DSMS Submission Package

Last updated: 2026-04-20.

This directory is the complete record-of-processing (Art. 30 GDPR / "Verzeichnis von Verarbeitungstätigkeiten", VVT) package for the TUM-operated Hephaestus deployment at https://hephaestus.aet.cit.tum.de. Submit it through the TUM DSMS at https://dsms.datenschutz.tum.de/ (reachable from MWN / eduVPN with TUM login).

Scope

Hephaestus is a practice-aware guidance platform for software projects, operated by the Research Group for Applied Education Technologies (AET, Prof. Krusche). The platform federates identities through Keycloak (GitHub OAuth + gitlab.lrz.de OIDC), synchronises repository activity from GitHub and gitlab.lrz.de, and engages the following external processors: an LLM provider selected at the deployment level and bound per workspace (Azure OpenAI by default on the TUM-operated deployment, or OpenAI) and Slack (when enabled per workspace). IP-bearing web access logs are generated by the Spring Boot application server itself, limited to the minimum fields needed for security operations, and deleted automatically after 14 days.

Contents

| File | Purpose |
|------|---------|
| README.md | This file |
| SUBMISSION-GUIDE.md | Ordered submission procedure |
| 02-dsfa-prescreen.md | DPIA pre-check (Art. 35 GDPR) — records the DPIA-light posture and the conditions that would require a full DPIA |
| 03-vt-dsms.md | Copy-paste VVT answers for the DSMS form |
| 04-toms.md | Technical and Organizational Measures (Art. 32 GDPR) |
| 05-avv-checklist.md | Art. 28 processor checklist — every external and internal recipient and its AVV status |

The live imprint and privacy pages are served at:

Markdown source lives under webapp/public/legal/profiles/tumaet/.

Summary of the processing surface

  • Federated identities via Keycloak (GitHub OAuth + gitlab.lrz.de OIDC).
  • Repository synchronisation from GitHub and gitlab.lrz.de into workspace-scoped datasets.
  • AI-assisted guidance and automated practice review calling a workspace-configured LLM provider under enterprise no-training terms.
  • Engagement and recognition features (leaderboards, leagues, achievements) gated per workspace.
  • No special-category data (Art. 9 GDPR). No Art. 22 automated decision-making.
  • Residual elevated risk on the AI-assisted feature surface is covered by the BayLfD innovative-technology criterion and the mitigations documented in 02-dsfa-prescreen.md §5.

Annual refresh

Re-review the VVT once per year:

  • Has the deployed stack changed? (new processor, new data category, new retention window?)
  • Has the platform added a new LLM provider or a new source system? Any of these requires an amended VVT, an amended privacy page, and a new row in the AVV checklist.
  • Do the retention figures in 03-vt-dsms.md still match the deployed configuration (14-day application-server access-log retention, whether off-host backups have been introduced, LLM provider retention windows)?
  • Has the deployment activated any of the optional integrations that are currently disabled (e.g. the built-in Sentry client, the built-in PostHog client)? If yes, amend the VVT, the AVV checklist, and the privacy statement before the activation goes live.
  • Has the scope of AI-assisted features grown to the point that the DPIA pre-screen in 02-dsfa-prescreen.md must be upgraded to a full DPIA under the BayLfD template?

Emergency — DSB rejection

The DSB may comment in DSMS. Typical follow-ups and responses:

  • "Rechtsgrundlage zu konkretisieren" (legal basis needs to be made more specific) → §7 of the VVT cites Art. 6(1)(e) GDPR + Art. 4 Satz 1 BayHIG + Art. 25 Abs. 1 BayDSG for TUM Contributors, and Art. 6(1)(b) GDPR for non-TUM Contributors. Point them there.
  • "Löschkonzept fehlt" (deletion concept missing) → §13 of the VVT lists retention per category, including the account-deletion flow and the 14-day application-server access-log retention enforced by the application server itself.
  • "AVV fehlt für X" (no processing agreement for X) → see 05-avv-checklist.md for the per-processor DPA status.
  • "DSFA erforderlich" (DPIA required) → upgrade 02-dsfa-prescreen.md to the BayLfD DPIA template; the pre-screen already captures the residual-risk structure a full DPIA would elaborate.

Export DSB comments, update the relevant file, and re-submit.

Contacts