Risk Analysis on Customer Personal Data

This document provides a risk analysis on the personal data processed by Obscreen and complements the Privacy Policy, the Information Security Policy, the Systems Security and Integrity Policy, the Customer Data Encryption Policy, the DPO Designation, the CISO Designation, and the Subprocessors page.

1. Introduction

This risk analysis aims to identify, evaluate, and propose mitigation measures for the risks associated with the processing of personal data of Obscreen customers and users. Obscreen is a French sole proprietorship publishing the Obscreen digital signage software and operating the Obscreen Cloud platform. The personal data processed in this context falls under the protection of the GDPR and applicable French data protection law.

Scope note. The risks identified and the mitigation measures described in this document concern the personal data processed by Obscreen as part of the services it operates (Obscreen Cloud, license issuance, accounts, billing, support, public websites). For self-hosted deployments, the customer is the controller of the personal data they decide to process on their own installation, and the customer is responsible for the corresponding risk analysis and mitigation, in accordance with the Terms of Service.

2. Identification of Personal Data

2.a Data Collected

In accordance with the Privacy Policy, the following personal data may be collected and stored:

• Personal identifiers:
  • First name
  • Last name
• Contact information:
  • Email address
  • Phone number (when provided)
  • Postal address (when provided)
• Account information:
  • Username
  • Hashed password and authentication credentials
• Billing information:
  • Payment details (handled by our payment processor Stripe; Obscreen stores only metadata such as billing address, transaction references, and the last digits of the payment method)
  • VAT / company identifiers (for business customers)
• License information:
  • License keys associated with a customer
  • Hardware fingerprints used to bind a license to one instance, in accordance with the Obscreen Private License Agreement (OBPLv1)
• Usage and device data:
  • Information about how the Software is used (features, time of use, errors)
  • Device data (operating system, version, device identifiers)

2.b Processing Activities

• User account management for obscreen.io and Obscreen Cloud.
• License issuance, verification, and renewal via lic.obscreen.io.
• Payment processing for licenses and subscription plans (via Stripe).
• Communication and notifications related to the Software (updates, important messages, support).
• Customer support and processing of diagnostic reports (via support.obscreen.io).
• Anonymous error and crash reporting (via Sentry, when enabled by the user).
• Internal statistical analyses (anonymized data).

For self-hosted deployments, Customer Content (media, playlists, schedules) remains under the sole control of the customer and is not accessed by Obscreen, in accordance with the Terms of Service.

3. Identification of Risks

3.a Internal Risks

1. Unauthorized access by employees or contractors:
   • Improper management of access rights.
   • Misuse of data by a malicious or negligent employee.
2. Loss or theft of devices:
   • Laptops or mobile devices used to access Obscreen systems.
3. Lack of staff awareness:
   • Phishing, social engineering, supply-chain compromise.

3.b External Risks

1. Cyberattacks:
   • Database or storage compromise.
   • Denial-of-service attacks (DDoS) against obscreen.io, lic.obscreen.io, or other public endpoints.
   • Malware, ransomware, supply-chain attacks targeting our build pipeline or distribution channels.
2. Data interception during transfers:
   • Interception of communications if encryption is misconfigured or downgraded.
3. Unauthorized access via third parties:
   • Vulnerabilities or compromises at our subprocessors (Hetzner, Cloudflare, AWS, Stripe, Notion, Google Workspace, and others).
4. Abuse of Customer Content (Obscreen Cloud only):
   • Upload or distribution of illegal content, in violation of the Terms of Service.

3.c Legal and Compliance Risks

1. Non-compliance with the GDPR:
   • Failure to meet legal obligations regarding personal data protection.
2. License and software integrity risks:
   • Bypass or compromise of the license verification mechanisms (OBPLv1).
3. Reputational damage:
   • Loss of customer trust in case of a data breach or major incident.

4. Risk Evaluation

4.a Evaluation Criteria

• Likelihood:
  • Low, Medium, High
• Potential Impact:
  • Low, Medium, High

4.b Evaluation Table

Risk	Likelihood	Impact	Risk Level
Unauthorized access by employees or contractors	Low	High	Medium
Loss or theft of devices	Medium	Low	Medium
Lack of staff awareness (phishing, social engineering)	Medium	Medium	Medium
Cyberattacks (intrusion, DDoS, malware, ransomware)	Low	High	Medium
Supply-chain attacks on build / distribution	Low	High	Medium
Data interception during transfers	Low	Low	Low
Unauthorized access via third parties (subprocessors)	Low	High	Medium
Abuse of Customer Content (Obscreen Cloud)	Medium	Medium	Medium
License verification compromise	Low	Medium	Low
Non-compliance with the GDPR	Low	High	Medium
Reputational damage	Medium	High	Medium

5. Mitigation Measures

5.a Technical Measures

1. Access Control:
   • Strict access control policies based on the principle of least privilege.
   • Multi-factor authentication (MFA) and VPN for all sensitive access (production, license issuance, payment, DNS).
2. Data Encryption:
   • Use of TLS 1.2 / 1.3 for data in transit.
   • Encryption at rest of databases, object storage, and backups via the managed services of our cloud providers, as described in the Customer Data Encryption Policy.
3. Password Management:
   • Use of a centralized password vault with strong, unique passwords (minimum 26 characters, alphanumeric with special characters).
   • Periodic rotation of the most sensitive passwords.
4. Network Security:
   • Firewalls and security groups configured on each cloud provider used (Hetzner, Cloudflare, AWS, and others).
   • Active network and application monitoring, with intrusion detection and abuse signal analysis.
   • DDoS protection and CDN provided by Cloudflare for public endpoints.
5. Device Protection:
   • No customer or production data is stored locally on employee or contractor laptops.
   • Automatic screen locking and up-to-date operating systems.
   • Remote location and remote wipe capabilities are used where available.
   • In case of loss or theft, access credentials of the affected user are revoked immediately.
6. Software Integrity:
   • Code reviews, automated tests, and supply-chain checks (dependency scanning, signed releases where applicable).
   • Protection of license signing keys in dedicated, access-controlled environments.

5.b Organizational Measures

1. Awareness and Training:
   • Regular training programs on information security and data protection.
   • Phishing simulations to evaluate the vigilance of employees and contractors.
2. Policies and Procedures:
   • Clear policies on the use of data and IT resources (Information Security Policy, Systems Security and Integrity Policy, Encryption Policy).
   • Defined escalation procedures in case of a security incident.
3. Subprocessor Management:
   • Regular review of the security and compliance posture of our subprocessors.
   • Data Processing Agreements (DPA) signed with subprocessors that process personal data on our behalf.
4. Regulatory Compliance:
   • Designation of a Data Protection Officer (DPO).
   • Designation of an Information Security Officer (CISO).
   • Data Protection Impact Assessments (DPIA) carried out for new projects with high risk for data subjects.

5.c Monitoring and Audit Measures

1. Continuous Monitoring:
   • Use of monitoring tools to detect suspicious activity.
   • Real-time alerts for unauthorized access attempts and abnormal application behavior.
2. Regular Audits:
   • Internal security reviews on a quarterly basis.
   • External audits performed annually or as required by customers and regulators.
3. Penetration Testing:
   • Periodic penetration tests to identify vulnerabilities, scoped to the most exposed components (Studio control plane, license issuance, public APIs).

6. Incident Response Plan

• Detection: Continuous monitoring to identify incidents quickly.
• Response: A dedicated team analyzes and contains the incident according to the documented runbook.
• Notification: In accordance with the GDPR, the competent supervisory authority (CNIL) is notified within 72 hours when applicable, and affected customers are informed without undue delay.
• Recovery: Restoration of systems and data from secure, validated backups, in accordance with the Systems Security and Integrity Policy.
• Improvement: Post-incident review to improve processes, update the policies, and prevent recurrence.

7. Conclusion

This risk analysis highlights the potential threats to the personal data of Obscreen customers and users, and proposes concrete measures to mitigate them. Obscreen commits to implementing and maintaining these measures to ensure an appropriate level of security and to preserve the trust of its customers, in accordance with the GDPR and the broader information security framework described in the related policies.

This risk analysis is reviewed at least once a year, or whenever a significant change occurs in the technical, organizational, or regulatory environment.

8. Contact

For any question regarding this risk analysis, or to report a security incident or vulnerability, please contact us at [email protected].