OpenProject's commitment to data privacy and security
The purpose of OpenProject is to improve the results of a project team. It is about networking people so that they can work together effectively towards a common goal. The processing of personal and business data is an inevitable requirement for the use of OpenProject. Of course, you want to protect your confidential data that encompasses data about your projects, customers, business processes, suppliers, employees etc.
Data protection and information security are of central importance to OpenProject and are one of the main motives for the development of this open source software.
We want to take care of the privacy, integrity and confidentiality of your data, as well as the security of our infrastructure. This article will give you an overview of how OpenProject takes care of your data and how we prioritize data privacy and security.
OpenProject’s statement about data privacy
OpenProject’s founder and CEO Niels Lindenthal expresses: “Data protection and information security are of central importance in our company and are one of the main motives for the development of this open source software. Our goal is to bring OpenProject to perfection as a lighthouse project for “Data privacy made in Europe”. We have gone to great lengths to make this policy as clear and simple as possible. We want you to understand everything. You should not have to struggle through many pages of incomprehensible legal text. We would therefore be very pleased to receive your feedback and perhaps even an exchange of ideas on the topic of data privacy and security. In this sense, this privacy policy is also consistently subject to an open source license.
OpenProject – With Open Source and Open Mind.”
Where you get in touch with us
You can get in touch with us at OpenProject in several ways. If you visit our website, contact us, use our SaaS platform or use our software provision service, the processing of certain personal data is required. This processing is always carried out in accordance with the General Data Protection Regulation and in compliance with German data privacy regulations.
These are the potential points of interaction between you and OpenProject:
- Websites
- Contact via email, telephone or contact form
- Newsletter
- OpenProject Enterprise Cloud (SaaS)
- OpenProject Enterprise On-Premises (your server)
- OpenProject Community Platform
- OpenProject Release API
- Job applications
We are transparent about data processing
In our data privacy statement, we define in detail for all areas where we process your data:
- legal basis for data processing
- scope of data processing
- purpose of data processing
- duration of the data storage
- right of withdrawal
So that you know when data is processed and under which terms and conditions.
Our legal basis of data processing is the GDPR
As a European company based in Berlin, OpenProject complies with European and national data protection regulations. We process your data strictly confidentially and only for the purpose we informed you of when collecting the data. Our benchmark for processing your data is the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable data privacy regulations. This of course applies to all touch points mentioned above. Complying with GDPR also means that you have the Right to object to the processing of your personal data (Article 21 GDPR).
OpenProject’s technical and organizational data security measures
We implement technical and organizational security measures to protect your personal data from accidental or willful manipulation, loss, destruction or unauthorized access. We continuously improve our security measures in line with technological developments.
OpenProject makes sure your data is treated with confidentiality and integrity. We designed processes to make sure data breaches are tracked and reported, regularly tested and evaluated. Please find more details here.
Choose OpenProject on-premises for full data control
OpenProject is available not only as a cloud solution but also as Enterprise on-premises version, installed in your own environment. This provides you with full data control. If you have the manpower and technical know-how, the on-premises version would be your preferred option regarding data privacy. Read about advantages and prerequisites of an on-premises solution.
The servers for OpenProject cloud are based in the EU
The OpenProject cloud environment is hosted on a logically isolated virtual cloud at Amazon Web Services with all services being located in Ireland. AWS is a GDPR compliant cloud infrastructure provider with extensive security and compliance programs as well as unparalleled access control mechanisms to ensure data privacy. Employed facilities are compliant with the ISO 27001 and 27018 standards. We offer secure hosting of your OpenProject cloud also in a German data center on request.
We are transparent about our sub-processors
Outside its core competences (e.g. hosting as mentioned above) OpenProject is using sub-processors to provide the best services. Please find the complete list with description of data handling here.
OpenProject - proudly open source for more security
A considerable advantage of the OpenProject application as open source software is the great freedom that the open source license grants to users and developers. This gives every user the possibility to view the source code of this software, to modify it and to install and operate it within their own infrastructure. An open source software can also provide higher security as the code is available and can be reviewed by the community to identify and fix potential security gaps quickly.
OpenProject evolves and we provide regular software updates
The OpenProject team together with the community is constantly developing and upgrading the software. New versions are regularly released and can include security patches and unreleased patches to improve the software. Every new software version will be tested by OpenProject prior to the deployment. In case the update requires a downtime, OpenProject will inform the customer of the scheduled downtime with a 3 days notice.
We offer you additional security features
Additional security features for you as the software users, can increase data privacy as well. OpenProject offers two-factor-authentication. This serves to prevent anyone from accessing or using your account, even if they know your password. This method adds an additional level of security to your project organization. With LDAP sync a worker checks users against the organization’s LDAP. This ensures that the user is still present in LDAP. So if a user is locked or deleted in LDAP the user gets automatically locked in OpenProject. This means that the user will not be able to login to OpenProject anymore. With a group sync, the process will run every hour to automatically update group memberships based on LDAP group members.
Additional security is also provided by OpenProject’s regular and secure backups to make sure you won’t lose data.
Database: Automated backups are performed, retained for 30 days to allow for point-in-time data restoration within that time frame. Both snapshots and transaction logs are securely stored in S3.
Attachments: Attachments are stored securely in S3 as well. The S3 storage is encrypted and replicated across multiple availability zones within the same region.
OpenProject’s complete legal information
This article was meant to provide you with an overview of OpenProject’s high commitment to data privacy. Please find all legal information like the data privacy statement, data processing agreement etc. here.