Privacy Policy

Effective from November 21, 2025

Below you will find an overview of which data is collected during your visit to our website, how this data is used and shared, which security measures we take to protect your data, and how you can obtain information about the data you have provided to us. This privacy policy applies to the entire website, but not to pages operated by other providers to which the website links.

If you transmit personal or business data within our online services—such as email addresses, names, or postal addresses—your submission is preceded by your consent to the collection, use, and processing of your personal data. For this reason, the data you enter on our pages is encrypted using SSL (Secure Socket Layer) and stored on specially protected servers.

Cookie Settings

To open the menu where you can change your cookie settings and permissions, please click the button at the bottom left of your screen.

Look for this button at the bottom left of your screen.

Suchen Sie diese Schaltfläche unten links auf Ihrem Bildschirm

Privacy Policy

I. General information

For the domains www.certification-india.com, www.korea-certification.com, www.africa-certification.com, www.certification-japan.com, www.vietnam-certification.com as well as www.mpr-international.com is the responsible body in terms of data protection law:
MPR International GmbH
Kaiserstr. 65, 60329 Frankfurt am Main, Germany
Tel.: 069 2713769261
Entry in the commercial register
Registration number: HRB 117902
Register court: Frankfurt am Main
Responsible for data protection: Louis Gogger, 069 2713769261
The data protection guidelines of MPR International GmbH are congruent in the essential points with those of MPR China Certification GmbH.
The privacy policy of MPR International GmbH can be viewed here:
https://certification-india.com/en/privacy-policy/

Responsible for the data protection according to GDPR for the domain www.china-certification.com:
MPR China Certification GmbH
Kaiserstr. 65, 60329 Frankfurt am Main, Germany
Tel.: +49 69 2713769150
Registered under number: HRB 101427
At court: Frankfurt am Main
Responsible for the privacy policy and data protection: Julian Busch, Louis Gogger, +49 69 2713769150

We, MPR International GmbH, Kaiserstr. 65, 60329 Frankfurt am Main, Germany (further information are available in the imprint) are the local website operator (Art. 13 par. 1 GDPR). We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

If you use this website or our service, various personal data are collected. Personal information is information that personally identifies you. We collect, store and use personal information solely for the purpose and to the extent that you permit us to use our website.

Please note that data transmission over the Internet (for example, when communicating via e-mail) may have security vulnerabilities. With regard to the transfer process, we have no influence

II. Compulsory information and exact description:

A. Required information

Type of data and group of persons
a. Types of processed data:
– contact details (e.g. e-mail).
– content data (e.g. text input).
– usage data (e.g. access times, page navigation).
– Meta / communication data (e.g. IP addresses).

b. Categories of persons
Visitors and users of the website

Legal basis of the data collection (Art. 13 par. 1 c GDPR)
a. Visit the website without input
Various data are automatically collected when visiting the website. These are above all technical data (for example Internet browser, operating system or time of the page request). The collection of this data occurs automatically as soon as you enter our website and is necessary to establish the connection with you. The collection of these data is based on the legitimate interest within the meaning of Art. 6 par. 1 f GDPR data.
Use of the contact / order form/ Chat
Your data will continue to be collected by using our contact / order form/ Chat. This data collection then takes place on the basis of their consent (Art. 6 par. 1 a GDPR) or with regard to the mandatory fields for pre-contractual contacting or the provision of the desired information (Art. 6 par. 1 b GDPR). The data collection of the combination of first and last names is based on the fact that our offers are aimed exclusively at traders on the basis of legitimate interest (Art. 6 par. 1 f GDPR).

After using the contact / order form/ Chat, we collect, process and use your personal data entered into the forms only insofar as they are necessary for the establishment, content or modification of our contract with you (inventory data) or for further information about our current or future services on the basis of legitimate interest (Art. 6 par. 1 f GDPR).

We only collect, process and use personal data on the use of our website (usage data) to the extent necessary to enable you to make use of our offers. The use of the inventory and usage data is based on the fulfillment of our contract or pre-contractual measures (Art. 6 par. 1 b GDPR). Data which is voluntary in the contact form or elsewhere is marked as such. This data collection then takes place on the basis of their consent (Art. 6 par. 1 a GDPR).

Duration of storageThe storage of the data is based on Art. 6 par. 1 b GDPR (processing of data for the performance of a contract). We retain the data for the duration of the legal retention periods. (Art. 17 par. 3 B GDPR)

Right to information
At any time you have the right to obtain free information about the origin, recipient and purpose of the personal data stored about you (Art. 13 par. 2 b GDPR).

You also have the right to request the correction, blocking or deletion of these data (Art. 13 par. 2 b GDPR). Furthermore, you can revoke this consent at any time for information that is collected on the basis of their consent (Art. 13 par. 2 b GDPR).

You can always contact us for any questions about data protection. Furthermore, you have a right of appeal to the competent supervisory authority (Art. 13 par. 2 d GDPR).

Data portability
You have the right to receive the data that we process on the basis of your consent or in fulfillment of a contract, to yourself or to a third party in a standard, machine-readable format. If you require the direct transfer of the data to another person in charge, this will only be done if technically feasible (Art. 20 GDPR).

Cooperation with contract (data) processors and third parties
If we share or reveal information with other persons and / or businesses, e.g. Contractors or third parties, transmit data to them or otherwise give them access to the data, this is done exclusivelyon the basis of a legal permission (for example, if a transmission of the data in accordance with Art. 6 par. 1 b GDPR is required to fulfill the contract, you have agreed a legal obligation to do so orbased on our legitimate interests (such as the use of agents, web hosts, etc.).

Insofar as we entrust third parties with the processing of data on the basis of a so-called “contract processing contract”, the transfer is made on the basis of Art. 28 GDPR.

B. Detailed Description

Visit our site without your own input
Various data is collected automatically when visiting the website through our IT systems. These are above all technical data (for example Internet browser, operating system or time of the page request). The collection of this data is automatic as soon as you enter our website. Part of the data is collected to ensure a flawless provision of the website. Other data can be used to analyze your user behavior. We do not collect this data with personal data. The data remain for us technical data without personal reference.
Data using the contact and/or order formVisitors to our website, who want to contact our company or intent to order brochures or data sheets, we offer the possibility to use our contact and/or order form. This requires the input of personal data, such as First name and surname, e-mail. These entries are not published and are only for communication between us and you for the purpose of contacting us or for the purpose of sending the information requested and for the purpose of sending further information on current and future services.

“Strato” also stores all the technical data required for the correct display and loading of the website. There is an order processing agreement with “Strato” within the meaning of Art. 28 GDPR.

Website hoster: STRATO AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Register Court Berlin Charlottenburg, HRB 79450

MPR International GmbH uses services provided by the software company HubSpot.
HubSpot is a US company with a branch in Ireland.
HubSpot European Headquarters
Ground Floor, Two Dockland Central
Guild Street, Dublin 1,
Ireland
Phone: +353 1 5187500

We use HubSpot for our marketing activities. This is a software solution that covers various aspects of our online marketing.

These include:
E-mail marketing (newsletters and automated mailings, for example, to provide downloads)
Contact management (e.g. user segmentation & CRM)
Landing pages and contact forms

This information and the contents of our website are stored on servers of our software partner HubSpot in Ireland. They can be used by our company to connect with visitors of our website and to determine what services of our company visitors are interested in. This constitutes a legitimate interest within the meaning of Art. 6 (1)(f) GDPR.
All information we collect is subject to this Privacy Policy.
In accordance with Art. 28 GDPR, we have concluded a contract processing agreement with HubSpot Ireland and fully implement the resulting requirements.
HubSpot is certified under the terms of the EU-US Privacy Shield Framework and is governed by the TRUSTe’s Privacy Seal and the US-Swiss Safe Harbor Framework.

More information on HubSpot’s privacy policy can be found here:
https://legal.hubspot.com/privacy-policy?
More information on the use of cookies by HubSpot can be found here:
https://knowledge.hubspot.com/articles/kcs_article/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser
And here:
https://knowledge.hubspot.com/articles/kcs_article/account/hubspot-cookie-security-and-privacy?

III. Use of an Automated Chatbot

We use a custom-developed chatbot operated via the n8n platform to efficiently process customer inquiries. Use of the chat is only possible after providing consent to this privacy policy (requested when the chatbot is initiated). During use, the information entered by the user is processed in order to understand, categorize, and respond to the inquiry. The chatbot may also be used to enter customer contact details, which may be forwarded internally for the purpose of providing additional information regarding current and future services offered by us.

For further processing, the necessary data is transmitted exclusively for business and legitimate purposes to the following services, where it is subsequently processed: Google Workspace (Google Sheets), Atlassian (Jira, Confluence, Trello), Supabase, and Slack (Salesforce Inc.). All services mentioned are used as part of a professional and GDPR-compliant operational workflow.

For detailed information on the respective terms of use and data protection standards of these service providers, please refer to the dedicated sections below.

Protection of the data of visitors of the portal
We use security protection measures, such as HTTPS, to protect your personal information. We regularly check our systems for potential weaknesses. Despite our actions, we are unable to provide any guarantee that data will not be accessed or that they will not be disclosed, altered or destroyed as a result of a security breach.
Cookies
On our portal we use cookies. These are small text files that are stored on your computer and improve the functionality of our portal, for example, to automatically complete a repeated input in the text field. In addition, we can use cookies to evaluate the use of our website (see also section 4. a.)

In most cases, the cookies we use are so-called “session cookies” and these are automatically deleted after the end of your visit. However, we do not associate these cookies with your personal information. Other cookies remain stored on your device (whether mobile or not) until you delete the cookies. This allows us to recognize your browser on your next visit.

[dsgvo_consent_optout]

You can set your browser to be informed about the setting of cookies and allow cookies only in individual cases to exclude the acceptance of cookies for certain cases or in general as well as the automatic deletion of cookies when closing the browser.

You will find instructions here, among others:

https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

https://support.microsoft.com/en-us/help/260971/description-of-cookies

https://support.google.com/chrome/answer/95647?hl=en

By deactivating the cookies by you, the functionality of our portal may be limited.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you wish to use (eg. shopping cart function) are processed on the basis of Art. 6 par. 1 f GDPR. The website operator has a legitimate interest in the storage of cookies for the technically correct and optimized provision of its services. Insofar as other cookies (such as cookies for analyzing your surfing behavior) are stored, they will be treated separately in this privacy policy. “Third-party cookie” offers cookies from providers other than the person responsible for the online offer (see 4. a). Our own cookies are called “First-party cookies”.

You can set up your browser in such a manner that you will be notified anytime cookies are placed and you can permit cookies only in certain cases or exclude the acceptance of cookies in certain instances or in general and you can also activate the automatic deletion of cookies upon closing of the browser. If you deactivate cookies, the functions of this website may be limited.

Amendment of the privacy policy
Our services on the portal are dynamic and we often introduce new features. Therefore, new information may need to be collected. When we collect or substantially change any new personal information about how we use your information, we will notify you and, if necessary, also modify this Privacy Policy.

Cookiebot

We use the consent management service Cookiebot, provided by Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (Cybot). This enables us to obtain and manage consent from website users for data processing. The processing is necessary for compliance with a legal obligation (Art. 7 para. 1DSGVO) to which we are subject (Art. 6 para. 1 p. 1 lit. c DSGVO).

For this purpose, the following data is processed with the help of cookies:
Your IP address (the last three digits are set to ‘0’). Date and time of consent. Browser information URL from which the consent was sent. An anonymous, random and encrypted key. Your consent status as an end user, to prove consent.

The key and consent status are stored in the browser for 12 months using the cookie “CookieConsent”. This preserves your cookie preference for subsequent page requests. With the help of the key, your consent can be proven and tracked.

If you enable the “Collective Consent” service feature to enable consent for multiple web pages through a single end-user consent, the service will also store a separate, random, unique ID with your consent.

If all of the following criteria are met, this key is stored in the third-party cookie “CookieConsentBulkTicket” in your browser in encrypted form:
You enable the collective consent feature in the service configuration. You allow third-party cookies via browser settings. You have disabled “Do not track” via browser settings. You accept all or at least certain types of cookies when you give consent.

The functionality of the website is not guaranteed without the processing. Cybot is a recipient of your personal data and acts as a processor for us.

The processing takes place in the European Union. You can find more information about objection and removal options vis-à-vis Cybot at: https://www.cookiebot.com/de/privacy-policy/.

Your personal data will be deleted consecutively after 12 months or immediately after the termination of the contract between us and Cybot. Please see our general comments about deleting and disabling cookies above.

YouTube videos

We have integrated YouTube videos into our website to offer you engaging videos with information on certification topics directly on our website. The use of cookies or scripts is necessary to view these videos.

YouTube is an online video platform and subsidiary of Google Inc. The platform is operated by YouTube, LLC, located at 901 Cheny Ave. in San Bluno, CA 94066, USA. If you accept cookies on our site and call up a page on our website that contains an embedded YouTube video, your browser automatically establishes a connection to the servers of YouTube or Google, whereby (depending on the setting) various data are transmitted. Google Ireland Limited (located at Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for all data processing in the European region.

To display videos on our website, we have integrated a code provided by YouTube. When you accept cookies and access a web page that contains a YouTube video, YouTube creates at least one cookie that stores information about your IP address and our URL. This type of cookie may contain various data that YouTube claims is used to collect video statistics, improve the user experience, and prevent inappropriate behavior, among other things.

If you have consented to the processing and storage of your data by embedded YouTube elements by accepting our cookies, this consent is deemed to be the legal basis for data processing pursuant to Art. 6 (1) (a) DSGVO. In general, your data will also be processed and stored on the basis of our legitimate interest under Art. 6 (1) DSGVO to enable fast and effective communication with you, other customers and business partners. However, we only use the embedded YouTube elements if you have given us your consent. YouTube sets cookies in your browser to store data and processes data at various locations, including in the USA.

Since YouTube is a subsidiary of Google, there is a common privacy policy. To learn more about how your data is handled, we recommend that you read the privacy policy at https://policies.google.com/privacy?hl=de.

Web analysis by Matomo (formerly PIWIK)

the scope of processing of personal data

We use the open source software tool Matomo (formerly PIWIK) on our website for the anonymized analysis of the surfing behavior of our users.

A separate cookie (first-party cookies) is set. If individual pages of our website are visited, the following data is stored:

(1) Two bytes of the IP address of the calling system of the user

(2) The visited website called up

(3) The website from which the user accessed the visited website (referrer)

(4) The sub-pages that are visited starting from the visited website

(5) The time spent on the website

(6) The frequency with which the website is called up

The software runs exclusively on the servers of our website. A storage of the personal data of the users only takes place there. The data will not be passed on to third parties.

Legal basis for the processing of personal data

The users’ personal data is processed on the legal basis of Art. 6 para. 1 letter f GDPR.

purpose of data processing

The processing of the users’ personal data enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness. These purposes also include our legitimate interest in processing the data in accordance with Art. 6 Para. 1 lit. f GDPR. By anonymizing the IP address, the interest of the users in their protection of personal data is sufficiently taken into account.

duration of storage

The data is deleted as soon as it is no longer required for our recording purposes, usually after 12 months.

Integration of Google Workspace (including Google Sheets)

We use the services of Google Workspace, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), for the management, editing, and storage of data, including personal data. The applications used include, in particular, Google Sheets, Google Docs, Google Drive, and Gmail.

Purpose of processing

Google Workspace is used for internal organization, communication, and data management within our company. Personal data (e.g., contact details, contract information, or communication content) is processed to the extent necessary to fulfill our contractual and organizational obligations.

Legal basis

Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract) as well as Art. 6(1)(f) GDPR (legitimate interest in efficient and secure corporate organization).

Data processing agreement and data security

A data processing agreement pursuant to Art. 28 GDPR has been concluded with Google. This ensures that Google processes personal data exclusively in accordance with our instructions and has implemented appropriate technical and organizational measures to protect the data.

Data processing generally takes place within the European Union. A transfer to third countries only takes place when it is technically necessary. If data is transferred to third countries (in particular the USA), this is carried out on the basis of the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, which ensure an adequate level of data protection.

Retention period

Personal data is stored only for as long as necessary to fulfill the respective processing purposes. Once the data is no longer required for these purposes, we delete it as part of our regular deletion routines unless statutory retention obligations prevent this.
Where statutory retention periods apply (e.g., commercial or tax-related obligations), the data will be restricted for further processing until these periods expire and will be deleted thereafter.

Further information

Further information on data processing by Google can be found at:
https://workspace.google.com/terms/dpa_terms.html
and in Google’s privacy policy:
https://policies.google.com/privacy

Use of Supabase

We use the services of Supabase Inc., headquartered at 970 Toa Payoh North #07-04, Singapore 318992, to provide and manage databases, user authentication, and backend functions for our web and mobile applications. Supabase enables us to securely store, manage, and analyze application data, which may include personal data in some cases.

Purpose of processing

Processing is carried out for the technical provision, management, and further development of our online services, particularly for storing, analyzing, transmitting, and aggregating data as part of the operation of our web-based systems. This may involve the processing of personal data such as names, email addresses, login credentials, usage data, and log data.

Legal basis

The processing of personal data is based on:
Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract) and
Art. 6(1)(f) GDPR (legitimate interest in secure and efficient data management).

Data processing agreement and data security

A data processing agreement (Data Processing Addendum) pursuant to Art. 28 GDPR has been concluded with Supabase. Supabase processes personal data solely based on our instructions (“processor”) and is committed to comprehensive technical and organizational security measures in accordance with Schedule 1 of the DPA, including:

Encryption of all stored data (AES-256) and all data transmissions (TLS 1.2+).
Access restrictions based on the “need-to-know” principle and the use of two-factor authentication.
Daily backups, physical and logical network segmentation, and audit logs.
Regular penetration tests as well as emergency and incident response plans.

Sub-processors and data transfers

Supabase may engage authorized sub-processors as part of service delivery, including Amazon Web Services Inc., Google LLC, Cloudflare Inc., Vercel Inc., OpenAI LLC, and other providers for hosting, communication, or monitoring. An up-to-date list of sub-processors is included in Schedule 3 of the DPA.

A transfer to third countries only takes place when it is technically necessary. If personal data is transferred to third countries (e.g., the USA or Singapore), this is carried out on the basis of the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, supplemented by a UK and Swiss addendum to ensure an equivalent level of protection.

Retention period

Further information

Further details on data processing by Supabase can be found at:
https://supabase.com/privacy
and in the privacy and security provisions of the Data Processing Addendum:
https://supabase.com/legal/dpa

Use of Atlassian (including Jira, Confluence, Trello)

We use software solutions provided by Atlassian Pty Ltd. and its affiliated companies, headquartered at
Atlassian Pty Ltd, Level 6, 341 George Street, Sydney, NSW 2000, Australia
(“Atlassian”), for project organization, task management, and internal communication.
This includes in particular the tools Jira, Confluence, and Trello, which we use for planning, documenting, and tracking projects.

Purpose of processing

Personal data is processed for the management of internal and external projects, including task planning, documentation, team communication, and support requests.
Data processed includes names, email addresses, user accounts, communication content, usage data, and other information generated in the context of project documentation or internal collaboration.

Legal basis

Processing is carried out on the basis of:
Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract) and
Art. 6(1)(f) GDPR (legitimate interest in efficient and secure organization of business processes and projects).

Data processing agreement and data security

A data processing agreement (Data Processing Addendum, version October 2025) pursuant to Art. 28 GDPR has been concluded with Atlassian. Atlassian processes personal data exclusively on the basis of documented instructions and commits to implementing comprehensive technical and organizational security measures.

These include in particular:

Encryption, access controls, and continuous security reviews of cloud products
A 72-hour notification obligation in the event of security incidents
Regular audits by independent assessors with appropriate certifications
Role-based access rights and two-factor authentication

Atlassian ensures that all employees who process personal data are subject to statutory or contractual confidentiality obligations.
Customers can access, export, or delete their data at any time through the product features.

Sub-processors and data transfers

Atlassian may use sub-processors that support the provision of its cloud services (e.g., hosting, support, monitoring).
An up-to-date list of these sub-processors is provided by Atlassian at:
https://www.atlassian.com/trust/subprocessors

A transfer to third countries only takes place when it is technically necessary. If personal data is transferred to countries outside the European Economic Area (EEA), this is carried out on the basis of the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, supplemented by the EU–US Data Privacy Framework.
Transfers to Switzerland or the United Kingdom are carried out using the applicable Swiss Addendum or UK Addendum.

Retention period

Further information

Further information on data processing by Atlassian can be found at:
https://www.atlassian.com/trust/privacy
and in the full Data Processing Addendum (DPA):
https://www.atlassian.com/legal/data-processing-addendum

Use of n8n (workflow automation)

We use the services of n8n GmbH,
Novalisstraße 10, 10115 Berlin, Germany,
(“n8n”) to automate internal business processes and data flows.
n8n provides a workflow automation platform that securely synchronizes, transforms, and processes data between different applications and systems.

Purpose of processing

The processing of personal data by n8n is carried out exclusively for the technical automation of internal operations, in particular:

Integrating different systems (e.g., CRM, email, project management tools)
Executing defined workflows and data transfers
Supporting notification, reporting, and analytics systems

This may involve the processing of personal data such as names, email addresses, IP addresses, API keys, log data, and authentication data.

Legal basis

Processing is carried out in accordance with:
Art. 6(1)(b) GDPR (performance of a contract or steps prior to entering into a contract) and
Art. 6(1)(f) GDPR (legitimate interest in the efficient automation and integration of business processes).

Data processing agreement and data security

A data processing agreement (Data Processing Agreement) pursuant to Art. 28 GDPR has been concluded with n8n GmbH.
n8n processes personal data solely based on our instructions and commits to extensive technical and organizational security measures, including:

Encryption and pseudonymization of personal data
Access restrictions based on the “need-to-know” principle
Protection against unauthorized access, loss, or alteration of data
Regular security audits and tests
Logging and monitoring of all access to personal data

In the event of a data protection incident, n8n is obligated to notify us without delay (within 72 hours) and actively support the investigation and remediation.

Sub-processors and data transfers

n8n may use sub-processors that support the provision of the platform (e.g., hosting, monitoring, cloud storage).
The current list of these sub-processors is publicly available at:
https://n8n.io/legal/subprocessors

A transfer to third countries only takes place when it is technically necessary. If personal data is transferred outside the European Economic Area (EEA), this is done exclusively on the basis of the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR or other transfer mechanisms recognized by the European Commission.

Retention period

Further information

Further information on data processing by n8n can be found at:
https://n8n.io/legal/privacy
and in the full Data Processing Agreement (DPA):
https://n8n.io/legal/data-processing-agreement

Use of Slack (Salesforce Inc.)

We use the communication service Slack, provided by
Slack Technologies, LLC, 500 Howard Street, San Francisco, CA 94105, USA,
and Slack Technologies Limited, One Park Place, Hatch Street Upper, Dublin 2, Ireland
(collectively “Slack” or “Salesforce”), for internal communication, team coordination, and project collaboration.

Slack is part of the Salesforce Inc. group, which provides communication and CRM solutions worldwide. The platform is used solely for internal organization and business collaboration between employees and partners.

Purpose of processing

Slack is used for internal and cross-department communication, file sharing, and task coordination.
The following types of personal data may be processed, in particular:

Names, email addresses, and user profile information
Communication content (messages, files, reactions)
Usage, device, and log data (e.g., IP address, browser or system information)

Processing serves to enable efficient collaboration and to optimize internal communication processes.

Legal basis

The processing of personal data in connection with the use of Slack is based on:
Art. 6(1)(b) GDPR (performance of a contract and communication within the employment relationship) and
Art. 6(1)(f) GDPR (legitimate interest in a modern, secure, and efficient communication infrastructure).

Data processing agreement and data security

A Data Processing Addendum (May 2025) has been concluded with Salesforce Inc. and Slack Technologies.
Salesforce processes personal data exclusively on the basis of documented instructions and commits to extensive technical and organizational security measures, including:

Encryption of data in transit and at rest
Access restrictions based on the need-to-know principle
Regular security and compliance audits (ISO 27001, SOC 2)
Logging and monitoring of all access
Confidentiality obligations for all employees

Slack additionally commits to the 72-hour breach notification procedure and to supporting access and deletion requests under Art. 15 et seq. GDPR.

Sub-processors and international data transfers

Salesforce may use sub-processors to deliver its services. The current list can be accessed at:
https://www.salesforce.com/company/legal/trust-and-compliance-documentation/

A transfer to third countries only takes place when it is technically necessary. Transfers of personal data outside the European Economic Area (EEA), particularly to the USA, are based on:

The EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
The EU–US Data Privacy Framework
The Binding Corporate Rules (BCR) of the Salesforce group

Slack is additionally certified under the APEC Privacy Recognition for Processors (PRP) program and complies with the corresponding international data protection standards.

Retention period

Further information

Additional details on data processing by Salesforce / Slack can be found at:
https://slack.com/trust/privacy
and in the full Salesforce Data Processing Addendum (May 2025):
https://www.salesforce.com/company/legal/dpa/