Dossira
Create
Menu
← Back to Security Center

Privacy Policy

Privacy Policy for Dossira

This policy explains what personal data we process, why we process it, where it is processed, and what rights people have.

1. Controller, contact, scope, roles

Controller: NOVA TERRA AS (address: see Imprint). For privacy requests: pri​vacydos​siracom

Scope and roles

  • For workspace content (files and workspace entries) processed on behalf of a customer organization, the customer is the controller and we act as a processor.
  • For our website and business operations (account administration, billing, sales, and marketing), we act as a controller.

We process personal data for the following purposes and legal bases:

  • Provide and secure the Service (contract / steps to enter a contract)
  • Account security, fraud/abuse prevention, reliability (legitimate interests)
  • Support (contract and/or legitimate interests)
  • Billing and accounting (legal obligation and contract, where applicable)
  • Marketing communications (consent where required; otherwise legitimate interests for B2B outreach where permitted)

Providing an email address is required to create and secure an account. If it is not provided, we cannot provide account access.

2. What we process (data categories)

Account and service administration

  • email address (required)
  • account identifiers and internal user IDs
  • workspace membership and role information (if created by the customer)
  • billing contact details (if subscriptions are enabled)

Security and technical metadata

  • IP address at sign-in and security events
  • user-agent/device info
  • timestamps and audit/security events We keep security logs for a limited period based on operational need and risk.

Workspace content (customer-controlled)

Workspace content may include files and entries (comments, decisions) and related metadata. The customer decides what personal data is stored in the workspace.

3. Service providers (sub-processors / processors)

We use a small set of providers to operate the service. Depending on context:

  • for customer workspace content, these providers act as our sub-processors (we remain responsible as processor to the extent required by law);
  • for our website and business operations, these providers act as our processors.

We do not sell personal data and we do not use third-party advertising trackers.

  • Hetzner Online GmbH – core hosting (compute + storage) (EU)
  • Scaleway S.A.S. – transactional email delivery (EU)
  • Cloudflare – delivery of the public site and static assets (CDN)
  • Buypass AS – TLS certificates (Norway)
  • Mollie B.V. – payments for the billing contact (Netherlands) (only if subscriptions are enabled)

We share only the data necessary for each provider’s role.

Public website and static assets (CDN)

We use Cloudflare to deliver the public website and static assets. We do not route customer workspace content through the CDN. As with global network services, limited technical request data (such as IP address and request metadata) may be processed outside the EEA depending on routing and service configuration.

4. International transfers

We design the service around a European operating boundary. If personal data is transferred outside the EEA/UK/Switzerland, we rely on appropriate safeguards such as EU Standard Contractual Clauses, and we provide further details on request.

We do not intentionally transfer customer workspace content outside the EEA/UK/Switzerland as part of normal service operation. If this changes, we will update our documentation and safeguards accordingly.

5. Retention

We keep personal data only as long as needed for the purposes above:

  • Account/service data: for as long as the account/workspace is active, then deleted or anonymized according to our deletion process and backup rotation.
  • Security logs: retained for a limited period suitable for security operations.
  • Billing records: retained for statutory accounting/audit periods where required by law (generally 5 years).

Security and session metadata is typically retained for up to 14 days, unless we need longer to investigate abuse or security incidents. Session tokens are typically invalidated when the user logs out.

For individual team members, their personal email is deleted if the member leaves the subscription. It may take a few days until all logs are rotated out.

6. Rights and requests

Individuals have rights to access, rectify, erase, restrict processing, object, and (where applicable) data portability.

  • For workspace content, requests should be directed to the customer organization (the controller). We assist where required and feasible.

  • For our website and business operations, contact: pri​vacyxraydos​siracom

Individuals also have the right to lodge a complaint with a supervisory authority, in particular in the country of habitual residence, place of work, or place of the alleged infringement. Where processing is based on consent, consent can be withdrawn at any time (without affecting prior processing). We do not use automated decision-making or profiling that produces legal or similarly significant effects.

7. Cookies and similar technologies

We use only strictly necessary cookies for authentication and security. We do not use advertising cookies.

  • __Host-auth (example name: dos_a): session authentication (session)
  • __Host-csrf (example name: dos_c): request integrity / CSRF protection (session)

If we introduce non-essential cookies (e.g., analytics), we will request consent where required and update this policy.

8. Changes

If we make material changes, we will update the “lastUpdated” date and, where appropriate, notify account administrators.