Technical and organizational measures for data security and privacy
As of: 2025-07-06
Annex III – Technical and organizational measures to ensure an adequate level of protection for data processing on behalf of others (https://www.openproject.org/legal/data-processing-agreement/) pursuant to Articles 28 and 32 of the GDPR
This document addresses the use of OpenProject on the SaaS platform provided by OpenProject GmbH (OpenProject Enterprise Cloud). For customers of the OpenProject Enterprise Cloud, OpenProject GmbH acts as a data processor in accordance with Article 28 of the GDPR and must ensure the security of processing under Article 32 of the GDPR.
Additional service providers are involved in the operation of the SaaS platform, listed in the overview of sub-processors.
A particularly important service provider for data security is the one providing the technical infrastructure for the SaaS platform (Infrastructure-as-a-Service (IaaS) provider). Data processing by the processor takes place in secure data centers. OpenProject exclusively uses IaaS providers certified according to ISO 27001. Below, we highlight which technical and organizational measures are primarily the responsibility of the IaaS provider and which lie with OpenProject.
1. Confidentiality (Art. 32(1)(b) GDPR)
1.1 Physical access control
Physical access control for the data centers is the responsibility of the IaaS provider, which secures physical access to buildings, server rooms, etc. This covers the following security measures and infrastructure:
- Physical access protection for data centers
- Surveillance of data centers and their access points by personnel
- Identification and authentication of all employees and visitors using appropriate procedures
See also the sub-processor annex of the data processing agreement, which names the IaaS provider used for each hosted variant of the OpenProject Enterprise Cloud.
1.2 System access control
Unauthorized access to the IaaS platform and the SaaS application operated on it must be prevented. The IaaS provider is responsible for the underlying platform; OpenProject is responsible for the SaaS application.
OpenProject uses web applications and interfaces of the IaaS provider to provide the OpenProject Enterprise Cloud SaaS application. OpenProject utilizes security features provided by the IaaS provider (e.g., Virtual Private Clouds). OpenProject implements the following security mechanisms:
- Implementation of firewalls and other security mechanisms to protect systems within the IaaS network
- Access to computer systems only via encrypted connections and for authorized and trained administrators
- Additional security for administrative access, e.g., via authenticated networks (VPN connections)
- Securing authentication on web interfaces and APIs with multi-factor authentication
- Isolation of the application through hardware-based firewalls and virtual private clouds
- Monitoring and logging of administrative access and regular audits of access logs
- Regular automated and manual system audits to identify and fix vulnerabilities (see the Security tests documentation and the Secure coding guidelines, section on virus and malware protection)
- Documented process for secure software development (see Secure coding guidelines) and prompt handling of security vulnerabilities (see Statement on security)
- Regular employee training on data protection and data security
1.3 Data access control
The processor must prevent unauthorized activities in systems processing personal data. As the OpenProject Enterprise Cloud runs on hardware provided by the IaaS provider, the following measures are relevant for both parties:
- Use of strong authentication methods and multi-factor authentication
- Use of TLS for encrypted data transmission with up-to-date and secure cipher suites
- Logical or physical separation of data from different tenants (customers/controllers)
- Customer service access limited to master data and billing data
- Only selected administrators at OpenProject and its sub-processors are authorized to access customer data, and only in the circumstances defined in the contract, such as support issues that the customer or the support team cannot resolve themselves
- Business administrators are created and managed by the controller in their OpenProject instance. Access control within the SaaS application is managed by the controller
- Access to data in an OpenProject Enterprise Cloud instance is granted based on the roles and permissions defined in that instance
1.4 Data separation control
OpenProject ensures the separation of customer data and information in the OpenProject Enterprise Cloud. Measures include:
- Data from different controllers is separated via tenant-aware logical database schemas
- Test or integration data is processed in environments separate from production; access separation prevents these environments from reaching production data
1.5 Pseudonymization (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)
Pseudonymization is intended to prevent data subjects from being identified directly from the data being processed.
OpenProject Enterprise Cloud assigns each user a user ID linked to their account. Content records reference this user ID rather than the person's name, so the ID serves as a pseudonym; the mapping back to the person exists only in the account record. When a user account is deleted in an OpenProject instance, references to the user ID are replaced with a placeholder non-user ("unknown user"), so the remaining content can no longer be attributed to that person, which effectively anonymizes the dataset.
See also the OpenProject Enterprise Cloud section of the privacy policy, the section on data retention, and the Processing of personal data – deletion of personal data section.
2. Integrity (Art. 32(1)(b) GDPR)
2.1 Data transfer control
Control of data transfer by OpenProject and the IaaS provider is ensured by the following measures:
- TLS encryption for all web-based data transmission
- Data processing agreements with sub-processors to ensure data security and control measures
- Storage of all data in an OpenProject Enterprise Cloud instance only in data centers of the IaaS provider, with the exception of specific additional processing (e.g., email notifications via external mail service)
- Encryption at rest of all backups containing OpenProject Enterprise Cloud data
2.2 Input control
The processor must ensure traceability and documentation of data processing activities. OpenProject applies the following measures:
- Monitoring and auditing changes in the application (e.g., activity tracking in OpenProject)
- Logging of user input activities (see Secure coding guidelines, logging and error handling)
- Validation of all user inputs to prevent manipulated data (see Secure coding guidelines, user input validation)
- Structured data input through dedicated user interfaces and APIs respecting permission structures
3. Availability (Art. 32(1)(b) GDPR)
The processor must protect personal data against accidental destruction or loss (availability control). Rapid recoverability must be ensured after a data loss event.
Since OpenProject Enterprise Cloud is operated on IaaS infrastructure, the following measures apply to both parties:
- Continuous backups and redundant systems to protect data (see Service description – backup section)
- Redundant system architecture, network infrastructure, power supply, and internet connectivity
- Written disaster recovery and business continuity plans
4. Resilience (Art. 32(1)(b) GDPR)
Resilience refers to the ability to resist attacks and recover quickly from disruptions.
Given the shared responsibilities of OpenProject and the IaaS provider, relevant measures include:
- Architectural capability to handle incidents like power outages without significant service degradation
- Continuous system hardening against known attacks, including denial-of-service attacks
- Deployment across multiple availability zones to ensure failover
- Flexible scalability for short-term capacity increases
- Network separation between production and test environments
- Written disaster recovery plans documenting recovery steps
- Regular employee training on current security concepts and industry best practices
- Regular testing and review of protection and recovery plans
5. Data protection management
5.1 Responsible contact person of the processor
Attorney David Heimburger (Data Protection Officer)
Friedensallee 114
22763 Hamburg
Email: dh@davidheimburger.de
GPG key: BC5D D292 8DD3 3B95 B6F7 0272 FE3F 95A3 135C 46A1
5.2 Review, evaluation, and assessment procedures (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
Data processing is strictly purpose-bound. Data and retention periods are listed in the OpenProject Enterprise Cloud section of the privacy policy and in the document Processing of personal data.
To ensure secure processing, a procedure for regular review and assessment of technical and organizational measures must be implemented.
This is done via a data protection management system. As part of a continuous improvement process, measures are evaluated and optimized. Regular audits by external accredited experts are part of this process.
5.3 Incident response management and reporting
It must be ensured that in the event of a data protection breach or suspected breach, the processor informs the controller immediately.
All contractual partners are required to report incidents within legal deadlines. Internal processes ensure the data protection officer is involved in such events.
5.4 Privacy by default (Art. 25(2) GDPR)
Privacy-friendly default settings must ensure that only personal data necessary for the specified processing purpose is processed.
After the trial period expires or the contract is terminated, all customer data is deleted automatically within three months. Customers can also delete individual users within their installation. For a deleted user, the following data is deleted:
- Name
- Email address
- Phone number
- Username
- User profile picture (avatar)
Created content such as comments on work packages is reassigned to an anonymized user.
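The following is an added illustration of the pseudonymization and user-deletion mechanism described in sections 1.5 and 5.4. It is example code written for this page, not OpenProject's own implementation; the class names, the sentinel user ID `0`, the field list and the sample records are assumptions constructed for the example. It shows that content records carry only a user ID, that the ID resolves to a person solely through the account directory, and that deleting the account scrubs the PII fields and reassigns the person's content to a placeholder user.

```ruby
# Added example (not OpenProject's code): user-ID pseudonymisation and the
# "unknown user" substitution on account deletion. All names, the sentinel
# ID and the sample records below are constructed assumptions.

DELETED_USER_ID = 0 # sentinel "unknown user"; assumed value for this example

# The account directory is the only place where the pseudonym (id) maps
# back to a natural person.
class UserDirectory
  PII_FIELDS = %i[name email phone login avatar].freeze

  def initialize
    @users = { DELETED_USER_ID => { id: DELETED_USER_ID, name: 'Deleted user' } }
  end

  def add(id, **attrs)
    @users[id] = { id: id }.merge(attrs)
  end

  # Unknown or deleted IDs resolve to the placeholder user.
  def find(id)
    @users.fetch(id, @users[DELETED_USER_ID])
  end

  # Dropping the account removes name, e-mail, phone, login and avatar at once.
  def delete(id)
    @users.delete(id)
  end

  # PII still held for an id, or nil once the account is gone.
  def pii_of(id)
    rec = @users[id]
    rec && rec.slice(*PII_FIELDS)
  end
end

# Content records store only the pseudonym, never the person's name.
Comment = Struct.new(:id, :author_id, :text)

class Workspace
  attr_reader :directory, :comments

  def initialize
    @directory = UserDirectory.new
    @comments = []
  end

  def add_comment(id, author_id, text)
    @comments << Comment.new(id, author_id, text)
  end

  # Resolving the pseudonym requires the directory; the comment alone
  # identifies nobody.
  def author_name(comment)
    directory.find(comment.author_id)[:name]
  end

  # Delete a user: reassign authored content to the placeholder user, then
  # scrub the account. Returns the number of records reassigned.
  def delete_user(user_id)
    raise ArgumentError, 'cannot delete the placeholder user' if user_id == DELETED_USER_ID

    reassigned = 0
    comments.each do |c|
      next unless c.author_id == user_id
      c.author_id = DELETED_USER_ID
      reassigned += 1
    end
    directory.delete(user_id)
    reassigned
  end
end

# Walk through the lifecycle on constructed sample data.
def demo
  ws = Workspace.new
  ws.directory.add(42, name: 'Alice Example', email: 'alice@example.org',
                       phone: '+49 40 0000000', login: 'alice', avatar: 'alice.png')
  ws.add_comment(1, 42, 'Looks good, merging.')
  ws.add_comment(2, 42, 'Reopened: regression in the importer.')
  before = ws.author_name(ws.comments[0]) # "Alice Example"
  n = ws.delete_user(42)                  # 2 comments reassigned
  after = ws.author_name(ws.comments[0])  # "Deleted user"
  { before: before, reassigned: n, after: after, pii_left: ws.directory.pii_of(42) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point a practitioner should take from this: the user ID is a pseudonym only while the account directory is access-controlled, because anyone who can read that table can re-identify every record. Deleting the account breaks the link for good, while the work package history stays intact under the placeholder author.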
Privacy by design and by default is considered during development and operation of the software.
5.5 Order control
The processor processes data strictly according to the signed contract and ensures compliance with legal and contractual requirements in line with the controller's instructions. The OpenProject platform includes an admin interface through which the controller manages their account. Credentials are created by the controller during account setup, and only holders of these credentials can enter, modify, or delete data. Instructions for actions that cannot be carried out through the admin interface must be given in writing.