Userflix Trust Center
Actively monitoredUserflix is an AI-moderated customer research platform that runs and analyzes user interviews with virtual researchers. Production runs in Germany and all personal data is processed in the EU/EEA. Security is built into product and operations — from tenant isolation and AI-specific safeguards to the documentation enterprise procurement teams expect.
Documents
Policies and reports. Public documents are available directly; restricted documents are shared on request.
Privacy policy
How we collect, use, and protect personal data.
Customer terms of service
The B2B terms that govern the use of Userflix.
Sub-processor list
All third parties that process customer data on our behalf, incl. transfer safeguards.
Imprint
Legal information about the operator of Userflix.
Data processing agreement (DPA / AVV)
Art. 28 GDPR agreement in German and English, covering all subprocessors, incl. SCCs.
Security whitepaper
Architecture, encryption, tenant separation, logging, and incident handling — the questionnaire-ready summary.
Technical and organizational measures (TOMs)
Art. 32 GDPR measures document, reviewed semi-annually.
Penetration test report
Management summary of the latest external pentest incl. LLM red-teaming: date, scope, findings, remediation status.
Deletion concept
Retention periods per data type; full tenant deletion incl. backups within 30 days of contract end.
Incident & vulnerability management
Response plan, severity levels, patch SLAs, and notification windows (≤ 72h).
Subprocessors
Third parties that process customer data on our behalf. This list corresponds to Annex 2 of our DPA; customers are notified of changes 30 days in advance with a right of objection.
Hetzner
Hetzner Online GmbH, Gunzenhausen, Germany
Germany (EU/EEA)
Hosting and server infrastructure; storage of text transcripts and application data
Transfer safeguard: No third-country transfer — processing exclusively within the EU/EEA
Google Ireland Limited, Dublin, Ireland (Gemini models via Google Cloud / Vertex AI)
EU region (e.g. europe-west)
Voice-to-voice dialogue (speech understanding and synthetic voice output), image processing (vision); AI moderation
Transfer safeguard: EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses (Google Cloud CDPA)
Microsoft Azure
Microsoft Ireland Operations Limited, Dublin, Ireland
EU region (EU data residency)
AI model services (Azure OpenAI Service with OpenAI models, and Anthropic models via Azure) — processing and analysis of text transcripts, dialogue and moderation logic
Transfer safeguard: EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses (Microsoft DPA)
PostHog
PostHog, Inc., Delaware, USA (EU Cloud: AWS eu-central-1, Frankfurt)
EU (Frankfurt) — PostHog Cloud EU
Product and usage analytics
Transfer safeguard: EU-U.S. Data Privacy Framework and EU Standard Contractual Clauses; in practice no regular transfer on the EU Cloud offering