data privacy ...

Posted: Mon Oct 24, 2022 12:51 am
by mjhmilla
Dear OpenCap team,

I'm working in Germany where data privacy is a very big topic. To that end:

1. Are the recorded videos processed by the webserver? Or is the video processing done on the local machine?
2. What data is sent out over the web? Is it sent over SSL? Is the security certificate of the server up to date?

Thank you!

Matt

Re: data privacy ...

Posted: Mon Oct 24, 2022 6:30 am
by suhlrich
Hi Matt. We have more information about security and the infrastructure in this document (https://docs.google.com/document/d/1DBw ... sp=sharing). To answer your specific questions:
1) Yes - videos are processed by servers that are currently in the US. We are aware that GDPR requires servers to be located in the EU; we are working on that.
2) You can see what info is sent where in the attached doc, but effectively videos and de-identified biomechanics data are sent between the local machine, AWS S3 storage, and backend servers. All servers are encrypted, have up-to-date SSL certificates, and all transmission is encrypted (TLS 1.2).

OpenCap meets all of the privacy and security laws in the US, but not GDPR yet. We have worked with some European institutions so they can still use OpenCap, so feel free to email us if your institution needs specific information from us.

Re: data privacy ...

Posted: Wed Oct 25, 2023 8:57 am
by gambimar
Dear Scott,

What is the current state of GDPR compliance?

Kind regards,
Markus

Re: data privacy ...

Posted: Thu Oct 26, 2023 1:25 pm
by suhlrich
Hi Markus,

The elements of OpenCap are GDPR compliant, but because data is being sent out of the EU, we have to sign a data processor agreement. We're finalizing this for the first institution soon, and hope to have a general version in the next few months. Feel free to reach out over email in a month or two to check in on the status of the general data processor agreement.

Scott