Data Protection Impact Assessment

The English version of the legal agreements and policies is considered the only current and valid version of this document.

A Privacy Impact Assessment (PIA) is required under GDPR for data-intensive projects, and is a living document which must be made accessible to all involved with a project.

This document was last updated August 2024.

1. Data collection and retention

What personal data is processed? We collect the following data during signup: Name (first and last), Address, City and Zipcode, Country of residence, Email, Phone and VAT ID if applicable. In addition we log the IP address of the user.

How is that data collected and retained? Data is collected using HTML forms or written digital documents and transmitted via an encrypted (SSL) HTTPS connection to the Epsilon PS e.K. data lake. The user password is encrypted and not known by us.

For how long is data stored? Data is stored for as long as customers have an active account. If a customer deletes their account, all personally identifiable information is deleted with the exception of certain network and traffic logs which may persist for up to a year. Please see our Third Party Information Sharing page for details.

Is the data collection specified, explicit, and legitimate? Yes.

Is the data minimized to what is explicitly required? We do not gather any more data than required in order to comply with EU law and for the purposes of billing.

How are users informed about the data processing? Users are informed through our data protection and privacy policies and notices available on our website.

2. Technical and security measures

Is the data encrypted? All data is encrypted during transit, but only passwords are encrypted at rest.

Is the data anonymized or pseudonymized? No.

Is the data backed up? Yes. Daily.

What are the technical and security measures? Stringent security protocols protect the server and running services. The server is continuously kept up to date. The firewall is stringent and tools such as Fail2Ban are implemented. We continuously monitor all activity on the central server.

3. Personnel

Who has access to the data? All Epsilon PS e.K. support staff and engineers.

What data protection training have those individuals received? Basic GDPR training. Most employees are highly technically proficient and have deep insight into IT security.

What data breach notification procedures are in place? Automated alerts are set up for unusual activity as seen in system logs.

What procedures are in place for government requests? Standard procedures are in place. We have a published Transparenzbericht.

4. Subject access rights

Data subjects may exercise their rights (access, portability, erasure, restriction, objection) by contacting Epsilon PS e.K. support.

Are the obligations of all data processors covered by a contract? Yes.

If data is transferred outside the EU, what safeguards exist? Epsilon PS e.K. utilises Stripe as its payment processor. Please see our page on Third Party Information Sharing.

6. Risks

What are the risks if data is misused or breached? As we only gather otherwise publicly accessible information, our assessment of the privacy impact is moderate.

What are the risks if data is lost? Users may lose access to their account. Unless all backups are lost, we can reconstruct a user account. If a user actively deletes their account, user data would be lost in the course of 3 weeks unless we are made aware.

What are the main sources of risk? Zero-day exploits of our CMS and/or toolchain including Linux kernel, Apache/Nginx, PHP, MySQL, SSH and related services.

What steps have been taken to mitigate those risks? We proactively and defensively keep our systems up to date, monitor intensively and review security frequently.