General Data Protection Regulation (GDPR)
As a service provider to European companies and individuals, we comply with the principles of the GDPR and apply them to all customers, no matter where they are located. The provisions set out in the GDPR are sensible practice and should be followed like any other good development- or business practice. The list below describes how we comply with each individual or principle:
Data Protection Goals
- Process data in a transparent manner: You can find a list of the data we collect and process in the Privacy Policy. Before signing up you are asked to actively agree to the Privacy Policy.
- Only collect data for specific and legitimate purposes: On signup you only need to provide a name, email and password. For paid packages, we will also ask for a billing address to calculate applicable taxes.
- Limit the amount of collected data: We don't collect additional data, like usage analytics or visitor logs.
- Avoid outdated data: You can edit most of your account data after logging in. This includes deleting your backup data, access keys, personal details and billing details.
- Ensure adequate protection: We keep our systems updated, secured and follow accepted security standards. See section Implement Technical Security for more.
Point of Contact for Data Protection
Send any privacy- and security-related concerns to privacy@borgbase.com.
Privacy Policy
You can find our latest Privacy Policy here . It includes the data we collect, how we process it, how you can access and delete it and how to reach the data protection officer.
Cookie Policy
We don't use external tracking scripts or third party content delivery networks (CDN), like Google Analytics or Google Fonts. After you log in, a http-only cookie will be set to validate your session. This session times out after 30 minutes of inactivity.
Documentation of Processing Activities
The data processing we do is described in the Privacy Policy document.
List of Data Processors
We currently use the following main sub-processors to provide our service:
- Hetzner Online GmbH (data storage and compute, EU region)
- EndOffice, LLC (data storage and compute, US region)
- netcup GmbH (data storage and compute)
In addition, we use the following sub-processors for specific tasks that don't involve backup data and only minimal personal data:
- Wildbit LLC (outgoing email processing)
- MXroute LLC (incoming email processing)
- Help Scout PBC (support request processing)
- BunnyWay d.o.o. (CDN)
- DNSimple Corporation (DNS services)
- Amazon Web Services, Inc. (DNS services)
- Stripe, Inc. (payments processing)
- PayPal Holdings, Inc. (payments processing)
- Coinbase Europe Limited (payments processing)
Storage Location and Data Transfer
Your account data is always stored within the EU.
Your backup data will be stored in the region you choose when first creating the repository. If you chose your repo to be EU-based, it will always stay within the EU (a country of the European Union). Same for US-based repositories, which will stay within the US region (United States and Canada).
Technical Security
We follow established security guidelines. If you should notice any security vulnerability, please report it to privacy@borgbase.com. Overview of security measures:
Authentication
- You are required to set a strong password of 8+ characters.
- Access to private endpoints of the API backend needs authentication.
- Your login session will expire after 30 minutes.
- You can enable two-factor authentication to protect your account with more than just a password.
Access control
- Logged-in users can only access their own data.
- Backup repositories within an account are isolated from each other.
- Sessions for logged-in users are validated during every API-request.
Command Injection
- No user-provided data is displayed publicly or to other users.
- Your session cookie is http-only and not accessible by Java Script.
- It's not possible to upload files, except your backups.
- User input is validated on submission. E.g. your public SSH key.
- No parameterized SQL queries are used.
Session Management
- Using safe cookie elements (Secure flags and HttpOnly).
- Automatic session expiration after 30 min of inactivity.
- The session is revoked on user logout.
Data protection and Transmission
- Modern SSL settings are used to protect your data during transmission to and from the web interface.
- Your password is stored as strong Argon2 hash.
- Automatic session expiration after 30 min of inactivity.
- Your backup repository can only be access using an encrypted SSH connection.
Access to Account Data
To request access or deletion of the personal data stored in your account, please contact privacy@borgbase.com. You will receive a copy of the data stored with us. You can access and delete your backup data independently in the web interface.
Supervisory Authority
We will notify the Information and Data Protection Commissioner in Malta of any data breaches that may get discovered in the future.
Data Processing Agreement
If you would like to sign a full data processing agreement to demonstrate your own compliance, please get in touch and provide your organisational details.