Data processing according to GDPR

Here you will find all information on GDPR compliant processing of personal data.

What personal data does ovos play store and process?

ovos play processes data related to the accounts of the users. Depending on the modules activated and used, more or less data is stored. The e-mail address may also be optional during use.

Category of personal data

Types of data

Information about the person concerned

  • Username

  • Email address

  • First name

  • Last name

  • Password

  • Time of registration

  • Chosen avatar

Details of the system used by the person concerned

  • Operating system

  • Browser agent

Data of tools usage

  • Time of account activation

  • Time of last activity

  • Push notifications enabled

  • Card performance

  • Deck performance

  • Topic performance

  • Competence values

  • Score values

  • Exam results

  • Number of exam attempts

  • Products purchased

  • Articles read

  • Articles marked with "Like"

  • Forced account password changes

  • User roles

  • Duels

  • Voucher codes

  • Content groups

  • Friends

  • Firebase Push Notification Token

  • Sent push notifications

  • Agreement pages approvals

  • Change history of authors and admins

  • Pinned learning content

  • Registrations for events

  • Participation status of events

  • Participation in Live Sessions

  • Answers in a live session

  • Start date

  • Unlocks of content

Data is processed when users use the app, when users register in the app themselves or by administrators, and when ovos or the client assesses or evaluates the data.

For what purpose is the personal data mentioned above stored and processed?

Data processing takes place for the following purposes:

  • Provision of the app

  • Use and administration of the app

  • Traceability of the learning success

How long is personal data stored?

Personal data is generally processed for as long as the purpose of the processing is given (e.g. the users participate in a training by ovos play). After the training has been carried out, the personal data will be stored for a period of three months for the purpose of tracking the learning success.

Optional: Automatic anonymization or deletion of accounts of inactive users

Users who are inactive for a certain period of time (i.e. no interaction with the system) are automatically anonymized (username, email address, password and avatar are deleted from the data set). It is not possible to reverse the anonymization or trace the data of an anonymized user back to an individual, as mandated by the GDPR. Traceability can only be achieved with the help of data access with extensive effort.

Anonymized accounts can no longer be used by users. Part of the account usage data is still processed, but only for statistical purposes. The period for automatic anonymization is 365 days in the default configuration and can be set individually per tenant.

21 and 3 days before the optional automatic anonymization, a notification is sent to the affected users via e-mail.

Manual deletion of an account

Users can be deleted manually at any time. This can be done either by the users themselves or by administrators. In case of deletion, all personal data will be deleted from the database immediately (within 5 minutes).

Deletion of the system

If an instance of ovos play is deleted, all users registered on this instance will also be deleted immediately (within 5 minutes).

Data backups

Personal data is still available in backups of the respective database after anonymization or deletion. After a certain period of time, these backups will also be permanently deleted. The deletion period of the backups is 3 months in the standard configuration and can be set individually per database (= tenant).

Log files

General log files do not contain any personal data. Resources that create logs:

| Issuer | Includes personal data? | Automatic deletion | Default deletion period (days) | Deletion period configurable? |
|---|---|---|---|---|
| ovos play services | No (there are exceptions if for example the debug mode for SAML authentication is activated) | yes | 90 | no |
| Bugsnag | yes | yes | 60 | no |
| Sparkpost | yes | yes | 10 | no |
| pm2 | yes | yes | 14 | no |

How long must the data be stored (retention obligation)?

The data processed by ovos play do not fall into any category for which there is a statutory retention obligation.

Who has access to personal data?

Developers, project managers and quality managers of ovos have access to personal data of registered users. Personal data is not transferred to any other responsible party.

Where is the data stored (provider)?

Unless otherwise agreed with the client, the data will be stored in the data processing facility of internex GmbH. The server structure and processing are located in Austria or the European Economic Area. For the ongoing ovos play instance, the operation can take place in Austria, Germany or Switzerland if desired.

Provider: internex GmbH

  • Company register number: 342171v

  • Value Added Tax ID (UID): ATU65604535

  • Managing Director Markus Böhm

  • Company address Lagerstraße 15, 3950 Gmünd, AT

  • Office address 1090 Vienna, Alserbachstraße 30

Processing location (address)

Server Location

  • Interxion Austria

  • Louis-Häfliger-Gasse 10

  • 1210 Vienna, AUSTRIA

Services of the provider

  • Server hosting incl. guarantee of availability of services and databases

  • Traffic monitoring

  • Defense infrastructure

How is the data protected?

Access control

internex / server hosting

Measures that prevent unauthorized persons from gaining access (to be understood spatially) to data centers in which personal data is processed.

Building security

  • Building and infrastructure monitoring

  • Video surveillance

  • Automatic access control system

  • Securing of building shafts outside the perimeter

  • Logging of visitors

  • Careful selection of cleaning staff and security guards

  • Written access regulations

Securing of rooms

  • Biometric access control to data center area

  • Access card for access to a data center room

ovos / Development

Building security

  • Lockable office door

  • Reception with access control to office premises

  • Employee instruction when leaving the office

Securing of the rooms

  • Separately locked server room with key in keylock.

  • Access for

    • Hannes Amon

    • Milan Orszagh

    • Jochen Kranzer

    • Sigrid Cichocki

    • Jörg Hofstätter

Access control

Measures that prevent data processing equipment from being used by unauthorized persons:

Access to server systems

Server passwords and accesses are handed over to the client during the initial commissioning. The customer changes the passwords independently immediately after the takeover and chooses a complex password taking into account generally accepted standards.

The client manages the access data independently and is responsible for their security and periodic changes.

Access control

For the management of internal server systems by authorized administrators, the hosting partner internex uses ezeelogin (https://www.ezeelogin.com/). The following measures are implemented:

  • Authorization concept incl. role definition

  • Password policy (minimum length, special characters, periodic change)

  • Social engineering prevention

  • Multi-way authentication

The client is responsible for access control of customer systems.

Access log

An access log can be exported from ezeelogin.

Transfer control (Art. 32 (1) (b) GDPR)

Measures to ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission:

  • Options for encrypted data transmission are provided to the extent of the commissioned service of the main contract. The Customer shall evaluate the data processing applications it operates and shall order the necessary technical measures on the basis thereof.

  • All employees are instructed and obligated to ensure that personal data is handled in compliance with data protection regulations.

  • Critical interfaces are always IP restricted

Input control (Art. 32 para. 1 lit. b GDPR)

Measures for internal server systems to ensure that it is possible to check retrospectively whether and by whom personal data has been entered, modified or deleted:

  • Logging via log files (ezeelogin).

  • User identification

On customer systems or server systems of the client, the responsibility for input control lies with the client.

Order control (Art. 32 para. 1 lit. d GDPR)

Measures to ensure that personal data is processed in accordance with the client's instructions:

  • Definition of the authority to issue instructions according to customer requirements.

  • Acceptance of orders only in writing or by authorized persons

Availability control (Art. 32 para. 1 lit. b GDPR)

internex / server hosting

Measures in internal server systems for administration to ensure that personal data is protected against accidental destruction or loss:

  • Fire protection measures

  • Overvoltage protection

  • Uninterruptible power supply

  • Air conditioning (redundant system) (Harald gets a message)

  • Humidity between 40% and 60%

  • 24/7 monitoring of the server systems

  • Separate fire compartments

  • Backup concept for internal server systems for administration

On customer systems or server systems of the client, availability control, especially data backup, is the responsibility of the client, unless otherwise agreed in writing in the main contract.

How is the (personal) data encrypted?

Data is stored in the database without encryption. Data transfers/requests use the SSL/TLS protocol. Passwords are hashed in the database (bcrypt, 12 rounds).

"Although the GDPR obviously requires that organizations take the appropriate technical and organizational measures regarding the protection and security of personal data, whereby pseudonymization and encryption of personal data are recommended, the GDPR strictly speaking does not say you must use encryption as some claim since the GDPR says what it says and only jurisprudence and instances such as supervisory authorities and the proper EU authorities have the power of interpreting and/or amending it (and common sense dictates that in specific circumstances encryption is important when considering context and risks)."

https://www.i-scoop.eu/gdpr-encryption/

What is the backup strategy?

How regularly are backups deleted?

Backups are only stored for a limited time and are automatically deleted after the time limit expires:

ovos play Kubernetes Production

Uploaded files as well as the MongoDB and MySQL database

  • 1x/week for last 14 weeks

  • 1x/day for last 30 days

internex Backupcluster

Makes multiple daily backups of the server, which are stored for 10 days

Local MySQL and MongoDB databases

Dumped daily (also stored for 10 days)

What is the information strategy?

  • The e-mail address of the requested user account is used to authenticate authorized persons for a request.

  • If authentication is not possible beyond doubt (e.g. no e-mail address available), then information is only provided after prior verification and approval by the client.

  • A data export can be performed at any time.

  • In this case, all data associated with the user is exported in a machine-readable format.

What is the deletion strategy?

  • The authentication of the requesting person is done in the same way as for the information strategy

  • If authentication is successful, the data is deleted according to one of the following variants:

    • Variant A: manual deletion by ovos staff (deletion takes place within 30 days - backups remain stored for a while and are then automatically deleted)

    • Variant B: manual deletion by the user himself/herself via a button in the app (secured by nickname entry) (deletion takes place immediately - backups are also retained for a period of time).

Process flow

Registration

Data is sent to the server via SSL/TLS encrypted connection.

In case of successful registration (email address, username, password valid) the password is hashed with bcrypt (12 rounds) and stored. Otherwise the data will be discarded.

The actual registration process may differ depending on the authentication method used.

Login

User logs in with email and password. Data is sent to the server via SSL/TLS encrypted connection.

In case of a successful login, the user receives a JWT token with which he can authenticate himself. The token payload contains only the user ID.

The actual login process may differ depending on the authentication method used.

Password Reset

Users can request a link to reset their password. The link will be sent to the email address provided during registration (or otherwise). The link is valid indefinitely, until a new reset link is requested or until the password is reset via the link.

If no e-mail address is stored for the user, deletion of the user account can be requested by contacting ovos play support (support@ovos.at). After the request has been checked and approved by the client, a consultation with the requesting person will take place regarding the further procedure.

Delete account

The user can delete the user account via his user profile. In case of deletion, all personal data of the user will be deleted from the database.

Does ovos play use subcontractors?

Yes, ovos play uses subcontractors to ensure the operation of the software:

  • Internex GmbH, 1090 Vienna, Alserbachstraße 30, Vienna; for the operation of the software.

  • Bugsnag for bug fixing, 110 Sutter St, San Francisco, CA 94104, United States

  • Messagebird for email delivery, Trompenburgstraat 2C, 1079 TX Amsterdam, The Netherlands

  • Firebase for push notification delivery, Google Ireland Limited, with registered office at Gordon House, Barrow Street, Dublin 4, Ireland.

Bugsnag only includes personal data in exceptional cases. Firebase is only used when the native app is used. As an alternative to sending emails with Sparkpost, you can also configure your own SMTP server.

Other

Is there a data protection officer at ovos?

No, because the obligation to appoint a data protection officer only applies to companies (controllers and processors) if the core activity consists of carrying out processing operations which, due to their nature, scope and/or purposes, require extensive regular and systematic monitoring of data subjects (e.g. banks, insurance companies, credit agencies and professional investigators) or if "sensitive data" (GDPR Art 9 (1)) or "personal data relating to criminal convictions and offences" (GDPR Art 10) are processed. This does not apply to ovos.

Source: https://www.wko.at/service/wirtschaftsrecht-gewerberecht/EU-Datenschutz-Grundverordnung:-Der-Datenschutzbeauftragt.html

Nevertheless, the topic of data protection is so important to us that we have two responsible (and trained) employees on this topic:

Is there a CISO (Chief Information Security Officer) at ovos?

Yes, the CISO at ovos is Milan Orszagh (mo@ovos.at).

Contact person for data protection issues

For questions regarding personal data concerning you or to assert your rights, please contact datenschutz@ovos.at.
