
Our IT guys ask me if osTicket is GDPR compliant? Does anyone know anything about this?



  • I would probably say no, based on the following statements.
    • osTicket does not delete old data by itself, that you would have to configure yourself.
    • osTicket does store personal data by default, but this can be altered to your business needs.
    • If a user requests that all data about them gets deleted, you can do so by simply deleting the user account; there is, however, no proof provided by osTicket that it was deleted except a success message and that you shouldn't be able to find them.
    • If a user requests all data about them, it would be a manual task, but the tool can print out a list of the tickets and then each ticket can be exported as a PDF manually. I don't think you can export the user profile data but you can probably just take a printscreen.
    Most of these problems can probably be solved by implementing some SQL queries that you'd use if the need arises.

    That's what comes to mind for me, but it's very vague to ask if osTicket is GDPR compliant; it's not like there's a certificate.
  • Considering I had never even heard of GDPR until this thread, I would say no.
  • Software itself is not regulated by GDPR, it's the actual data and you'll need to consult legal assistance to ensure compliance. 
  • This will be a big issue if osTicket is not GDPR compliant before May 25, 2018. Because it manages data about people.
    Some features would be useful to make it compliant:
    - ability to remove the attachments older than a specific age
    - mark some data as sensitive and encrypt them in the database
    - ability to anonymise the personal data (ip, email) after a certain period
  • edited March 15
    I don't feel like you are going to like my more verbose answer but here goes:

    My understanding is that the devs plan on being compliant, but feel that it mostly depends on the hosting end of things, not the software per se. That being said, I'm sure that I will be getting more information regarding this in the future and it would probably be slated for a future v 2.1 or higher release.

    Since osTicket is open source, that means that you can modify the core files to suit your needs. If you want a specific feature [like those you mentioned] you can develop it, or pay for someone else to develop it for you or the community.
  • Thank you for your answer.

    By the way, do you know why I don't receive any notification when you post an answer?
    For information, in my notifications settings, all the options are checked except "Notify me when a comment is flagged."
  • Hi, I feel like this topic was not taken seriously enough.

    Sure, I understand that osTicket is open source and developers will not drop their current responsibilities to make osTicket compliant without any bonification. Perhaps someone can take this challenge and prepare the plugin that will help to comply (this can be released commercially).

    If it is known (and will be known) that osTicket does not have features to ease compliance (or namely manual actions and procedures need to be in place to comply), then anyone after 28.05.2018 who will want to mess up, will start making problems to companies that use osTicket. Needless to say how popular it is and how many issues it may cause.

    I need to either switch from osTicket by the deadline (last thing I want to do) or prepare manually scripts and instructions how to, i.e., delete user or replace his personal data with some auto-generated gibberish. Considering how many people are facing the same task, it seems dumb that we are left alone.

    I would really appreciate some official statement from developers what is the plan. There are only 2 months to wrap it up and I bet internally all companies have their own deadline to present compliance report. If that is a paid service, let it be.

  • You are welcome to your opinion.

    "or prepare manually scripts and instructions how to, i.e., delete user or replace his personal data with some auto-generated gibberish."

    Here are the instructions on how to delete a user that you requested.

    Go to Users tab.
    Find user.
    Click check box to left of user.
    Click More
    Click Delete

    You have already received an official response from me, the forum moderator, which was written after I spoke to the lead Dev.
