GDPR / DSGVO Data Protection
CANNEVO is designed for GDPR compliance from the ground up, with data protection as an architectural principle rather than a feature.
Data Minimisation
CANNEVO collects only what is strictly necessary for club operations and statutory compliance:
- Member identity data is retained only for the duration of active membership
- Dispensing records are pseudonymised for §26 annual reports
- The annual report export enforces automatic PII redaction — personally identifiable information cannot survive in the exported file
Record of Processing Activities (VVT)
CANNEVO maintains a complete Verzeichnis von Verarbeitungstätigkeiten (VVT / Art. 30 GDPR) documenting:
- All processing activities and their legal basis
- Data categories processed per activity
- Retention periods
- Technical and Organisational Measures (TOMs)
Data Subject Rights
CANNEVO provides built-in tooling for all statutory data subject rights:
| Right | GDPR Article | CANNEVO Feature |
|---|---|---|
| Access | Art. 15 | DSAR module — access package export |
| Erasure | Art. 17 | DSAR module — erasure check workflow |
| Portability | Art. 20 | DSAR module — portability export |
| Restriction | Art. 18 | DSAR module — restriction flag |
All DSAR requests are tracked with a 30-day response deadline. Automatic escalation alerts fire when deadlines approach.
Breach Notification
CANNEVO implements a dual-clock breach notification system:
- T+8h — Internal alert to club management
- T+72h — Regulatory notification deadline (Art. 33 GDPR / §26 BDSG)
Both deadlines are tracked automatically, with escalation alerts and a structured breach incident workflow.
Data Retention
Retention periods are enforced by an automated retention archival engine:
- Active member data: retained for duration of membership + statutory period
- Dispensing records: retained per §26 KCanG requirements
- Members with open DSAR requests are excluded from archival until the request is resolved
- All archival operations are logged in the immutable audit trail
Technical and Organisational Measures (TOMs)
CANNEVO implements the following TOMs:
- Encryption at rest — all data encrypted in Supabase Postgres (AES-256)
- Encryption in transit — TLS 1.3 on all connections
- Access control — role-based access with RLS enforced at the database level
- Audit trails — immutable audit log on every data-changing table
- 2-Factor Authentication — mandatory for all platform operators
- Break-glass access — support access requires explicit approval, max 2-hour duration, fully audited
- Tenant isolation — each club's data is isolated at the database level via row-level security
Data Processing Agreement
A Data Processing Agreement (DPA) is required before any club goes live on CANNEVO. The DPA acceptance is recorded in the system and immutable once accepted.
To request a copy of CANNEVO's DPA, sub-processor list, or DPIA, contact your CANNEVO representative.