Data protection & security (22 FAQs)

FAQs on data protection and security at Echometer

Can I appoint several admins in Echometer?

Yes, you can assign administration rights to any number of users at both team level and workspace level. Please note the following:

  • Only workspace admins can take out and manage an Echometer subscription for an Echometer workspace.
  • Only workspace admins can create additional teams and name or remove additional workspace admins.
  • Team admins can appoint and remove additional team admins and team members for their team.

Is there also an on-premise version of Echometer?

No, Echometer does not have an on-premise version that customers can host themselves. Echometer is only available as a cloud solution.

Where is the server location of Echometer?

Echometer uses the servers of the Open Telekom Cloud in Germany. The Open Telekom Cloud data centers are located in Magdeburg and Biere in Saxony-Anhalt.

These two locations form what is known as a twin-core data center: the two sites are connected to each other by a dedicated high-speed network that is separate from the Internet.

Does Echometer have a GDPR-compliant contract for commissioned data processing?

Yes, Echometer is GDPR-compliant and accordingly has a data processing agreement (also known as “DPA”), which automatically becomes part of the contractual cooperation when a subscription is concluded:

Echometer Contract for commissioned data processing in accordance with GDPR

Does Echometer have terms and conditions?

Yes, Echometer has publicly available terms and conditions for the use of its software: Echometer GTC

Does Echometer offer an uptime SLA?

The standard T&Cs of Echometer include an SLA (Service Level Agreement) for a service availability of 98%. In practice, the availability is well above 99.9%.

The availability of Echometer can be viewed transparently and publicly: https://echometer.instatus.com/

Does Echometer have a recovery plan?

A frequent question in security questionnaires is: Is there an emergency plan and a disaster prevention plan?

Yes, Echometer has documented emergency plans and recovery plans.

Every incident is handled and documented in accordance with internal guidelines. This includes assessing and containing the impact, restoring regular operations as quickly as possible, notifying customers if necessary and evaluating and implementing measures to prevent similar incidents in the future.

Which network protocols does Echometer use?

Echometer uses HTTPS, WebSockets and gRPC as network protocols.

How are authorizations managed in Echometer?

The roles and authorizations in Echometer are managed by the customer’s workspace admins by assigning roles to employees directly in Echometer:

  • Normal employees only have access to teams, retrospectives and 1:1 series to which they have been invited.
  • Team administrators can create and moderate retrospectives in their teams, control the team settings and add or remove team members.
  • Workspace administrators can create and archive teams, assign team administrators, manage the workspace settings and add or remove members from the workspace.

Which authentication method does Echometer use?

Several authentication mechanisms are supported in Echometer:

  • E-mail address + password
  • OAuth via Google
  • SAML SSO with an IdP provided by the customer (can be enforced)

How is data encrypted in Echometer?

Echometer uses the following methods to encrypt data:

  • Encryption in transit: TLS
  • Encryption at rest: LUKS

Is Echometer's 1-on-1 meeting software secure and GDPR compliant?

Yes, both the software tool for 1-on-1 meetings and the tool for team retrospectives from Echometer are secure and GDPR-compliant.

Data in Echometer is sent in encrypted form and also stored in encrypted form on servers in Germany.

Several European financial institutions have chosen to purchase Echometer over competitors due to Echometer’s stringent data security measures.

Does Echometer offer SSO?

Yes, Echometer also allows SSO or single sign-on in its paid plans. This applies to both the retro tool and the tool for 1:1 meetings.

Is Echometer's retro tool secure and GDPR compliant?

Yes, Echometer’s retro tool is technically secure and GDPR-compliant.

Several European financial institutions and insurance companies have chosen to purchase Echometer’s retrospective tools over other alternatives due to the strict regulatory requirements.

The data is stored in Germany and processed securely. The data processing agreement with details on the technical and organizational security measures for processing by Echometer can be viewed here: https://echometerapp.com/gdpr-and-security/

Is Echometer GDPR compliant?

Yes! Echometer is a German software provider and is GDPR-compliant.

Echometer has been designed to ensure data security to the highest standards. All communication and data storage is encrypted accordingly.

Echometer’s data processing agreement and other documents can be viewed here: https://echometerapp.com/de/gdpr-and-security/#dpa

If you have any questions about data protection, please contact support[at]echometer.de.

Where does Echometer store my data?

Echometer customer data is encrypted and stored on servers within the EU in compliance with the GDPR.

How is consent for the use of AI in Echometer's transcription ensured and documented?

The transcription can only be started by the person whose share of the conversation is to be recorded. For example, if the manager starts recording their part in a 1:1 conversation, the other person will only be notified that their counterpart is currently transcribing.

This notification also includes the option to start a transcription of your own speech. Starting the transcription is therefore itself the documented consent. If this consent is missing, no recording will start - and consequently no transcription will take place.

Can the contents of the DPA – for example, regarding subcontractors or inspection/response deadlines – be individually adapted upon request?

Individual adjustments to the Data Processing Agreement (DPA) – for example, regarding subcontractors or response times – are not part of our standard prices.

In principle, such adjustments can be implemented after a review of the content and legal aspects. The expenses incurred for this will be invoiced separately.

How long are audio transcriptions, AI-generated content, and other information stored?

We only store audio data for the duration of processing. It is deleted immediately after the transcription process is complete; only the generated transcript remains.

Transcripts, as well as AI-generated summaries and moderation tips, are stored identically to manually created meeting notes. They are available until the associated 1:1 series is deleted.

We delete all other workspace data no later than two months after the workspace is terminated – or earlier upon request.

What data is transmitted to OpenAI and where is it processed?

For each AI function, Echometer exclusively sends the data required for the respective purpose. Users can see transparently in the application which processing takes place for what purpose. Currently, the following scenarios apply in particular:

  • Action recommendations in retrospectives: Only the linked feedback plus the current draft of the action is transmitted.
  • Transcription of 1:1 conversations: The audio and the names of the participants are shared.
  • Summaries and moderation tips: Only the generated transcript is processed here.

OpenAI Ireland Ltd. is our data processor. Processing may also take place in the USA – in accordance with OpenAI’s Data Processing Addendum (DPA). OpenAI does not use our customers’ data for training purposes.

There is no additional external documentation because we are constantly developing the functions. Instead, we describe all concrete processing directly in the software as soon as users activate a function.

What happens if the OpenAI integration is deactivated - is the AI function then completely switched off?

If the OpenAI integration is deactivated for a workspace, all AI functions of Echometer are completely deactivated for this workspace.

Even if the integration is active, data is only processed when users consciously trigger certain AI functions. There is no automatic background processing without clear, proactive user interaction.

Which AI model does Echometer use? Is there a choice?

Echometer’s AI functions currently work entirely with OpenAI’s models. We do not currently offer a selection of different models within the application.

For enterprise customers, connecting their own models or infrastructure can be reviewed as part of an individual contract and – if technically possible – also implemented.