Whether you are surveying households, distributing vaccines, or monitoring elections, ODK offers industry-leading security to protect the data you collect. Some of our security features are automatic (e.g., vulnerability scanning), while others (e.g., end-to-end encryption) are configurable so you can strike the balance you need.
When it comes to security, it's important to verify claims. ODK's code is 100% open-source, so you can confirm that what we say is true. And if you aren't a security expert, below is the information your team needs to guide your decision-making.
Security practices
There are two ways to get access to ODK. You can use ODK Cloud (recommended), or if you are technical, you can self-host ODK on your own infrastructure.
The software is the same either way, but when you self-host, you are entirely responsible for the speed, stability, and security of the install. It's a huge responsibility.
If you choose ODK Cloud, we take care of all the IT details so you can focus on your important work. Below are the additional security features you get with ODK Cloud.
- Access Control & Firewall: ODK Cloud runs on hardened infrastructure with isolated CPU, RAM, network, and storage for each customer. Only secure HTTPS connections are allowed and external SSH or database access are not possible.
- Backups & Recovery Plans: ODK Cloud data is continuously backed up and can be restored to a specific moment in time. RPO/RTO guarantees are available.
- Database Security: ODK Cloud databases are encrypted at rest and isolated by customer. External database access is not possible.
- Data Governance, Compliance, Privacy: ODK Cloud is available in US or EU data centers. Data centers are GDPR compliant and ISO27K and SOC 2 certified. See Privacy Policy and Data Processing Agreement for more.
- Distributed Denial of Service (DDoS): ODK Cloud protects against common and most frequently occurring Layer 3 and Layer 4 attacks (e.g., SYN/UDP floods).
- Encryption: ODK Cloud requires encryption in transit (HTTPS) and at rest. Additional end-to-end encryption is available for zero-trust projects.
- Insurance: ODK Cloud is covered by General Liability and Professional Liability policies. Each has $2M/occurrence coverage.
- Maintenance & Updates: ODK Cloud infrastructure automatically updates outdated or vulnerable software. See Vulnerability Disclosure Policy for more.
- Penetration Testing: ODK Cloud has independent security audits and penetration tests that include testing OWASP Top 10 (e.g., broken access control, cryptographic failures, injection attacks, insecure design, misconfiguration).
- Physical Security: ODK Cloud data centers have 24-hour security, video surveillance, limited network access, etc.
- Single Sign-On (SSO) & Multi-Factor Auth (MFA): ODK Cloud offers fully-configured SSO via OIDC. MFA can be enabled at the identity provider.
- Uptime Management: ODK Cloud has had 99.9999% uptime since April 2023.
Independent audits
ODK Cloud is subject to white-box penetration tests and source code reviews from independent security firms. Email security@getodk.org to get the latest audit report.
Other resources
See our security documentation for more on threat models, hosting considerations, and device recommendations.
If you have any other security questions, email security@getodk.org.