 12 months
tickets, chat content, and transcripts: 180 days after case closure
image uploads: 30 days after closure of the associated case
knowledge base entries and versions: until deleted by the customer or until 30 days after contract end
credential metadata and access audits: for the duration of assignment and for 12 months thereafter
backups: 30 days
Upon legitimate deletion request, production data is deleted or anonymized without undue delay in the live system. Data contained in backups is overwritten within regular backup cycles.
14. Obligation to provide data
Providing certain data is required for use of nordnung AI. Without user, communication, ticket, or system data, certain functions cannot be provided or cannot be provided in full.
15. Data subject rights
Where we process personal data under our own responsibility, data subjects have the statutory rights of access, rectification, erasure, restriction of processing, data portability, and objection.
Where we process data exclusively on behalf of a customer, we forward corresponding requests to the respective customer or support the customer in handling them.
Data protection inquiries can be sent to contact@securevibe.de.
16. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority.
17. Automated decision-making
Under the current operating model of nordnung AI, exclusively automated decision-making within the meaning of Art. 22 GDPR with legal effect or similarly significant effect is not intended.