Privacy Policy
Information on the processing of personal data pursuant to Art. 13 and 14 GDPR
1. Controller
The controller responsible for data processing in connection with the operation of this platform is:
- Company
- IDentity Center GmbH
- Address
- c/o BFD, Frankfurter Str. 151B, 63303 Dreieich, Deutschland
- contact@identitycenter.biz
- Phone
- +49 69 175369080
2. Scope
This privacy policy applies to the use of the easyROPA web application at ropa.aiti-one.de and to publicly accessible pages (e.g. login, legal notice, privacy policy). It describes how IDentity Center GmbH, as the platform operator, processes personal data.
3. Overview of Processing
We process personal data only to the extent necessary to operate the platform. This includes in particular:
- Authentication via email and one-time code (passwordless login)
- User master data (name, email, department, role)
- Session and cookie data to maintain login state
- Security and audit logs (IP address, timestamps, actions)
- Business content entered by tenants (processes, assignments, documents)
- Transactional emails (login codes, invitations, notifications)
- Uploaded files (e.g. process documents, branding assets)
4. Login and Authentication
Login is exclusively passwordless via email and one-time code. No passwords are stored.
- Data processed
- Email address, hashed one-time codes, IP address, timestamps, user agent, login status
- Purpose
- Identification and authentication of users, abuse prevention (rate limiting)
- Legal basis
- Art. 6(1)(b) GDPR (contract performance or pre-contractual measures); Art. 6(1)(f) GDPR (legitimate interest in system security)
- Retention period
- One-time codes are deleted after use or expiry (default 10 minutes). Failed attempts are logged and deleted after security retention periods expire.
5. User Accounts
Master data is stored for each user, created by the tenant administrator or supplemented by the user when accepting an invitation.
- Data processed
- First name, last name, display name, email address, phone number (optional), position, department, language, role and functional permissions, time of last login
- Purpose
- Provision and management of the user account, assignment of tasks and responsibilities, communication within the platform
- Legal basis
- Art. 6(1)(b) GDPR (usage contract with the tenant); Art. 6(1)(f) GDPR (legitimate interest in proper user management)
6. Cookies and Sessions
We use technically necessary cookies and session data. No tracking or marketing cookies are used.
- Data processed
- Session identifier (session token, stored hashed in the database only), CSRF token, language setting (locale), cookie settings (Secure, HttpOnly, SameSite=Lax)
- Purpose
- Maintaining login state, protection against cross-site request forgery, language selection
- Legal basis
- Art. 6(1)(b) GDPR (use of the platform); Art. 6(1)(f) GDPR (IT security)
7. Logging and Security
Security-relevant and business-relevant actions are logged in an audit log to ensure traceability and system security.
- Data processed
- User ID, tenant ID, event type, affected entity, timestamp, IP address, user agent, optional structured additional data (e.g. changed fields)
- Purpose
- Proof of access and changes, error analysis, abuse detection, fulfilment of data protection documentation obligations
- Legal basis
- Art. 6(1)(f) GDPR (legitimate interest in system security and traceability)
- Retention period
- Audit entries are stored for the duration of the contractual relationship with the tenant and beyond in accordance with statutory retention periods, unless earlier deletion is requested.
8. Tenant Data and Processing on Behalf
Business content captured in easyROPA by tenants (e.g. processing activities, processes, data flows, external parties, documents, tasks and findings) typically relates to personal data for which the respective tenant (customer company) acts as controller under the GDPR. IDentity Center GmbH processes this data as a processor on behalf of the tenant based on a data processing agreement (DPA). For inquiries regarding such data, please contact your company's data protection officer or administrator first.
9. Email Delivery
Transactional emails (login codes, invitations, assignment notifications, review reminders) are sent via a configured email service. The recipient's email address and the respective message content are processed. No newsletter or marketing emails are sent.
10. Hosting and Storage
The application and associated database are operated on servers in Germany or within the European Union. Access to production systems is restricted to authorized personnel.
11. External Services
The following external resources are loaded to render the user interface. Your IP address may be transmitted to the respective providers:
- Google Fonts (typefaces "Inter" and "Material Symbols") — fonts.googleapis.com / fonts.gstatic.com
- jsDelivr CDN (Tailwind CSS, SweetAlert2) — cdn.jsdelivr.net
12. Recipients and Disclosure
Personal data is disclosed only to the extent necessary to operate the platform: to IT service providers (hosting), email delivery service providers, and — within the multi-tenant architecture — exclusively within the respective tenant to authorized users of the same organization. No disclosure to third parties for advertising purposes takes place.
13. Third Country Transfers
When loading external fonts and CDN resources (see section 11), transfer to third countries (in particular the USA) cannot be ruled out. Providers rely on appropriate safeguards pursuant to Art. 46 GDPR (e.g. standard contractual clauses). Core application and tenant data are processed within the EU.
14. Your Rights
You have the following rights regarding your personal data vis-à-vis the controller:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, contact contact@identitycenter.biz. If your employer or tenant uses the platform, please contact your company's administrator first for tenant business data.
15. Automated Decision-Making
No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place.
16. Data Security
We implement appropriate technical and organizational measures to protect your data, including: encrypted transmission (HTTPS/TLS), hashed storage of login codes and session tokens, strict tenant data separation, role-based access control, CSRF protection, login rate limiting, and regular security reviews.
17. Changes to this Policy
We reserve the right to update this privacy policy when legal requirements or the technical implementation of the platform change. The current version is available at /datenschutz.
Last updated: 25.06.2026