Processed data for on prem variant

Hello PB Community,

I, as an administrator acting on behalf of our data protection officers, would like to find out what personal data of our users are processed in the on prem variant.

Unfortunately i couldn’t found any specific info on the web. Passbolt recommended to ask the forum, as we use the community version of pb.

So do you guys may know which personald data is processed on the self hosted varaint?
And if yes, is this data shared with any third-partys?

I hope i did not miss any existing post on this forum which already answered this question.

Thank you for great work!

Hello @BobshortForBobertson,

what personal data of our users are processed in the on prem variant.

The following personal data: First and last name, user agent, IP address, email, user id, avatar and public key materials (fingerprint, user uid, signatures if any) are stored in the on-prem server.

is this data shared with any third-partys?

By default no personal data is shared with passbolt team. Passbolt do not collect data from the extension or the app, nor do Passbolt have access to 3rd party platforms data.

Depending on which browser extension / mobile app is used by your users different information may be shared to the platform (Microsoft, Google, etc.). You will need to check the webstore privacy policies for this. If you do not want this you can distribute the extension yourself to your users (see Chrome Enterprise deployment).

If you use Duo as MFA provider additional information will be shared with that vendor, such as IP address and email. Passbolt also don’t have access to this. https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/security/cisco-duo-privacy-data-sheet.pdf

When checking if passwords are part of a dictionary a 3rd party HIBP service is called: Have I Been Pwned: Privacy

I hope that helps! We’ll add this to the privacy section of the website.

Hey @remy

thank you for your very quick response!

That’s a good idea to add this info on your privacy section, cause i can imagine that other privacy officers are interested in this info too, especially in the process of checking passbolt (on-prem) from a data privacy view.

Thank you!