The purpose of OpenProject is to improve the results of a project team. It is about networking people so that they can work together effectively towards a common goal. The processing of personal and business data is an inevitable requirement for the use of the OpenProject Enterprise edition.
Of course, you want to protect your confidential data that encompasses data about your projects, customers, business processes, suppliers, employees etc.
Data protection and information security are of central importance to OpenProject and are one of the main motives for the development of this open source software.
We want to take care of the privacy, integrity and confidentiality of your data, as well as the security of our infrastructure. This article will give you an overview of how OpenProject takes care of your data and how we prioritize data privacy and security.
OpenProject’s statement about data privacy
OpenProject’s founder and CEO Niels Lindenthal expresses: “Data protection and information security are of central importance in our company and are one of the main motives for the development of this open source software. We are very proud of the results so far, but we still need to reduce our “data privacy debt”. We intend to invest a lot of energy and time into this. Our goal is to bring OpenProject to perfection as a lighthouse project for “Data privacy made in Europe”.
OpenProject – With Open Source and Open Mind.”
Where you get in touch with us
You can get in touch with us at OpenProject in several ways. If you visit our website, contact us, use our SaaS platform or use our software provision service, the processing of certain personal data is required.
This processing is always carried out in accordance with the General Data Protection Regulation and in compliance with German data privacy regulations.
These are the potential points of interaction between you and OpenProject:
- Contact via email, telephone or contact form
- OpenProject Enterprise Cloud (SaaS)
- OpenProject Enterprise On-Premises (your server)
- OpenProject Community Platform
- OpenProject Release API
We are transparent about data processing
In our data privacy statement, we define, for every area in which we process your data:
- the legal basis for data processing
- the scope of data processing
- the purpose of data processing
- the duration of data storage
- the right of withdrawal
so that you know when data is processed and under which terms and conditions.
Our legal basis of data processing is the GDPR
As a European company based in Berlin, OpenProject complies with European and national data protection regulations. We process your data strictly confidentially and only for the purpose we informed you of when collecting the data. Our benchmark for processing your data is the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable data privacy regulations.
This of course applies to all touch points mentioned above.
OpenProject’s technical and organizational data security measures
We implement technical and organizational security measures to protect your personal data from accidental or willful manipulation, loss, destruction or unauthorized access. We continuously improve our security measures in line with technological developments.
OpenProject makes sure your data is treated with confidentiality and integrity. We designed processes to make sure data breaches are tracked and reported, and these processes are regularly tested and evaluated. Please find more details here.
Choose OpenProject on-premises for full data control
OpenProject is available not only as a cloud solution but also as an on-premises version, installed in your own environment. This provides you with full data control. If you have the manpower and technical know-how, the on-premises version is your preferred option regarding data privacy. Read here about the advantages and prerequisites of an on-premises solution.
The servers for OpenProject cloud are based in the EU
The OpenProject cloud environment is hosted on a logically isolated virtual cloud at Amazon Web Services, with all services located in Ireland. AWS is a GDPR-compliant cloud infrastructure provider with extensive security and compliance programs as well as unparalleled access control mechanisms to ensure data privacy. The facilities used are compliant with the ISO 27001 and 27018 standards.
Nevertheless, OpenProject is planning to migrate the server solution this year (2021) to a subcontractor that is also headquartered in the EU.
We are transparent about our sub-processors
Outside its core competences (e.g. hosting, as mentioned above), OpenProject uses sub-processors to provide the best services. Please find the complete list with a description of data handling here. The aim for OpenProject in 2021 is to work on the sub-processor list and replace those based outside the EU with service providers headquartered in the EU to guarantee the highest GDPR compliance.
OpenProject – proudly open source for more security
A considerable advantage of the OpenProject application as open source software is the great freedom that the open source license grants to users and developers. This gives every user the possibility to view the source code of this software, to modify it and to install and operate it within their own infrastructure.
Open source software can also provide higher security, as the code is available and can be reviewed by the community to identify and fix potential security gaps quickly.
OpenProject evolves and we provide regular software updates
The OpenProject team, together with the community, is constantly developing and upgrading the software. New versions are released regularly and can include security patches and previously unreleased patches that improve the software.
Every new software version is tested by OpenProject prior to deployment. If an update requires downtime, OpenProject will inform the customer of the scheduled downtime with 3 days' notice.
We offer you additional security features
Additional security features available to you as the software user can increase data privacy as well.
OpenProject offers two-factor authentication. This serves to prevent anyone from accessing or using your account, even if they know your password. This method adds an additional level of security to your project organization.
With LDAP sync, a worker checks users against the organization's LDAP directory. This ensures that the user is still present in LDAP. So if a user is locked or deleted in LDAP, the user is automatically locked in OpenProject. This means that the user will no longer be able to log in to OpenProject. With group sync, the process runs every hour to automatically update group memberships based on LDAP group members.
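The following is an added illustration of the user and group sync behaviour just described; it is not OpenProject's own code. The LDAP directory snapshot, the OpenProject-side user records and the group names are constructed sample data, and the lock rule (missing or locked in LDAP means locked in OpenProject) is the one the text states.

```ruby
# Added example (not OpenProject's own code): simplified model of an LDAP
# user/group sync worker. All data below is constructed for illustration.
require 'set'

# Constructed LDAP snapshot: a missing login means the user was deleted in LDAP,
# locked: true means the directory account is disabled.
LDAP_DIRECTORY = {
  'alice' => { locked: false, groups: ['project-a'] },
  'bob'   => { locked: true,  groups: ['project-a', 'project-b'] }
  # 'carol' has been deleted from LDAP
}.freeze

# Constructed OpenProject-side state for users bound to the LDAP auth source.
OP_USERS = [
  { login: 'alice', status: :active, groups: Set['project-b'] },
  { login: 'bob',   status: :active, groups: Set['project-a'] },
  { login: 'carol', status: :active, groups: Set['project-a'] }
].freeze

# User sync: lock every OpenProject user that is missing or locked in LDAP.
# A locked user can no longer log in; nothing else about the record changes.
def sync_users(op_users, ldap)
  op_users.map do |u|
    entry = ldap[u[:login]]
    status = (entry.nil? || entry[:locked]) ? :locked : u[:status]
    u.merge(status: status)
  end
end

# Group sync (the hourly job): make OpenProject group memberships mirror the
# LDAP groups. Locked users are skipped because the directory no longer
# has a usable entry for them; their stale memberships are harmless since
# they cannot log in.
def sync_groups(op_users, ldap)
  op_users.map do |u|
    next u if u[:status] == :locked
    u.merge(groups: Set.new(ldap.fetch(u[:login])[:groups]))
  end
end

# One full sync pass: user check first, then group membership update.
def run_sync(op_users = OP_USERS, ldap = LDAP_DIRECTORY)
  sync_groups(sync_users(op_users, ldap), ldap)
end

if __FILE__ == $PROGRAM_NAME
  run_sync.each do |u|
    puts "#{u[:login]}: #{u[:status]} groups=#{u[:groups].to_a.sort}"
  end
end
```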
Additional security is also provided by OpenProject's regular and secure backups, which make sure you won't lose data.
Database: Automated backups are performed, retained for 30 days to allow for point-in-time data restoration within that time frame. Both snapshots and transaction logs are securely stored in S3.
Attachments: Attachments are stored securely in S3 as well. The S3 storage is encrypted and replicated across multiple availability zones within the same region.
OpenProject’s complete legal information
This article was meant to provide you with an overview of OpenProject’s high commitment to data privacy. Please find all legal information like the data privacy statement, data processing agreement etc. here.