1. Definitions
“Controller”, “Processor”, “Personal Data”, “Processing”, “Sub-processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in Article 4 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). Where Customer is subject to other data protection laws (for example, the California Consumer Privacy Act, as amended by the CPRA), the equivalent terms apply.
2. Roles of the parties
Customer is the Controller of Personal Data submitted to the Service. Simulix is the Processor, acting on Customer's documented instructions. Each party is responsible for compliance with its own obligations under applicable data protection law.
3. Scope and purpose of Processing
Simulix processes Personal Data only on Customer's documented instructions, which include: (a) the API calls Customer makes to /v1/* endpoints; (b) configuration set in Customer's organization (plan tier, rate limit tier, scoped API keys); and (c) any explicit written instructions Customer provides to support@simulix.com. If Simulix considers an instruction to violate applicable data protection law, Simulix will inform Customer without undue delay.
4. Categories of Data Subjects and Personal Data
The categories of Data Subjects and Personal Data processed by Simulix are described in our Privacy Policy § 1 (“Data we collect”).
Customer is responsible for the lawfulness of any Personal Data contained in simulation request payloads submitted to the Service. Customer determines whether such payloads contain Personal Data; Simulix processes whatever Customer submits via the API in accordance with this DPA.
5. Customer instructions
Customer may issue, modify, or withdraw instructions to Simulix at any time, in writing, via support@simulix.com. Where Simulix cannot comply with an instruction (whether for technical, legal, or contractual reasons), Simulix will notify Customer of the inability to comply and the reason for it.
6. Confidentiality of personnel
Simulix ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory. Confidentiality obligations survive termination of the relevant personnel's engagement with Simulix.
7. Security measures
Simulix implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Current measures include, without limitation:
- Encryption in transit. TLS 1.2 or higher on all customer-facing endpoints, terminated at Cloudflare with ongoing certificate renewal.
- Encryption at rest. Vendor-default encryption-at-rest configurations on Postgres (Neon) and Redis (Railway, co-located). API keys are stored as SHA-256 hashes; raw keys are shown to the operator exactly once at issuance and never retained.
- Access controls. Per-key authentication on all production API surfaces (Bearer key or session cookie), per-key rate limiting, Stripe-shaped idempotency enforcement on POST creation flows, and scoped vendor tokens for all infrastructure access.
- Secrets rotation. Documented rotation procedures for Stripe, Resend, Honeycomb, and other vendor credentials, executed on schedule and on suspected compromise.
- Continuous security review. Automated scanners (bandit, semgrep, pip-audit, pnpm audit) gate every pull request. A full manual security review is conducted quarterly. The most recent review summary is available on our security page.
- Telemetry without PII. Distributed-trace spans tag organization and user identifiers (UUIDs) but never raw email addresses, raw API keys, or raw session tokens.
8. Sub-processors
Simulix engages the sub-processors listed in our Privacy Policy § 3 (Subprocessors). Each sub-processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA.
Simulix will provide Customer at least thirty (30) days' prior notice of the addition or replacement of a sub-processor by updating the Privacy Policy sub-processor table. Customer may object to such a change within the notice period by emailing support@simulix.com; if the parties cannot resolve the objection in good faith, Customer's sole remedy is to terminate the affected portion of the Service.
9. Data Subject requests
Taking into account the nature of the Processing, Simulix assists Customer, by appropriate technical and organizational measures, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising rights under applicable data protection law (including access, rectification, erasure, restriction, portability, and objection).
Customer should route Data Subject requests through support@simulix.com. Simulix processes requests on a manual basis today; a self-serve dashboard surface for Data Subject Requests is on our post-launch roadmap.
10. Personal Data Breach notification
Simulix will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Notification will describe, to the extent then known: the nature of the breach; the categories and approximate number of Data Subjects affected; the categories and approximate number of Personal Data records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Initial notification may be incomplete; Simulix will supplement the notification as additional information becomes available.
11. Data Protection Impact Assessment cooperation
On Customer's reasonable request, Simulix provides cooperation with Customer's Data Protection Impact Assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to Simulix. Cooperation requests should be sent to support@simulix.com.
12. International data transfers
Personal Data may be transferred to the United States and to other jurisdictions where our sub-processors operate, as listed in the sub-processor table. Where transfers are subject to GDPR, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) as published in Commission Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference.
13. Audits
Customer may, at its own expense and on at least thirty (30) days' prior written notice, audit Simulix's compliance with this DPA. Audits are limited to no more than one per twelve-month period except where required by a supervisory authority or following a Personal Data Breach.
Simulix may satisfy audit requirements by providing reasonable documentary evidence of compliance, including security review summaries, sub-processor agreements, and certifications where available. Simulix does not currently hold SOC 2, ISO 27001, or similar third-party certifications. Customer may request ad-hoc evidence by contacting security@simulix.com.
14. Data return and deletion
On termination of the underlying subscription, Customer may export account-tier Personal Data through the dashboard or by request to support@simulix.com within thirty (30) days. After this thirty-day window, account-tier Personal Data is purged on an operational basis. Subscription-cancellation processing today downgrades the organization's plan tier to sandbox and revokes any live API keys; full automated purge of customer-supplied simulation payloads is on the post-launch roadmap.
Backups retained by sub-processors (notably Neon's point-in-time recovery window) follow the respective sub-processor's retention policy and roll off thereafter without further intervention from Simulix.
15. Term and termination
This DPA is coextensive with Customer's subscription to the Service. The data return and deletion obligations in § 14 survive termination for as long as is necessary to give them effect.
16. Governing law
This DPA is governed by the laws of the State of [Delaware, USA], matching the governing-law clause of the underlying Terms of Service. Where mandatory provisions of Customer's local data protection law apply, those provisions take precedence over the chosen governing law to the extent required.