We know your ideas are extremely important to you and your business, and we’re very protective of it. After all, PRE.DO’s own ideas are hosted on PRE.DO, too!
Please send firstname.lastname@example.org an email if you have a suspicion about any potential PRE.DO-related security vulnerability.
We follow and keep up with recommendations and best practises from Google, and are in direct dialogue with the Firebase core-team.
Ideas can only be accessed by the idea owner, individuals invited by the idea owner or teams invited by the team owner. These security rules are implemented server-side in the Firebase Real-time database Security Rules framework, so unauthorized access to data is built into the data-model, from the ground level.
The PRE.DO front-end web-application is implemented using the React framework and a number of Open-Source packages.
The PRE.DO back-end is running on Firebase Cloud Functions developed using the Node.js framework.
Emails are sent via the Sparkpost service.
Ideas are stored in the Firebase Real-Time database, and secured tightly with firebase security rules.
Uploaded images and files are stored on the Google and Firebase Cloud Storage.
We never store any passwords, but users can reset their passwords under their user profile.
Respect the intellectual property rights of others!
You are solely responsible for ensuring that you have all required permissions to use and share any data, images and files you add or upload to the PRE.DO platform. You are solely responsible for complying with any local regulation for your county, state or region.
For each team created in PRE.DO, a minimum of one team admin is assigned. The team admin(s) can invite and remove members of the team, and change team settings including logo and team name.
If a member has been removed from a team, they do no longer have access to ideas shared with the team. They do still have access to ideas individually shared with their account. Team admins can re-invite a removed team member who will have access to the same shared content as previously.
Google Firebase runs on the Google Cloud Platform. Therefore the PRE.DO security model is built upon the Google Cloud Platform Security model. This model includes details on:
No PRE.DO employees ever access private ideas unless required to for support reasons.
Support staff may need to access settings related to your support issue. In rare cases staff may need to pull a copy of your data, this will only be done with your consent. When working on a support issue we do our best to respect your privacy as much as possible, we only access the ideas, files and settings needed to resolve your issue. To ensure the integrity of data while resolving issues we might clone data and save these while working on the issues. These cloned data will be deleted as soon as the support issues has been resolved, and you will be notified about it.
Only the PRE.DO SysAdmin (email@example.com) has full access to the database and uploaded images and files.
Some PRE.DO users or teams might invite PRE.DO staff to their ideas or teams. We only access these teams or ideas on user requests and for support only.
We do a full backup of the PRE.DO databases, uploaded images and files daily. These backups are stored on an AES with 128 bit blocks and a 256 bit key encrypted backup disc only accessible to the PRE.DO SysAdmin.
When a user deletes an idea we do not retroactively remove ideas or data from backups, as we may need to restore the data for the user if it was removed accidentally.
If you chose to stop using PRE.DO, you have the option to get your data in a portable format and the right to be forgotten. If you do wish so, please notify firstname.lastname@example.org directly, and we will send you your data within 10 working days, and delete your account.
If your account has been inactive for 1825 days (5 years) we consider it as inactive and we will ask you if we can delete it. If e-mails remains unanswered for another 365 days we will delete your account. In this process we will not contact any other person with the same domain name as yours. Keep this in mind if you are an Admin.
To continuously improve the user experience of PRE.DO and to provide end-user support, and relevant and valuable information to our users, we share anonymised user information with these services:
Have a question, concern, or comment about PRE.DO security? Please contact email@example.com.
Document version 1.0.1, updated April 21st 2018.
This document only exist in this english version.