Service Description
Scope of services, modules and editions of the Aldric platform
Version 1.0 — As of: March 2026
Note: This is a convenience translation. In the event of any discrepancy, the German version shall prevail.
This Service Description is an integral part of the General Terms and Conditions (GTC § 2) between CONPORT Services GmbH, Alte Benninghofer Str. 24, 44263 Dortmund, Germany (hereinafter "Provider") and the Customer and describes the scope of services of the SaaS platform "Aldric".
§ 1 Platform Overview
Aldric is a modular SaaS platform for compliance management. It enables organizations to address regulatory requirements such as GDPR, ISO 27001, Supply Chain Due Diligence Act, NIS2 and TISAX within an integrated solution. Each module can be used independently and combined with other modules as needed.
The platform is provided as a web-based service (Software-as-a-Service) via the internet. All data processing takes place exclusively on servers within the European Union.
1.1 Core Platform Features
The following base features are available to all customers regardless of booked modules:
- Identity and Access Control: User registration, login, optional multi-factor authentication, SSO/OIDC integration, role-based access control (RBAC) at module, function and record level.
- Tenant Management: Organizational structure with departments, teams and locations. A user can be assigned to multiple tenants.
- Tasks and Workflows: Task management with status, deadlines, priorities and assignees. RACI roles, escalations and approval workflows.
- PDF Generator: Server-side PDF generation with tenant branding, table of contents and consolidated reports.
- Audit Log: Complete change logs at record and field level. Append-only storage, exportable for audits.
- File Management: Document attachments per record with versioning and template management.
- Notifications: Email and in-app notifications with individual filter settings and digest emails.
- Multilingual Support: User interface and questionnaires available in multiple languages (German, English).
§ 2 Editions
Aldric is offered in two editions that differ in scope and intended use:
2.1 Company Edition
The Company Edition is designed for organizations that use Aldric for their own organization. The tenant corresponds to the organization itself.
- All modules available (individually bookable)
- Seat-based billing
- SSO/OIDC integration
- Role-based access control
- API access
- Standard support
2.2 Provider Edition
The Provider Edition is designed for consulting firms, service providers and resellers who provide Aldric to multiple tenants (clients).
The Provider Edition includes all features of the Company Edition plus:
- Multi-Tenant Management: Management of multiple client tenants via a central dashboard.
- White-Label Options: Custom branding with logo, colors and domain for each tenant.
- Cross-Tenant Dashboard: Consolidated overview across all managed tenants.
- Reseller and Partner Model: Sub-tenant onboarding, separate billing per tenant, commission model.
- Consultant Portal: Time-limited tenant access via invitation, dedicated consultant seats.
2.3 Edition Comparison
| Feature | Company | Provider |
|---|---|---|
| All specialist modules | Yes | Yes |
| Seat-based billing | Yes | Yes |
| SSO / OIDC | Yes | Yes |
| RBAC | Yes | Yes |
| API access | Yes | Yes |
| Multi-tenant management | — | Yes |
| White-label | — | Yes |
| Cross-tenant dashboard | — | Yes |
| Reseller / Partner model | — | Yes |
| Consultant portal | — | Yes |
§ 3 Modules
Aldric offers specialist modules in five categories. Each module can be used independently and booked individually or as part of a package. Modules integrate seamlessly via the shared platform.
3.1 Data Protection
| Module | Description |
|---|---|
| Data Protection Impact Assessment (DPIA) | Wizard-guided assessment according to Art. 35 GDPR with risk scoring, measure catalog and PDF report. |
| Art. 30 Records of Processing | Recording and management of processing activities according to Art. 30 GDPR with purposes, legal bases, recipients and TOM linking. |
| DSAR / Data Subject Rights | Processing of data subject requests with identity verification, deadline management, communication and completion report. |
| Deletion Concepts and Retention | Definition of deletion deadlines and retention rules per data type with automatic triggers and PDF export. |
| Data Processing Agreements and SCC | Management of DPAs, TOM annexes, Transfer Impact Assessments and Standard Contractual Clauses. |
| Consent Management | Management and documentation of consents, withdrawal management and evidence retention. |
| Data Protection Dashboard | Central overview of data protection status with KPIs, deadlines and action items. |
3.2 Information Security and Governance
| Module | Description |
|---|---|
| ISMS / ISO 27001 Controls | Statement of Applicability, control evaluation, internal audits and measure tracking according to ISO 27001. |
| TOM Management | Catalog of technical and organizational measures with effectiveness reviews and linking to DPIA, Art. 30 and contracts. |
| Business Continuity Management | Planning and testing of business continuity, emergency processes and recovery plans. |
| Incident and Breach Management | Reporting, timeline and root cause analysis of security incidents with reporting obligation check and authority report. |
| Risk Management | Systematic risk identification, assessment and treatment with risk matrix and measure tracking. |
| Policies and Training | Policy library, read confirmations, training records and quiz functionality. |
| Asset Management | Inventory of IT assets, data holdings and processing systems with linking to risks and measures. |
| Audit Management | Planning, execution and follow-up of internal and external audits with findings and measures. |
3.3 Supply Chain and Contract Management
| Module | Description |
|---|---|
| Supply Chain Risk and Due Diligence | Due diligence obligations along the supply chain with questionnaires, risk scores, classification and action plans. |
| Contract Database | Central contract management with deadlines, reminders, responsibilities and PDF export. Optional eSign integration. |
| Contract Partner Management | Master data management for contract partners, suppliers and service providers with compliance status and risk assessment. |
3.4 Operational Modules
| Module | Description |
|---|---|
| Whistleblower System | Anonymous reporting channel in compliance with whistleblower protection laws (HinSchG), with case management, communication and deadlines. |
| Document Management System (DMS) | Central document management with versioning, approval workflows and full-text search. |
| Task and Measure Tracking | Cross-module task management with deadlines, assignees and escalation rules. |
| Report Builder | Configurable report generator for cross-module evaluations and ad-hoc exports. |
| Form and Wizard Framework | Dynamic questionnaires with validation, conditional logic and template library. |
| Notification Center | Configurable notification rules, digest emails and escalation chains. |
3.5 Platform Core (included in all editions)
| Feature | Description |
|---|---|
| User Management and RBAC | Registration, login, MFA, role and permission management at module, function and record level. |
| Tenant Management | Organizational structure with departments, teams and locations. Multi-tenant assignment. |
| SSO / OIDC / SAML | Single Sign-On via common identity providers. SCIM provisioning optional. |
| License Management | License objects per tenant and module with plan, seats, duration and feature flags. |
| Audit Log | Complete change logs, signed events (optional), append-only storage. |
| PDF Generator | Server-side PDF generation with branding, table of contents and consolidated reports. |
| File Management | Document attachments with versioning and template management. |
| API Interface | RESTful API for integration with third-party systems. Rate limiting and API keys. |
§ 4 Seats and Billing Model
4.1 Seat Types
| Seat Type | Description |
|---|---|
| Full Access (Full Seat) | Unrestricted access to all booked modules. Edit, create and export capabilities. |
| Read Access (Read-Only Seat) | View access to data and reports without editing rights. For stakeholders, auditors and management. |
| Consultant Seat | Time-limited access to authorized tenants for external consultants (Provider Edition only). |
4.2 Billing Model
- Billing: Monthly or annually in advance (annual billing with discount).
- Basis: Number of booked seats and modules.
- Payment methods: Credit card, SEPA direct debit or bank transfer (from Enterprise tier).
- Payment processing: Via Stripe Inc. (certified PCI-DSS Level 1 payment provider).
- Invoicing: Automated invoicing via email in PDF format.
4.3 Contract Term
- Minimum term: 12 months.
- Notice period: 3 months before the end of the contract term.
- Automatic renewal: By 12 months each, unless terminated in due time.
- Free trial: 14-day free trial with full functionality.
§ 5 Storage and Limits
5.1 Storage Quotas
| Resource | Included Quota | Additional Quota |
|---|---|---|
| File storage | 10 GB per tenant | Available as paid add-on |
| Max. file size (upload) | 100 MB per file | — |
| API requests | 1,000 requests/minute | Higher limits on request |
| PDF generation | 500 PDFs/day per tenant | Higher limits on request |
| Email notifications | 10,000/month per tenant | Higher limits on request |
5.2 Fair Use Policy
Platform usage is subject to a Fair Use Policy. The Provider reserves the right to contact the Customer in cases of systematic quota exceedance and jointly agree on a solution (e.g., upgrade to a higher quota).
Automated mass requests that impact platform stability may be temporarily throttled.
§ 6 Services Not Included (Add-Ons)
The following services are not included in the standard scope and can be commissioned separately:
| Add-On | Description |
|---|---|
| Dedicated Instance | Own, isolated platform instance with dedicated resources. |
| Custom Domain | Use of a custom domain for platform access. |
| Extended Storage Quotas | Additional file storage beyond the included quota. |
| Premium Support | Extended support hours, dedicated contact person, shorter response times. |
| Custom Integrations | Customer-specific connections to third-party systems (ERP, HR, SIEM, etc.). |
| Data Migration | Assistance with migrating existing data from other systems. |
| Training | Individual onboarding training and workshops (remote or on-site). |
§ 7 Changes and Versioning
7.1 Right to Modify
The Provider continuously develops the platform. Changes to the scope of services are handled as follows:
- Enhancements: New features and modules are made available without separate notice and documented in the release notes.
- Material changes: Functional changes that affect existing workflows are announced at least 30 days in advance.
- Deprecations: Discontinuation of modules or material features is announced at least 6 months in advance.
7.2 Versioning
This Service Description is versioned. The current version of this Service Description is available on the Provider's website. Material changes are communicated to the Customer via email.
7.3 Extraordinary Termination Right
Material deterioration of the scope of services entitles the Customer to extraordinary termination in accordance with the provisions of the GTC.
§ 8 Technical Requirements
8.1 System Requirements
The following is required to use the platform:
- Browser: Current version of Chrome, Firefox, Safari or Edge.
- Internet connection: Stable broadband connection (recommended: min. 10 Mbit/s).
- Screen resolution: Minimum 1280 × 720 pixels (recommended: 1920 × 1080).
- JavaScript: Must be enabled in the browser.
- Cookies: Session cookies must be allowed.
8.2 Availability and SLA
Availability guarantees and response times are governed by the Service Level Agreement (SLA).
8.3 Data Backup
The Provider creates daily automated backups of all customer data. The retention period for backups is 30 days. Backups are encrypted and stored geo-redundantly within the EU.
§ 9 Final Provisions
This Service Description is an integral part of the GTC. In the event of any conflict between this Service Description and the GTC, the GTC shall prevail, unless this Service Description expressly provides otherwise with regard to the scope of services.
The final provisions of the GTC shall apply, in particular with regard to the applicable law (German law) and the place of jurisdiction (Dortmund).
As of: March 2026