Can you trust your project management software's data privacy?

Estimated reading time: 5 minutes

Sharing confidential information about customers, processes, employees, suppliers etc. - does that feel right to you?

When working and collaborating online, be it in an online calendar, a flow planner or project management software, your data is potentially exposed to the software provider and its data privacy practices. Be wise and include the following criteria in your decision-making process when choosing software, so you avoid data breaches.

Data privacy criteria for project management software

We would like to help you pay special attention to data privacy when choosing a project management system:

Evaluate on-premises versus cloud

On-premises software is an in-house hosted solution where the private data centers are run and maintained by the organization itself, behind its own firewall. Hence, all data remains with the organization and not with the software vendor. That gives you complete control, and you can decide how to use the software. If you have the staff and the technical know-how, the self-hosted version should be your preferred option for data privacy. Read here about the advantages and prerequisites of an on-premises solution.

With a cloud solution, you give the service provider access to your data. And that is why you need to check thoroughly how the provider is handling and processing your data.

Get to know data regulations in different countries and regions

Get familiar with the data regulations of the software provider’s country of origin. The majority of software providers and sub-processors are based either in the EU or in the US. Regarding the legal basis for data processing, familiarize yourself with European versus US data regulations to know which legislation you want your provider to adhere to.

Overall, in Europe, data has long been about fundamental human rights to privacy and protection whereas the US doesn’t apply the same ‘citizen first’ approach to data handling and protection. The EU introduced GDPR as an overarching legislation to make data privacy a clear priority. The US is still trying to find a top-down solution for all federal states.

Read more details here about the difference between the US and EU data privacy approach.

Check transparency about data handling

It is not the most exciting task but by reading through the data privacy statement as well as data processing agreement of the software provider, you will learn a lot about its approach to data privacy.

Go through the following questions and find answers in the data privacy statement and data processing agreement that fulfil your expectations. You would want to find transparency, purposeful data processing, a right to withdraw, a thought-through internal process defining who has access to customer data, etc.

  • On which platforms is the software provider collecting data from you? Besides the software application itself, it could be the website, social media, newsletter etc.
  • What is the legal basis for processing this data?
  • What is the purpose and scope of the data processing?
  • What is your right of withdrawal and right to object?
  • What is the duration of data storage?
  • Who is responsible for controlling and auditing the data processing?
  • What technical and organizational measures are put in place? How is the internal organization set up to meet the special requirements of data protection?
  • How are data breaches handled?
  • Software security: no software is perfect and error-free. Check how the provider is handling security gaps. Open source software has the advantage that the code is available and can be reviewed by the community to identify and fix potential security gaps quickly.

Research sub-processors

When checking the data processing agreement, pay especially careful attention to the sub-processors used by the software provider. Check where they are based, as the applicable legislation determines how they process data. For example, a European service provider should also only have European sub-processors to guarantee that EU legislation (GDPR) applies. Also note that sub-processors, in turn, can entrust your data to other sub-processors, so you would need to check these contractors as well.

Assess security features

Lastly, you should also investigate what the software provider offers you in terms of additional security features. Two-factor authentication, for example, serves to prevent anyone from accessing or using your account, even if they know your password. This method adds an additional level of security to your project organization. With LDAP sync, a worker checks users against the organization’s LDAP. This ensures that the user is still present in LDAP. So if a user is locked or deleted in LDAP, they are automatically locked in OpenProject. This means the user will no longer be able to log in to OpenProject. With group synchronization, the process runs every hour to automatically update group memberships based on the members of the LDAP group. Also find out how often and how the provider backs up the data, to make sure you do not lose data.
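The LDAP user and group sync described above, as an added example in plain Ruby (not OpenProject's own code): the directory entries, groups and application users are constructed in-memory stand-ins for an LDAP server and the application database.

```ruby
# Added example, not OpenProject's own code: a simplified LDAP sync worker.
# A user who is locked or missing in LDAP is locked in the application, and
# group memberships are reconciled from LDAP groups. LDAP_USERS, LDAP_GROUPS
# and seed_users are constructed stand-ins for a directory and a user database.

User = Struct.new(:login, :status, :groups)

# Constructed LDAP directory: login => { locked: bool }
LDAP_USERS = {
  "alice" => { locked: false },
  "bob"   => { locked: true },   # disabled in LDAP
  # "carol" has been deleted from LDAP entirely
}

# Constructed LDAP groups: group name => member logins
LDAP_GROUPS = {
  "developers" => %w[alice bob],
  "auditors"   => %w[alice],
}

# Application users as they looked before the sync run
def seed_users
  [
    User.new("alice", :active, ["developers"]),
    User.new("bob",   :active, ["developers"]),
    User.new("carol", :active, ["auditors"]),
  ]
end

# Lock every application user whose LDAP entry is missing or locked.
# Returns the logins locked by this run; a locked user can no longer log in.
def sync_users!(users, ldap_users = LDAP_USERS)
  users.each_with_object([]) do |user, locked|
    entry = ldap_users[user.login]
    next unless entry.nil? || entry[:locked]   # still present and active
    next if user.status == :locked             # already locked earlier
    user.status = :locked
    locked << user.login
  end
end

# Replace each user's group memberships with the LDAP view (the hourly job).
def sync_groups!(users, ldap_groups = LDAP_GROUPS)
  users.each do |user|
    user.groups = ldap_groups.select { |_, members| members.include?(user.login) }.keys
  end
end
```

Running `sync_users!` a second time returns an empty list, which is what makes the periodic worker safe to repeat.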

Regular updates from the software provider also serve as additional security. A new release can also deliver security patches that make the software more secure.

OpenProject’s commitment to data privacy

According to OpenProject’s founder and CEO Niels Lindenthal, “Data protection and information security are of central importance in our company and are one of the main motives for the development of this open source software. We are very proud of the results so far, but we still need to reduce our “data privacy debt”. We intend to invest a lot of energy and time into this. Our goal is to bring OpenProject to perfection as a lighthouse project for “Data privacy made in Europe”. We have tried to make this policy as clear and simple as possible. We want you to understand everything. You should not have to struggle through many pages of incomprehensible legal text. We would therefore be very happy to receive your feedback and perhaps even exchange ideas on the topic of data privacy and security. In this sense, this privacy policy is also consistently subject to an open source license.”

OpenProject’s systems and processes are designed around your privacy and the principle of data minimization. OpenProject GmbH meets all requirements of the EU General Data Protection Regulation. You can find all details here.