PRE.DO Security Policy


We know your ideas are extremely important to you and your business, and we’re very protective of it. After all, PRE.DO’s own ideas are hosted on PRE.DO, too!

Need to report a security vulnerability?

Please send uffe@pre.do an email if you have a suspicion about any potential PRE.DO-related security vulnerability.

Architecture

The PRE.DO website is hosted on the Amazon Web Services Lightsail service, and running on a WordPress installation, using a letsencrypt.org SSL (Secure Sockets Layer) certificate.

The PRE.DO web-application is hosted on Google Firebase. Firebase hosts only via SSL is a typical security technology used to establish encrypted link between a server (Host) & client (Browser).

We follow and keep up with recommendations and best practises from Google, and are in direct dialogue with the Firebase core-team.

Ideas can only be accessed by the idea owner, individuals invited by the idea owner or teams invited by the team owner. These security rules are implemented server-side in the Firebase Real-time database Security Rules framework, so unauthorized access to data is built into the data-model, from the ground level.

The PRE.DO front-end web-application is implemented using the React framework and a number of Open-Source packages.

The PRE.DO back-end is running on Firebase Cloud Functions developed using the Node.js framework.

Emails are sent via the Sparkpost service. 

Ideas are stored in the Firebase Real-Time database, and secured tightly with firebase security rules.

Uploaded images and files are stored on the Google and Firebase Cloud Storage.

We never store any passwords, but users can reset their passwords under their user profile

Intellectual Property Rights

Respect the intellectual property rights of others!

You are solely responsible for ensuring that you have all required permissions to use and share any data, images and files you add or upload to the PRE.DO platform. You are solely responsible for complying with any local regulation for your county, state or region.

Team Admins

For each team created in PRE.DO, a minimum of one team admin is assigned. The team admin(s) can invite and remove members of the team, and change team settings including logo and team name. 

If a member has been removed from a team, they do no longer have access to ideas shared with the team. They do still have access to ideas individually shared with their account. Team admins can re-invite a removed team member who will have access to the same shared content as previously.

Google Cloud Security

Google Firebase runs on the Google Cloud Platform. Therefore the PRE.DO security model is built upon the Google Cloud Platform Security model. This model includes details on:

  • Physical Data Center Security
  • Server and Software Stack Security
  • Data Access
  • Data Disposal
  • Secured Service APIs and Authenticated Access
  • Data Encryption
  • Intrusion Detection
  • Security Scanning
  • Compliance and Certifications, including AICPA-SOC, ISO 27001, SOC3, PCI-DSS & EU Data Protection Directive (aka GDPR).

Employee access

No PRE.DO employees ever access private ideas unless required to for support reasons. 

Support staff may need to access settings related to your support issue. In rare cases staff may need to pull a copy of your data, this will only be done with your consent. When working on a support issue we do our best to respect your privacy as much as possible, we only access the ideas, files and settings needed to resolve your issue. To ensure the integrity of data while resolving issues we might clone data and save these while working on the issues. These cloned data will be deleted as soon as the support issues has been resolved, and you will be notified about it.

Only the PRE.DO SysAdmin (uffe@pre.do) has full access to the database and uploaded images and files. 

Some PRE.DO users or teams might invite PRE.DO staff to their ideas or teams. We only access these teams or ideas on user requests and for support only.

Backups

We do a full backup of the PRE.DO databases, uploaded images and files daily. These backups are stored on an AES with 128 bit blocks and a 256 bit key encrypted backup disc only accessible to the PRE.DO SysAdmin.

When a user deletes an idea we do not retroactively remove ideas or data from backups, as we may need to restore the data for the user if it was removed accidentally.

Exit

If you chose to stop using PRE.DO, you have the option to get your data in a portable format and the right to be forgotten. If you do wish so, please notify uffe@pre.do directly, and we will send you your data within 10 working days, and delete your account.

If your account has been inactive for 1825 days (5 years) we consider it as inactive and we will ask you if we can delete it. If e-mails remains unanswered for another 365 days we will delete your account. In this process we will not contact any other person with the same domain name as yours. Keep this in mind if you are an Admin.

Privacy

To continuously improve the user experience of PRE.DO and to provide end-user support, and relevant and valuable information to our users, we share anonymised user information with these services:

PRE.DO is a company registered in the European Union and our data handling comply with rules and recommendations stipulated in the General Data Protection Regulation (GDPR) taking effect on May 25, 2018. Our Data Protection Officer (DPO) is Uffe Koch, uffe@pre.do, +45 2828 7878.

Contact Us

Have a question, concern, or comment about PRE.DO security? Please contact uffe@pre.do.

Document version 1.0.1, updated April 21st 2018. 

This document only exist in this english version.