TicketBase
GDPR & security

Your customer data stays in Germany.

At TicketBase, data protection isn't an enterprise add-on. It's the default: German hosting, DPA included, encryption of sensitive data and clean deletion concepts. No marketing fog, only verifiable facts.

Hosted exclusively in Germany

All data lives on servers operated by Hetzner Online GmbH in Germany. No third-country transfer, no Schrems II debate: your customer data never leaves the scope of the GDPR.

DPA under Art. 28 included

The data processing agreement is included with every plan, at no surcharge and with no extra negotiation. We also have an Art. 28 GDPR DPA in place with our hosting provider.

AES-256-GCM for sensitive fields

Mailbox credentials, API tokens and 2FA secrets are stored encrypted with AES-256-GCM, never in plain text. Passwords are hashed with Argon2id.

Encrypted backups

Daily backups with envelope encryption (AES-256-GCM) and separate key management, rolling 30 days. After cancellation, the backups are irrevocably deleted too.

A separate database per customer

Every business gets its own fully isolated database instance. Your data never sits in the same data store as other customers’ data.

GoBD archiving, optional

If you enable it, TicketBase archives email originals immutably as EML with SHA-256 checksums: 6-year retention with deletion locks and a deletion log, in line with GoBD (German bookkeeping rules). Off by default: without GoBD mode, data minimization applies and you can delete at any time.

GDPR export (Art. 20)

Data portability is built in: you can export your data at any time in machine-readable formats (CSV/PDF, JSON on request), during the trial, in production and on cancellation.

Automatic log deletion

Log data is deleted automatically after defined retention periods (data minimization, Art. 5 GDPR) and kept only as long as there is a factual reason.

2FA & passkeys

Two-factor authentication with backup codes and passwordless sign-in via passkey (Face ID, Touch ID, hardware key), plus session management and complete audit logs.

No lock-in

Your data is yours, even when you leave.

You can export all your data at any time (Art. 20 GDPR). After cancellation there is a 14-day grace period with a reactivation option. Then all your data is irrevocably deleted, backups included. No renegotiating, no fine print.

All details, sub-processors and data-subject rights are in our privacy policy (German).

GDPR questions? Ask us directly.

Start the trial, or write to us if your data protection officer needs details on the DPA, TOMs or deletion concept.

No credit card required · GDPR-compliant · hosted in Germany