@@ -750,14 +750,14 @@ The product shall not collect Personal Data without explicit authorization.
#### 5.2.12.3 MI-NPER-2: No Personal Data sent outside endpoint
VPN shall not send Personal Data outside of the endpoint at all.
The VPN shall not send Personal Data outside of the endpoint, except for the minimum data strictly necessary for user authentication, access control (e.g., IDP/OIDC integration), and subscription management. No Personal Data shall be collected or transmitted as part of the core VPN tunneling and routing functionality.
* Reference: TR-DMIN
* Objective: Data minimization
* Preparation: Packet capture during typical hour of use and document all data sent to the VPN manufacturer
* Activities: Review the documentation of the packet capture for any form of Personal Data
* Verdict: There is no Personal Data collected => PASS, otherwise FAIL
* Evidence: Packet capture
* Activities: Review the documentation of the packet capture for any form of Personal Data. Identify if any captured Personal Data originates from the tunneling functionality or is otherwise outside the documented scope of necessary authentication/access control.
* Verdict: If there is any Personal Data collected that is not strictly necessary and explicitly justified for authentication, access control, or subscription management => PASS, otherwise FAIL
* Evidence: Packet capture alongside the manufacturer's documentation justifying the necessity of any transmitted authentication data.
#### 5.2.12.4 MI-NPER-3: Minimize Personal Data required for use, service provisioning and payment
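Review bot: the replacement Verdict line for MI-NPER-2 has the outcome inverted: "If there is any Personal Data collected that is not strictly necessary and explicitly justified for authentication, access control, or subscription management => PASS, otherwise FAIL" would pass a product precisely when it transmits unjustified Personal Data. It should read "... => FAIL, otherwise PASS", matching the original verdict's direction ("There is no Personal Data collected => PASS, otherwise FAIL"). Also, the new requirement text admits the minimum data needed for authentication, access control, and subscription management, but the replacement Activities line only asks the tester to check against "the documented scope of necessary authentication/access control"; add subscription management there so the test scope matches the requirement it verifies.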