# Data Security

## General Data Protection Regulation (GDPR) compliance, data security and user privacy overview

Our web-based platform ensures secure data transmission via HTTPS and follows best practices in data protection, including access control, encryption, and compliance with relevant privacy regulations such as GDPR. The following are some details of data security and user privacy controls. We can provide more details on specific measures upon request.

Data Encryption, Data Residency, Processing & Security

- Data in transit is in compliance with GDPR since we use standard HTTPS end-to-end encryption.

- Data at rest is not stored on the server, only in temporary RAM and is automatically purged prior to next use of the application.

- Since the data isn't stored on the server in permanent memory, and since each user utilizes a unique instance of the application (managed by gunicorn and Flask server applications), only the user has access to the data they are actively processing. It is destroyed when the exit the webpage. Nobody else, even an administrator, has access to another user's data.

- Similarly, there are no logs for personal data for any purpose including auditing.

Access Controls

- We utilize secure authentication policies and administrator roles in access to user management and the software server.

- No personal data is stored on the server, other than the provided user email address that they use for login purposes. Administrators do not have access to user passwords as they follow standard encryption practices. Billing services are provided by Stripe (https://stripe.com/).

License, User Rights & Consent

- [Software Terms of Service](./LICENSE.md)
- [End User Licence Agreement](./EULA.md)