Processing of personal data
Status of this document: 2024-09-22
Purpose of this document
This document outlines how personal data flows through the OpenProject software and aims to assist data controllers in organizations using OpenProject on their own infrastructure in creating GDPR-compliant data protection documentation.
Note: Customers of the OpenProject GmbH that subscribed to the OpenProject Enterprise Edition Cloud (a software-as-a-service) please check the following legal documents:
Groups of personal data
OpenProject is a project management and team collaboration software. The personal data processed by the software can be categorized into four different groups:
- User master data: essential for administering user accounts.
- Functional assignments: connects users to various entities such as work packages, projects, teams, budgets, time logs, etc.
- Logfiles: automatically generated records of user activity.
- Content data: Person mentioned in text or shown in pictures. Those persons do not necessarily need to be a user.
A: Usage without user account
Depending on the individual permission and authentication settings an OpenProject project can be accessed for read-only anonymously without a user account. The OpenProject community platform is an example of an OpenProject installation where individual projects where set to public.
Anonymity is not complete because the underlying webserver might still generate its common logfile (weblog).
B: User master data
To sign-in to the OpenProject platform, the registration of a user account is required. For registered user’s the following personal data are processed:
User profile (bu-01)
- Name
- Username
- Avatar
User settings (bu-02)
- Email address
- Notification settings
- Email reminder settings
- Language settings
- Time zone settings
- Display settings (contrast modes, custom themes)
User authentication (bu-03)
- Access tokens
- User sessions
- Password (encrypted)
- Phone number for sending one-time passwords via SMS
- OATH secret codes
User notification settings (bu-04)
- Default notification settings
- Project-specific notification settings
- Default email reminder settings
- Project-specific email reminder settings
User roles and permissions (bu-05)
- Group memberships
- Project roles
- Global roles
User rates (bu-06)
- Default hourly rate
- Hourly rate per project
Note: Administrators can add so-called custom fields to their OpenProject installation which extend the data fields of a user.
C: Using OpenProject
Depending on the individual use and permissions of the user the following personal data is processed:
Boards (cb-01)
- Assignment of a person to a work package (author, assignee, responsible, user custom fields)
- Change history
- Person mentioned in a board
Budgets (cb-02)
- Assignments of a person to a budget
- Change history
- Person mentioned in a budget description
Comments (cc-01)
- Author of a comment
- Change history
- Reactions of a user to a comment
- Person mentioned in a comment
Email notifications (ce-01)
- Email header including sender and recipients
- Person mentioned in an email
Files (cf-01)
- Assignment of a files to an uploader or creator
- Change history
- Person mentioned in a file (incl. file attributes)
GitHub pull requests (cg-01)
- Assignment of a person to a pull request in GitHub (author, reviewer, participant)
- Change history
GitLab merge requests and issues (cg-02)
- Assignment of a person to a merge request or issue in GitLab (author, reviewer, participant)
- Change history
Meetings (cm-01)
- Assignment of a person (author, invitee, participant) to a meeting
- Change history
- Person mentioned in an agenda item
Projects (cp-01)
-
Assignment of a person to a project (author, project member)
-
Change history
-
Person mentioned in a project overview
-
Person mentioned in a project attribute
-
Persons mentioned in a project status information
Project calendars (cp-02)
- Assignment of objects shown in the calendar (meetings, work packages, versions, milestones) to a person
- Change history
- Person mentioned in a calendar item
Project news (cp-03)
- Author of a project news
- Change history
- Person mentioned in a project news
Team planner (ct-01)
- Assignment of a work package to a person
- Change history
- Persons mentioned in team planners
Time tracking (ct-02)
- Assignments of a time entry to a person
- Change history
- Person mentioned in a time entry
Wiki pages (cw-01)
- Assignment of an wiki page edit to a person (author, contributor)
- Change history
- Person mentioned in a wiki page
Work packages (cw-02)
- Assignment of a work package to a person
- Change history
- Person mentioned in a list or project schedule
- Person mentioned in an attribute or text field
- Person mentioned in a linked file
- Person mentioned in a linked pull request (i.e. GitHub or GitLab)
D: Logging
Logged information
Activities in OpenProject are automatically journalized. It allows users to understand the change history of those objects (e.g. the baseline comparison).
Independently of the change history every interaction (i.e. web request) of a browser or other client results in an entry written to the server logfiles. These files support the operation of the application as they provide information on faulty behavior of the system (i.e. bugs and lack of performance).
Those log files contain the following person related data:
- id of the user performing the request
- time of the request
- url called
- parameters sent to the server as part of the request which comprises the user’s input in the form of e.g. work package title and description, wiki page content, comment text, SAML user information etc.
Note: Passwords are not logged in plain text.
The data listed above is generated upon entering the application. When actually processing the request within the application, events deemed noteworthy by the developers might be logged additionally. An example of this are failed login attempts.
Retention period
Logfiles are automatically removed based on a first-in-first-out mechanism. This is done to limit the disk space which ensures the server’s operation and at the same time serves as a means to erase the log entries once they have served their purpose of supporting operations. By default the retention period is determined by the size of the logfile. Once the logfile reaches its storage limit, the oldest entries are removed.
As such, the log entries are not kept for a fixed period of time. If there are a lot of requests, old entries are removed faster then if there are less requests. Administrators of an OpenProject installation might decide to configure a different behavior that factors in the age of the log entries.
Technical documentation
Detailed technical information about the logging mechanism can be found in the operations documentation:
Note: Additional logfiles might be generated by systems that are part of the used network infrastructure (e.g., load balancers, proxying servers, or other network components). These are out of scope for this documentation but they often contain additional information such as the IP address. On the other hand, since TLS is employed for all connections by default, those intermediary systems do not have access to the full request body so they are not able to see for example the request parameters.
Flows of personal data
A: System overview
The following diagram provides an overview of the flows of personal data in OpenProject. This applies to the different installation methods.
flowchart TD browser[Web browser] -->|"HTTP(s) requests"| loadbalancer(Load balancer / proxy) A1[Native client] -->|"HTTP(s) requests"| loadbalancer A2[SVN or Git client] -->|"HTTP(s) requests"| loadbalancer loadbalancer -->|Proxy| openproject subgraph openproject[OpenProject Core Application] openprojectrailsapp[Rails application] C[Puma app server] D[Background worker] end subgraph integrations[External Integrations] direction TB idp["Identity provider (idp)"] nex["Nextcloud (nex)"] osh["OneDrive/SharePoint (osh)"] gih["GitHub (gih)"] gil["GitLab (gil)"] cal["Calendar (cal)"] O["API integrations (api)"] end subgraph services[Internal Services] direction TB M[Memcached] P[PostgreSQL] S[Object storage or NFS] email["Email gateways (eml)"] end openproject <--> services openproject --> integrations loadbalancer <--> integrations subgraph localclients[Local Client / User device] direction TB browser A1 A2 end
As a web application, the primary data flow is between the user’s web browser (or attached API clients) through an external proxying web server (this might be a load balancer or proxying server). Depending on the individual setup the proxying server is responsible for terminating TLS connections for the course of this document - although encrypted connections between Load balancer and Puma server are possible. In case of packaged or Kubernetes installations, this proxying server might be part of the OpenProject stack (e.g., an Apache2 packaged installation server or nginx ingress).
The external web server acts as a proxy/reverse-proxy for the OpenProject Puma app server, relaying requests for it to handle and respond. In the course of the request, access to external services such as the PostgreSQL database, a caching server, or attached storages might be performed. In case of S3-compatible object storage set ups, OpenProject performs calls to the object storage to put or request files from it. Likewise, for network-attached storages linked into the application, underlying network requests are performed. These are out of scope for this evaluation, as they are provided and maintained by the operator of the system.
In the course of using the application, background tasks are enqueued in the database such as outgoing emails, cleanup tasks, or notification processing. These tasks are performed in a separate process, the background worker queue. This process accesses the same services as the application server process to access or modify data. It might connect to external integrations such as a Nextcloud or OneDrive/SharePoint instance to set up file sharings depending on actions performed by the users.
Exemplary request flow
-
User request: An end-user sends an HTTPS request to the load balancer or proxying server.
-
Load balancer: The external load balancer or proxying server receives the request, terminates TLS, and forwards the HTTP request to the Puma application server.
-
Puma app server: Processes the request and invokes the appropriate Rails middlewares and controller.
-
Rails application:
-
Authenticates the user according to the mechanisms outlined in the secure coding guidelines
- Validates session and input data
- Responsible for error handling, logging, and auditing aggregation
-
Retrieves or updates resources to the PostgreSQL database via models
- Calls or interacts with external services for requests, such as retrieving files or attachments from object storage
-
Renders the appropriate views
-
Response: Sends the HTTP response back through the Puma server and load balancer to the end-user.
-
-
Background worker: Operates on periodical background data, or performs actions requested by the web request of user (sending emails, exporting data, communicating with external services)
B: Identity provider (idp)
Overview
flowchart LR Browser <-->|idp-01| IDP IDP <-->|idp-02| openproject[OpenProject] Browser <-->|idp-03| openproject subgraph IDP[Identity Provider] direction LR ssoprovider[SSO provider] LDAP end subgraph openproject["Relying Party (OpenProject) "] direction LR ssoclient[SSO client] ldapauthentication[LDAP authentication] ldapgroupsync[LDAP group sync] end subgraph localclients[Local clients] direction LR Browser end
Purpose
- Centralized identity and access management
- Single sign on and single sign out (OIDC, SAML)
- Syncing LDAP groups with OpenProject groups
Processed data
bu-01
bu-02
bu-03
bu-05
(group memberships trough LDAP groups)
Security measures
idp-01
TLSidp-02
TLSidp-03
TLS
C: Email (eml)
Overview
flowchart LR A[User's email client] <-->|eml-01| B[User's email hoster] B <-->|eml-02| C[Email gateway] C <-->|eml-03| D[Email notification service] subgraph localclients[Local clients] direction TB A end subgraph internal[Internal services] direction TB C end subgraph external[External services] direction TB A B end subgraph OpenProject direction TB D end
Purpose
- Create a new work package by sending an email to a configured email address.
- Adding a comment to an existing work package by answering to an email notification.
- Sending email notifications about updates in OpenProject (e.g email reminder, meeting updates, project invitation, wiki notifications)
Processed data
bu-01
bu-04
bu-05
cc-01
cm-01
cp-01
cw-02
Security measures
-
eml-01
TLS (not controlled by the OpenProject system) -
eml-02
TLS (not controlled by the OpenProject system) -
eml-03
TLS (encryption can be activated in the email settings in the OpenProject Administration)Note: OpenProject does not support end-to-end encryption using GPG or S/MIME.
D: Calendar (cal)
Overview
flowchart LR opicalapi[OpenProject's iCal API] --> |cal-01|B B[Calendar web application] -->|cal-03| localcalendarapp[Local calendar application] opicalapi -->|cal-02| localcalendarapp subgraph localclient[Local clients] direction TB localcalendarapp end subgraph external[External services] direction TB B end subgraph OpenProject direction TB projectcalendar[Project calendar] --> opicalapi end
Purpose
- Users can import project calendars into their calendar application using the iCal format.
Processed data
bu-01
bu-03 (iCalendar access tokens)
cm-01
cp-02
ct-01
Security measures
cal-01
TLScal-02
TLS (not controlled by the OpenProject system)cal-03
TLS (not controlled by the OpenProject system)
E: Nextcloud (nex)
Overview
flowchart LR Browser <--> |nex-01| openproject Browser <-->|nex-02| nextcloud nextclouddesktopclient[Nextcloud desktop client] <-->|nex-03| nextcloudapi appopenprojectintegration <-->|nex-04| openprojectapi subgraph local[Local clients] Browser nextclouddesktopclient end subgraph openproject[OpenProject] opnextcloudintegrattion[Nextcloud integration] openprojectapi[API] end subgraph nextcloud[Nextcloud] groupfolder[Group folder app] appopenprojectintegration[OpenProject integration app] nextcloudapi[API] end
Purpose
- Users can link files stored in Nextcloud with work packages in OpenProject.
- Project folders in Nextcloud can be managed in OpenProject (create, delete, update, user permissions).
Processed data
bu-01
bu-03
cf-01
Security measures
nex-01
TLSnex-02
TLSnex-03
TLSnex-04
TLS
F: OneDrive/SharePoint (osh)
Overview
flowchart LR Browser <--> |osh-01| openproject Browser <-->|osh-02| onedrive onedrivedesktopclient[Nextcloud desktop client] <-->|osh-03| onedriveapi appopenprojectintegration <-->|osh-04| openprojectapi subgraph local[Local clients] Browser onedrivedesktopclient[OneDrive desktop client] end subgraph openproject[OpenProject] oponedrivetegration[OneDrive/SharePoint integration] openprojectapi[API] end subgraph onedrive[OneDrive/SharePoint] appopenprojectintegration[OpenProject integration app] onedriveapi[API] end
Purpose
- Users can link files stored in OneDrive/SharePoint with work packages in OpenProject.
Processed data
bu-01
bu-03
cf-01
Security measures
osh-01
TLSosh-02
TLSosh-03
TLSosh-04
TLS
G: GitHub (gih)
Overview
flowchart LR gitclient <-->|gih-01| githubapi githubapi <-->|gih-02| opgithubintegration githubwebhooks -->|gih-03| opgithubintegration subgraph GitHub direction TB githubapi[API] githubwebhooks[Webhooks] end subgraph localclients[Local clients] direction TB gitclient[Git client] end subgraph openproject[OpenProject] direction TB opgithubintegration[Github integration] --- workpackagesmodule[Work packages module] end
Purpose
- Connect pull requests in GitHub with work packages in OpenProject.
- Show the status of pull requests in related work packages.
Processed data
- cg-01
- cw-02
Security measure
gih-01
TLSgih-02
TLSgih-03
TLS
H: GitLab (gil)
Overview
flowchart LR gitclient <-->|gil-01| gitlabapi gitlabapi <-->|gil-02| opgitlabintegration gitlabwebhooks -->|gil-03| opgitlabintegration subgraph GitLab direction TB gitlabapi[API] gitlabwebhooks[Webhooks] end subgraph localclients[Local clients] direction TB gitclient[Git client] end subgraph openproject[OpenProject] direction TB opgitlabintegration[GitLab integration] --- workpackagesmodule[Work packages module] end
Purpose
- Connect merge requests in GitLab with work packages in OpenProject.
- Connect issues in GitLab with work packages in OpenProject.
- Show the status of merge requests in related work packages.
Processed data
- cg-02
- cw-02
Security measure
gil-01
TLSgil-02
TLSgil-03
TLS
I: API integrations (api)
Overview
flowchart LR api <-->|api-01| apiintegration[API integration] subgraph externalintegreations[External integrations] direction TB apiintegration end subgraph openproject[OpenProject] direction TB api[API] end
Purpose
- Create, read, update and delete data from OpenProject.
Processed data
- All data the user has permissions to.
Note: Please see the API documentation for further information about all API endpoints.
Security measure
api-01
TLS
Use of technical cookies
OpenProject makes use of technical cookies to identity the browser client and/or remember information such as 2FA login state. The core application makes use of these cookies:
Cookie name | Description | Expiry | Security flags | Implementation |
---|---|---|---|---|
_open_project_session (name is configurable) | contains the information about the logged in user as well as information stored between requests on the user’s choices (e.g. the filters for costs are in part stored there) | Session + configurable server-sideTTL | secure httponly Samesite=Lax encrypted | Code ref |
autologin (name is configurable) | (Optional feature, requires opt-in under Administration > Authentication settings) enables the user to automatically log in again after the session expired (e.g. because the browser was closed). It is set when the user checks the ‘Stay logged in’ box in the login form. | Cookie 1 year + server-side token N days (configurable) | secure httponly Samesite=Lax encrypted | Code ref |
op2fa_remember_token | the presence of that cookie suppresses the need for the user to provide a second factor upon login for N days (configurable by administration) if the user selects to do so when entering the 2fa information. | N days (configurable) | secure httponly Samesite=Lax encrypted | Code ref |
Deletion of personal data
Whenever a user in OpenProject is fully deleted, the system scrubs and removes all user master data, all functional assignments, and all references to a user in the change histories. All actions performed in the name of the user are being replaced with a singular “Deleted user” reference in order to maintain integrity of database references, such as being an author of a work package that remains. Finally, the user data itself will be deleted, removing all structural traces of PII in the system.
Note: Due to the user references changing, respective cache keys for information such as work packages or projects are invalidated automatically.
Note: Deleting a user account is a permanent action and cannot be reversed.
For more information on user account deletion, please see the user administration guide.
Note: Input created by a user such as text or comments cannot be deleted or scrubbed in an automated fashion. The content stays but will be referenced to the non-personal “Deleted User”.
Note: Persons mentioned in text or shown in uploaded pictures cannot be deleted or scrubbed in an automated fashion. All references to persons in text or pictures need to be deleted either one by one or by deleting the project in total. Memory references in memcached might still refer to (invalidated) user data until it is being reassigned.
Note: Logfiles might retain personal data for the configured retention period of the logfile. See “D: Logging” above.