Written by: Kris Castner, M.A., M.A., A.B.D.

.

.

As any graduate student knee-deep in thesis or dissertation research can tell you, there are a lot of factors to consider when discussion comes to data security guidelines! Not to mention, how any one of them can impact your ability to conduct or successfully complete a study while protecting your assets.

.

That is why we are happy to take a moment to address the topics of data storage, access, and security.

.

We will give you an idea of the precautions we take to protect our users and your data, while linking this to considerations for student researchers looking to meet the Institutional Review Board’s (IRB) specifications for student researchers conducting original studies.

.

.

Security Basics: "How are my Project and Data Protected by Dedoose?”

.

If you recall from our blog about the early days of our company/product, Dedoose was designed from the ground up by researchers, with security being the key factor in mind. As social scientists ourselves, we too are familiar with the nuanced process of navigating the spaces of data protection, security, and confidentiality.

.

Although we are happy to describe the policies, practices, and certifications we currently implement in Dedoose below, we encourage you to reach out if a particular certificate of importance to you is not addressed.

.

Our experience with clients ranges from those working in the military and government, to private institutions and University systems.

.

Long story short, we are always willing to work with you, regardless of what precautions you need!

.

Below are a few of the certifications our cloud host, Microsoft Azure, and Dedoose have passed: 

.

• ISO/IEC 27018
• Soc2
• ISO27001
• FedRamp
• HIPPA
• GDPR
• EU-US Privacy Shield Framework (Data Transfers to the US)

.

We know that "living in the cloud” means that if you work with others, all members of your team will have access to your data anytime, anywhere, with all the evolving power of Dedoose in a completely real-time and collaborative environment.

.

This ease of remote access and team use are major benefits of our platform. However, these can raise questions when needing to talk to advisors or research committees when it comes to data integrity and specific storage standards.

.

.

Rest assured: we take every precaution to ensure that we are always on the front edge when it comes to best practice in data security standards.

.

We take our users and their research assets seriously. As such, we backup our promises with ongoing certification renewals and upgrades every year.

.

A Note on GDPR (General Data Protection Regulation): We remain committed to protecting all our users’ personal information and research data. This comes packaged with our promise never to sell or trade your personal information with any third parties.

.

Because we respect your privacy, we require you to “opt in” to any communications directly from us. We give our users full control of how you view, store, and export or share your project information from your end of the experience.

.

Data Communication Security - All communication within Dedoose takes place through an AES (Advanced Encryption Standard) 256 CBC (Cipher Block Chaining) Encrypted SSL/TLS (Secure Sockets Layer) tunnel using a premium SSL/TLS-EV certificate.

.

This means when it comes to user data security in Dedoose: 

.

• We do NOT store user passwords
• Logins are authorized by SHA-256 (encrypted with a one-way write key)
• In the event of database compromises, passwords WILL NOT be revealed
• Logins are verified by Leviathan Security Group
• All data communications occur through a “two-lock” system
• Immune from “man-in-the-middle" technical attacks
• Immune from “brute force” password attacks
• Our login system follows the security industry’s best practices

.

Physical Data Center Security at Microsoft - Our users should note that data centers overseen by Microsoft have extensive measures for ensuring data and user protection.

.

Security measures at Microsoft Azure database centers include access approval at every portion of the facility, which reduces the risk of unauthorized persons gaining physical access to data.

.

.

If You Have a Dedoose Subscription, You Are Protected by the Best!

.

As fellow data lovers and professionals from a range of disciplines, we join you in wanting to ensure that every step of the research process is not only smooth, but secure.

.

We are always looking for ways to enhance our current security certifications. We frequently update these throughout the year to stay up to date with the best practices and industry standards.

.

One major difference between Dedoose and “the other data guys” is our insanely friendly support staff. As such, they are always happy to field your data security questions.

.

If you find yourself wondering about aspects of data or project safety considerations that are not addressed here, reach out to our team by emailing [email protected]

.

Data Retention Questions (for Deleted Data, Too!) You may also feel assured knowing that by default, Dedoose holds onto a backup of all user data for restoration purposes for a period of up to 2 years. During this time, all data is encrypted using AES256.

.

In the event that you would like our backups permanently removed for your projects, simply send us a request in writing!

.

.

IRB Basics: “What Is Required for Students Planning to Store Data on Their Personal Laptops, Desktops, or USB Drives?”

.

To be clear, Dedoose has no affiliation with the Institutional Review Board, otherwise known to graduate and doctoral students everywhere simply as the “IRB.”

.

But we are happy to take a moment to briefly outline how the core data security controls recommended by the IRB overlap with the data security features of Dedoose that we outlined above.

.

We will make sure you understand some of your options for keeping your data anonymous, confidential, or de-identified (all forms can be analyzed and stored using Dedoose!).

.

Whether or not your project contains sensitive and/or personally identifiable information, these recommendations should be followed as best practice.

.

Core Control Basics: IRB Data Security 101

.

Password Protection- Now you know the basics about a few of the precautions we take on our users’ behalf when it comes to protecting project data and participant confidentiality. Rest easier knowing that our password protection system also complies with the IRB’s reqs.

.

Identifiers for Portable Device Usage and Storage – Generally, if you must have participant or media identifiers you should also plan to encrypt these and move them to a secure system (like Dedoose!) after collection. In this respect, you can use Dedoose to “house” your media files, audio, video, transcriptions, and more, not only securely, but all in one place.

.

De-Identify Your Data- You can fulfill this requirement for your data by ensuring that any direct or indirect identifiers (ex. Name, SSN, health information, etc.) linked to participants is stripped and deleted.

.

Make Your Data Confidential- On the other hand, you can link participants with identifying data in a confidential manner if you are able to guarantee identifying factors are protected from being disclosed outside of the research team and project.

.

You can separate identifying information from the media files and replace them with unique codes or nicknames. Always remember to store your code keys separate from your participants’ identifiers and track these meticulously.

.

Is Anonymous Data Right for You? Unlike the data protection methods above where links to participants and data are present, you can also choose to render your data anonymous.

.

This means that you can guarantee there is no way to link respondents to data. No identifying information is obtained to associate subsequent data collection with participants, so there is no concern that their identities will be revealed.

.

According to the IRB, your PI (Primary Investigator) should delete or destroy identifiable information as soon as possible after collection. You should be sure to hold on to confidentiality agreements signed by your participants for as long as you retain their information as a good rule of thumb. Always check with your committee, PI, or University requirements.

.

.

Relax. Enjoy the Protection of a Data Analysis App Made for Researchers, by Researchers. We Got You.

.

Simply put, Dedoose employs the most secure procedures for data encryption in all data storage, back up and transmission actions.

.

In the event you or your company requires additional levels of protection or clearances/certificates, we are happy to accommodate your requests! We have experience working with clients who work in healthcare, the military/government, private institutions and funding agency policies, who often require such added measures of protection.

.

As a reminder, Dedoose staff has NO ACCESS to your project encryption key, and these are not stored anywhere on Dedoose!

.

Final Thought (Encryption Keys): there is no way for our insanely friendly support team to help you if you lose your encryption key – that is how secure this information is! Remember to be careful with your key by storing it in a VERY safe place.

.

.

We hope this blog has helped you to better understand the boxes we have to check to provide you with top-notch data security. Your project data is precious to you, and to us!

.

We are honored to earn your trust, and provide you with a safe, effective, and easy-to-use data analysis tool.

.

  If you are looking for more information regarding data storage and IRB guidelines in relation to projects, feel free to check out these trusted sources as well!

.

https://safecomputing.umich.edu/dataguide/

.

https://msutexas.edu/irb/_assets/files/guidelines-for-class-related-projects.pdf

.

Sensitive Data Guide- You can use this link to understand the cloud computing and encryption standards that are recommended for institutional data.

.

Happy (and Safe) Data Wrangling!

;