Your security is our top priority. That's why we at OTRS take the requirements for data protection, data security and compliance very seriously. On this page you will find all the important information that will help you as an OTRS customer and prospective customer to better understand our products. In addition, you will learn how your data is/will be protected and what precautions and measures are taken to ensure this.

Information Security

The data centers are protected in accordance with current requirements, e.g. ISO27001, BSI basic protection and BSI C5 catalog. This includes physical and organizational measures.

Further information can be found here:

  • Encryption:
    All data transmissions are encrypted via SSL, both during transmission between the user and the SaaS service and at technical interfaces.
  • Access control:
    The implementation of strict access controls and methods, such as key only ssh, ensure that only authorized users can access the systems and data. A “need to know” principle has been established.
  • Regular security updates:
    All systems, frameworks and software components are updated as part of maintenance and as required in order to close security gaps and minimize potential points of attack.
  • Firewalls:
    Firewall rules do not allow unintended data traffic.
  • Monitoring and documentation:
    Network traffic is continuously monitored and activities are logged in order to detect and react to suspicious or unusual activities.
  • Data separation and isolation:
    Data between different clients is separated to ensure that other data cannot be accessed by compromising one system.

SSL-based protocols are used to protect data connections, such as https or TLS-secured SMTP or IMAP connections. System access is granted via ssh. E-mails can be encrypted end-to-end via PGP or S/Mime. Encryption of the hard disk can be set up easily if required.

Core components are designed redundantly or set up as a cluster. A daily backup is created for all SaaS instances and stored geo-redundantly on secure servers that are not accessible from the Internet. Instances can be restored within the contractually defined period. Disaster recovery is regularly tested automatically.

  • Consideration of potential security risks and threats starting in the planning and design phase throughout the entire development process.

  • Security awareness is kept up to date in the development team through training courses and regular training sessions.

  • Secure code guidelines such as the OWASP Secure Coding Practices are used.

  • Regular checks, e.g. of the libraries used and code reviews, help to identify and eliminate potential security gaps at an early stage.

  • A strict separation of development, staging, test and production systems prevents the accidental disclosure of sensitive data.

  • To check for dynamic vulnerabilities, OTRS uses external tools for continuous and dynamic monitoring of core applications with regard to common security risks for web applications.
  • Here are the details of our “Vulnerability Disclosure Policy”, in short: VDP.

OTRS offers among other things:

  • Password policies

  • SSO via SAML

  • Configurable two-factor authentication

  • Secure storage of passwords with secure algorithms, such as SHA2 or Blowfish

  • Control of access rights via a role-based authorization concept

  • Certificate management for https and email

  • IP filtering


  • PGP and S/Mime for email

Some options are only available for OTRS SaaS.

OTRS Group employees are made aware of security issues and the compliance regulations for processing personal data. This is done through training on the aforementioned topics and technical services. All employees are obliged to maintain confidentiality and secrecy in accordance with the applicable guidelines and laws and are trained in the areas of data protection and data security through internal tests.

Data Security

Lei Geral de Proteção de Dados Pessoais („LGPD“) – Brasil

The Brazilian Data Protection Act, also known as the Lei Geral de Proteção de Dados Pessoais (“LGPD”), came into force on September 18, 2020. The LGPD is a comprehensive data protection law that regulates the activities of controllers and processors as well as the rights of data subjects.
OTRS customers who collect and store personal data in OTRS may be classified as “controllers” under the Brazilian Data Protection Law (LGPD). Controllers have primary responsibility for ensuring that their processing of personal data complies with relevant data protection laws, including the LGPD. OTRS acts as a “processor” in relation to the processing of personal data through the Services provided, as that term is defined in the LGPD.


California Consumer Privacy Act (CCPA)  and California Privacy Rights Act (CPRA)

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), is a US law passed by the state of California that has been in effect since January 1, 2020. It governs the privacy rights available to certain California consumers and requires certain businesses to comply with various privacy requirements. Please also read the  CCPA Regulations  and the California Privacy Rights Act (CPRA). Certain CPRA provisions became effective on December 16, 2020, and the remaining provisions of the CPRA  became effective on January 1, 2023.

OTRS does not “sell” any personally identifiable information of its own customers or agents as defined under the CCPA. We may share aggregated and/or anonymized information about the use of the Services, which is not considered Personal Information under the CCPA, with third parties to help us develop and improve the Services and to provide more relevant content and service offerings to our customers, as set forth in our contracts.


EU General Data Protection Regulation (GDPR)

This approach includes supporting our customers with regard to compliance with EU data protection requirements, such as those set out in the GDPR (“DSGVO”).
If a subscriber collects, transfers, hosts or analyzes personal data of EU citizens, the GDPR requires that the subscriber uses external processors who can guarantee their ability to implement the technical and organizational requirements provided by the GDPR. As a further confidence-building measure in relation to the GDPR, our Data Processing Agreement (“DPA”) has been updated to provide our customers with contractual assurances regarding the applicable EU data protection law and the implementation of additional contractual provisions required by the GDPR.


Requests from affected persons:

An individual who wishes to exercise their data protection rights in relation to personal data stored or processed by us on behalf of one of our subscribers as part of the subscriber’s service data (including requesting access, correction, amendment, deletion, transfer or restriction of processing of such personal data) should direct such request to our customers (the data controllers). Upon receipt of a request from one of our customers to delete personal data from OTRS, we will respond to such a request within thirty (30) days. We retain personal data that we process and store on behalf of our customers for as long as necessary to provide the services to our customers.


Data Protection Officer:

The Data Protection Officer (DPO) of OTRS can be contacted at or


Personal Data Protection Act of Singapore (PDPA)

The Singapore Personal Data Protection Act sets out statutory provisions governing the collection, use and disclosure of personal data as of July 2, 2014. OTRS is a data intermediary recognized by the Infocomm Development Authority of Singapore (IDA) in its capacity as a “Software-as-a-Service” (“SaaS”) provider.


GDPR and Brexit

The United Kingdom left the European Union on January 31, 2021. On June 28, 2021, the European Commission adopted adequacy decisions for the transfer of personal data to the United Kingdom under the GDPR.

You can conclude and/or view the OTRS DPA contract at The OTRS DPA covers the specific data processing procedures and security measures that apply to our services and includes the new EU Standard Contractual Clauses (“EU SCCs”).

If you need to update your existing OTRS DPA to include the new EU SCCs and the UK Annex, but do not wish to enter into a new DPA, you can view and/or sign the OTRS Data Transfer Annex at

Here you find our detailed Privacy Policy.

Our customers can view all details and documents containing information on the processing of their data within the OTRS customer portal.

All external service providers are regularly audited by OTRS in accordance with applicable legal standards. All providers working with us, especially those who can access our data or systems, comply with the prevailing guidelines.

If you have any questions or comments, please contact us at or