Appendix D — Monitoring Acceptance & Acceptable Use Policy (EU / Germany)

⚠️ PLACEHOLDER — PENDING LEGAL REVIEW
This document is included as a draft for reference. It must not be executed or distributed until approved by legal counsel.

Effective Date: TBD
Document Version: 1.0
Applicability: EU/EEA-based Staff & Contractors (with Germany-specific provisions)
Regulatory Compliance: GDPR · BDSG · BetrVG · TTDSG

This policy establishes the terms and conditions under which OASIS Open (“Organization” or “Controller”) deploys monitoring software, MDM solutions, and security tools on devices used to conduct organizational business by individuals based in the European Union, with specific provisions for individuals employed or engaged in the Federal Republic of Germany.

This policy is designed to comply with: Regulation (EU) 2016/679 (GDPR), in particular Articles 5, 6, 9, 12–22, 35, 44–49, and 88; the Bundesdatenschutzgesetz (BDSG), in particular Sections 26 and 22; the Betriebsverfassungsgesetz (BetrVG), in particular Section 87(1)(6) regarding co-determination on the introduction and use of technical monitoring devices; and the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) with respect to the confidentiality of telecommunications.

Where any provision of this policy conflicts with mandatory provisions of GDPR, BDSG, BetrVG, or other applicable EU or German law, the mandatory legal provision shall prevail.

Scope & Applicability

This policy applies to all EU-based individuals performing work for OASIS Open, including Staff and Contractors. It specifically addresses requirements applicable to individuals based in Germany but applies equally to individuals based in any EU/EEA member state, subject to local supplementary requirements.

Legitimate Interests — Art. 6(1)(f) GDPR. The primary legal basis is the Organization’s legitimate interest in maintaining the security, integrity, and availability of its IT systems, data, and infrastructure. A Legitimate Interest Assessment (LIA) has been conducted and is available upon request.

Consent — Art. 6(1)(a) GDPR. Where consent is relied upon as a supplementary legal basis, it is provided freely, on a specific and informed basis, and may be withdrawn at any time without adverse consequences. The Organization acknowledges the inherent power imbalance in the employment relationship (Recital 43 GDPR, Sec. 26(2) BDSG) and does not rely solely on consent for processing essential to the employment relationship.

Performance of Contract — Art. 6(1)(b) GDPR. Certain processing activities related to device provisioning and IT account management are necessary for contract performance.

Data Protection Impact Assessment

In accordance with Art. 35 GDPR, the Organization has conducted a DPIA for the deployment of JumpCloud MDM and Obsidian Security monitoring. The DPIA is maintained by the Organization and available for review by the competent supervisory authority upon request.

Scope of Monitoring & Device Management

Principle of Proportionality

All monitoring is subject to the principle of proportionality (Verhältnismäßigkeitsgrundsatz) and is limited to what is strictly necessary for the legitimate purposes identified. The Organization does not conduct continuous, comprehensive surveillance. Monitoring is targeted, purpose-limited, and designed to minimize intrusion. Specifically:

  • Covert monitoring is not conducted.
  • Keystroke logging, screen recording, and webcam/microphone activation are not performed.
  • Content-level monitoring of communications is not performed routinely and may be accessed only during a specific, documented security investigation.
  • Private communications are not intentionally targeted.

JumpCloud MDM

Functions include:

  • enforcing device encryption, password complexity, screen lock, and OS update requirements;
  • deploying and managing applications;
  • monitoring device compliance status;
  • restricting access from non-compliant devices; and
  • remote lock or selective wipe in the event of loss, theft, or security incident.

Obsidian Security

Functions include:

  • monitoring access patterns for anomaly detection;
  • detecting unauthorized access attempts and privilege escalation;
  • auditing authentication events and permission changes; and
  • generating security alerts.

Obsidian Security processes metadata and access patterns and does not perform content-level surveillance unless required for an active security investigation.

Communication Platform Monitoring

The Organization does not routinely monitor the content of communications. Metadata may be processed for security purposes. In accordance with German law, personal use of corporate email for private telecommunications is prohibited, so that the TTDSG provisions on the secrecy of telecommunications do not apply.

Device Classification & Enrollment

Company Devices (Staff)

The JumpCloud MDM agent is installed on all Company Devices, and IT retains full administrative control. Personal use is permitted on a limited basis but not encouraged; security monitoring may incidentally capture personal activity. A remote wipe may include all data on the device.

BYOD Devices (Contractors and Staff where applicable)

JumpCloud MDM operates within a managed container logically separated from personal data. Remote wipe is limited to Organization data and managed profiles. The Organization will not intentionally access personal data outside the managed container.

Remote Wipe Disclosure

Company Devices

A full device wipe may be initiated for loss or theft, termination, confirmed or suspected breach, or device non-compliance.

BYOD Devices

A selective wipe (Organization data and managed profiles only) may be initiated under the same circumstances. The Organization will use commercially reasonable and technically appropriate measures to limit the scope of the wipe, but the User acknowledges that personal data may be affected. In accordance with proportionality, a remote wipe is conducted only when less intrusive measures (remote lock, credential revocation) are insufficient.

Data Subject Rights (Articles 15–22 GDPR)

Data subjects have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), the right to object to processing based on legitimate interests (Art. 21), and the right to withdraw consent at any time without adverse consequences. Requests should be directed to the designated DPO/Privacy Contact and will be responded to within one month per Art. 12(3) GDPR.

Works Council Co-Determination (Germany)

Where a Works Council (Betriebsrat) Exists

The Organization acknowledges that under Section 87(1)(6) BetrVG, the introduction and use of JumpCloud and Obsidian Security are subject to co-determination. This policy shall not take effect until the Works Council has been consulted and has provided consent or a works agreement (Betriebsvereinbarung) has been concluded. The Organization will provide complete documentation regarding the technical capabilities and data processing to enable the Works Council to exercise its rights.

Where No Works Council Exists

This policy takes effect upon execution by the individual. Should a Works Council be established subsequently, the Organization will promptly engage in consultation and negotiate a works agreement as required.

International Data Transfers

Personal Data may be transferred to the United States. Transfers are safeguarded by EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), supplementary technical and organizational measures (encryption, access controls, pseudonymization), and any applicable adequacy decision under Art. 45 GDPR. A Transfer Impact Assessment has been conducted per the Schrems II judgment.

User Obligations

Users shall:

  • install and maintain JumpCloud MDM;
  • comply with device security requirements;
  • use Communication Platforms in accordance with the Acceptable Use Policy and the Section 7.4 restrictions on private use;
  • report loss, theft, or compromise of enrolled devices immediately;
  • maintain independent backups of personal data on BYOD Devices; and
  • return Company Devices and remove Organization data from BYOD Devices upon termination.

Non-Compliance

Non-compliance may result in disciplinary measures in accordance with applicable employment law, collective agreements, and the BetrVG (where applicable). Disciplinary measures will comply with German or EU employment law requirements, including notice and hearing rights.

Amendments

Material changes will be communicated in writing with reasonable advance notice. Where a Works Council exists, amendments are subject to co-determination. Where consent is relied upon, fresh consent will be requested for material changes.

Governing Law & Jurisdiction

This policy is governed by the GDPR and the applicable national laws of the EU/EEA member state in which the User is based. For Germany, this includes the BDSG, BetrVG, and TTDSG. Disputes are subject to the jurisdiction of the competent courts at the User’s place of employment or habitual residence.

By signing below, the User acknowledges that they have read and understand this policy, have been informed of the purposes, legal bases, and scope of Personal Data processing, and of their rights as a Data Subject under the GDPR, BDSG, and applicable law.

Confirmations:

  • ☐ I acknowledge the information provided under Articles 13/14 GDPR (Section 6).
  • ☐ I understand my rights under Articles 15–22 GDPR (Section 10).
  • ☐ I understand the remote wipe provisions (Section 9) and accept responsibility for backing up personal data on BYOD Devices.
  • ☐ Where consent is a legal basis: I freely consent and understand I may withdraw consent at any time without adverse consequences.

Classification:

  • ☐ Staff (Company Device) / ☐ Contractor (BYOD Device)
  • ☐ Germany-based / ☐ Other EU/EEA Member State: ________________

Signature | Printed Name | Title / Role | Date
User | ________________ | ________________ | ________________
IT / Data Protection Representative | ________________ | ________________ | ________________

Works Council Addendum (complete only where a Betriebsrat exists):

  • ☐ The Works Council consents to the deployment as described.
  • ☐ A separate Betriebsvereinbarung has been executed. Reference: ________________
  • ☐ The Works Council has requested modifications. Policy shall not take effect until agreed.

Signature | Printed Name | Position | Date
Works Council Representative | ________________ | ________________ | ________________