Per Thomas Pronk’s recommendation (https://www.facebook.com/groups/853552931365745/permalink/3503493476371664/), I was hoping you could give an update on a secure save server? I know others have asked about security in the past
(e.g., HIPAA compliance?), and that the servers are GDPR compliant, but as I understand, this applies specifically to EU citizens, though safeguards are in place to protect any personally identifiable information. I would like to make a case for getting a Pavlovia site license to my university. Any information you may be able to provide regarding security of data storage in place would help immensely in this.
Oh, yes, just to be clear we are certainly GDPR compliant )and we will remain so after Brexit transition period ends).
We are also super-secure and careful with your data. We can help you with the documentation you need for that but, to give you an idea:
our server is a physical server, bolted into a highly secure datacenter with ISO 27001 certification
our encryption meets very high standards (including NIST, HIPAA and PCI DSS)
we subjected the server to serious “penetration testing” from a CREST-certified security firm (Nettitude) who found no issues for sensible users (choosing sensible passwords etc)
we’re happy to sign privacy and data-sharing agreements (we don’t share data with anyone so it’s easy)
unlike other providers, we have minimal cookies throughout our sites and, to be on the safe side we turn off things like GoogleAnalytics during participant data collection (surprisingly, others don’t!)
unlike certain competitors we don’t store PII like IP addresses on your behalf (although it you want to do that yourself in your JavaScript code you can of course). Note that, like all online sites, we do store these in security logs, as required for security reasons, but they aren’t combined with participant data
we have security software in place to detect and automatically respond to attacks (Intruder Detection Software and Intruder Prevention Software)
granting admin access to the server is considered very carefully (currently only 2 people)
As well as avoiding data theft, we are also careful about avoiding data loss. We provide 3 levels of backup to prevent data loss in the event of
a broken disk (immediate duplication via RAID array)
an entire broken server (duplicate server that can be activated within hours)
an entire destroyed datacenter (nightly backups to another city)!
All in all, we are really extremely secure and careful with your data and we have had no incidents regarding security.
If your institution needs documentation about these sorts of things (HECVAT or similar documents etc) then we’ll be happy to help. You could email sales at opensciencetools.org and I’ll pick it up with you there
I greatly appreciate all this information! I will compile it for my program and present this to our IRB. If I have any further questions, I will reach out to Open Science. Thank you again for taking the time to respond.
Hi,
I got a related question on GDPR compliance. What kind of cookies are stored during data collection? Only strictly necessary cookies, or also other types of cookies? To be fully compliant, is a cookie bot or other cookie control procedure required? If not, can I refer my participants to a document/website/… that assures them that apart from the technically necessary cookies, no other cookies are saved?
Best, Hendrik
Thanks Wakecarter. It’s somewhat confusing. On the Pavlovia website, I read that Pavlovia does use cookies and local storage when necessary, including Google Analytics, but I’m not sure if that only for researchers, or also for participants.