OpenProject GDPR compliance and an open commitment to data privacy, and security

Secure data - secure processes: the protection of personal data is for OpenProject more than just a legal requirement. We are highly committed to data security and privacy and have this conscience deeply integrated in our company’s processes and mindset. We are a company based in the European Union and the awareness and importance for data security and privacy actions have always been a major topic for us.

The General Data Protection Regulation (GDPR) is a European regulation to harmonize the rules within the EU for handling personal data of private companies or public organizations. The GDPR also extends this EU data protection regulation law to all foreign companies processing data of EU residents. The GDPR compliance is self-evident for OpenProject.

As a firm believer in open-source, OpenProject is invested heavily in the freedom of users. This encompasses the software freedoms granted by the GPLv3 and employed by OpenProject and naturally extends to the rights and freedoms granted by the General Data Protection Regulation (GDPR). In the same transparent fashion that we develop our software, we are committed to transparency regarding data privacy protection of our users.

This document examines the aspects of data privacy in compliance with the GDPR, as well as overall data and user security mechanisms employed by OpenProject.

Our security and data privacy strategy includes all aspects of our business

  • OpenProject’s security and data privacy policies
  • Free and open source code basis for public
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of the system architecture
  • OpenProject’s data model access control
  • Systems development and maintenance
  • Services provisioning
  • Regular external security and privacy audits of security experts

OpenProject monitors thoroughly and continuously the developments and regulations for data security, privacy and compliance within the EU and all around the globe. We take our responsibility very seriously when it comes to taking care of personal data, secure processes, secure infrastructure, and a secure application.

More eyes see more! Since we are an Open Source software, all our code is free and open source and will be reviewed not just from our Dev deam, QA and security experts but from the public.

Data Management and Portability

The GDPR includes grants to every data subject the right to access, modify, receive, and delete their own data. We detail some of these rights of the data subject in the following segments.

OpenProject customers with admin accounts on their instance act as data controllers for their team members and have elaborate means to perform these request on behalf of the data subjects they are responsible for.

Right to Access and Rectification

With OpenProject, data controllers have fine-grained user and rights management to perform these requests. Individual data subjects can forward any request to their responsible data controller of their information.

The following resources provide additional information:

Right to Erasure (“Right to be forgotten”)

OpenProject provides means to fully erase both all identifiable information of a user from the application. If the user is still referenced from data within the instance, these references are replaced with an anonymous user to ensure the data integrity of the application.

  • Data controllers can perform the deletion through the administration.
  • Depending on the configuration of your OpenProject instance, individual data subjects may perform the deletion of their own account through the Delete Account page. If this is disabled, the request may be stated to the data controller.

Data Portability

OpenProject provides means to data controllers in order to receive all personal data connected to the OpenProject instance. This encompasses all user and system data (in the form of an SQL dump) as well as a collection of all uploaded files

Application Security

Please see this dedicated page for our statement on security and advisories.

Information Security and Compliance

OpenProject cloud environment are hosted on a logically isolated virtual cloud at Amazon Web Services with all services being located in Europe. AWS is a GDPR compliant cloud infrastructure provider with extensive security and compliance programs as well as unparalleled access control mechanisms to ensure data privacy. Employed facilities are compliant with the ISO 27001 and 27018 standards.

OpenProject cloud environment is continuously backing up user data with data at rest being fully encrypted with AES-256. Each individual instance is logically separated and data is persisted in a unique database schema, reducing the risk of intersection or data leaks between instances.

Production infrastructure is accessible only for a strict set of authorized system operations personnel from a secure internal maintenance VPN. Services employed by employees are secured by Two-factor-authentication where available. Access to customer data is performed only when requested by the customer (i.e., as part of a support or data import/export request).

All OpenProject GmbH employees employ industry standard data security measurements to secure their devices and access to cloud and on-premises infrastructure. All sensitive user data on laptops and workstations are encrypted and machines are maintained to receive system updates.

OpenProject Data Processing Agreement (DPA)

OpenProject complies with GDPR and we handle our customer’s data with care. As part of OpenProject GDPR compliance, we offer a Data Processing Agreement (DPA) to our clients, that state OpenProject GDPR requirements and that reflect our data privacy and security commitments to our clients. The DPA can be signed directly in your OpenProject Cloud environment.

Contact the OpenProject Security Team

If you have any questions, please contact our Security team: