Data protection in the iSolve.IT product
Information on the processing of personal data when the iSolve.IT software is used by our customers. As of: July 2026.
Scope. This statement describes the data processing in the iSolve.IT product when it is used at a customer. For processing when visiting our marketing website i-solve.it, see the website privacy policy.
Note: This text is a generic template and does not replace individual legal advice. Specific contractual arrangements arise from the license agreement, the Terms and Conditions and the data processing agreement (DPA) concluded with the customer.
1. Our role under the GDPR
When iSolve.IT is used, we process personal data predominantly on behalf of our customers. Under data protection law, the customer ("customer" or "controller" within the meaning of Art. 4 No. 7 GDPR) is responsible for the content processed in the product. We, Albrecht Services GmbH, Ochsenmattstr. 10, 79618 Rheinfelden, are in this constellation the processor pursuant to Art. 28 GDPR.
The specific obligations, instructions, sub-processor arrangements, and technical and organizational measures are governed by the data processing agreement (DPA), which takes effect immediately upon the license agreement becoming effective.
2. Who is affected
- The customer's employees who use iSolve.IT as end users via web chat or messenger.
- The customer's administrators who configure the product and grant approvals.
- Other individuals whose data is processed as part of the content (e.g., individuals named in actions or tickets).
Rights of access, rectification, erasure, and objection of these data subjects are primarily to be directed to the customer (controller). We support the customer in fulfilling these obligations pursuant to Art. 28 (3) (e) and (f) GDPR.
3. Which categories of data we process on behalf
- Identification and contact data: names, business email addresses, messenger IDs of the end users.
- Communication content: questions, answers, and attachments from chats on the web or in the messenger, including automatic summaries.
- Ticket content: title, description, to-do lists, comments, ratings, responsibility, due date, history.
- Knowledge content: manually maintained articles as well as article drafts automatically generated from resolved cases (before and after anonymization).
- System profile data: the technical setup maintained by the customer (OS, Office versions, mail and auth system, domain, printers, notes). Not personal, but context-shaping.
- Action and approval data: requests for standard changes, approval decisions, status, involved individuals.
- AI call metadata: per AI call, the model used, tokens consumed, phase, cost – without duplicating the question content itself.
- Audit log: complete logging of relevant admin actions (who, what, when), including login events.
- Technical logs: server, application, and connection logs to ensure secure operation.
4. Purposes of processing
- Answering employee inquiries in IT and office support.
- Preparing and executing standard changes in the IT systems connected by the customer (e.g., Microsoft 365, Google Workspace, Active Directory, Linux, Synology, Adobe, Jira, Jamf Pro, Slack).
- Building and maintaining a company-specific knowledge base (incl. anonymization).
- Managing tickets, handovers to internal IT, escalations, and ratings.
- Monitoring the business applications configured by the customer and the Microsoft 365 service health.
- Reporting, AI cost transparency, and audit log as a compliance basis for the customer.
5. Storage location and operating model
iSolve.IT is offered in two operating models:
- Cloud operation by us: The application runs in German data centers of our hosting partner uvensys GmbH.
- Self-hosting by the customer: The application runs as a Docker container on infrastructure operated by the customer. In this case, we have no ongoing access to the data stored in the tenant, unless explicit access is granted as part of contractually agreed support services.
In both models, a dedicated single-tenant instance runs per customer – there is no mixing of data between customers.
6. Sub-processors
We use the following sub-processors within the meaning of Art. 28 (4) GDPR. A current overview is available in the admin area of the tenant; in the DPA, the customer commits to approving the sub-processors listed here.
6.1 Google Cloud / Vertex AI (AI processing)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Model: Google Gemini, obtained via Google Cloud Vertex AI.
Processing region: European Union (Vertex AI EU region).
Subject matter: Processing of employee inquiries, generation of answers and action proposals, classification, generation of knowledge article drafts.
Model training: Under the Google Cloud terms, Google does not use the customer data processed via Vertex AI to train its own AI models.
Contract: Google Cloud Data Processing Addendum (Art. 28 GDPR).
Data protection / Data Governance: cloud.google.com/vertex-ai/generative-ai/docs/data-governance
6.2 uvensys GmbH (hosting, only for cloud operation)
Provider: uvensys GmbH.
Processing region: Germany.
Subject matter: Provision of the server infrastructure (compute, storage, network) for the cloud operation of iSolve.IT.
Contract: Data processing agreement pursuant to Art. 28 GDPR.
With self-hosting by the customer, this sub-processor is entirely omitted; the customer provides the infrastructure themselves.
6.3 Providers connected by the customer are not our sub-processors
When iSolve.IT executes actions in Microsoft 365, Google Workspace, Exchange Online, Active Directory, Linux, Synology, the Adobe Admin Console, Jira, Jamf Pro, Slack, Zulip, or other systems connected by the customer, this is done with the credentials and in the name of the customer. These providers are processors or contractual partners of the customer, not of us. The customer is responsible for the contractual and data protection bases there.
7. Transfer to third countries
In the standard setup of iSolve.IT, no transfer of personal data to third countries outside the EU/EEA takes place:
- Vertex AI is obtained in an EU region; the request content does not leave the EU.
- Hosting (cloud operation) takes place in Germany at uvensys GmbH.
- With self-hosting, the customer determines the storage location themselves.
If the customer configures provider connections in the admin area (e.g., Microsoft 365, Google Workspace), any third-country transfer within the scope of these providers is the responsibility of the customer.
8. Encryption and security
- Transport encryption: All connections to the application, between the application and the database, and to providers are TLS-encrypted.
- Credential storage: All credentials stored in the tenant (Microsoft 365, Google Workspace, Exchange, Adobe, Active Directory, Linux, Synology, Jira, Jamf Pro, Slack, SSH proxy, messenger) are stored encrypted in the database, never in plain text.
- Secure local access: For company-internal systems (Active Directory, Linux, NAS, internal web services) there is an integrated encrypted SSH proxy via a jump host with host key verification.
- Passwordless login: One-time code to the company email; optional domain allowlist. Web chat always requires login (no anonymous inquiries).
- Governance for actions: Four-eyes principle, M-of-N multi-approval, owner direct path, strict mode, allowlist mode. Security-critical actions (MFA reset, device wipe, password actions) are in strict mode by default.
- Audit log: Complete log of relevant admin actions.
9. Anonymization of AI-generated knowledge articles
When an employee marks a conversation as resolved or an admin closes a ticket, the AI creates an article draft for the knowledge base. Before the draft is stored, the following attributes are automatically removed or replaced:
- Names of individuals
- Email addresses
- IP addresses
- Identifying timestamps
Publishing a draft requires approval by an administrator (solution review). Duplicates are detected automatically.
10. Anonymization upon account deletion
When a user account is deleted, the conversation and ticket content of the affected user is anonymized so that reporting (metrics, resolution rate, AI costs) is retained, but there is no longer any personal reference to the affected individual.
11. Retention periods
- Conversations and tickets: until manual deletion by the user or the admin function, or until anonymization as part of an account deletion.
- AI call metadata: configurable by the controller in the admin area (e.g., only the last 90 days).
- Audit log: generally for the period defined by the controller, taking into account statutory retention obligations.
- Knowledge articles: until explicit deletion by an administrator.
- Technical logs: regularly rotated after a maximum of 30 days, unless a specific incident requires longer storage in an individual case.
12. Rights of the data subjects
Data subjects have the rights under Art. 15 et seq. GDPR (access, rectification, erasure, restriction, data portability, objection, and complaint to a supervisory authority).
The exercise of these rights is to be asserted primarily against the controller (the customer / employer of the data subject). We support the controller in fulfilling these rights in accordance with the obligations under Art. 28 (3) (e) and (f) GDPR.
13. Data processing agreement (DPA)
The complete data processing agreement, including technical and organizational measures (TOM), is part of the license agreement. The points summarized here are for information purposes and do not replace the DPA.
14. Contact
For data protection-related inquiries, please contact: info@i-solve.it.
15. Changes to this information
We reserve the right to adapt this information in order to align it with current legal requirements and with changes to our services. For existing customers, the individually agreed DPA takes precedence; changes affecting sub-processors are communicated in accordance with the notification and objection rights agreed therein.