Data protection and security settings
complete
Justin
Is there any way we can have more security settings added into the app? Like various GDPR settings, MFA, privacy (even if it's not done currently) like "Please don't share my data" and more common options?
vision assemblies
I think the current explanations on privacy and security are as good as you can make them, in the given set-up. they instill trust in terms of transparency, overall clarity, and documenting good faith – in as much as this can be done in anonymous written text.
– one passage though seems not clear to the non-technical person, like me:
"The only way that this environment can be accessed is with a password-protected, locally stored secret key from only one specific computer. And even if we accessed that environment all services would be containerized and they would only communicate with each other. It would require an infrastructure change and quite some technical effort and knowledge to get direct access to any of your data."
– maybe this can be improved and clarified.
otherwise, thanks for that!
Steffen Bleher
vision assemblies: awesome thanks for letting us know!!
Steffen Bleher
complete
Thanks to everybody for your very thoughtful ideas, questions, and comments. We created a memo on data protection and security in our documentation (https://docs.capacities.io/more/data-protection) and updated all inconsistencies on our website. If you have further questions or remarks feel free to share them with us at team@capacities.io. By that we can continuously improve the transparency and processes around data. If you didn't hear the news we also just launched a backup feature for all data.
Thanks again. Best, Steffen.
Steffen Bleher
Merged in a post:
bring FAQs + Data Security Declaration in Line - being explicit about privacy & data policies & architectures
vision assemblies
I am happy Capacities and the related GbR is transparent, and forwardly engaged in terms of data security.
As this is of utmost importance for Note- & PKM-Apps, especially if privately used, I think it's very important to get this as transparent & straight as possible.
When it says in the FAQs
"All your data is stored on encrypted servers in Germany with regular backups. Only you have access to your content."
I was very happy.
Then, this is not really reflected directly in the Data Security Declaration. There it simply says:
Content data
The content you store and provide while using capacities.io (e.g. notes, texts and Meiden ;-) ) is likewise stored by us. The legal basis for processing the content data is Art. 6(1) sentence 1 lit. a GDPR.
I do not want to be nit-picky about such things. And I do trust the best intentions, as it sounds Capacities gets privacy right out of principle.
Likewise, I think it's important the real security architecture is transparent, clear, consistent, and technically verifiable.
In that spirit I'd propose to bring these descriptions in line, maybe deepening them.
(There was no section to comment on clarity for DSD / FAQs as there was for documentation; so I put it here...)
Also, I think an explicit statement on data ownership (& its future-proofness) is what sets the best note-/PKM-apps apart. It's always good for community building to be as explicit and traceable as possible about all these central privacy / security / ownership matters.
Steffen Bleher
Hi vision assemblies.
Thanks so much for your long ticket, really appreciated it. As you already stated privacy and data protection is one of our core principles. I'm currently drafting a document that is outlining insights into how we store and treat data in general.
Thanks for pointing out the inconsistency, we'll work on this as well. You are right that these details matter.
We'll keep you updated.
vision assemblies
Steffen Bleher: thanks Steffen! Appreciated!
– In the meantime (while you are working on the overall 'picture') I think it would already be of help for some (at least for me) to know, whether content I put into Capacities is actually encrypted w/ user pwds (or such) on servers, or not... To me it sounds like this is the case – but looking into the DSD I became unsure...
... and the knowledge of that would certainly change my use / behavior, while you are working out stuff differently (maybe).
vision assemblies
– just as follow-up & to make this more concrete:
"All your data is stored on encrypted servers in Germany with regular backups" – I think some clarification of what that means here in the feedback-area / forum would already help
– on my overall point see e.g. https://www.outlinersoftware.com/topics/viewt/9864/5 which I just found... :-)
vision assemblies
hey Steffen Bleher!
– sorry, I really, really don't want to appear as nagging-type :-D
but could you (or michael_v_h) just say what – currently – "All your data is stored on encrypted servers in Germany" means (with focus on whether "encrypted servers" means all data I put up in a Capacities "item" are encrypted or not, and what that means).
It will very practically shape my further current use of Capacities :-) Thx a load already!
best, oliver
(– PS: I also think these kinds of questions are those that people in the wider PKM community have an eye on, see link above...)
Steffen Bleher
vision assemblies: You're absolutely right. Currently drafting a longer article on this.
Short answer: Our drives are encrypted and can only be accessed by Capacities. All your items are stored there, but they can be read by Capacities server-side. So it's not encrypted client-side.
vision assemblies
Steffen Bleher: thanks for this little forward notice, Steffen!
I guess I have to wait for some details to better understand what "can be read by Capacities server-side" means (i.e., are my access credentials tied in or not as precondition to read server side...?).
but it already helps to get the general drift.
if not already on your mind, you might include such rather basic questions on non-tech user-side :-)
– thx again! appreciated!
Steffen Bleher
vision assemblies: Short answer again: yes, of course. All content is tied to access credentials. If you don't have these credentials you will never be able to read that content.
vision assemblies
Steffen Bleher: 👍
Steffen Bleher
in progress
Awesome, thanks for the details. We will work on creating some pages on that. It's important to be transparent.
Our company is based in Germany and we are by law enforced to be GDPR compliant.
I'll keep you updated with the docs
Steffen Bleher
Hi, these are great suggestions. Capacities is fully GDPR compliant. Could you elaborate a bit on the options you'd expect and what they would do? Your data, for example, is by default not shared with anybody. Only if you select it and share the link.
Justin
Steffen Bleher: Sure! Let's just start with basic GDPR, where does it say that it's compliant? I looked and I saw nothing security related in any of the documentation (I understand it's still a work in progress - great work too!). My current company is looking for an alternative to Notion and I believe this is perfect but needs to mature, one of the things they look for is security settings and where it's spelled out and how it's worded. I don't see anything that says what developers have access to and what they don't (Some people actually like sharing data with devs to help, I would for my personal notes), or what kind of logging is done on the back end, MFA options, SSO options, and things like that.
Justin
I will try and find more concrete examples too.