🚀 Brand new features for Atlassian Learn more

GDPR

100% Compliant with the General Data Protection Regulation

On the 25th of may the EU general data protection regulation (GDPR) was put into action. The aim was to protect EU citizens from data-hungry software companies. It ensures the proper handling of personal information of a person by other people, organisations or companies inside the EU. Our messaging service is 100% compliant with the regulation and therefore"GDPR-ready". On this page we try to give you an extensive overview of all our measures.

Support with your compliance

No matter if you are a cloud or server customer, we are always available to help you with the usage of our service. Be it the configuration of your Grape installation or the setup of data exports. We help with managing the chat-organisation and users, or deleting former users via identity providers.

GDPR & Grape Cloud-Service

If you are using Grape Cloud your data is stored on our server data centers. This makes us the data processor and you the data controller in the sense of the EU General Data Protection Directive.

GDPR & Grape On-Premise

Grape on-premises means, that our messaging service runs on the servers of our customers. in that case we are data processor and not data controller. Grape Server Customers get a license for the software and are therefore responsible in front of GDPR.

Contractual Compliance

Our customers can request a Data Processing Agreement to contractually ensure the proper processing of their users.

Request Data Processing Agreement

If you use Grape, you can read up here on the privacy agreement you confirm on organisation creation.

Read up on our Privacy

Relevant features

Deleting Organisations

Organisations, your company's instance within Grape, can be completely deleted. The erasing includes all users and data. This feature is available only to the organisation creator. To delete it, you need to enter your password. If two-factor-authentication is activated, you'll receive an E-Mail with a confirmation link. On completion the organisation will be deleted completely from our database.  

Data export

The organisation creator has the permission to export all data of the whole organisation. To protect private conversations the creator can only export chat content that he has access to. Private messages or chat content of private groups of other users will not be exported. While exporting, a private ZIP-File is generated, that can be downloaded.

Deletion of Users

A manual deactivation of individual users is always possible. Users deleted via systems like Active Directoy are automatically deactivated via Grape. The same is true, if you provide login via SSO.

Extra Features in the On-Premises Version

Information to be provided where personal data are collected from the data subject (Art 13) and Records of processing activities (Art 30)

  • Enterprise customers receive a thorough table of which data is saved in which places including its save time
  • Another table informs when informations have to be forwarded to third parties
  • Technical infos like ports and hostnames are documented here.

Right to rectification (Art 16)

  • Infos like names or email addresses can be received directly from identity providers like Active Directory and are synchronised periodically. If something is changed via an identity provider, there are no further changes needed.
  • Users can change grape specific data at any given time on their own, if needed
  • If it's not possible to change data within Grape, the server versions of Grape allow for changes in a separate admin area.
  • A database administrator can, if needed, change or delete Grape messages


Right to erasure (‘right to be forgotten’) (ART 17)

  • Entry-level: Grape Enterprise Admins can delete groups, integrations and memberships via a separate administration area.
  • Message-level: A database administrator can overwrite or delete messages, if needed. 


Records of processing activities (Art. 30 GDPR and Chapter 5)

  • Two-Factor-SMS-Authentication: SMS Gateway can be changed if needed (Standard SMS-Gateway-Provider: IXOLIT GmbH, Mariahilfer Straße 77-79, 1060 Vienna/Austria) 
  • Security of processing (Art. 32 GDPR): More infos
  • Encryption of internal transactions: We can help with this during setup of reverse proxies and edge servers
  • Proxy: All HTTP Requests of the Grape Server can be rooted via Web Proxy
  • Link Preview Limitation: You can set up blacklists and whitelists for link previews
  • Storage and Virus Scanners: Uploaded files can be stored on your compliant and virus scanned media infrastructures
  • Backups: Out-of-the-box cold and hot backup scripts - More infos
  • VM Backup: If Grape runs inside a VM, you can alternatively save the whole VM via Hypervisor
  • Monitoring: For enterprise customers we are offering finished monitoring scripts
  • Logging: Logging of all administrative actions for better compliance


Grape Server Administration (Art. 25 GDPR)

  • Custom Session Cookie Age: The time in seconds after which a cookie will automatically become invalid. Default: 86400 (1 day)
  • Time between full AD resyncs in minutes: The time to wait between full user/group syncs when using Active Directory. Setting this to low will impact performance, it is recommended to keep the default and manually resync when needed. Default: 1440 (1 day)


Icon For Arrow-up