What personal data does ovos play store and process?
ovos play processes data related to the accounts of the users. Depending on the modules activated and used, more or less data is stored. The e-mail address may also be optional during use.
| Category of personal data | Types of data |
| --- | --- |
| Information about the person concerned | |
| Details of the system used by the person concerned | |
| Data of tool usage | |
Data is processed when users use the app, when users register in the app themselves or by administrators, and when ovos or the client assesses or evaluates the data.
For what purpose is the personal data mentioned above stored and processed?
Data processing takes place for the following purposes:
Provision of the app
Use and administration of the app
Traceability of the learning success
How long is personal data stored?
Personal data is generally processed for as long as the purpose of the processing is given (e.g. the users participate in a training by ovos play). After the training has been carried out, the personal data will be stored for a period of three months for the purpose of tracking the learning success.
Optional: Automatic anonymization or deletion of accounts of inactive users
Users who are inactive for a certain period of time (i.e. no interaction with the system) are automatically anonymized: username, e-mail address, password and avatar are deleted from the data set. As required by the GDPR, the anonymization cannot be reversed, and the data of an anonymized user cannot be traced back to an individual. Re-identification would only be conceivable with direct access to the data and extensive effort.
Anonymized accounts can no longer be used by users. Part of the account usage data is still processed, but only for statistical purposes. The period for automatic anonymization is 365 days in the default configuration and can be set individually per tenant.
A notification is sent to the affected users by e-mail 21 days and 3 days before the optional automatic anonymization takes place.
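The inactivity-driven anonymization just described, as an added example that is not ovos play's own code: the 365-day tenant default, the 21-day and 3-day e-mail notices, and the removal of username, e-mail, password and avatar while usage data is kept. The `sendMail` callback, the sample users and the field names are assumptions for the example.

```javascript
// Added example, not ovos play code: a daily job implementing the inactivity
// anonymization described above (365-day default per tenant, notices 21 and 3 days before).
const DAY_MS = 24 * 60 * 60 * 1000;
// Tenant-level policy; 365 days is the default and is configurable per tenant.
const DEFAULT_POLICY = { inactivityDays: 365, noticeDaysBefore: [21, 3] };

function daysInactive(user, now) {
  return Math.floor((now - user.lastActiveAt) / DAY_MS);
}

// What the job should do for one user today: 'anonymize', 'notify' or 'none'.
function decideAction(user, now, policy = DEFAULT_POLICY) {
  if (user.anonymized) return 'none'; // already processed, nothing left to strip
  const remaining = policy.inactivityDays - daysInactive(user, now);
  if (remaining <= 0) return 'anonymize';
  return policy.noticeDaysBefore.includes(remaining) ? 'notify' : 'none';
}

// Drop username, e-mail, password hash and avatar; keep usage data (here the
// number of completed modules) for statistics only. Not reversible by design.
function anonymize(user, now) {
  const { username, email, passwordHash, avatar, ...usage } = user;
  return { ...usage, anonymized: true, anonymizedAt: now };
}

// Run the job over one tenant's users. `sendMail(address, text)` is an assumed
// delivery callback; the address is read before, never after, anonymization.
function runDailyJob(users, now, policy = DEFAULT_POLICY, sendMail = () => {}) {
  const result = { notified: [], anonymized: [] };
  result.users = users.map((user) => {
    const action = decideAction(user, now, policy);
    if (action === 'none') return user;
    if (action === 'notify') {
      const days = policy.inactivityDays - daysInactive(user, now);
      sendMail(user.email, `Your account will be anonymized in ${days} days.`);
      result.notified.push(user.id);
      return user;
    }
    result.anonymized.push(user.id);
    return anonymize(user, now);
  });
  return result;
}

// Constructed sample data: one user at each point of interest on the timeline.
const NOW = Date.UTC(2024, 0, 1);
const mk = (id, username, days, completedModules) => ({
  id, username, email: `${username}@example.invalid`, avatar: `${username}.png`,
  passwordHash: '<bcrypt hash placeholder>', completedModules, lastActiveAt: NOW - days * DAY_MS,
});
const SAMPLE_USERS = [mk(1, 'anna', 344, 4), mk(2, 'ben', 362, 2), mk(3, 'cara', 365, 7), mk(4, 'dan', 10, 1)];
```

Running the job once per day is what makes the exact-day match in `decideAction` deliver each notice exactly once; a job that skips a day misses that day's notice rather than sending it late.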
Manual deletion of an account
Users can be deleted manually at any time. This can be done either by the users themselves or by administrators. In case of deletion, all personal data will be deleted from the database immediately (within 5 minutes).
Deletion of the system
If an instance of ovos play is deleted, all users registered on this instance will also be deleted immediately (within 5 minutes).
Data backups
Personal data is still available in backups of the respective database after anonymization or deletion. After a certain period of time, these backups will also be permanently deleted. The deletion period of the backups is 3 months in the standard configuration and can be set individually per database (= tenant).
Log files
General log files do not contain any personal data. Resources that create logs:
| Issuer | Includes personal data? | Automatic deletion | Default deletion period (days) | Deletion period configurable? |
| --- | --- | --- | --- | --- |
| ovos play services | No (with exceptions, e.g. if debug mode for SAML authentication is activated) | yes | 90 | no |
| Bugsnag | yes | yes | 60 | no |
| Sparkpost | yes | yes | 10 | no |
| pm2 | yes | yes | 14 | no |
How long must the data be stored (retention obligation)?
The data processed by ovos play does not fall into any category for which there is a statutory retention obligation.
Who has access to personal data?
Developers, project managers and quality managers of ovos have access to personal data of registered users. Personal data is not transferred to any other responsible party.
Where is the data stored (provider)?
Unless otherwise agreed with the client, the data will be stored in the data processing facility of internex GmbH. The server structure and processing are located in Austria or the European Economic Area. For the ongoing ovos play instance, the operation can take place in Austria, Germany or Switzerland if desired.
Provider: internex GmbH
Company register number: 342171v
Value Added Tax ID (UID): ATU65604535
Managing director: Markus Böhm
Company address: Lagerstraße 15, 3950 Gmünd, AT
Office address: Alserbachstraße 30, 1090 Vienna
Processing location (address)
Server Location
Interxion Austria
Louis-Häfliger-Gasse 10
1210 Vienna, AUSTRIA
Services of the provider
Server hosting incl. guarantee of availability of services and databases
Traffic monitoring
Defense infrastructure
How is the data protected?
Access control
internex / server hosting
Measures that prevent unauthorized persons from gaining access (to be understood spatially) to data centers in which personal data is processed.
Building security
Building and infrastructure monitoring
Video surveillance
Automatic access control system
Securing of building shafts outside the perimeter
Logging of visitors
Careful selection of cleaning staff and security guards
Written access regulations
Securing of rooms
Biometric access control to data center area
Access card for access to a data center room
ovos / Development
Building security
Lockable office door
Reception with access control to office premises
Employee instruction when leaving the office
Securing of the rooms
Separately locked server room with key in keylock.
Access for
Hannes Amon
Milan Orszagh
Jochen Kranzer
Sigrid Cichocki
Jörg Hofstätter
Access control
Measures that prevent data processing equipment from being used by unauthorized persons:
Access to server systems
Server passwords and accesses are handed over to the client during the initial commissioning. The customer changes the passwords independently immediately after the takeover and chooses a complex password taking into account generally accepted standards.
The client manages the access data independently and is responsible for their security and periodic changes.
Access control
For the management of internal server systems by authorized administrators, the hosting partner internex uses ezeelogin (https://www.ezeelogin.com/). The following measures are implemented:
Authorization concept incl. role definition
Password policy (minimum length, special characters, periodic change)
Social engineering prevention
Multi-way authentication
The client is responsible for access control of customer systems.
Access log
An access log can be exported from ezeelogin.
Transfer control (Art. 32 (1) (b) GDPR)
Measures to ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission:
Options for encrypted data transmission are provided to the extent of the commissioned service of the main contract. The Customer shall evaluate the data processing applications it operates and shall order the necessary technical measures on the basis thereof.
All employees are instructed and obligated to ensure that personal data is handled in compliance with data protection regulations.
Critical interfaces are always IP restricted
Input control (Art. 32 para. 1 lit. b GDPR)
Measures for internal server systems to ensure that it is possible to check retrospectively whether and by whom personal data has been entered, modified or deleted:
Logging via log files (ezeelogin).
User identification
On customer systems or server systems of the client, the responsibility for input control lies with the client.
Order control (Art. 32 para. 1 lit. d GDPR)
Measures to ensure that personal data is processed in accordance with the client's instructions:
Definition of the authority to issue instructions according to customer requirements.
Acceptance of orders only in writing or by authorized persons
Availability control (Art. 32 para. 1 lit. b GDPR)
internex / server hosting
Measures in internal server systems for administration to ensure that personal data is protected against accidental destruction or loss:
Fire protection measures
Overvoltage protection
Uninterruptible power supply
Air conditioning (redundant system) (Harald gets a message)
Humidity between 40% and 60%
24/7 monitoring of the server systems
Separate fire compartments
Backup concept for internal server systems for administration
On customer systems or server systems of the client, availability control, especially data backup, is the responsibility of the client, unless otherwise agreed in writing in the main contract.
How is the (personal) data encrypted?
Data is stored in the database without encryption. Data transfers/requests use the SSL/TLS protocol. Passwords are hashed in the database (bcrypt, 12 rounds).
"Although the GDPR obviously requires that organizations take the appropriate technical and organizational measures regarding the protection and security of personal data, whereby pseudonymization and encryption of personal data are recommended, the GDPR strictly speaking does not say you must use encryption as some claim since the GDPR says what it says and only jurisprudence and instances such as supervisory authorities and the proper EU authorities have the power of interpreting and/or amending it (and common sense dictates that in specific circumstances encryption is important when considering context and risks)."
https://www.i-scoop.eu/gdpr-encryption/
What is the backup strategy?
How regularly are backups deleted?
Backups are only stored for a limited time and are automatically deleted after the time limit expires:
ovos play Kubernetes Production (uploaded files as well as the MongoDB and MySQL databases):
1x/week, kept for the last 14 weeks
1x/day, kept for the last 30 days
internex backup cluster:
multiple daily backups of the server, stored for 10 days
Local MySQL and MongoDB databases:
dumped daily, stored for 10 days
What is the information strategy?
The e-mail address of the requested user account is used to authenticate authorized persons for a request.
If authentication is not possible beyond doubt (e.g. no e-mail address available), then information is only provided after prior verification and approval by the client.
A data export can be performed at any time.
In this case, all data associated with the user is exported in a machine-readable format.
What is the deletion strategy?
The requesting person is authenticated in the same way as for the information strategy.
If authentication is successful, the data is deleted in one of two ways:
Variant A: manual deletion by ovos staff (deletion takes place within 30 days - backups remain stored for a while and are then automatically deleted)
Variant B: manual deletion by the user himself/herself via a button in the app (secured by nickname entry) (deletion takes place immediately - backups are also retained for a period of time).
Process flow
Registration
Data is sent to the server via SSL/TLS encrypted connection.
In case of successful registration (email address, username, password valid) the password is hashed with bcrypt (12 rounds) and stored. Otherwise the data will be discarded.
Login
User logs in with email and password. Data is sent to the server via SSL/TLS encrypted connection.
In case of a successful login, the user receives a JWT token with which subsequent requests are authenticated. The token payload contains only the user ID.
Password Reset
Users can request a link to reset their password. The link will be sent to the email address provided during registration (or otherwise). The link is valid indefinitely, until a new reset link is requested or until the password is reset via the link.
If no e-mail address is stored for the user, deletion of the user account can be requested by contacting ovos play support ( support@ovos.at ). After the request has been checked and approved by the client, a consultation with the requesting person will take place regarding the further procedure.
Delete account
The user can delete the user account via his user profile. In case of deletion, all personal data of the user will be deleted from the database.
Does ovos play use subcontractors?
Yes, ovos play uses subcontractors to ensure the operation of the software:
Internex GmbH, Alserbachstraße 30, 1090 Vienna, Austria; for the operation of the software.
Bugsnag for bug fixing, 110 Sutter St, San Francisco, CA 94104, United States
Messagebird for email delivery, Trompenburgstraat 2C, 1079 TX Amsterdam, The Netherlands
Firebase for push notification delivery, Google Ireland Limited, with registered office at Gordon House, Barrow Street, Dublin 4, Ireland.
Bugsnag only includes personal data in exceptional cases. Firebase is only used when the native app is used. As an alternative to sending emails with Sparkpost, you can also configure your own SMTP server.
Other
Is there a data protection officer at ovos?
No, because the obligation to appoint a data protection officer only applies to companies (controllers and processors) if the core activity consists of carrying out processing operations which, due to their nature, scope and/or purposes, require extensive regular and systematic monitoring of data subjects (e.g. banks, insurance companies, credit agencies and professional investigators) or if "sensitive data" (GDPR Art 9 (1)) or "personal data relating to criminal convictions and offences" (GDPR Art 10) are processed. This does not apply to ovos.
Nevertheless, the topic of data protection is so important to us that we have two responsible (and trained) employees on this topic:
Andreas Friedl (af@ovos.at)
Dominik Leitner (dol@ovos.at)
Is there a CISO (Chief Information Security Officer) at ovos?
Yes, the CISO at ovos is Milan Orszagh (mo@ovos.at).
Contact person for data protection issues
For questions regarding personal data concerning you or to assert your rights, please contact datenschutz@ovos.at.