OpenProject GDPR compliance and an open commitment to data privacy, and security

Secure data – secure processes: the protection of personal data is for OpenProject more than just a legal requirement. We are highly committed to data security and privacy and have this conscience deeply integrated in our company’s processes and mindset. We are a company based in the European Union and the awareness and importance for data security and privacy actions have always been a major topic for us.

The General Data Protection Regulation (GDPR) is a European regulation to harmonize the rules within the EU for handling personal data of private companies or public organizations. The GDPR also extends this EU data protection regulation law to all foreign companies processing data of EU residents. The GDPR compliance is self-evident for OpenProject.

As a firm believer in open-source, OpenProject is invested heavily in the freedom of users. This encompasses the software freedoms granted by the GPLv3 and employed by OpenProject and naturally extends to the rights and freedoms granted by the General Data Protection Regulation (GDPR). In the same transparent fashion that we develop our software, we are committed to transparency regarding data privacy protection of our users.

This document examines the aspects of data privacy in compliance with the GDPR, as well as overall data and user security mechanisms employed by OpenProject.

Our security and data privacy strategy includes all aspects of our business

  • OpenProject’s security and data privacy policies
  • Free and open source code basis for public
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of the system architecture
  • OpenProject’s data model access control
  • Systems development and maintenance
  • Services provisioning
  • Regular external security and privacy audits of  security experts

OpenProject monitors thoroughly and continuously the developments and regulations for data security, privacy and compliance within the EU and all around the globe. We take our responsibility very seriously when it comes to taking care of personal data, secure processes, secure infrastructure, and a secure application.

More eyes see more! Since we are an Open Source software, all our code is free and open source and will be reviewed not just from our Dev deam, QA and security experts but from the public.

Data Management and Portability

The GDPR  includes grants to every data subject the right to access, modify, receive, and delete their own data. We detail some of these rights of the data subject in the following segments.

OpenProject customers with admin accounts on their instance act as data controllers for their team members and have elaborate means to perform these request on behalf of the data subjects they are responsible for.

Right to Access and Rectification

With OpenProject, data controllers have fine-grained user and rights management to perform these requests. Individual data subjects can forward any request to their responsible data controller of their information.

The following resources provide additional information:

Right to Erasure (“Right to be forgotten”)

OpenProject provides means to fully erase both all identifiable information of a user from the application. If the user is still referenced from data within the instance, these references are replaced with an anonymous user to ensure the data integrity of the application.

  • Data controllers can perform the deletion through the administration.
  • Depending on the configuration of your OpenProject instance, individual data subjects may perform the deletion of their own account through the Delete Account page. If this is disabled, the request may be stated to the data controller.

Data Portability

OpenProject provides means to data controllers in order to receive all personal data connected to the OpenProject instance. This encompasses all user and system data (in the form of an SQL dump) as well as a collection of all uploaded files

Statement on Security

 

Development of OpenProject Software

At its core, OpenProject is an open-source software that is developed and published on GitHub. Every change to the OpenProject code base ends up in an open repository accessible to everyone. This results in a transparent software where every commit can be traced back to the contributor.

Automated tests and manual code reviews ensure that these contributions are safe for the entire community of OpenProject. These tests encompass the correctness of security and access control features. We have ongoing collaborations with security professionals from to test the OpenProject code base for security exploits.

We take all facets of security seriously at OpenProject. If you want to report a security concerns, have remarks, or contributions regarding security at OpenProject, please reach out to us at security@openproject.com.

OpenProject Security features

Authentication.

OpenProject administrators can enforce authentication mechanisms and password rules to ensure users choose secure passwords according to current industry standards. Passwords stored by OpenProject are securely stored using salted bcrypt. Alternatively, external authentication providers and protocols (such as LDAP, SAML) can be enforced to avoid using and exposing passwords within OpenProject.

Two-step user registration

In compliance with common requirements in works committees, ensure that new users added by project responsibles are confirmed by a superior before allowing the user to enter the system for the first time.

User management and access control.

Administrators are provided with fine-grained role-based access control mechanisms to ensure that users are only seeing and accessing the data they are allowed to on an individual project level.

Two-Factor authentication. (Cloud or Enterprise Edition)

Secure your authentication mechanisms with a second factor by TOTP standard (or SMS, depending on your instance) to be entered by users upon logging in. More information.

Information Security and Compliance

OpenProject cloud environment are hosted on a logically isolated virtual cloud at Amazon Web Services with all services being located in Europe. AWS is a GDPR compliant cloud infrastructure provider with extensive security and compliance programs as well as unparalleled access control mechanisms to ensure data privacy. Employed facilities are compliant with the ISO 27001 and 27018 standards.

OpenProject cloud environment is continuously backing up user data with data at rest being fully encrypted with AES-256.   Each individual instance is logically separated and data is persisted in a unique database schema, reducing the risk of intersection or data leaks between instances.

Production infrastructure is accessible only for a strict set of authorized system operations personnel from a secure internal maintenance VPN. Services employed by employees are secured by Two-factor-authentication where available. Access to customer data is performed only when requested by the customer (i.e., as part of a support or data import/export request).

All OpenProject GmbH employees employ industry standard data security measurements to secure their devices and access to cloud and on-premise infrastructure. All sensitive user data on laptops and workstations are encrypted and machines are maintained to receive system updates.

OpenProject Data Processing Addendum (DPA)

OpenProject complies with GDPR and we handle our customer’s data with care. As part of OpenProject GDPR compliance, we offer a Data Processing Addendum (DPA) to our clients, that state OpenProject GDPR requirements and that reflect our data privacy and security commitments to our clients.

Download OpenProject Data Processing Addendum (DPA) and send your signed version to:
security@openproject.com

OpenProject GmbH
Security and Data Privacy
Karl-Liebknecht-Str. 5
10178 Berlin
Germany

Contact the OpenProject Security Team

If you have any questions, please contact our Security team: security@openproject.com.