Data Security and ActivityInfo
The security of the information gathered and stored in ActivityInfo is of paramount importance for us. Having worked in the field we know what it is like to handle confidential and sensitive information and we take up the cause of protecting what the humanitarian organizations trust us with.
This blog post is about the precautions and actions we take to ensure that your data is always safe in ActivityInfo. You can also view our Webinar on Data Security in ActivityInfo.
Physical Security and Backups
We use the Google Cloud Platform (GCP) to host our data. This means that we rent servers from Google, which is a global leader in data infrastructure. The data is stored on servers in multiple locations across Europe, including regions such as Belgium and the Netherlands. Strict physical security is implemented by Google, and entering these places or getting near the servers requires authorization.
By keeping multiple copies of the data in these locations we make sure we have enough backups in case of a natural disaster or failure of one region's server. At the same time, renting servers instead of owning them lets us dedicate our resources and energy to developing the tool instead of managing the infrastructure.
The moment your data moves from your browser to the web servers, it is encrypted with SSL. Attachments and images are additionally encrypted at rest. This ensures that the data remains private and retains its integrity at all times.
ActivityInfo has employment agreements in place, in the same way that a UN organization or an NGO, for example, has an employment contract, to ensure that employees abide by rules, regulations and confidentiality requirements.
We define our relationships with our staff, with our clients and with our suppliers with contracts that clearly define and enforce confidentiality. We also sign a Service Level Agreement (SLA) with the organizations that have a subscription with ActivityInfo that specifies our obligations and Terms of Service and clarifies issues such as data ownership and data security.
General Data Protection Regulation (GDPR)
Additionally, the General Data Protection Regulation, which was put in place by the EU in May 2018, helps clarify the role of each actor regarding data privacy and lists the action points for which each actor is responsible. BeDataDriven, the provider of ActivityInfo, acts as the data processor and has outlined responsibilities regarding data privacy. You can read more about the EU General Data Protection Regulation on the official GDPR website.
Security by design
When using ActivityInfo you can select who can view and who can edit the data you collect. There is a wide variety of permissions that you can grant to your users to refine their access to the information you collect in ActivityInfo.
Read about the types of user permissions and Roles in our User Manual, and take a look at our latest blog post, which lists the advanced permissions we have recently released.
Cloud vs on-Premise
Sometimes we are asked whether it's possible to host ActivityInfo on an organization's servers. We've tried this in the past, but our own customers concluded that they weren't able to provide the same level of service, and data security, on premise as we could provide with our cloud-based organization. Maintaining and securing infrastructure requires a significant amount of resources in terms of team, time, and costs. With ActivityInfo.org, you benefit from a full team focused on the application and its security 24/7, and an even bigger team at the Google Cloud Platform focused on the underlying infrastructure, all with zero planned downtime and weekly updates.
Do you have a specific question regarding the way we handle data security? Don't hesitate to contact us.