Security & Trust

Last updated: 26 May 2026

Joinalyse hosts the research data of universities and the personal data of student participants. This page summarises the controls we have in place. It is meant for university data protection officers, ethics boards, and security teams evaluating Joinalyse for institutional use. For detailed legal text, see our privacy statement.

Infrastructure

  • Application, database, and primary backups run on Hetzner Online GmbH in the FSN1 datacentre in Falkenstein, Germany. Primary processing of personal data does not leave the EU.
  • Encrypted Borg backups are stored on a Hetzner Storage Box, also in the EU, with daily snapshots and a 30-day retention window.
  • All traffic is served over TLS 1.2 or higher (TLS 1.3 preferred) using Caddy and Let's Encrypt managed certificates. HTTP requests are redirected to HTTPS.
  • Each environment (production, staging, preview) runs on isolated Docker networks with no shared secrets across environments.

Application security

  • All deduplication and rate-limit keys are HMAC-SHA256 hashes with a server-side secret. No raw IP, user agent, or browser fingerprint is persisted.
  • Passwords are stored using bcrypt with a per-user salt; plain-text passwords never touch our database or our logs.
  • Account deletions are processed via a soft-delete plus a 30-day retention cron to satisfy GDPR Article 17 (right to erasure) while allowing accidental-deletion recovery.
  • Authentication and survey-submission endpoints are rate-limited fail-closed using Redis. If Redis is unreachable the limiter denies the request rather than allowing unmetered traffic.
  • Every response sends a Content Security Policy, HTTP Strict Transport Security, X-Frame-Options DENY, X-Content-Type-Options nosniff, and a strict Referrer-Policy.
  • All user input is validated server-side. Survey content is rendered using safe text bindings, never as raw HTML.

Privacy

Our privacy statement is the authoritative document for what we collect, why, and how long we keep it. Highlights:

  • A complete sub-processor register listing Hetzner, Resend, and Cloudflare with their purpose, location, and DPA + SCC basis.
  • Per-data-type retention schedules with the legal rationale (account, surveys, responses, logs, errors, analytics events, analytics aggregates).
  • A documented Data Subject Request procedure. Subjects can email [email protected] or use the in-product account deletion flow.
  • SkyWise International B.V. is the data controller; Prikr operates the platform as data processor under a written processing agreement.

Read the full privacy statement. See the sub-processor register.

Your right to object (GDPR Article 21)

We honor your right under Article 21 of the GDPR to object to processing of your personal data carried out on the basis of legitimate interest. At the same time, academic research relies on transparent distinctions to be meaningful. A study on gender pay gaps needs gender. A study on first-generation students needs study field and family background. We do not hide this trade-off.

Researchers on Joinalyse must justify in the survey description and consent flow why any attribute is used for matching. You can decline to participate in any individual survey. If you wish to object to a specific attribute being used for matching across surveys, contact us at the email below. We will action your request manually until granular per-attribute consent toggles ship in Settings, Privacy after the MVP launch.

To exercise this right, email [email protected].

Operational security

  • An internal incident-response runbook covers detection, containment, eradication, recovery, and lessons learned. Severity classification and on-call ownership are documented.
  • We notify the data controller within 24 hours of a confirmed or strongly suspected data breach, with a follow-up assessment within 72 hours to support GDPR Article 33 supervisor notification deadlines.
  • Independent penetration testing status: planned. The next test will be scheduled before institutional rollout; the resulting report will be made available to university DPOs under NDA on request.
  • We publish a vulnerability disclosure policy with a safe-harbor commitment for security researchers acting in good faith.
  • All operators with production access complete annual security awareness training and review the incident runbook quarterly.

Vulnerability disclosure policy.

Compliance

  • We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the Dutch Uitvoeringswet AVG.
  • A Data Protection Impact Assessment is available on request to universities entering into a data-sharing agreement with Joinalyse.
  • A standard Data Processing Agreement template is available on request and can be customised per institutional requirements.
  • Joinalyse is not currently ISO 27001 certified. A roadmap toward certification is part of our post-launch security backlog; this page will be updated when a target date is committed.

Contact

For questions about this page or about Joinalyse security and privacy more broadly:

← Back to home