update pii table

mffap 2024-12-28 11:07:08 +02:00
parent 468a9026fa
commit bae2b5708d
5 changed files with 117 additions and 264 deletions


@ -1,93 +0,0 @@
<table>
<tr>
<th>Type of personal data</th>
<th>Examples</th>
<th>Affected data subjects</th>
</tr>
<tr>
<td><strong>Basic data</strong></td>
<td>
<ul>
<li>Family and given name</li>
<li>Email addresses</li>
<li>User name</li>
</ul>
</td>
<td>All users</td>
</tr>
<tr>
<td><strong>Login data</strong></td>
<td>
<ul>
<li>Randomly generated ID</li>
<li>Password</li>
<li>Public keys / certificates ("FIDO2", "U2F", "x509", ...)</li>
<li>User names or identifiers of external login providers</li>
<li>Phone number(s)</li>
</ul>
</td>
<td>
<p>All users</p>
<p>Password: Users who use authentication methods with password.</p>
<p>Public Keys: Users who use an authentication procedure with cryptographic keys.</p>
<p>External login provider identifiers: Users who use an external login provider.</p>
<p>Phone number: Users who use authentication methods with SMS</p>
</td>
</tr>
<tr>
<td><strong>Profile data</strong></td>
<td>
<ul>
<li>Profile pictures</li>
<li>Gender</li>
<li>Language</li>
<li>Nickname</li>
<li>Display name</li>
<li>Phone number(s)</li>
</ul>
</td>
<td>Users who voluntarily add profile data</td>
</tr>
<tr>
<td><strong>Communication data</strong></td>
<td>
<ul>
<li>Emails</li>
<li>Chats</li>
<li>Call metadata</li>
</ul>
</td>
<td>Customers and users who communicate with us directly (e.g. support)</td>
</tr>
<tr>
<td><strong>Payment data</strong></td>
<td>
<ul>
<li>Billing address</li>
<li>Payment information</li>
<li>Customer number</li>
<li>Customer history</li>
<li>Credit rating information</li>
</ul>
</td>
<td>
<p>Customers who use services that require payment</p>
<p>Credit rating information: Only customers who pay by invoice</p>
</td>
</tr>
<tr>
<td><strong>Usage meta data</strong></td>
<td>
<ul>
<li>User agent</li>
<li>IP addresses</li>
<li>Operating system</li>
<li>Time and date</li>
<li>URL</li>
<li>Referrer URL</li>
<li>Accept Language</li>
</ul>
</td>
<td>All users</td>
</tr>
</table>


@ -5,7 +5,6 @@ custom:
created_at: 2022-07-15 created_at: 2022-07-15
updated_at: 2023-11-16 updated_at: 2023-11-16
--- ---
import PiidTable from './_piid-table.mdx';
Last updated on December 31, 2023 Last updated on December 31, 2023
@ -54,7 +53,10 @@ This DPA will become effective on the date the Agreement enters into effect and
For the avoidance of doubt, the terms of the Framework Agreement will continue in full force and effect; however, to the extent any term in any Agreement regarding either Partys obligations with respect to Customer Data is less restrictive than or is inconsistent with this DPA, the terms of this DPA shall supersede and control. For the avoidance of doubt, the terms of the Framework Agreement will continue in full force and effect; however, to the extent any term in any Agreement regarding either Partys obligations with respect to Customer Data is less restrictive than or is inconsistent with this DPA, the terms of this DPA shall supersede and control.
The Parties acknowledge that the following Customer Data will be processed as part of the Services: The Parties acknowledge that the following Customer Data will be processed as part of the Services:
<PiidTable />
import { PiiTable } from "../../src/components/pii_table";
<PiiTable />
## Scope ## Scope


@ -2,7 +2,6 @@
title: Privacy Policy title: Privacy Policy
custom_edit_url: null custom_edit_url: null
--- ---
import PiidTable from '../_piid-table.mdx';
Last updated on 31 December, 2024 Last updated on 31 December, 2024
@ -61,11 +60,11 @@ This website uses TLS encryption for security reasons and to protect the transmi
We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO : We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO :
- Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis. * Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis.
- When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis. * When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis.
- To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 para. 1 lit. c GDPR serves as the legal basis. * To the extent that processing of personal data is necessary to comply with a legal obligation to which we are subject under any applicable law of the EU or under any applicable law of a country in which the GDPR applies in whole or in part, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
- For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis. * For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
- If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law. * If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.
We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims. We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
@ -92,7 +91,10 @@ Our Sites can generally be visited without registration. If you apply for a job
The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data. The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data.
In particular, the following personal data are part of the processing: In particular, the following personal data are part of the processing:
<PiidTable />
import { PiiTable } from "../../../src/components/pii_table";
<PiiTable />
Unless otherwise mentioned, the nature and purpose of the processing is as follows: Unless otherwise mentioned, the nature and purpose of the processing is as follows:


@ -0,0 +1,104 @@
import React from "react";
export function PiiTable() {
const pii = [
{
type: "Basic data",
examples: [
'Names',
'Email addresses',
'User names'
],
subjects: "All users as uploaded by Customer."
},
{
type: "Login data",
examples: [
'Randomly generated ID',
'Passwords',
'Public keys / certificates ("FIDO2", "U2F", "x509", ...)',
'User names or identifiers of external login providers',
'Phone numbers',
],
subjects: "All users as uploaded and feature use by Customer."
},
{
type: "Profile data",
examples: [
'Profile pictures',
'Gender',
'Languages',
'Nicknames or Display names',
'Phone numbers',
'Metadata'
],
subjects: "All users as uploaded by Customer"
},
{
type: "Communication data",
examples: [
'Emails',
'Chats',
'Call metadata',
'Call recording and transcripts',
'Form submissions',
],
subjects: "Customers and users who communicate with us directly (e.g. support, chat)."
},
{
type: "Payment data",
examples: [
'Billing address',
'Payment information',
'Customer number',
'Support Customer history',
'Credit rating information',
],
subjects: "Customers who use services that require payment. Credit rating information: Only customers who pay by invoice."
},
{
type: "Analytics data",
examples: [
'Usage metrics',
'Milestones, Goals, Events',
'Client-side anonymized session replay',
],
subjects: "Customers who use our services."
},
{
type: "Usage meta data",
examples: [
'User agent',
'IP addresses',
'Operating system',
'Time and date',
'URL',
'Referrer URL',
'Accepted Language',
],
subjects: "All users"
},
]
return (
<table className="text-xs">
<tr>
<th>Type of personal data</th>
<th>Examples</th>
<th>Affected data subjects</th>
</tr>
{
pii.map((row, rowID) => {
return (
<tr>
<td key={rowID}>{row.type}</td>
<td><ul>{row.examples.map((example) => { return ( <li>{example}</li> )})}</ul></td>
<td>{row.subjects}</td>
</tr>
)
})
}
</table>
);
}
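Review bot: In the `pii.map` callback the `key` is set on the first `<td>` rather than on the `<tr>` the callback returns, and the `<li>` items from the inner `row.examples.map` have no key at all, so React will warn about missing keys and cannot match rows between renders. Move the key to the row and key the list items, e.g. `<tr key={row.type}>` and `<li key={example}>{example}</li>`; the `type` values are unique, and 'Phone numbers' repeats only across different rows, so both keys are stable within their own lists. The rows are also direct children of `<table>`; wrapping the header in `<thead>` and the mapped rows in `<tbody>` avoids React's DOM-nesting warning. Because this component now appears to be the single source of the personal-data categories shown in both the DPA and the Privacy Policy, a comment above `pii` would help reviewers, e.g. `// Rendered in the DPA and the Privacy Policy; edits here change both legal documents.`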

View File

@ -1,162 +0,0 @@
import React from "react";
export function SubProcessorTable() {
const country_list = {
us: "USA",
eu: "EU",
ch: "Switzerland",
fr: "France",
in: "India",
de: "Germany",
ee: "Estonia",
nl: "Netherlands",
ro: "Romania",
}
const processors = [
{
entity: "Google LLC",
purpose: "Cloud infrastructure provider (Google Cloud), business applications and collaboration (Workspace), Data warehouse services, Content delivery network, DDoS and bot prevention",
hosting: "Region designated by Customer, United States",
country: country_list.us,
enduserdata: "Yes"
},
{
entity: "Datadog, Inc.",
purpose: "Infrastructure monitoring, log analytics, and alerting",
hosting: country_list.eu,
country: country_list.us,
enduserdata: "Yes (logs)"
},
{
entity: "Github, Inc.",
purpose: "Source code management, code scanning, dependency management, security advisory, issue management, continuous integration",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Stripe Payments Europe, Ltd.",
purpose: "Subscription management, payment process",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Bexio AG",
purpose: "Customer management, payment process",
hosting: country_list.ch,
country: country_list.ch,
enduserdata: false
},
{
entity: "Mailjet SAS",
purpose: "Marketing automation",
hosting: country_list.eu,
country: country_list.fr,
enduserdata: false
},
{
entity: "Postmark (AC PM LLC)",
purpose: "Transactional mails, if no customer owned SMTP service is configured",
hosting: country_list.us,
country: country_list.us,
enduserdata: "Yes (opt-out)"
},
{
entity: "Vercel, Inc.",
purpose: "Website hosting",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Agolia SAS",
purpose: "Documentation search engine (zitadel.com/docs)",
hosting: country_list.us,
country: country_list.in,
enduserdata: false
},
{
entity: "Discord Netherlands BV",
purpose: "Community chat (zitadel.com/chat)",
hosting: country_list.us,
country: country_list.us,
enduserdata: false
},
{
entity: "Statuspal",
purpose: "ZITADEL Cloud service status announcements",
hosting: country_list.us,
country: country_list.de,
enduserdata: false
},
{
entity: "Plausible Insights OÜ",
purpose: "Privacy-friendly web analytics",
hosting: country_list.de,
country: country_list.ee,
enduserdata: false,
dpa: 'https://plausible.io/dpa'
},
{
entity: "Twillio Inc.",
purpose: "Messaging platform for SMS",
hosting: country_list.us,
country: country_list.us,
enduserdata: "Yes (opt-out)"
},
{
entity: "Mohlmann Solutions SRL",
purpose: "Global payroll",
hosting: undefined,
country: country_list.ro,
enduserdata: false
},
{
entity: "Remote Europe Holding, B.V.",
purpose: "Global payroll",
hosting: undefined,
country: country_list.nl,
enduserdata: false
},
{
entity: "HubSpot Inc.",
purpose: "Customer and sales management, Marketing automation, Support requests",
hosting: country_list.eu,
country: country_list.us,
enduserdata: false
},
]
return (
<table className="text-xs">
<tr>
<th>Entity name</th>
<th>Purpose</th>
<th>End-user data</th>
<th>Hosting location</th>
<th>Country of registration</th>
</tr>
{
processors
.sort((a, b) => {
if (a.entity < b.entity) return -1
if (a.entity > b.entity) return 1
else return 0
})
.map((processor, rowID) => {
return (
<tr>
<td key={rowID}>{processor.entity}</td>
<td>{processor.purpose}</td>
<td>{processor.enduserdata ? processor.enduserdata : 'No'}</td>
<td>{processor.hosting ? processor.hosting : 'n/a'}</td>
<td>{processor.country}</td>
</tr>
)
})
}
</table>
);
}