Data Protection Impact Assessment
Under GDPR Art. 35, processing special-category data (such as data revealing mental health) at scale requires a Data Protection Impact Assessment. This page summarises ours. The full internal DPIA document is available to regulators and enterprise customers on request: dpo@onwardsupwards.app.
Last reviewed: 23 May 2026.
1. Nature, scope, context, purpose
Onwards Upwards is a self-directed journaling tool. Users record triggers, emotions, beliefs, and reflections to support personal growth. Processing is initiated by the user, for the user, on the basis of explicit Art. 9(2)(a) consent. We do not provide medical, diagnostic, or therapeutic decisions.
2. Necessity and proportionality
Journal text and tags are the minimum data needed to deliver the service. Insights aggregation is opt-out at any time from Settings → Insights. Retention is tied to account lifetime; deletion is self-serve and permanent.
3. Identified risks
- Unauthorised disclosure of sensitive journal content.
- Re-identification of users from aggregated insights.
- Misuse of the service for clinical decisions it is not designed for.
- Sub-processor breach or unlawful international transfer.
4. Mitigations in place
- Row-level security on every user-scoped table; no cross-user reads possible.
- AES-256-GCM envelope encryption for journal payloads at rest.
- MFA + AAL2 step-up required for export and account deletion.
- Generic error messages on the wire; raw DB errors logged server-side only.
- Strict CSP, HSTS, Referrer-Policy, and Permissions-Policy on every response.
- "Not a medical device" disclaimers in app, Terms, and Privacy Policy.
- Sub-processors listed at /legal/subprocessors with SCCs/UK IDTA where applicable.
- Audit log of consent, export, and deletion events, restricted to the actor.
- Documented key-rotation runbook for the field-encryption master secret (24-month cadence, two-person review, dual-read envelope versioning) — see Trust & Compliance → Key management & rotation.
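The "dual-read envelope versioning" named in the last mitigation, as an added illustration in Go that is not the product's own code: each row carries the master-key version that wrapped its per-row DEK, reads honour whatever version is still in the keyring, rotation re-wraps only the DEK, and a retired version fails closed. The Envelope/Keyring types, the function names and the use of the user ID as GCM additional data are assumptions of this example, not details taken from the DPIA.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "fmt")
// Envelope: the master-key version that wrapped this row's DEK, the wrapped DEK, and the payload (nonce prepended).
type Envelope struct{ KeyVersion int; WrappedDEK, Ciphertext []byte }
// Keyring: every master-key version still allowed to unwrap; previous and current coexist during a rotation window.
type Keyring struct{ Current int; Keys map[int][]byte }
// seal returns nonce||ciphertext; aad binds the blob to its owning user row (assumed here), so a blob moved to another row fails to open.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() { return nil, fmt.Errorf("truncated blob") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}
// Encrypt: fresh DEK per payload, wrapped under the current master-key version.
func Encrypt(kr *Keyring, userID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	wrapped, err := seal(kr.Keys[kr.Current], dek, []byte(userID))
	if err != nil { return nil, err }
	ct, err := seal(dek, plaintext, []byte(userID))
	if err != nil { return nil, err }
	return &Envelope{kr.Current, wrapped, ct}, nil
}
// Decrypt honours the version recorded in the row (dual-read); a version no longer in the keyring fails closed.
func Decrypt(kr *Keyring, userID string, env *Envelope) ([]byte, error) {
	mk, ok := kr.Keys[env.KeyVersion]
	if !ok { return nil, fmt.Errorf("master key v%d retired but row never rewrapped", env.KeyVersion) }
	dek, err := open(mk, env.WrappedDEK, []byte(userID))
	if err != nil { return nil, err }
	return open(dek, env.Ciphertext, []byte(userID))
}
// Rewrap re-wraps only the DEK under the current version; the journal ciphertext is untouched, so rotation never rewrites payloads.
func Rewrap(kr *Keyring, userID string, env *Envelope) error {
	dek, err := open(kr.Keys[env.KeyVersion], env.WrappedDEK, []byte(userID))
	if err != nil { return err }
	wrapped, err := seal(kr.Keys[kr.Current], dek, []byte(userID))
	if err != nil { return err }
	env.KeyVersion, env.WrappedDEK = kr.Current, wrapped
	return nil
}
```

Retiring a version before every row has been rewrapped is the failure mode the dual-read window exists to prevent; Decrypt surfaces it as an explicit error rather than a silent garbage read.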
5. Residual risk & conclusion
Residual risk after mitigations is assessed as low. Processing may proceed without prior consultation of the supervisory authority under Art. 36. This DPIA is reviewed at least annually and whenever a material change is made to the processing.
Contact
Data Protection Officer: dpo@onwardsupwards.app. See also our Privacy Policy and Trust & Compliance pages.
