FAQs - Security

What steps has OSF taken to comply with GDPR?

OSF has taken several steps to comply with GDPR, including revising our Terms of Use and Privacy Policy, ensuring GDPR compliance of third-party vendors and executing Data Processing Addendums with each, and reviewing policies and procedures for deleting user data. Read our blog post for more detail.

What types of data does OSF collect?

OSF may collect various data that you share upon registering and in using OSF and its suite of products. Please see section 7 of our Privacy Policy for this information.

Can I have my data deleted?

You’re always welcome to deactivate or delete your account. If you’d like to delete your account and personal data, please email support@osf.io.

Can I opt out of having my data collected?

You’re always welcome to deactivate or delete your account. You should be aware that information that you've shared with others or that others have copied may also remain visible after you have closed your account or deleted the information from your own profile. In addition, you may not be able to access, correct, or eliminate any information about you that other users have copied or exported out of the Websites, because this information may not be in our organization's control. Your public profile may be displayed in search engine results.

How can I export my data?

In your account settings, click the Export Account button and our support team will be in touch shortly.

If you cannot consent to the updated terms and privacy policy, you may export your data and close your account at any time.

What if I don't want to make anything available publicly in the OSF?

The OSF is designed to support both private and public workflows. You can keep projects, or individual components of projects, private so that only your project collaborators have access to them.

How secure is my information?

Security is extremely important for the OSF. When you sign up and create a password, your password is not recorded. Instead, we store a bcrypt hash of your password. This is a computation on your password that cannot be reversed, but is the same every time it is computed from your password. This provides extra security. No one but you can know your password. When you click "Forgot your password," the OSF sends you a new random password because it neither stores nor has the ability to compute your password.

How does the OSF store and back up files that I upload to the site?

For OSF Storage, files are stored in multiple locations and on multiple media types. We keep three types of hashes (MD5, SHA-1, SHA-256) for files. We keep parity archive files to recover from up to 5% bit error. We use Google Cloud for active storage and Amazon Glacier as a backup location. File backups are hosted at Glacier, and there are daily backups on Google Cloud for 60 days. Please refer to Google Cloud and Glacier documentation for details about the other robustness features they provide.

The OSF database is backed up via streaming replication 24 hours a day, and incremental restore points are made twice daily. Further, the OSF database is maintained in encrypted snapshots for an additional 60 days. Database backups are verified monthly.

Operational data (e.g., config files) for other OSF services are backed up in primary cloud file storage for 60 days.

Logs are primarily stored in Google Cloud cold storage indefinitely. In certain cases a third-party aggregation service is used for up to 90 days, then backed up to Amazon S3 indefinitely.
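
To illustrate the file hashes mentioned in the answer above, here is an added example (not OSF's own code) of how a fixity record with MD5, SHA-1 and SHA-256 digests can be computed in one pass and later used to detect a single flipped bit. The function names, the file name and the sample contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")  # the three hash types the answer names


def fixity_record(path, chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hex digest} for all three."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, recorded):
    """Return the algorithms whose current digest no longer matches the record."""
    current = fixity_record(path)
    return [name for name in ALGORITHMS
            if not hmac.compare_digest(current[name], recorded.get(name, ""))]


def demo():
    """Constructed sample: write a file, record it, flip one bit, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "upload.bin")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data\n" * 1000)
        recorded = fixity_record(path)
        clean = verify(path, recorded)
        with open(path, "r+b") as fh:  # simulate a single-bit storage error
            fh.seek(500)
            byte = fh.read(1)
            fh.seek(500)
            fh.write(bytes([byte[0] ^ 0x01]))
        damaged = verify(path, recorded)
    return recorded, clean, damaged


if __name__ == "__main__":
    recorded, clean, damaged = demo()
    print(recorded)
    print("mismatches before damage:", clean)
    print("mismatches after damage:", damaged)
```

All three digests catch accidental corruption such as this bit flip. MD5 and SHA-1 have known collision attacks, so only the SHA-256 value should be relied on when checking a file against deliberate tampering.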

Is data stored on OSF Storage encrypted? What are my options?

Transfer of data to OSF Storage is encrypted with SSL. If you would like your data to be encrypted at rest, you can encrypt it before uploading to OSF Storage. You can also use the Amazon S3 add-on and enable server-side encryption, which encrypts your data before it is saved on S3 servers and decrypts it when you download it. Otherwise, data at rest is not encrypted on OSF Storage.

Is the OSF HIPAA compliant?

You should refer to your institutional policies regarding specific security requirements for your research.