Data security measures

At KoboToolbox, we take data security seriously. Data security means protecting our users’ data from threats. We constantly monitor and work to improve the KoboToolbox security framework, so we can continue to meet the growing needs of the industry.

If you are located in the European Union, you can sign a Data Processing Agreement (DPA) with Kobo that covers your account and the data you collect. You can review the DPA template here, and the electronic version is available to sign here.

Our administrative, organizational, physical, and technical measures for data security on KoboToolbox servers are based on three principles: confidentiality, integrity, and resilience.

Confidentiality

Physical access control

  • Physical access control measures are implemented by Amazon Web Services (AWS), which provides hosting for KoboToolbox servers. These measures include: video surveillance and physical security of server and network facilities, maintaining key card access control, and restricting access to authorized personnel only.
  • To learn more about AWS technical and organizational measures for physical access control, see the full list of data center controls provided by AWS.

Electronic access control

  • All KoboToolbox accounts are password-protected. Through visual feedback on password complexity, users are supported to create stronger passwords.
  • Only encrypted password hashes are stored on the KoboToolbox server, using the default open source framework provided by Django and the PBKDF2 algorithm with a SHA256 hash. Plaintext passwords are never saved on the server.
  • All database content is encrypted at rest (disk-level encryption).
  • Data sent to the server is encrypted in transit using SHA256 with RSA encryption
  • Users can also choose to enable encryption of their project data (data-level encryption), which renders it inaccessible at all stages of data processing and requires a private key to decrypt locally.

Internal access control

  • Only authorized system administrators can access the KoboToolbox servers for the purposes of updating installed software or maintaining the server infrastructure.
  • Our team will never access your data unless you have given us explicit permission for support purposes.
  • System administrators require additional authentication, including Secure Shell (SSH) public key authentication, to access the KoboToolbox servers and two-factor authentication to access AWS control panels.
  • AWS provides a log of all activity in the AWS Console. For SSH connections to individual KoboToolbox server instances, Kobo collects system access events by SSH key, which can then be matched to the authorized users.
  • SSH is protected against brute-force attacks and unauthorized access by limiting connections at the firewall level to only explicitly allowed IP addresses.

Data Protection by Design and Default

  • Only basic information is required to create a KoboToolbox user account.
  • Kobo staff are required to adhere to Kobo’s privacy policies.
  • Data processed on behalf of the user is not accessed by Kobo.
  • Users have the option of applying advanced encryption, which encrypts data using a public key before it is submitted to a KoboToolbox server and requires a private key to decrypt on a local computer.
  • KoboToolbox also offers the option of removing information in bulk once it has been collected, facilitating the pseudonymization of Personal Data through the removal of identifiers.
  • See “Electronic access control” (above) for details about visual feedback on password complexity.

Integrity

Data Transfer Control

  • All data in transit is protected using SHA-256 with RSA encryption.

Data Entry Control

  • Through their KoboToolbox permissions, users control who can enter data.
  • For most requests, HTTP access logs stored on the server include the authenticated user.

Availability and resillience

  • Kobo performs daily backups of all databases to a separate remote location. In case of a critical outage, all user data will be restored as quickly as possible from the most recent backup.
  • Firewalls block all external requests except for SSH connections from a small list of explicitly allowed IP addresses.
  • Public HTTP and HTTPS traffic cannot connect directly to the KoboToolbox server. Public traffic is serviced by the AWS load balancer, which then forwards it to Kobo’s frontend servers.
  • KoboToolbox servers are configured to use multiple concurrently running server instances and to increase the number of instances to avoid the impact of any localized failures.
  • In case of any failures that threaten continuous operation of critical aspects of the KoboToolbox software, system administrators are available to intervene to restore service as quickly as possible.
  • Kobo’s reporting procedures include automated alerts, escalation of user-reported issues, and self-noticed problems by staff.
  • Contingency plans include the availability of multiple staff members in multiple geographic locations who can respond to emergencies and restore service.
  • KoboToolbox servers have the demonstrated ability to continue operating in a degraded state, receiving submissions while simultaneously recovering lost data via to-the-minute point-in-time recovery (PITR).
  • Users who abuse their accounts by overburdening the KoboToolbox server may be suspended or their account may be restricted.