Data security

Hi

Can anyone please tell me about commcare data security?
Where data is stored (server location)
Clear text or encrypted? If encrypted, how?
Backup - how many, where, and encrypted?

Thanks,
Gordon

Hi Gordon,

Data on CommCare mobile is stored encrypted-at-rest (symmetric AES256) by
keys that are secured by the mobile user's password. User data is never
written to disk unencrypted, and the keys are only ever held in memory, so
if a device is turned off or logged out the data is locally irretrievable
without the user's password.

Data is transmitted from the phone to the server (and vice versa) over a
secure and encrypted HTTPS channel.

On the server side for projects using the https://www.commcarehq.org
server: Data is hosted in a HIPAA compliant cloud at an enterprise-grade
ISO 27001 compliant data center. Data is secured with at-rest encryption,
regular offsite backups, intrusion monitoring, biometric physical access
security, etc.

Currently data for projects using https://www.commcarehq.org is stored
within the United States.

Please let me know if you have any other questions.

-Clayton

Note: Dimagi makes every effort to ensure the security, consistency,
reliability, and availability of data using our cloud services. The
specifics I have provided here are examples of Dimagi's approach and
mechanisms to comply with that level of service, not a conveyance of
specific contractual obligations. We reserve the right to change the
specific mechanisms used to secure data and communications for customers to
improve security and compliance with evolving best practices (IE: We may
move to a stronger cipher than AES256 in the future and reserve the right
to make such a decision). Our contractual obligations to customers of
CommCare HQ are governed by documents like our EULA
https://www.commcarehq.org/eula/, Privacy Policy
http://www.dimagi.com/policy/, and Product Agreement
https://www.commcarehq.org/product_agreement/.
