ovos play processes data related to users' accounts. Depending on which modules are activated and used, more or less data is stored. The email address can also be optional when using the service.
Category of personal data | Data types |
Information about the data subject |
|
Information about the system used by the data subject |
|
Information about tool usage |
|
Module Quiz Duel |
|
Module Live |
|
Module Friend |
|
Module Moodboard |
|
Module “Upgrade AI” (if enabled) |
|
Web analytics (if enabled) |
|
The processing of the data takes place when the app is used by the users, when users or administrators register in the app, and when the data is evaluated or analyzed by ovos or the client.
Data is processed for the following purposes:
Provision of the app
Use and administration of the app
Traceability of learning success
Personal data is generally processed as long as the purpose of the processing exists (e.g. the users are taking part in a training through ovos play). After the training has been carried out, the personal data is stored for three months for the purpose of making the learning success traceable.
Optional: Automatic anonymization or deletion of accounts of inactive users
Users who are inactive for a certain period of time (i.e. no interaction with the system at all) are automatically anonymized (username, email address, password and avatar are deleted from the data set). It is not possible to reverse the anonymization or trace the data of an anonymized user back to a person, as required by the GDPR. A re-identification is only possible with extensive effort and data access.
Anonymized accounts can no longer be used by users. Some of the usage data of the account will continue to be processed, but only for statistical purposes. The period for automatic anonymization is 365 days in the default configuration and can be set individually per tenant.
21 and 3 days before the optional automatic anonymization, a notification is sent via email to the affected users each time.
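The inactivity rule above, written as the decision a daily job would make for each account. This is an added illustration, not ovos play's own code; the record field names (`username`, `email`, `passwordHash`, `avatar`, `lastActiveAt`, `anonymizedAt`) are assumptions.

```javascript
// Added example: daily retention decision for the inactivity rule.
// Field names are assumptions for illustration, not the ovos play schema.
const DAY_MS = 24 * 60 * 60 * 1000;
const NOTIFY_DAYS_BEFORE = [21, 3];   // reminder emails, per the page
const DEFAULT_PERIOD_DAYS = 365;      // default; configurable per tenant

// Whole days since the last interaction with the system.
function inactiveDays(user, now) {
  return Math.floor((now.getTime() - user.lastActiveAt.getTime()) / DAY_MS);
}

// Decide what the job does for one account today.
function retentionAction(user, now, periodDays = DEFAULT_PERIOD_DAYS) {
  if (user.anonymizedAt) return { action: 'none' };
  const remaining = periodDays - inactiveDays(user, now);
  if (remaining <= 0) return { action: 'anonymize' };
  if (NOTIFY_DAYS_BEFORE.includes(remaining)) {
    // The email address is optional, so some accounts cannot be notified.
    return user.email
      ? { action: 'notify', daysLeft: remaining }
      : { action: 'none' };
  }
  return { action: 'none' };
}

// Drop the four identifying fields; everything else (usage data) stays
// for statistics. The original record is not mutated.
function anonymize(user, now) {
  const { username, email, passwordHash, avatar, ...rest } = user;
  return { ...rest, anonymizedAt: now };
}
```
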
Manual deletion of an account
Users can be manually deleted at any time. This can be done either by the users themselves or by admins. When an account is deleted, all personal data is immediately deleted from the database (within 5 minutes).
Deletion of the system
If an instance of ovos play is deleted, all users registered on this instance are also deleted immediately (within 5 minutes).
Data backups
After anonymization or deletion, personal data is still present in backups of the respective database. After a certain period, these backups are also permanently deleted. The deletion period for backups is 3 months in the default configuration and can be set individually for each database (= tenant).
Logfiles
General logfiles do not contain any personal data. Resources that create logs:
Trigger | May contain personal data | Automatic deletion | Default deletion period (days) | Deletion period configurable per tenant |
ovos play services | No (there may be exceptions if e.g. debug mode for SAML auth is activated) | yes | 90 | no |
Bugsnag | yes | yes | 60 | no |
Sparkpost | yes | yes | 10 | no |
pm2 | no | yes | 14 | no |
The data processed by ovos play do not fall into any category for which there is a statutory retention obligation.
Developers, project managers and quality managers at ovos have access to the personal data of registered users. Personal data are not transmitted to any other controller.
Unless otherwise agreed with the client, the data are stored in the data processing system of internex GmbH. The server infrastructure and processing are located in Austria or in the European Economic Area. For the current ovos play instance, operation can take place in Austria, Germany or Switzerland, if desired.
Company register number: 342171v
Value added tax ID (VAT): ATU65604535
Managing director Markus Böhm
Registered office Lagerstraße 15, 3950 Gmünd, AT
Office address 1090 Vienna, Alserbachstraße 30
Server location
Interxion Austria
Louis-Häfliger-Gasse 10
1210 Vienna, AUSTRIA
Server hosting incl. ensuring the availability of services and databases
Traffic monitoring
Defense infrastructure
Measures that prevent unauthorized persons from gaining access (understood spatially) to data centers where personal data is processed.
Building security
Building and infrastructure monitoring
Video surveillance
Automatic access control system
Securing building shafts outside the perimeter boundary
Logging visitors
Careful selection of cleaning staff and security staff
Written access regulations
Securing rooms
Biometric access control to the data center area
Access card for entering a data center room
Building security
Lockable office door
Reception with access control to the office premises
Employee instructions when leaving the office
Securing the rooms
Separately locked server room with key in keylock.
Access for
Hannes Amon
Milan Orszagh
Jochen Kranzer
Sigrid Cichocki
Jörg Hofstätter
Measures that prevent data processing systems from being used by unauthorized persons:
Access to the server systems
Server passwords and access details are handed over to the client when the system is first put into operation. The client changes the passwords independently immediately after takeover and chooses a complex password in line with generally accepted standards.
The client manages the access data independently and is responsible for its security and periodic changes.
For managing internal server systems by authorized administrators, the hosting partner internex uses ezeelogin (https://www.ezeelogin.com/). The following measures are implemented:
Authorization concept including role definition
Password policy (minimum length, special characters, periodic change)
Social engineering prevention
Multi-factor authentication
The responsibility for access control to customer systems lies with the client.
An access log can be exported from ezeelogin.
Measures to ensure that personal data cannot be read, copied, modified, or deleted without authorization during electronic transmission:
Options for encrypted data transmission are provided within the scope of the commissioned services of the main contract. The client evaluates the data processing applications they operate and, based on that, commissions the necessary technical measures.
All employees are trained and obligated to ensure data protection-compliant handling of personal data.
Critical interfaces are always IP-restricted
Measures for internal server systems to ensure that it can subsequently be checked whether and by whom personal data has been entered, modified, or deleted:
Logging via log files (ezeelogin)
User identification
On customer systems or server systems of the client, responsibility for input control lies with the client.
Measures to ensure that personal data is processed in accordance with the client’s instructions:
Definition of authority to issue instructions according to customer requirements
Order acceptance only in written form or by authorized persons
Measures for internal server systems used for administration to make sure that personal data is protected against accidental destruction or loss:
Fire protection measures
Surge protection
Uninterruptible power supply
Air conditioning (redundant system) (Harald receives a notification)
Humidity between 40% and 60%
24/7 monitoring of server systems
Separate fire sections
Backup concept for internal server systems used for administration
For customer systems or server systems of the client, responsibility for availability control, especially data backup, lies with the client, unless otherwise agreed in writing in the main contract.
Data is stored unencrypted in the database. Data transfers/requests use the SSL/TLS protocol. Passwords are hashed in the database (bcrypt, 12 rounds).
"Although the GDPR obviously requires that organizations take the appropriate technical and organizational measures regarding the protection and security of personal data, whereby pseudonymization and encryption of personal data are recommended, the GDPR strictly speaking does not say you must use encryption as some claim since the GDPR says what it says and only jurisprudence and instances such as supervisory authorities and the proper EU authorities have the power of interpreting and/or amending it (and common sense dictates that in specific circumstances encryption is important when considering context and risks)."
https://www.i-scoop.eu/gdpr-encryption/
Backups are only stored for a limited period of time and are automatically deleted after the period expires:
Uploaded files as well as the MongoDB and MySQL database
1x/week for the last 14 weeks
1x/day for the last 30 days
internex backup cluster
makes multiple daily backups of the server which are stored for 10 days
local MySQL and MongoDB databases
dumped daily (10d as well)
To authenticate authorized people for a request, the email address of the requested user account is used.
If authentication isn’t clearly possible (e.g. no email address available) then information is only provided after prior review and approval by the client.
A data export can be done at any time.
All data belonging to the user is exported in a machine-readable format.
Authentication of the requesting person is done as with the information strategy.
If authentication is successful, the data will be:
Option A: manually deleted by ovos employees (deletion takes place within 30 days – backups remain stored for a while and are then deleted automatically)
Option B: manually deleted by the users themselves via a button in the app (secured by entering the nickname) (deletion takes place immediately – backups also remain here for a while)
Data is sent to the server via an SSL/TLS encrypted connection.
In the case of a successful registration (email address, username, password valid), the password is hashed with bcrypt (12 rounds) and stored. Otherwise, the data is discarded.
User logs in with email and password. Data is sent to the server via an SSL/TLS encrypted connection.
In the case of a successful login, the user receives a JWT token that can be used for authentication. The token payload only contains the user ID.
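A check a reviewer could run against exported samples to confirm the two properties stated above: the bcrypt cost factor is at least 12, and the token payload carries nothing beyond the user ID. This is an added example, not ovos play code; the claim name `sub`, the allowance for `iat`/`exp`/`nbf`/`jti`, and all sample values are assumptions constructed for illustration.

```javascript
// Added example. The claim name 'sub' and all sample values are constructed.
// bcrypt modular crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$/;

// Returns the cost factor, or null if the value is not a bcrypt hash.
function bcryptCost(stored) {
  const m = BCRYPT_RE.exec(stored);
  return m ? Number(m[1]) : null;
}

function auditHash(stored, minCost = 12) {
  const cost = bcryptCost(stored);
  return { isBcrypt: cost !== null, cost, ok: cost !== null && cost >= minCost };
}

// Decode a compact JWT payload WITHOUT verifying the signature.
// For inspection only, never for an authentication decision.
function jwtClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Assumption: besides the user ID, only registered housekeeping claims may appear.
const HOUSEKEEPING = new Set(['iat', 'exp', 'nbf', 'jti']);

function auditToken(token, userIdClaim = 'sub') {
  const claims = jwtClaims(token);
  const unexpected = Object.keys(claims)
    .filter((k) => k !== userIdClaim && !HOUSEKEEPING.has(k));
  return { hasUserId: userIdClaim in claims, unexpected };
}

// Constructed samples (not real hashes or tokens).
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const header = enc({ alg: 'HS256', typ: 'JWT' });
const SAMPLE_MINIMAL_JWT = `${header}.${enc({ sub: 'u-1001', iat: 1700000000 })}.sig`;
const SAMPLE_LEAKY_JWT = `${header}.${enc({ sub: 'u-1001', email: 'a@example.com' })}.sig`;
const SAMPLE_HASH_COST_12 = '$2b$12$' + 'A'.repeat(53);
const SAMPLE_HASH_COST_10 = '$2b$10$' + 'A'.repeat(53);
```
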
Users can request a password reset link. The link is sent to the email address provided during registration (or stored otherwise). The link is valid for an unlimited time until a new reset link is requested or until the password is reset via the link.
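The reset-link lifecycle described above (valid until a newer link is requested or the link is used), as an added sketch that is not ovos play's implementation. Storing only a hash of the token and the optional `maxAgeMs` limit are assumptions of this example; the default of no time limit reproduces the behaviour the page describes.

```javascript
// Added example: reset-link tokens that stay valid until superseded or used.
const nodeCrypto = require('node:crypto');

function sha256(value) {
  return nodeCrypto.createHash('sha256').update(value).digest();
}

// In-memory stand-in for the user store (hypothetical class name).
class ResetLinks {
  // maxAgeMs = Infinity mirrors the page: no time-based expiry.
  constructor(maxAgeMs = Infinity) {
    this.maxAgeMs = maxAgeMs;
    this.active = new Map(); // userId -> { hash, issuedAt }
  }

  // Issue a token; overwriting the entry invalidates any earlier link.
  request(userId, now = Date.now()) {
    const token = nodeCrypto.randomBytes(32).toString('base64url');
    // Only the hash is kept, so a database read does not yield usable links.
    this.active.set(userId, { hash: sha256(token), issuedAt: now });
    return token; // embedded in the emailed link
  }

  // Redeem a token: succeeds at most once per issued link.
  redeem(userId, token, now = Date.now()) {
    const entry = this.active.get(userId);
    if (!entry) return false;
    if (now - entry.issuedAt > this.maxAgeMs) {
      this.active.delete(userId); // expired links are purged
      return false;
    }
    // Both buffers are 32-byte digests, so a constant-time compare is safe.
    if (!nodeCrypto.timingSafeEqual(entry.hash, sha256(String(token)))) {
      return false;
    }
    this.active.delete(userId); // single use
    return true;
  }
}
```
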
If no email address is stored for the user, the user account can be deleted by contacting ovos play support (support@ovos.at). After the request has been reviewed and approved by the client, the requesting person will be contacted to clarify the next steps.
The user can delete their account via their user profile. When the account is deleted, all personal data of the user is deleted from the database.
Yes, ovos play uses subcontractors to ensure the operation of the software.
for the operation of the software application:
Internex GmbH, Lagerstraße 15, 3950 Gmünd, Austria, dataprotection@internex.at
SmartBear Software, Mayoralty House, Flood Street, Galway H91 P8PR, Ireland, info@smartbear.ie, https://smartbear.com/legal/data-processing-addendum/
for sending emails unless another SMTP service has been agreed:
Bird B.V., Keizersgracht 268, 1016 EV, Amsterdam, Netherlands, privacy@bird.com, https://bird.com/legal/dpa
for sending push notifications if the use of the iOS or Android app has been agreed:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://support.google.com, https://firebase.google.com/terms/data-processing-terms
for the use of AI functionalities (cloud infrastructure, platform services and LLM functions in the EEA), if the “Upgrade AI” module has been agreed:
Amazon Web Services EMEA S.à r.l., 38 Avenue John F. Kennedy, L‑1855 Luxembourg, Luxembourg, aws-EU-privacy@amazon.com, https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
Anthropic Ireland, Limited, 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland, privacy@anthropic.com, dpo@anthropic.com, https://www.anthropic.com/legal/data-processing-addendum
OpenAI Ireland Limited, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, company number 737350, privacy@openai.com, https://openai.com/policies/data-processing-addendum/
Eleven Labs Poland sp. z o.o., Lipska 27/22 Street, 03-908, Warsaw, Poland, legal@elevenlabs.io, https://elevenlabs.io/docs/conversational-ai/legal/gdpr, https://elevenlabs.io/dpa
Google Firebase for sending push notifications is only used when the native app is used. As an alternative to sending emails with Sparkpost, you can also configure your own SMTP server.
No, because the obligation to appoint a data protection officer only applies to companies (controllers and processors) if their core activity is the performance of processing operations which, by virtue of their nature, scope and/or purposes, require extensive regular and systematic monitoring of data subjects (e.g. banks, insurance companies, credit agencies and private investigators) or if “sensitive data” (GDPR Art 9 para 1) or “personal data relating to criminal convictions and offences” (GDPR Art 10) are processed. This does not apply to ovos.
Nevertheless, data protection is so important to us that we have two employees who are responsible for this topic and trained for it:
Andreas Friedl (af@ovos.at)
Dominik Leitner (dol@ovos.at)
Yes, the CISO at ovos is Milan Orszagh (mo@ovos.at)
If you have any questions about your personal data or want to exercise your rights, please contact datenschutz@ovos.at.
When you optionally use the AI module of ovos play, data is processed by additional subcontractors. In this section you’ll find all the necessary information about this.
For the AI module in ovos play, LLMs (Large Language Models) from Anthropic (Claude) are used for content creation, app search, and chat. The models from Anthropic (Claude) are hosted via AWS Cloud Services in the EU. Third parties for processing the AI workflows are hosted by ovos itself in the same environment as the learning platform.
For image generation, OpenAI is used via the available API interface; for text-to-speech generation, OpenAI or ElevenLabs can be used via the available API interface.
The AI module uses OpenAI's LLMs for image and, if applicable, text generation. When using the provided API, according to OpenAI, no data sent is used for training the LLMs.
Data sent to OpenAI is stored for 30 days. You can find detailed and up-to-date information here: https://platform.openai.com/docs/models/how-we-use-your-data