@@ -491,6 +491,8 @@ The VPN provider shall not require PII for use of the product, including for pay
The VPN provider shall not store any PII of the user on remote data processing systems.
Guidance: VPN providers may use remote systems to handle support tickets, e-mail and a knowledgebase. The VPN provider shall not store any PII in remote data processing systems without abundantly clear and explicit permission from the user.
* Applicability: (optional, for requirements that depend on a feature)
* Reference: TR-NPII
* Objective: Confidentiality
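Review bot: The requirement and its guidance contradict each other: the requirement line states the provider "shall not store any PII of the user on remote data processing systems" with no exception, while the Guidance line permits storing PII there "without abundantly clear and explicit permission from the user", which reads as an exception by consent. Pick one and make the other match, e.g. either drop the consent clause from the guidance or rewrite the requirement as "shall not store PII of the user on remote data processing systems without the user's explicit consent"; as written, an assessor cannot tell whether a consented support ticket containing an e-mail address is a pass or a fail. "Abundantly clear" is also not a testable criterion. Separately, the `* Applicability: (optional, for requirements that depend on a feature)` line is still the template placeholder; either fill it in or leave the field empty so it does not ship in the published text.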
@@ -499,8 +501,6 @@ The VPN provider shall not store any PII of the user on remote data processing s
* Verdict: Policy is consistent with not storing PII and samples of stored data contain no PII
* Evidence: Policy, samples of stored data, documentation of why the samples don't contain PII
FIXME is this useful? Is there a use case where the VPN client sends PII to the provider but the provider doesn't store the PII? For now, don't include as a mitigation for any use cases.
#### 5.2.8.6 Mapping of mitigations to risk factors and security profiles
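Review bot: The `FIXME is this useful? ...` line sits inside the normative text between the Evidence entry and the 5.2.8.6 heading, and its last sentence ("For now, don't include as a mitigation for any use cases") is an editorial instruction, not a requirement; resolve the question before merging or move it to the issue tracker, since otherwise it will be published as part of the section. On the Verdict line, "samples of stored data contain no PII" can only show that the sampled records are clean, not that no PII is stored anywhere; consider adding to the Evidence line something that covers the whole store, such as the data-retention configuration or a description of which fields are persisted, so the verdict is not based on sampling alone.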