Data Protection & Security at delta
Protecting your personal data is at the core of our philosophy. delta was developed according to the 'Privacy by Design' principle to ensure maximum security with minimal data retention.
1. Hosting & Infrastructure (Sovereignty)
All data is stored in a highly secure database infrastructure provided by Supabase.
- Server location: European Union (EU).
- Security: All data connections are SSL/TLS encrypted. The database itself is protected by state-of-the-art firewalls and access controls.
2. Types of data processed
We only collect data that is strictly necessary to fulfill legal time tracking requirements and operational processes (vacation/sick leave):
- Identity data: Name, internal HR ID, weekly working hours, and device-based public keys for digital signature verification.
- Time tracking data: Start and end times, break periods, calculated working hours, and entry type (manual, vacation, sick leave).
- Digital records: Every entry includes a cryptographic signature (RS256) in the form of a JWT (JSON Web Token) and the corresponding hash value (bytea signature) to guarantee immutability.
- Absence management: Start and end dates of vacation requests and sick notes, including status (e.g., 'certificate of incapacity provided') and approval history.
3. Special protection of biometric data
delta takes a model approach to data privacy for biometrics:
- No central storage: Your biometric data (FaceID/fingerprint) is never transmitted to our servers or stored in the Supabase database.
- Local authentication: Authentication occurs exclusively on the secure element of your device. delta only receives confirmation that identity was verified by the system in order to release the signing operation using your local private key.
4. Data integrity & audit security
By linking timestamps with cryptographic signatures directly in the time tracking table, we ensure that:
- Data cannot be subsequently altered without detection (invalidated_at field for documenting corrections).
- All records are transparent and verifiable for audits by customs or internal auditors.
5. Your rights
You have the right at any time to access, correct, or delete your data, unless legal retention obligations (e.g., according to Arbeitszeitgesetz or GoBD) apply.
Technical note for HR departments (DPA)
We provide our customers with a ready-made Data Processing Agreement (DPA) detailing the use of Supabase within the EU and all technical and organizational measures (TOMs).
Checklist for Works Council
Introducing delta time tracking — Objective: Transparent, legally compliant tracking with maximum protection of personal rights.
1. Data Protection & Biometrics
No central biometrics: Are fingerprints or facial scans stored on the server?
delta's answer: No. Biometrics remain in the 'Secure Element' of the private or business smartphone. delta only accesses the result of local verification.
Data minimization: Is only required data collected?
delta's answer: Only legally required working times and absence types relevant to payroll (vacation/sick leave) are recorded.
2. Protection from manipulation & surveillance
Audit security: Can the employer covertly alter recorded times?
delta's answer: No. Because each record is cryptographically sealed, any subsequent change would invalidate its digital signature (RS256). This protects employees from unauthorized changes.
Transparency: Do employees have access?
delta's answer: Every employee can view their own signed records in the app at any time.
3. Labor law compliance
Protection against self-exploitation: Does the system help ensure rest periods?
delta's answer: The system accurately documents breaks and rest periods according to Arbeitszeitgesetz and provides warnings if maximum working times are exceeded.
Evidential value: Are the records reliable in case of disputes?
delta's answer: Yes. Thanks to the signature chain, delta provides objective evidence that protects employees from arbitrary claims.
4. Voluntariness & alternatives
Use of private devices: Is the use of personal phones (BYOD) compulsory?
Recommendation: We recommend providing company devices or agreeing on voluntary use with appropriate compensation.
Controller: CYTE Technologies AG, Spinnereistr. 7 Halle 14, 04179 Leipzig, Germany.
For any data protection inquiries: contact@delta-app.de