Matrix Requirements Privacy Policy

Last updated: Thursday 18th January 2024

We are strongly committed to protecting your personal data, which means any information related to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier (referred to as “personal data”, “data”, or “personal information”). 

This privacy policy (“Privacy Policy”) describes why and how we collect, process, and secure your personal data and provide information about your rights concerning your personal data. It provides information about our company and marketing efforts for our products (MatrixQMS and MatrixALM) and services (collectively referred to as “Services”) to our customers and visitors (“Customers”, “you” or “your”). It applies to our website www.matrixreq.com (the “Website”), and other interactions (e.g. customer support) that you may have with Matrix Requirements.

When you read “Matrix Requirements”, “us”, “our”, or “we” below, it refers to Matrix Requirements GmbH, its affiliates and agents as the controller for processing.

All individuals whose responsibilities include access to or processing of your personal data are required to adhere to our Privacy Policy.

If you have any questions, please do not hesitate to call us at +49 7802 931 4892 or send us an e-mail at privacy@matrixreq.com

Please make sure to read this Privacy Policy when accessing or using Matrix Requirements Services in any way, whether you have created your own Matrix Requirements products site (by subscribing to our Services), are invited to someone else’s site as a project member, or are just browsing around.

Table of Contents

What personal data do we collect and why?

How do we use your data information?

Legal basis for processing personal data under GDPR

Data security and integrity

Age Limitations

Data retention     

Data transfer

How do we share and disclose your information?

Your rights concerning personal data

Links to the third-party websites

Questions you might have regarding your personal data

Who can see my password?

Who can see my credit card number? 

Who can see my data? 

How is my data protected from another customer’s data?

Have Matrix Requirements Services ever been compromised so far? 

Other terms and conditions

Changes to this Privacy Policy

Data Protection Officer

How to contact us

What personal data do we collect and why?

We may process personal data provided to us for any purposes described in this Privacy Policy. We intend to collect only the personal data that is provided:

- to enter and operate the system (i.e. MatrixQMS and MatrixALM) or 

- voluntarily by online visitors so that we can offer information and/or Services to those individuals or 

- to offer information about employment opportunities. 

Matrix Requirements will collect and process personal data through operating Services and the Website, and other interactions with us. Such personal data may include:

Customer Data. We collect the name and email address for authentication in our Services. Contact details may also include telephone, state, province, ZIP/postal code, other contact details, and associated local time zone information.

Data for billing purposes. Customers’ payment details may include invoicing and credit-related data such as name, e-mail address, billing address, optional phone number and Skype ID, and optional geographical location.

We do not collect credit card data directly. See “Who can see my credit card number?” below.

Cookie Data. Please be aware that your browser must be configured cookies from matrixreq.com for you to use Matrix Requirements Services. For more information on how we use cookies and other technologies and how you can control them, please read our Cookie Policy.

Other Data. E-mails and chat protocols may include data about prospects visiting the Website initiated by customers or Matrix Requirements.

Why do we process your personal data?

We may process your personal data for the following purposes:

To provide and maintain our Services, including monitoring the usage of our Service.

To manage your instance. To manage your registration as a Services user. Your personal data can give you access to different functionalities of Services that are available to you as a registered user.

To investigate and help prevent security issues and abuse. It is in our interest to keep Services secure to detect, prevent and address abuse (such as spam) and investigate and take action regarding suspicious activity on Services. Therefore, we may process personal data to better understand how Matrix Requirements is used or to prevent spam or abuse.

For the performance of a contract, billing, account management and other administrative matters: the contract development, compliance and undertaking of the contract for the products, items or services you have purchased or of any other contract with us through Services. We may need to contact you for invoicing, account management and similar reasons, and we use account data to administer accounts and keep track of billing and payments.

To get in touch with you. To contact you by e-mail, telephone calls, or other equivalent forms of communication regarding updates or informative communications related to the functionalities, including Services updates, when necessary or reasonable for their implementation.

To provide you with news, special offers and general information about other events we offer that are similar to those you have already purchased or enquired about unless you have opted not to receive such information.

To manage your requests. We may use your personal information to respond if you contact us with inquiries, comments or questions.

For other purposes. We may use your information for other purposes, such as data analysis, identifying usage trends, determining our promotional campaigns’ effectiveness, and evaluating and improving our Services, marketing and your experience.

Legal basis for processing personal data under GDPR

We closely monitor privacy regulators’ guidance on GDPR compliance and adjust our product features and contractual obligations accordingly. You can expect regular updates to stay up to date.

Matrix Requirements may process personal data under the following conditions:

Consent. You have consented to processing personal data for one or more specific purposes.

Performance of a contract. Provision of personal data is necessary for the performance of a contract with you and/or for any pre-contractual obligations thereof.

Legal obligations. Processing personal data is necessary for compliance with a legal obligation to which Matrix Requirements is subject.

Vital interests. Processing personal data is necessary to protect your vital interests or those of another person.

Legitimate interests. Processing personal data is necessary for the legitimate interests we pursue. We have a legitimate interest in being able to contact you, communicate with you and cooperate with you on the conclusion and performance of contracts, as well as for direct marketing purposes, for ensuring the network and information security of our ISMS and fulfilling your requests, namely:

- storage of documentation of our cooperation for invoicing, resolving any disputes and other administrative issues;

- providing, updating, maintaining and protecting our product, Website and business;

- development and provision of productivity tools and additional features of our product;

- prevention and investigation of security issues;

- sending marketing emails and other communications about new product features, promotional messages or other news about us;

- communication with you by responding to your requests, comments and questions.

In any case, we will gladly help clarify the specific legal basis that applies to the processing, particularly whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract.

Data security and integrity

The security of your personal data is important to us. Therefore, we have been certified under ISO 27001 standards of information security management system to protect personal information from loss, misuse, alteration or destruction. Additionally, we follow the industry’s best practices and continuously improve our processes.

We only give access to our servers to senior Matrix Requirements security experts; such persons have agreed to keep this information confidential. 

We keep our servers always up to date with security fixes, have one-click ways to take down servers should they become infected/compromised, and create and deploy new clean ones. We always code-review security-related code internally before checking in and have an automated suite of tests against XSS attacks and more.

The entire matrixreq.com domain uses HSTS to ensure browsers interact with us only over HTTPS. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the cyphers we support. You can check for yourself these details on the Qualys SSL Labs service.

Although we take appropriate security measures once we receive your personal data, data transfers over the Internet (including by e-mail) are never completely secure. Therefore, you should take particular care when deciding what data you provide to us. We strive to protect personal data but cannot guarantee the security of information transmitted to or by us.

Age limitations

Matrix Requirements understands the importance of protecting children’s privacy, especially online. Our policy is to never knowingly collect or store information from anyone under 16 years of age. In case you learn that anyone younger than 16 has illegally provided us with personal data, you may notify us at privacy@matrixreq.com. We will promptly take steps to delete such data and terminate the child’s account.

Data retention        

We will retain your personal data only for as long as it is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Data transfer

We do not share personal data with third parties except as necessary for our legitimate business needs, to carry out your requests, and as required or permitted by law or professional standards and requirements. 

Matrix Requirements uses third parties in other countries to help us run our business. As a result, personal data processed through Matrix Requirements may be stored anywhere in the world, including the European Economic Area (EEA), the United States, Canada, the United Kingdom, and Ireland.

Our third parties consist of:

Hosting providers: customer data in the Matrix instances is regionalized and does not leave the assigned region, not even for backups. 

For our US-based customers, we host our data on OVHCloud US. Here is OVH’s Privacy Policy.

For our other customers, we host our data on OVHCloud France (with servers in Germany, France, Canada, UK). Here is OVH’s Security and confidentiality information.

Optionally, we can also use Google Cloud (Ireland) for any customer. Here is Google’s Security and confidentiality information.

Solution providers: customer data related to pre-sales communication, sales, security communication, and support is stored in third-party systems, and they store them anywhere in the world (Confluence, HubSpot, Mailgun).

Other service providers: we use Chargebee, Gmail, Atlassian Service Desk, and Slaask for billing and communication with prospects and clients.

Some of the third parties mentioned above are based in other countries that may have different privacy and data protection laws equivalent to those of the country in which you reside. 

Where we transfer personal data outside of the EEA to non-EU countries, we rely on adequacy decisions by the European Commission

Suppose we transfer personal data outside of the EEA to a country or framework not determined by the European Commission as providing adequate protection for personal information. In that case, the transfers will be under an agreement that covers European Union requirements for such transfers, such as standard contractual clauses. You can find information about standard contractual clauses for data transfers between EU and non-EU countries here.

You can contact us at privacy@matrixreq.com if you need more information about the legal mechanisms we rely on to transfer personal data outside the EEA.

By providing data to us, you consent to transferring and storing your personal data in these countries 

How do we share and disclose your information?

We restrict who at Matrix Requirements can access customer data to only senior team members and never to outside parties. 

We only do it in response to a customer support question.

We only do it to debug and fix the issue.

We never make changes to anything unless explicitly requested by a subscription owner.

If the subscription owner or a workgroup member asks us to look into a project to debug a software issue, we will go in and look at that project and possibly make minor edits to fix the issue.

We never share what we see with other customers or the general public.

We do not share personal data with third parties except as necessary for our legitimate professional and business needs, to fulfill your requests, and/or as required or permitted by law or regulatory standards.

We will not share the personal data you provide with third parties for use in direct marketing.

Under certain circumstances, we may be required to disclose your personal data if required by law or in response to valid requests by public authorities. We’ll try not to, but we don’t have the resources to fight the government. We’ll also inform your subscription owner as much as possible if this happens. 

Your rights concerning personal data

You may have certain rights under your local law regarding your personal data in addition to the following rights. 

The right to confirm whether we process personal data about you, receive a copy of your personal data and obtain certain other information about how and why we process your data.

The right to rectification of your personal data. You have the right to have any incomplete or inaccurate personal data (for example, if you change your address) we hold about you corrected.

The right to erasure of your personal data when there is no good reason for us to continue processing it:

- the personal data is no longer necessary concerning the purposes for which they were collected and processed;

- our legal basis for processing is consent; you withdraw your consent, and we have no other legal basis for the processing;

- our legal basis for processing is that the processing is necessary for legitimate interests pursued by us or a third party, you object to the processing, and we do not have overriding legitimate grounds;

- you object to the processing for direct marketing purposes or

- your personal data must be erased to comply with a legal obligation to which we are subject.

The right to restriction of processing of your personal data in the following cases:

- for a period enabling us to verify the accuracy of personal data where you contested the accuracy of the personal data;

- your personal data have been unlawfully processed, and you request the restriction of processing instead of deletion;

- your personal data are no longer necessary in relation to the purposes for which they were collected and processed, but you require the personal data to establish, exercise or defend legal claims; or

- for a period enabling us to verify whether the legitimate grounds we relied on overriding your interests where you have objected to processing based on it being necessary to pursue a legitimate interest identified by us.

The right to object to the processing of your personal data in the following cases:

- our legal ground for processing is that the processing is necessary for a legitimate interest pursued by us or a third party or

- our processing is for direct marketing purposes.

The right to transfer your personal data. We will provide you, or to a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Please note that this right only applies to processing by automated means you initially provided consent for us to process or where we processed your personal data to perform a contract concluded with you.

The right to withdraw consent. Where we process personal data based on consent, you can withdraw consent at any time. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Website and/or our products.

You can exercise your rights of access, rectification, erasure and objection by contacting us by phone +49 7802 931 4892 or send us an e-mail at privacy@matrixreq.com.

Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.

If you consider that processing your personal data infringes the law, you may have the right to lodge a complaint with a data protection supervisory authority. For more information, if you are located in the European Economic Area (EEA), please contact your local data protection supervisory authority in the EEA.

Links to third-party websites

Our Website may contain links to other websites that we do not operate. We encourage visitors to read the Privacy Policy of each website visited before disclosing any personal information. We have no control over and assume no responsibility for any third-party sites or Services’ content, privacy policies or practices. Visiting other websites or applications is at your own risk.

Questions you might have regarding your personal data

Who can see my password? No one. We store your password hashed so no one, not even us, can read it. For encrypting the passwords, we use bcrypt hashing and a unique random salt for each user.

You are responsible for keeping your username, password and other sensitive information confidential. If you become aware of any unauthorized use of your account or any other security breach, you shall notify Matrix Requirements immediately.

If you forget your password, we can generate a new temporary password and send it to you by e-mail. You will then be able to specify a new password.

User management is done inside Matrix Requirements products; additionally we support OAuth and SAML integration of external authentication systems. Subscription owners can assign passwords to staff and project members.

Matrix Requirements staff will never change a password for you nor change the subscription owner unless requested.

Who can see my credit card number? No one at Matrix Requirements, we use the Stripe payment service. Read about their security measures at the http://mrq.ovh/stripe/security  (in short, they encrypt your credit card info).

Once you sign up, Stripe will charge your card each month. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.

Who can see my data? The subscription owner can give access to registered users; nobody besides users who explicitly got the right and the authorized employees of Matrix Requirements can see the data. To see data, the users must authenticate themselves.

It is possible to store attachments in Matrix Requirements. These files have permalinks, which can be used to share attachments without authentication. These links are intentionally very long and hard to guess.

We use HTTPS to transfer all data. Besides passwords, data is not encrypted when stored in our database (to allow full-text search).

Only subscription owners can request the creation of new users.

As we are proud of having you as a Customer, we will post your company name and logo on our Website along with a pin on Google Maps with your approximate office location. If you prefer to stay incognito, please let us know.

How is my data protected from another customer’s data? Each customer instance contains its database. Each customer application can only access the data on the customer’s database, and no other databases are accessible.

The only exception to the above principle is the list of links you may have with your JIRA Clouds instance. For this, we use a single database with all the links of all our clients. However, another customer cannot access your data through that means since that database only contains links.

Have Matrix Requirements Services ever been compromised so far? No. Should our systems get compromised, we will replace the server(s) that have been hacked with new ones (we can do this with very few clicks). If this doesn’t stop the attack, we’ll shut down Services until we can fix the vulnerability. We will also hire experts to help us and verify that we’re safe to resume Services.

Other terms and conditions

Your access to and use of the Matrix Requirements’ software products and any necessary customization is subject to the General Terms and Conditions at matrixreq.com/terms-and-conditions.

Changes to this Privacy Policy

We may update this Privacy Policy by publishing here to reflect our current privacy practices. When we make changes, we will revise the “Last updated” date at the top of this page. The newly modified Privacy Policy will apply from that revision date. Therefore, we encourage you to review this Privacy Policy periodically to be informed about how we protect your information.

Data Protection Officer

To communicate with our Data Protection Officer, please e-mail privacy@matrixreq.com.

How to contact us

If you have any questions or comments about our privacy practices or complaints about handling your personal data, please contact us at privacy@matrixreq.com. You may also use this e-mail to communicate any concerns regarding compliance with our Privacy Policy.

To treat your request as quickly as possible, provide the information of 

  • name; 

  • e-mail address; 

  • what is your relationship with Matrix Requirements (a customer, an employee, a contractor, or another); 

  • what do you want to do (obtain a copy of your personal data, update your personal data, restrict processing of your personal data, delete your personal data, other requests or comments);

  • other details if needed.

We may accept your concern (and, in that case, implement one of the measures set out in the “Your rights concerning personal data” section above) or reject your concern on legitimate grounds.

In any event, you always have the right to complain to the relevant regulator for the protection of personal data.