Blog

Read our news, ideas & product updates here.

Can you trust your project management software's data privacy?

Sharing confidential information about customers, processes, employees, suppliers etc. - does that feel right to you?

When working and collaborating online, be it an online calendar, a flow planner or a project management software, your data is potentially exposed to the software provider and its data privacy regulations. Be wise and include these criteria in the decision-making process for a software to avoid data breaches.

Data privacy criteria for project management software

We would like to support you to pay special attention or focus on data privacy when choosing a project management system:

Evaluate on-premises versus cloud

On-premises software is an in-house hosted solution where the private data centers are run and maintained by the organization itself, behind its own firewall. Hence, all data remain with the organization and not with the software vendor. That gives you complete control and you can decide how to use the software. If you have the manpower and technical know-how, the on-premises version would be your preferred option regarding data privacy. Read here about advantages and prerequisites of an on-premises solution.

With a cloud solution, you give the service provider access to your data. And that is why you need to check thoroughly how the provider is handling and processing your data.

Get to know data regulations in different countries and regions

Get familiar with the data regulations of the software provider’s origin.  Majority of the software providers and sub-processors are based either in the EU or in the US. Regarding the legal basis for data processing, get yourself familiar with European versus US data regulations to know which legislation you want your provider to adhere to.

Overall, in Europe, data has long been about fundamental human rights to privacy and protection whereas the US doesn’t apply the same ‘citizen first’ approach to data handling and protection. The EU introduced GDPR as an overarching legislation to make data privacy a clear priority. The US is still trying to find a top-down solution for all federal states.

Read more details here about the difference between the US and EU data privacy approach.

Check transparency about data handling

It is not the most exciting task but by reading through the data privacy statement as well as data processing agreement of the software provider, you will learn a lot about its approach to data privacy.

Go through the following questions and find answers from the data privacy statement and data processing agreement that fulfil your expectations. You would want to find transparency, purposeful data processing, a right to withdraw, a thought-through internal process who has access to customer data etc.

  • On which platforms is the software provider collecting data from you? Besides the software application itself, it could be the website, social media, newsletter etc.
  • What is the legal basis for processing this data?
  • What is the purpose and scope of the data processing?
  • What is your right of withdrawal and right to object?
  • What is the duration of data storage?
  • Who is responsible for controlling and auditing the data processing?
  • What technical and organizational measures are put in place? How is the internal organization organized to meet the special requirements of data protection?
  • How are data breaches handled?
  • Software security: no software is perfect and error-free. Check how the Provider is handling security gaps. Open source software has the advantage that the code is available and can be reviewed by the community to identify and fix potential security gaps quickly.

Research sub-processors

When checking the data processing agreement, check especially and carefully the sub-processors used by the software provider. Check where they are based as the legislation determines their way of processing data. For example a European service provider should also only have European sub-processors to guarantee the application of EU legislation (GDPR). Also note that sub-processors, in turn, can entrust your data to other sub-processors. So you would need to check these contractors as well.

Assess security features

Lastly, you should also investigate what the software provider offers you in terms of additional security features. Two-factor-authentication for example serves to prevent anyone from accessing or using your account, even if they know your password. This method adds an additional level of security to your project organization. With LDAP sync a worker checks  users against the organization’s LDAP. This ensures that the user is still present in LDAP. So if a user is locked or deleted in LDAP the user gets automatically locked in OpenProject. This means that the user will not be able to login to OpenProject anymore. With a group sync, the process will run every hour to automatically update group memberships based on LDAP group members. Find also out, how often and how the provider performs a back up of the data to make sure you do not lose data.

What also serves as additional security, is if the software provider offers regular updates. With a new release, also security patches can be delivered and make the software more secure.

OpenProject’s commitment to data privacy

According to OpenProject’s founder and CEO Niels Lindenthal “Data protection and information security are of central importance in our company and are one of the main motives for the development of this open source software. We are very proud of the results so far, but we still need to reduce our “data privacy debt”. We intend to invest a lot of energy and time into this. Our goal is to bring OpenProject to perfection as a lighthouse project for “Data privacy made in Europe”. We have gone to great lengths to make this policy as clear and simple as possible. We want you to understand everything. You should not have to struggle through many pages of incomprehensible legal text. We would therefore be very pleased to receive your feedback and perhaps even an exchange of ideas on the topic of data privacy and security. In this sense, this privacy policy is also consistently subject to an open source license.”

OpenProject’s systems and processes are designed around your privacy and the principle of data minimization. OpenProject GmbH meets all requirements of the EU General Data Protection Regulation. You find all details here.