GDPR - US-based servers with kf.toolbox.org

Hello everyone,

I found the official documentation on GDPR compliance for the kf toolbox org instance (Privacy Policy | KoBoToolbox) and sent an e-mail, upon which I received confirmation of compliance from the kobo support team. However, when I talked to our data protection officer today, he said that because the kf toolbox org servers are hosted in the U.S. (Harvard University) this is not the case. I am a little confused about who is right now. Can anyone help?

I was also wondering whether we could register for the OCHA instance then instead (we are a German-based NPO), as the servers are in Ireland which would eliminate the issue.

Thank you for your help and time!

All the best,
Nina

1 Like

The best way for such compliance is to host it on your own servers, that’s what we are doing.

I have the same problem. I must host the server in the EU as funded by an EU grant. Is there a way to register for the Humanitarian server e.g. by paying for it if one doesn’t qualify for it?

Or can someone recommend a consultant who would be available to set up the server at my institution as University IT have been very unhelpful?

Welcome to the community, @niha1993, @fmeinck! Maybe @tinok should be able to provide you with a suitable response.

Thank you @Kal_Lam

1 Like

Hi all, even though the non-humanitarian server (kf.kobotoolbox.org) is in the US, we still comply with the GDPR. If your organization requires you to use an EU-based server but you or your organization are not doing humanitarian work (or you don’t work for an EU-based organization that already runs its own KoBoToolbox server) then the only solution at the moment is to use a custom installation. We may set a new public one up in the EU if there is more demand for it. Please add your name and organization to this thread if this would be of interest to you.

1 Like

Hello,
Is there an official document available (link), please, for your full compliance with GDPR for each of the two accounts/servers:

  • HHI
  • OCHA?

Thanks in advance.

@wroos The best documents would be

HHI server:

OCHA server:

1 Like

I have the same question about GDPR compliance.

The data of Kobotool is hosted in the USA on Amazon Web Services (thus not at Harvard University as mentioned in the author's question). See statement ref: Data Storage — KoBoToolbox documentation

When there is personal data collected, the kobotoolbox solution is regretfully not EU GDPR compliant.

A solution would be to have a kobotoolbox instance on an EU-based server if that is supported by the Kobotoolbox organisation (?)

1 Like

Where can I find more information about a custom installation on an EU-based server?

Just in case this is helpful for anyone else: the IT and Data information system at Edinburgh University have advised me that using the non-humanitarian server, even if all storage is in the US, can be GDPR compliant as long as all the data are fully encrypted on this server, so can’t actually be seen. What matters, they say, is that the server on which you visualise the raw data is in the EU and adequately protected.
That said, an EU-based non-humanitarian server would be fabulous!

3 Likes