Privacy

UniNow is the first campus app that, in addition to the areas of functionality and quality, has also been tested for data protection and data security by TÜV SÜD in a separate expert opinion since 2017!

Data privacy

Safety first!

Data protection & data security

TÜV certification and audits

Since 2017, the app has been audited annually by TÜV Süd. The annual audits and software tests cover functionality according to ISO/IEC 25051:2014, data security according to PPP13011B:2018, quality assurance according to ISO 9001, and data protection according to the legal requirements of the EU General Data Protection Regulation (GDPR) as well as the IT-Grundschutz Compendium of the BSI. In addition to the certificate for quality and functionality, TÜV also produces an expert opinion on data protection and data security. The last audit by TÜV Süd took place in March 2023.

Data processing

The ways in which the app processes information can be divided into three categories. These are briefly described here based on the various modules:

Category 1: Web Scraping (grades, library, cafeteria)

Because the university provides no interface for it, this data is retrieved directly from the university's web pages using web scraping. For this purpose, the UniNow GmbH server specifies the steps necessary for automation and the app executes these steps (simplified: go to the web page, fill out the form, click the button, etc.). All requests to the campus management system are made directly from the app, i.e. from the user's end device. This ensures that the access data is sent exclusively to the university's site and is not sent to UniNow GmbH's servers at any time.

The pure HTML code is then sent from the mobile device to the servers of UniNow GmbH, where it is processed so that the app can display it in a standardized format. During this processing, no personal data is persistently stored; it is held exclusively in working memory at the time of processing. Processing the pure HTML code on the servers of UniNow GmbH ensures, among other things, fast updates should the web pages change. Otherwise, an app update would be necessary every time, which would lead to long downtimes because of the review by the store operators. Since the processing of the HTML code requires consent in accordance with Art. 7 GDPR, this consent is obtained by opt-in before the module is used in the app.

Since the cafeteria data is public data and does not require any access data, web scraping is performed here directly on the servers of UniNow GmbH to prevent unnecessary data load on the mobile devices.


Category 2: API (Mail)

The Mail module can retrieve data directly via standardized interfaces (API). For this, the app retrieves the mails directly via IMAP, SMTP or the Microsoft Exchange API. There is no communication with the servers of UniNow GmbH.

In principle, it would be conceivable to convert category 1 to category 2 in the future as part of the cooperation, provided that the university can provide interfaces for this.

Category 3: Services offered by UniNow (extensions, e.g. To-Dos, Calendar, News Feed)

This category contains the modules that are provided directly by UniNow GmbH. In this case there is a direct exchange between the end device and the servers of UniNow GmbH. Accordingly, an additional declaration of consent is not necessary, since the use is already covered by the terms of use.

Since UniNow GmbH is the developer, operator and provider of the app, the user of the app also concludes a usage agreement with UniNow GmbH. The required declarations of consent in accordance with the GDPR are also given by the user to UniNow GmbH. In addition, UniNow GmbH is the responsible entity according to the GDPR and must therefore ensure and implement all requirements resulting from it (e.g., the user's right to information and deletion rights). So far, none of our cooperation partners has seen a joint responsibility according to the GDPR in the cooperation, since the app only displays the data of the websites differently or displays content of UniNow GmbH.

Confidentiality

All UniNow GmbH servers are operated by OVH GmbH, based in Cologne, Germany. As a matter of principle, no frameworks of U.S. companies, such as Google Analytics or the Facebook SDK, are used in the app. Furthermore, UniNow GmbH does not process sensitive data such as cell phone numbers for account creation. The processing procedures described in this section have been certified by TÜV Süd since 2017. A re-audit is conducted annually, which reviews the processes and the app with regard to data protection, data security, functionality and quality.

The personal data displayed in the app is stored exclusively locally on the end device, so the personal data remains with the individual. The data is protected on the device by the standards provided by the operating system manufacturer (device encryption, PIN, etc.). The transmission of data to our servers is protected by TLS with a high rating (A+, TLS 1.2). The servers are protected by firewalls, access restrictions, etc. and are operated and protected in an external data center by the provider OVH (ISO 27001 certified).

Integrity

The data is retrieved directly from the universities' websites. Only content that is not relevant for the mobile display (e.g. images, colors, etc.) is removed. The data is then displayed on the mobile device. Integrity is ensured through two main processes. First, every week the app is tested at the cooperating universities by testers trained by us with regard to integrity, among other things. To do this, they compare the data displayed in the app with the data on the university websites. In addition, an extensive re-audit of the app is carried out annually by TÜV Süd, which also checks the integrity.

Verifiability

As part of the 2017 TÜV certification, we created a comprehensive manual that provides information about security measures and server architecture in addition to all relevant processes, test protocols, and legal documents. We review this manual monthly to make sure it is up to date. The manual, and thus the security measures, are also part of the annual re-audit by TÜV Süd. In addition, all our server configurations, and thus also the security settings, are documented and implemented in an audit-proof manner via a versioning procedure. If required, you can view the manual with us.

Responsibility

We act as developer, operator and responsible party for the app according to the GDPR. In this respect, we also vouch for the security measures within the framework of the legal provisions. Even in connection with a cooperation, the responsibility remains with UniNow GmbH, as the corresponding contractual relationship is concluded between the app user and UniNow GmbH.

Any questions?

Please do not hesitate to contact us if you have any further questions or comments.

Phone number

+49 391 505467 - 0