What about data privacy?
Personal information is gathered with the app. Privacy is of utmost importance and is taken seriously. For an elaborate overview of the privacy measures, please read the privacy declaration.
In short:
Anonymous data is stored and provided with a unique identifier code. The provided email address is used once to send credentials. This email address, in combination with the credentials, is not stored and is no longer available after the information is sent.
Data is stored on a secure server and adheres to the General Data Protection Regulation (GDPR) rules. Security is treated with diligence.
Some security measures we have in place
(1) Where are the data stored? And is there a data encryption protocol at the end point?
When working offline, the collected data is stored in the app; once online the data is transferred over HTTPS to the psymate.io platform and is removed from the mobile device.
(2) How are data stored once they reach the server, e.g. are they encrypted on an EU/UK based server?
At the psymate.io platform, the data is stored on encrypted disks.
(3) What security measures are on the servers to prevent unauthorised access to the data, e.g. brute force protection, administrative interfaces only accessible from particular IP addresses?
All network traffic to the psymate.io platform is monitored for suspicious activity. The administrative interfaces are protected by two-factor authentication (2FA), and all activity is logged and monitored for unauthorised access.
(4) What is your protocol for keeping/deleting data once our account expires?
If any remaining data exists on the psymate.io platform, it will be deleted.
(5) Is PsyMate run on your own infrastructure or does it use cloud servers like AWS, Google, Azure?
The psymate.io platform runs on virtual private servers hosted on a 3rd party certified private infrastructure and is distributed for high availability over 2 datacenters in The Netherlands, Europe. The psymate.io platform is not using public cloud servers or services.
(6) What sort of identifiable data does the app record? Phone numbers are probably an obvious one, but can it also read IP address, names, etc.?
The app exchanges the following data with the psymate.io platform only (this data is not exchanged with the 4D backend systems): device and app info (like OS and version), to allow for device-specific in-app software updates and for OS-version-specific error monitoring; and IP address, for session management/load balancing and for white/blacklisting once suspicious behaviour is detected. In log file analysis, this data is used only in an aggregated way, so no single user/device can be identified.
(7) Is PsyMate run through Maastricht University and so therefore GDPR compliant? Are you compliant with any data security standards (e.g. ISO 27001)?
The services used by psymate.io are ISO27001:2013 and NEN7510:2017 certified. Data processor agreements and subprocessor agreements are in place.
(8) Are any third parties given access to the data?
No.
(9) Where are the data from the app kept for 15 years?
We can store the data for you during this period on our servers (located in Belgium), or you can store the data yourself once we have transferred everything to you after the study has ended. In the latter case, we destroy the data on our servers.
(10) Where are the data stored?
The data is stored on servers in Belgium and is fully covered by European directives. No data (nor backups) are stored on servers that fall outside European regulations.
(11) How is the data monitored?
The coordinating researcher will log in regularly and check the completion of the questionnaires. The aim is to do this more than once a week, so that any absentees can be contacted quickly.
(12) How is the destruction of the information provided: when and how will the data be destroyed, how will the app be deleted, etc.?
The data is stored on the user’s smartphone and transferred through the psymate.io platform and the storage servers once the phone establishes a stable internet connection. After confirmation, the data on the device is deleted. If data should remain on a device, it is not accessible to third parties. When the app is deleted, all connected data also disappears.
For information about the data on our servers, I refer to the first answer. As mentioned, our preference is for a formal transfer of the data to the researcher and it is the researcher who is then responsible for the legal retention periods and the destruction of the data. The procedures followed are the subject of the processing agreement.
If you want more information you can find it here.