Data Protection Impact Assessment (Art. 35 GDPR)

Last updated: March 1, 2026

This Data Protection Impact Assessment evaluates the risks associated with personal data processing on the OpenHospi platform, in accordance with Art. 35(7) GDPR.

1. Description of processing

OpenHospi is a free, open-source platform where students in the Netherlands can find and list rooms. Users authenticate via institutional SSO, create profiles, list rooms, browse listings, apply for rooms, and communicate through end-to-end encrypted chat. All users are verified students at Dutch educational institutions. The processing comprises profile data, housing data, communication data, application data, session data, push notification tokens, and consent records.

2. Necessity and proportionality

Data collection is limited to what is strictly necessary for the platform to function, in accordance with the data minimisation principle (Art. 5(1)(c) GDPR).

  • Profile data enables matching (legal basis: performance of a contract, Art. 6(1)(b) GDPR)
  • Location data enables geographic search
  • E2E encrypted chat ensures communication privacy (Art. 25 and Art. 32 GDPR)
  • No data is sold or shared with third parties for marketing
  • No automated individual decision-making or profiling is used (Art. 22 GDPR)

3. Risk: Profile data processing

Risk: Unauthorised access to personal profiles
Likelihood: Low
Impact: Medium
Mitigations: Row-Level Security (RLS) on all database tables. Authentication required via institutional SSO. Profile visibility limited to authenticated users.
Residual risk: Low

4. Risk: Location data (room coordinates)

Risk: Precise location tracking via room coordinates
Likelihood: Low
Impact: Medium
Mitigations: Coordinates used only for map display. No location tracking of users. Only visible to authenticated users.
Residual risk: Low

5. Risk: Chat message content

Risk: Interception or unauthorised reading of messages
Likelihood: Very low
Impact: High
Mitigations: End-to-end encryption with AES-256-GCM. Per-message keys wrapped for each recipient. Private keys stored in IndexedDB (client-side). Server never has access to plaintext.
Residual risk: Very low

6. Risk: Photo storage

Risk: Unauthorised access to profile or room photos
Likelihood: Low
Impact: Medium
Mitigations: Supabase Storage with access policies. Photos only accessible to authenticated users. Deletion cascades on account removal.
Residual risk: Low

8. Risk: Moderation, temporarily decrypted messages

Risk: Exposure of private message content during moderation
Likelihood: Low (only on user report)
Impact: Medium
Mitigations: Only the reporting user provides the decrypted text. Stored temporarily with 90-day auto-deletion. Admin-only access with full audit logging.
Residual risk: Low

9. Risk: Calendar feed URL leakage

Risk: Someone obtains the calendar subscription URL and can see hospi event details
Likelihood: Low
Impact: Medium (event titles, dates and locations exposed; no messages or personal data)
Mitigations: Calendar token is a 128-bit unguessable UUID. HTTPS only. Token is revocable by the user at any time via Settings. User is warned about sharing the URL.
Residual risk: Acceptable

10. Risk: Crash reporting data

Risk: Collection of personal data through error reports
Likelihood: Very low
Impact: Low
Mitigations: sendDefaultPii disabled, IP addresses stripped before storage, no user identifiers in error context, no session replay. EU data storage (Frankfurt). 90-day retention.
Residual risk: Very low

11. Children (Art. 8 GDPR)

All users authenticate via institutional SSO, which requires enrollment at an accredited Dutch educational institution. This effectively ensures all users are 16 or older, in accordance with Art. 5 UAVG (implementing Art. 8(1) GDPR). No separate age verification is needed.

12. Conclusion

The processing activities of OpenHospi present acceptable residual risks after implementation of mitigations. The platform implements data protection by design and by default (Art. 25 GDPR) through end-to-end encryption, Row-Level Security, data minimisation, automated retention rules, and transparent processing. No high residual risks remain that would require prior consultation with the Autoriteit Persoonsgegevens under Art. 36 GDPR.