Skip to main content

Data Security & General Data Protection Regulation (GDPR)

  • Updated


Security & Integrity 


All servers are located in Germany. This means we have to adhere to the data privacy regulations of the European Union (EU), namely and lately the General Data Protection Regulation ie. GDPR or "DSGVO".

Data privacy regulations in the European Union are among the strictest in the world, and among all European member states, Germany has one of the strongest policies: the Federal Data Protection Act (Bundesdatenschutzgesetz). This law protects users of Internet services. It puts the user in charge of what should be done with their data: Companies are not allowed to collect any personal information (e.g. name, date of birth, IP address) without express permission from an individual.

There is no law in Germany that could force us to submit to a gag order or to implement a backdoor.

Important Customer Documents 

For customers, the most relevant documents to consider when starting to work with can be found here:

The data protection officer of the controller is:
DataCo GmbH
Nymphenburger Str. 86
80636 München
+49 (0)89 7400 4584



Our Security Explained by example 


We strongly believe that data security & integrity should be a given in any software. Frankly, we do not need regulations like GDPR, Privacy Shield and others to remind us. has always maintained a Information & Security Management System (in Short "ISMS) which describes controls that ensure we are sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities.

At we working hard to ensure our app and processes are GDPR compliant. We fully believe that just because the GDPR is serious business, doesn’t mean that we can’t make it a little fun and exciting—after all data security is in the best interest of everyone.

So, what’s the GDPR all about? Firstly, GDPR stands for General Data Protection Regulation and will replace and build on the Data Protection Directive (DPD) of 1995. Previously, DPD depended on regulation changes on state level; however, with GDPR, the laws will go in effect EU-wide without the need for state members to introduce laws themselves.

Secondly, the GDPR doesn’t only apply to EU-based businesses, but also to businesses that monitor and process the data of EU citizens. This means that whether you’re in the North Pole or down under, as long as you handle the data of EU citizens, you too will have to be GDPR compliant.

With the introduction of the GDPR on 25 May 2018, as a ‘data processor’, will have to ensure that not only do we take certain security measures to protect the personal data of EU citizens, but that we also set up transparent and secure ways of handling personal data.

Therefore, our team is fully dedicated to meeting all the GDPR mandates to ensure that is not only compliant, but that we also provide more quality experiences for those who trust us with their personal data.

Example Case

Meet Alan, the CEO of Deer Ltd., a company in Spain, an EU member state. Deer Ltd. and its employees are all users of

Therefore, we at are ‘data processors’ since we handle the personal data of data subjects (e.g. employees at Deer Ltd.) on behalf of the customer, also referred to as the "data controller" (e.g. Deer Ltd.).

In this instance, Deer Ltd., is responsible for the personal data of their data subjects (i.e. their employees). However, as the data processor, has to make sure to only process the subjects data necessary to fulfil our contract with the data controller. This is all a complicated way to make sure that:

  1. is only processing data needed to deliver our services (absence management, time tracking & personell management) to Deer Ltd.
  2. evaluates regularly why, by whom and where Deer Ltd. Employee data is being processed.
  3. Deer Ltd. is aware of the data being processed & by whom. We inform Deer Ltd. about any data processing changes.
  4. always has a reason to process data, rooted in the service contract with each customer.
  5. Deer Ltd. may contact Data Privacy Officers at any time to inquire GDPR rights or other legal information on personal data & security.
  6. Since we use third-party services to handle some user data, we’ll also have to consider the procedures related to ‘data (sub)processors’ if they process data from Deer Ltd. employees. If we use any third party software to fulfil the service contract with the customer, Deer Ltd. has to know which data is being processed & why (see 3. above).

Below you’ll find a detailed list of what we’ve changed or added to be GDPR compliant.

GDPR Rights - Empowering the Customer


What does it mean?

What we've done

Lawful basis of processing

For us to use the data of the employees at Deer Ltd., we need their expressed consent and their knowledge of what they are consenting to; contract related matters (sending invoices, negotiation); or the presence of ‘legitimate interest’.

At all personal data collected are used only in relation to the users’ account. Phone calls, emails and other forms of communication that may use personal data are directly related to our software and/or activities performed within our software (notification emails).


For Alan and his employees at Deer Ltd. to give consent, we need to ensure that they:

a) know what they are opting into;

b) they need to positively opt-in, and just because they opt in once, doesn’t mean we can assume they consent to everything;

c) the consent agreement needs to be detailed and informative, meaning that they need to know the exact ways we process their data and what we use it for.

We are implementing an additional step during registration that will ask all users to consent to the processing and usage of their data for marketing, support and contractual purposes. In addition, users will be able to re-confirm their consent. Once given, our systems will keep note of this so that in the future our users will not receive any emails from us if they have not explicitly given their consent.

Withdrawal of consent (or opt out)

Just as easily as Alan and his employees can opt-in, they also need the ability to opt-out at any time.

Users receiving emails from will have the ability to opt-out of emails within the email itself. Otherwise, users can also opt-out in their account settings at any time.


Alan and his employees need to be made aware. will not only inform you that we are using cookies, but which types of cookies we are using and whether you consent to these terms.

More on cookies here.

Deletion (or ‘the right to be forgotten’)

Alan and his employees have the right to request that permanently delete all personal data pertaining to them. This includes any email and phone call exchanges and other submissions.

At we’re making it easier for you to delete your data on request. Currently we are working on a deletion workflow based on data categories that will make sure that we only keep the data that we need to deliver as a service to you. We will make sure that we perform an automatic and permanent deletion of data sets not needed anymore according to legal requirements.

Since we use sub-processors, we’ll also make sure that your data is deleted from their servers.

Access / Portability

Not only can Alan and his employees request to delete their data, they can also request that we grant them access to the personal data we have on them. Once requested, we must provide the personal data we have in an accessible format. will readily give you your data upon request in an easily readable manner. On top of that, if needed, we will also provide you with an export of your data from our sub-processors.


If any personal data pertaining to Alan or his employees changes at any time, they can edit any incorrect or incomplete information at any time. allows you to edit personal data at your own discretion. We delimit this with roles and rights to ensure that not everyone with access to a company’s account can edit information.

Admins, HR and owners have the rights to change user and account information.

Users will have to contact their company’s HR or admin who will be able to access their profile to make any changes.

Security Measures

Under the GDPR, data processors (e.g. and data sub-processors (i.e. third-party organizations that handle personal data on behalf of data processors) must ensure various safeguards and protocols for data protection. This includes encryption, pseudonymization and anonymization of personal data to limit and control access.

At, we are committed to strengthening our security to keep your data safe. On top of industry practices like end-to-end encryption, penetration testing and encryption at rest, we are adding tighter security protocols that are compliant with the GDPR.


Was this article helpful?



Please sign in to leave a comment.