GDPR-Compliant Documentation: What Software Vendors Need to Know

Anyone providing product documentation online processes personal data. This article explains which GDPR requirements apply to documentation portals — from audit logs to data processing agreements.

Anyone providing product documentation through an online portal inevitably processes personal data: email addresses, names, access timestamps, IP addresses. The GDPR sets clear requirements for handling this data.

What Data Is Collected?

A typical documentation portal processes the following personal data:

  • Account data — Name, email address, possibly company
  • Authentication data — Password hashes, 2FA secrets
  • Usage data — Which documents were viewed/downloaded, when, from which IP
  • Technical data — IP addresses, user agent, session data

Key GDPR Requirements

1. Legal Basis

For providing documentation to customers, Article 6(1)(b) GDPR (performance of a contract) is typically the appropriate legal basis. The customer has purchased a product and receives the associated documentation — this is part of the contractual service.

2. Audit Logs and Data Minimization

An audit log makes sense from a compliance perspective, but the GDPR requires data minimization. Only log what is actually necessary: who accessed which document and when. No browsing or movement profiles, no unnecessary metadata.

Define retention periods. An audit log stored indefinitely is hard to justify.

3. Server Location and Data Processing Agreements

If you use a SaaS service, the provider is your data processor. You need a data processing agreement (DPA) under Article 28 GDPR. Pay attention to:

  • Server location in the EU (ideally Germany)
  • No transfer to sub-processors in unsafe third countries
  • Technical and organizational measures (TOMs)

4. Data Subject Rights

Your customers (the end users of the portal) have the right to access, rectification, and deletion of their data. Ensure that:

  • Users can view their own data
  • Accounts can be fully deleted
  • A data export is available
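As an added example (not code from the article or from ManualHQ), a minimal Python audit log that applies the minimization and retention rules from section 2 and the access, export and deletion rights from section 4; the field names, the 90-day retention and the sample request are assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
# Minimised record: who, which document, what, when. No IP/user agent, so no movement profile.
@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    user_id: str
    doc_id: str
    action: str  # "view" or "download"

class AuditLog:
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self._entries: list[AuditEntry] = []

    def record(self, request: dict, now: datetime) -> AuditEntry:
        # Accept the full request context but persist only the minimised fields.
        entry = AuditEntry(at=now, user_id=request["user_id"],
                           doc_id=request["doc_id"], action=request["action"])
        self._entries.append(entry)
        return entry

    def purge_expired(self, now: datetime) -> int:
        # Enforce the defined retention period; returns how many entries were dropped.
        cutoff, before = now - self.retention, len(self._entries)
        self._entries = [e for e in self._entries if e.at >= cutoff]
        return before - len(self._entries)

    def export_for_user(self, user_id: str) -> list[dict]:
        # Right of access: every entry the log holds about one user, as plain dicts.
        return [asdict(e) | {"at": e.at.isoformat()} for e in self._entries if e.user_id == user_id]

    def erase_user(self, user_id: str) -> int:
        # Account deletion: drop the user's entries (assumes no legal hold requires keeping them).
        before = len(self._entries)
        self._entries = [e for e in self._entries if e.user_id != user_id]
        return before - len(self._entries)

# Constructed sample request, including fields the log deliberately discards.
SAMPLE_REQUEST = {"user_id": "u-17", "doc_id": "manual-v2.pdf", "action": "download",
                  "ip": "203.0.113.5", "user_agent": "Mozilla/5.0"}
def demo() -> dict:
    # Walk the lifecycle on the constructed sample and return the observable results.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    log = AuditLog(retention_days=90)
    log.record(SAMPLE_REQUEST, now - timedelta(days=120))  # older than retention
    new = log.record(SAMPLE_REQUEST, now)
    return {"stored_fields": sorted(asdict(new)), "purged": log.purge_expired(now),
            "export": log.export_for_user("u-17"), "erased": log.erase_user("u-17")}
```

The request dict stands in for whatever your web framework hands you; the point is that IP and user agent never reach the persisted entry.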

5. Encryption and Security

The GDPR requires "appropriate technical and organizational measures." For a documentation portal, this means at minimum:

  • TLS encryption for all connections
  • Secure password hashing (bcrypt/argon2)
  • Two-factor authentication as an option
  • Rate limiting against brute-force attacks

Watermarks and GDPR

Personalized watermarks (name + email on the PDF) are an interference with the user's right to informational self-determination. They are permissible if the user is informed in advance and the vendor has a legitimate interest (protection of intellectual property). Important: the user must know that a download will be watermarked before initiating it.

Checklist for Your Documentation Portal

  • Privacy policy that explicitly covers the portal
  • Data processing agreement with the platform provider
  • Servers in the EU, ideally Germany
  • Audit log with defined retention periods
  • Ability to delete user accounts
  • TLS + secure authentication
  • Transparent notice about watermarks before download

ManualHQ is designed to meet these requirements by default: servers in Germany, GDPR-compliant audit log, transparent watermark notices, and support for two-factor authentication.