ovos play processes data that is related to the users' accounts. Depending on which modules are activated and used, more or less data is stored. The email address can also be optional when using the service.
Category of personal data | Data types |
Information about the data subject |
|
Information about the system the data subject uses |
|
Information about tool usage |
|
The data is processed when the app is used by the users, when users or administrators register in the app, as well as when the data is evaluated or analyzed by ovos or the client.
Data is processed for the following purposes:
Provision of the app
Use and administration of the app
Traceability of learning progress
Personal data is generally processed as long as the purpose of the processing exists (e.g. the users are taking part in a training via ovos play). After the training has been completed, the personal data is kept for three months for the purpose of making the learning progress traceable.
Optional: Automatic anonymization or deletion of accounts of inactive users
Users who are inactive for a certain period of time (i.e. have no interaction with the system at all) are automatically anonymized (username, email address, password and avatar are deleted from the dataset). It is not possible to reverse the anonymization or to link the data of an anonymized user back to a person, as required by the GDPR. Re-identification would only be possible with data access combined with extensive effort.
Anonymized accounts can no longer be used by users. Some of the account’s usage data will continue to be processed, but only for statistical purposes. The period for automatic anonymization is 365 days in the default configuration and can be set individually for each tenant.
21 and 3 days before the optional automatic anonymization, a notification is sent via email to the affected users in each case.
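The retention rule described above (365-day default, reminders 21 and 3 days before, four fields removed) can be written as a decision function for a daily job. This is an added example, not ovos play code; the record fields (`lastActivityAt`, `passwordHash`, `anonymizedAt`) and all function names are assumptions.

```javascript
// Added example, not ovos play code. Field and function names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;
const DEFAULT_PERIOD_DAYS = 365;     // default from the text; configurable per tenant
const NOTIFY_DAYS_BEFORE = [21, 3];  // email reminders before anonymization
const PERSONAL_FIELDS = ['username', 'email', 'passwordHash', 'avatar'];

// Whole days since the user's last interaction with the system.
function inactiveDays(user, now) {
  return Math.floor((now - user.lastActivityAt) / DAY_MS);
}

// Decide what a daily retention job should do for one user.
function retentionAction(user, now, periodDays = DEFAULT_PERIOD_DAYS) {
  if (user.anonymizedAt) return { action: 'none' };
  const remaining = periodDays - inactiveDays(user, now);
  if (remaining <= 0) return { action: 'anonymize' };
  if (NOTIFY_DAYS_BEFORE.includes(remaining)) {
    // The email address is optional; without one no reminder can be delivered.
    return user.email ? { action: 'notify', daysLeft: remaining } : { action: 'none' };
  }
  return { action: 'none' };
}

// Return a copy with the identifying fields removed; usage data stays for statistics.
function anonymize(user, now) {
  const copy = { ...user, anonymizedAt: now };
  for (const field of PERSONAL_FIELDS) delete copy[field];
  return copy;
}

// Constructed sample record (not real data).
const sampleUser = {
  id: 'u-1001',
  username: 'learner42',
  email: 'learner42@example.org',
  passwordHash: '<bcrypt hash placeholder>',
  avatar: 'avatars/u-1001.png',
  lastActivityAt: Date.UTC(2024, 0, 1),
  completedLessons: 17,
};
```

Running the check once per day is what makes the exact-day comparison for the 21-day and 3-day reminders sufficient; a job that can skip days would need to record which reminders were already sent.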
Manual deletion of an account
Users can be manually deleted at any time. This can be done either by the users themselves or by administrators. When an account is deleted, all personal data is immediately deleted from the database (within 5 minutes).
Deletion of the system
If an instance of ovos play is deleted, all users registered on this instance are also deleted immediately (within 5 minutes).
Data backups
After anonymization or deletion, personal data is still present in backups of the respective database. After a certain period, these backups are also permanently deleted. In the default configuration, the deletion period for backups is 3 months and can be set individually for each database (= tenant).
Logfiles
General logfiles do not contain any personal data. Resources that create logs:
Trigger | May contain personal data | Automatic deletion | Default deletion period (days) | Deletion period configurable per tenant |
ovos play services | No (there may be exceptions if e.g. debug mode for SAML auth is enabled) | yes | 90 | no |
Bugsnag | yes | yes | 60 | no |
Sparkpost | yes | yes | 10 | no |
pm2 | no | yes | 14 | no |
The data processed by ovos play do not fall into any category for which there is a legal retention obligation.
Developers, project managers and quality managers at ovos have access to personal data of registered users. Personal data are not transferred to any other controller.
Unless otherwise agreed with the client, the data are stored in the data processing facility of internex GmbH. The server infrastructure and processing are located in Austria or in the European Economic Area. For the ongoing ovos play instance, operations can, if desired, take place in Austria, Germany or Switzerland.
Company register number: 342171v
VAT ID (UID): ATU65604535
Managing director Markus Böhm
Registered office Lagerstraße 15, 3950 Gmünd, AT
Office address 1090 Vienna, Alserbachstraße 30
Server location
Interxion Austria
Louis-Häfliger-Gasse 10
1210 Vienna, AUSTRIA
Server hosting incl. ensuring the availability of services and databases
Traffic monitoring
Defense infrastructure
Measures that prevent unauthorized persons from gaining access (understood spatially) to data centers where personal data is processed.
Building security
Building and infrastructure monitoring
Video surveillance
Automatic access control system
Securing building shafts outside the perimeter boundary
Logging visitors
Careful selection of cleaning staff and security staff
Written access regulations
Securing the rooms
Biometric access control to the data center area
Access card for entering a data center room
Building security
Lockable office door
Reception with access control to the office premises
Employee instructions when leaving the office
Securing the rooms
Separate locked server room with key in keylock.
Access for
Hannes Amon
Milan Orszagh
Jochen Kranzer
Sigrid Cichocki
Jörg Hofstätter
Measures that prevent data processing systems from being used by unauthorized persons:
Access to the server systems
Server passwords and access data are handed over to the client when the system is first put into operation. The client changes the passwords independently right after taking them over and chooses a complex password in line with generally accepted standards.
The client manages the access data independently and is responsible for its security and periodic changes.
For managing internal server systems by authorized administrators, the hosting partner internex uses ezeelogin (https://www.ezeelogin.com/) internally. The following measures are implemented:
Authorization concept incl. role definition
Password policy (minimum length, special characters, periodic change)
Social engineering prevention
Multi-factor authentication
Responsibility for access control to customer systems lies with the client.
An access log can be exported from ezeelogin.
Measures to ensure that personal data cannot be read, copied, modified, or deleted without authorization during electronic transmission:
Options for encrypted data transmission are provided as part of the commissioned services of the main contract. The client evaluates the data processing applications they operate and, based on that, commissions the necessary technical measures.
All employees are instructed and obligated to ensure a data protection compliant handling of personal data.
Critical interfaces are always IP restricted.
Measures on internal server systems to make sure it can later be verified whether and by whom personal data has been entered, changed, or deleted:
Logging via log files (ezeelogin)
User identification
On customer systems or server systems of the client, responsibility for input control lies with the client.
Measures to ensure that personal data is processed according to the client’s instructions:
Definition of authority to issue instructions according to customer requirements
Order acceptance only in written form or by authorized persons
Measures for internal server systems for administration to make sure that personal data is protected against accidental destruction or loss:
Fire protection measures
Surge protection
Uninterruptible power supply
Air conditioning (redundant system) (Harald gets a notification)
Humidity between 40% and 60%
24/7 monitoring of server systems
Separate fire protection sections
Backup concept for internal server systems for administration
For customer systems or server systems of the client, responsibility for availability control, especially data backup, lies with the client, unless otherwise agreed in writing in the main contract.
Data is stored unencrypted in the database. Data transfers/requests use the SSL/TLS protocol. Passwords are hashed in the database (bcrypt, 12 rounds).
"Although the GDPR obviously requires that organizations take the appropriate technical and organizational measures regarding the protection and security of personal data, whereby pseudonymization and encryption of personal data are recommended, the GDPR strictly speaking does not say you must use encryption as some claim since the GDPR says what it says and only jurisprudence and instances such as supervisory authorities and the proper EU authorities have the power of interpreting and/or amending it (and common sense dictates that in specific circumstances encryption is important when considering context and risks)."
https://www.i-scoop.eu/gdpr-encryption/
Backups are only stored for a limited time and are automatically deleted after the period has expired:
Uploaded files as well as the MongoDB and MySQL database
1x/week for the last 14 weeks
1x/day for the last 30 days
internex backup cluster
makes multiple daily backups of the server which are stored for 10 days
local MySQL and MongoDB databases
dumped daily (10 days as well)
To authenticate authorized people for a request, the email address of the requested user account is used.
If authentication isn’t clearly possible (e.g. no email address available), information is only provided after prior review and approval by the client.
A data export can be carried out at any time.
All data belonging to the user is exported in a machine-readable format.
Authentication of the requesting person takes place as in the information strategy
If authentication is successful, the data will be:
Option A: manually deleted by ovos employees (deletion takes place within 30 days - backups remain stored for a while and are then deleted automatically)
Option B: manually deleted by the users themselves via a button in the app (secured by entering the nickname) (deletion happens immediately - backups also remain here for a while)
Data is sent to the server via an SSL/TLS encrypted connection.
If registration is successful (email address, username, password valid), the password is hashed with bcrypt (12 rounds) and stored. Otherwise, the data is discarded.
User logs in with email and password. Data is sent to the server via an SSL/TLS encrypted connection.
If the login is successful, the user receives a JWT token that can be used for authentication. The token payload only contains the user ID.
Users can request a link to reset their password. The link is sent to the email address provided during registration (or stored otherwise). The link is valid indefinitely until a new reset link is requested or until the password is reset via the link.
If no email address is stored for the user, the deletion of the user account can be requested by contacting ovos play support (support@ovos.at). After the request has been reviewed and approved by the client, the requesting person will be contacted to discuss the next steps.
The user can delete their account via their user profile. When deleting the account, all personal data of the user is deleted from the database.
Yes, ovos play commissions subcontractors to ensure the operation of the software.
for operating the software application:
Internex GmbH, Lagerstraße 15, 3950 Gmünd, Austria, dataprotection@internex.at
SmartBear Software, Mayoralty House, Flood Street, Galway H91 P8PR, Ireland, info@smartbear.ie, https://smartbear.com/legal/data-processing-addendum/
for sending emails if no other SMTP service has been agreed:
Bird B.V., Keizersgracht 268, 1016 EV, Amsterdam, Netherlands, privacy@bird.com, https://bird.com/legal/dpa
for sending push notifications if the use of the iOS or Android app has been agreed:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, https://support.google.com, https://firebase.google.com/terms/data-processing-terms
for the use of AI functionalities (cloud infrastructure, platform services and LLM functions in the EEA), if the “Upgrade AI” module has been agreed:
Amazon Web Services EMEA S.à r.l., 38 Avenue John F. Kennedy, L‑1855 Luxembourg, Luxembourg, aws-EU-privacy@amazon.com, https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
Anthropic Ireland, Limited, 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland, privacy@anthropic.com, dpo@anthropic.com, https://www.anthropic.com/legal/data-processing-addendum
OpenAI Ireland Limited, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, company number 737350, privacy@openai.com, https://openai.com/policies/data-processing-addendum/
Eleven Labs Poland sp. z o.o., Lipska 27/22 Street, 03-908, Warsaw, Poland, legal@elevenlabs.io, https://elevenlabs.io/docs/conversational-ai/legal/gdpr, https://elevenlabs.io/dpa
Google Firebase for sending push notifications is only used when the native app is used. As an alternative to sending emails with Sparkpost, you can also configure your own SMTP server.
No, because the obligation to appoint a data protection officer only exists for companies (controllers and processors) if their core activity consists of processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects (e.g. banks, insurance companies, credit agencies and private investigators) or if “sensitive data” (GDPR Art 9 para 1) or “personal data relating to criminal convictions and offences” (GDPR Art 10) are processed. This does not apply to ovos.
Still, data protection is so important to us that two employees, both trained for this purpose, are responsible for this topic:
Andreas Friedl (af@ovos.at)
Dominik Leitner (dol@ovos.at)
Yes, the CISO at ovos is Milan Orszagh (mo@ovos.at)
If you have any questions about the personal data concerning you or about exercising your rights, please contact datenschutz@ovos.at.
When the optional AI module of ovos play is used, data is processed by additional sub-processors. In this section you’ll find all the necessary information about this.
For the AI module in ovos play, LLMs (Large Language Models) from Anthropic (Claude) are used for content creation, app search, and chat. Anthropic's (Claude) models are hosted via AWS Cloud Services in the EU region. Third parties for processing the AI workflows are hosted by ovos itself in the same environment as the learning platform.
For image generation, OpenAI is used via the available API interface; for text-to-speech generation, OpenAI or ElevenLabs can be used via the available API interface.
The AI module uses OpenAI's LLMs for image and, if applicable, text generation. When using the provided API, according to OpenAI, no data sent is used for training the LLMs.
Data sent to OpenAI is stored for 30 days. You can find detailed and up-to-date information here: https://platform.openai.com/docs/models/how-we-use-your-data