Secure data, secure processes: for OpenProject, the protection of personal data is more than a legal requirement. We are strongly committed to data security and privacy, and this commitment is deeply integrated into our company's processes and mindset. As a company based in the European Union, data security and privacy have always been a major topic for us.
The General Data Protection Regulation (GDPR) is a European regulation that harmonizes the rules within the EU for how private companies and public organizations handle personal data. The GDPR also applies to companies outside the EU that process the data of EU residents. For OpenProject, GDPR compliance is a matter of course.
As a firm believer in open source, OpenProject has invested heavily in the freedom of its users. This encompasses the software freedoms granted by the GPLv3, under which OpenProject is licensed, and naturally extends to the rights and freedoms granted by the General Data Protection Regulation (GDPR). In the same transparent fashion in which we develop our software, we are committed to transparency regarding the protection of our users' data.
This document examines the aspects of data privacy in compliance with the GDPR, as well as overall data and user security mechanisms employed by OpenProject.
OpenProject thoroughly and continuously monitors developments and regulations regarding data security, privacy and compliance within the EU and around the globe. We take our responsibility very seriously when it comes to taking care of personal data, secure processes, secure infrastructure, and a secure application.
More eyes see more! Since OpenProject is open-source software, all of our code is freely available and is reviewed not only by our development team, QA and security experts, but also by the public.
The GDPR grants every data subject the right to access, modify, receive, and delete their own data. We detail some of these rights of the data subject in the following segments.
OpenProject customers with admin accounts on their instance act as data controllers for their team members and have elaborate means to perform these requests on behalf of the data subjects they are responsible for.
With OpenProject, data controllers have fine-grained user and rights management to perform these requests. Individual data subjects can forward any request concerning their information to the data controller responsible for them.
The following resources provide additional information:
OpenProject provides means to fully erase all identifiable information of a user from the application. If the user is still referenced by data within the instance, these references are replaced with an anonymous user to preserve the data integrity of the application.
OpenProject provides means for data controllers to receive all personal data connected to the OpenProject instance. This encompasses all user and system data (in the form of an SQL dump) as well as a collection of all uploaded files.
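The erasure described above hinges on one detail: the user row cannot simply be deleted while other tables still point at it, so every reference is first re-pointed at a placeholder account and only then is the identifying data removed. The following is an added illustration of that pattern against a small SQLite schema. It is not OpenProject's implementation; the table names (users, work_packages, journals), the column names, the placeholder account and the sample rows are all assumptions constructed for this example.

```python
"""Illustrative GDPR-erasure pattern that preserves referential integrity.

Rows that reference the user being erased are reassigned to a single
anonymous placeholder account inside one transaction, then the user row
(and with it login, e-mail and other identifying data) is deleted.
Constructed example; schema, names and sample data are assumptions.
"""
import sqlite3

ANONYMOUS_ID = 1  # assumed id of the placeholder account

SCHEMA = """
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    login TEXT NOT NULL,
    mail  TEXT,
    type  TEXT NOT NULL DEFAULT 'User'
);
CREATE TABLE work_packages (
    id        INTEGER PRIMARY KEY,
    subject   TEXT NOT NULL,
    author_id INTEGER NOT NULL REFERENCES users(id)
);
CREATE TABLE journals (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    notes   TEXT
);
"""

# Every (table, column) pair that references users.id. The names are only
# ever taken from this constant, which is why interpolating them is safe.
# In a real schema this list would come from the foreign-key metadata.
USER_REFERENCES = [("work_packages", "author_id"), ("journals", "user_id")]


def build_sample_db():
    """In-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # make SQLite enforce REFERENCES
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (id, login, mail, type) VALUES (?, ?, ?, ?)",
        [(ANONYMOUS_ID, "anonymous", None, "AnonymousUser"),
         (2, "alice", "alice@example.com", "User"),
         (3, "bob", "bob@example.com", "User")],
    )
    conn.executemany(
        "INSERT INTO work_packages (subject, author_id) VALUES (?, ?)",
        [("Write spec", 2), ("Review spec", 3), ("Ship release", 2)],
    )
    conn.executemany(
        "INSERT INTO journals (user_id, notes) VALUES (?, ?)",
        [(2, "Started work"), (2, "Done")],
    )
    conn.commit()
    return conn


def delete_user_without_anonymizing(conn, user_id):
    """The naive approach: deleting the user row while references remain.
    The foreign-key constraints reject it, so nothing is deleted."""
    try:
        with conn:
            conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def erase_user(conn, user_id):
    """Reassign every reference to `user_id` to the anonymous account, then
    delete the user row. One transaction: on any failure the database is
    left unchanged. Returns the number of rows re-pointed per table."""
    if user_id == ANONYMOUS_ID:
        raise ValueError("the anonymous placeholder account cannot be erased")
    reassigned = {}
    with conn:  # commits on success, rolls back on exception
        for table, column in USER_REFERENCES:
            cur = conn.execute(
                f"UPDATE {table} SET {column} = ? WHERE {column} = ?",
                (ANONYMOUS_ID, user_id),
            )
            reassigned[table] = cur.rowcount
        deleted = conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
        if deleted != 1:
            raise LookupError(f"no user with id {user_id}")
    return reassigned


def references_to(conn, user_id):
    """Rows in referencing tables that still point at `user_id`."""
    return sum(
        conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {column} = ?",
                     (user_id,)).fetchone()[0]
        for table, column in USER_REFERENCES
    )


def user_exists(conn, login):
    return conn.execute("SELECT COUNT(*) FROM users WHERE login = ?",
                        (login,)).fetchone()[0] == 1


if __name__ == "__main__":
    db = build_sample_db()
    print(delete_user_without_anonymizing(db, 2))  # False: constraints block it
    print(erase_user(db, 2))                       # {'work_packages': 2, 'journals': 2}
    print(references_to(db, 2), user_exists(db, "alice"))  # 0 False
```

The point to take from the example is the ordering and the single transaction: if a referencing table were missing from the list, the final DELETE would fail on the constraint and the whole erasure would roll back rather than leaving a half-anonymized record, and the work packages themselves survive with an anonymous author instead of being lost.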
OpenProject cloud environments are hosted on a logically isolated virtual cloud at Amazon Web Services, with all services located in Europe. AWS is a GDPR-compliant cloud infrastructure provider with extensive security and compliance programs and fine-grained access control mechanisms to protect data privacy. The facilities employed are compliant with the ISO 27001 and ISO 27018 standards.
The OpenProject cloud environment continuously backs up user data, and data at rest is fully encrypted with AES-256. Each individual instance is logically separated and its data is persisted in a unique database schema, reducing the risk of intersection or data leaks between instances.
Production infrastructure is accessible only to a strict set of authorized system operations personnel via a secure internal maintenance VPN. Services used by employees are secured with two-factor authentication where available. Customer data is accessed only when requested by the customer (e.g., as part of a support request or a data import/export request).
All OpenProject GmbH employees employ industry-standard data security measures to secure their devices and their access to cloud and on-premises infrastructure. All sensitive user data on laptops and workstations is encrypted, and machines are maintained to receive system updates.
OpenProject complies with the GDPR, and we handle our customers' data with care. As part of OpenProject's GDPR compliance, we offer our clients a Data Processing Agreement (DPA) which states OpenProject's GDPR obligations and reflects our data privacy and security commitments to our clients. The DPA can be signed directly in your OpenProject Cloud environment.
If you have any questions, please contact our Security team: firstname.lastname@example.org.