How do software companies become GDPR compliant


On May 25, the EU General Data Protection Regulation (GDPR) came into force to protect EU citizens from data-hungry software companies. It ensures the proper handling of personal data of a person from other persons, organizations or companies within the EU. Our messaging service is 100% compliant and therefore "GDPR-perfected". On this page we try to give you a comprehensive overview of all our measures.

We support your compliance

Regardless of whether you are a cloud or server customer, we are always available to support you in the compliant use of our service. Be it the configuration of your Grape installation, the setup of data exports, the correct administration of the chat organization and the users or the deletion of former users.

GDPR & Grape Cloud Service

When you use Grape Cloud, your data is stored in our server data centers. We are the data processor and you are the data controller within the meaning of the EU data protection directive.

GDPR & Grape On-Premise

When you use Grape On-Premises, it means that our messaging service runs on our customers' servers. In this case we are a data processor and not a data controller. Customers receive a license for the software and are therefore responsible to the GDPR.

Fulfillment of the contract

Our customers can use a data processing
Request an agreement to contractually ensure proper processing.

Request data processing agreement

If you use Grape, you can read the privacy policy here that you approved when you created the organization.

To our privacy terms

Delete organizations

Organizations, the instance of your company in Grape, including all users and data, can be completely deleted. This function is available to the organization creator. To delete them you will need to enter your password. If two-factor authentication is activated, you will receive an email with a confirmation link. After completion, the organization will be completely deleted from our database.

If your company is on a backup copy (which was made before deletion), the corresponding organization ID is stored in a separate log. If the backup is restored, Grape will manually destroy your organization's backup.

Data export

The organization creator has the authorization to export all data for the entire organization. To protect private conversations, the creator can only export chat content to which he has access. Private messages or chat content from other users' private groups are not exported. When exporting, a private ZIP file is generated that can be downloaded.

Delete user

Manual deactivation of individual users is possible at any time. If you manage users through systems such as Active Directory or provide a login through SSO, deleted users can be automatically deactivated through Grape.

Additional functions of the on-premises solution

Information to be provided if personal data are collected from the data subject (Art. 13) and records of processing activities (Art. 30)

  • Corporate customers receive a detailed table that shows which data is stored in which locations, including the storage time
  • Another table indicates when information must be passed on to third parties
  • Technical information such as ports and host names are documented here.

Right to rectification (Art 16)

  • Information such as names or e-mail addresses can be received directly from identity providers such as Active Directory and are synchronized regularly. If something is changed through an identity provider, no further changes are required.
  • Users can change the Grape-specific data themselves at any time if necessary.
  • If it is not possible to change data in Grape, the server versions of Grape allow changes in a separate administration area.
  • A database administrator can modify or delete messages from Grape as needed

Right to deletion ('right to be forgotten') (ART 17)

  • Entry level:Grape Enterprise Admins can delete groups, integrations and memberships via a separate administration area.
  • Message level:A database administrator can overwrite or delete messages if necessary.

Records of processing activities (Art. 30 GDPR and Chapter 5)

  • 2-factor SMS authentication: SMS gateway can be changed as required (standard SMS gateway provider: IXOLIT GmbH, Mariahilfer Straße 77-79, 1060 Vienna / Austria)
  • Processing security (Art. 32 GDPR):More info
  • Encryption of internal transactions:We can help you set up reverse proxies and edge servers
  • Proxy:All HTTP requests from the
  • Limitation of the link preview: You can set up blacklists and whitelists for link previews
  • Storage and virus scanners: Uploaded files can be stored on your compatible and virus-scanned media infrastructure
  • Backups: Ready-to-use cold and hot backup scripts - Learn more
  • VM backup: Alternatively, if Grape is running in a VM, you can store the entire VM through hypervisor
  • Monitoring: We offer ready-made monitoring scripts for corporate customers
  • Logging: Log all administrative actions for better compliance

Grape Server Administration (Art. 25 GDPR)

  • Custom session cookie age: The time in seconds after which a cookie will automatically expire. Standard: 86400 (1 day)
  • Time between full AD resynchronizations in minutes: The time to wait between full user / group synchronizations when using Active Directory. Setting this value low will affect performance. It is recommended that you keep the default setting and manually resume synchronization if necessary. Standard: 1440 (1 day)
  • Apollogasse 4/7
    1070 Vienna, AT
  • +43 680 2205255Mon - Fri 9am - 5pm (CEST)
Subscribe to

The latest Grape News - in your inbox every month.

© 2020 All rights reserved. Grape® is a registered trademark of UberGrape GmbH.