Security overview
How SMAAT protects research data
SMAAT is built for academic research, which means data protection is a product requirement — not an afterthought. This page documents how we encrypt data, where it is hosted, which sub-processors we use, and what an IRB or institutional procurement office needs to know before adopting the platform.
Last updated: 27 May 2026
Encryption architecture
Two layers, both researcher-controlled.
Layer 1 — server-side encryption. Every study's data is encrypted at rest on the server and is accessible only to the study owner and authorised collaborators. Data is encrypted in transit using TLS 1.2+ between the mobile app, the web dashboard, and the backend.
Layer 2 — optional end-to-end encryption with researcher-held keys. When a researcher enables E2E encryption for a study, the platform generates a public/private key pair. Participant responses and sensor data are encrypted with the public key on the participant's device before upload; only the private key — held exclusively by the researcher — can decrypt them. The private key is displayed once at study creation and must be downloaded immediately; SMAAT cannot recover it.
Key regeneration is possible at any time, but applies only to data collected after regeneration. Previously collected data remains decryptable only with the original key.
Data location & hosting
Primary infrastructure: DigitalOcean, Frankfurt (EU). The PostgreSQL database, application servers, and S3-compatible object storage (DigitalOcean Spaces) holding survey responses and uploaded files are all located in DigitalOcean's Frankfurt region.
Backups are stored in the same region. SMAAT does not transfer research data outside the EU as part of normal operation. A small number of sub-processors (Postmark for email, Expo for push notifications) operate from outside the EU but never receive participant-response payloads — see the sub-processor list below.
Access control
JWT-based authentication. Researcher sessions use httpOnly cookies signed with a rotating secret. Mobile-app authentication uses JWTs stored in the operating system's secure enclave (iOS Keychain / Android Keystore) via expo-secure-store.
Role separation. SMAAT enforces strict role checks on every GraphQL operation. Roles include study owner, project collaborator (Viewer / Editor / Owner on the Team plan), participant, and administrator.
Production hardening. The GraphQL playground is disabled in production, internal error messages are not exposed, CORS is restricted to the SMAAT frontend, and HTTP responses set standard security headers (HSTS, X-Content-Type-Options, Referrer-Policy, etc.).
Participant rights & permissions
Participants are presented with the informed-consent text and an explicit list of required permissions on the device before they enrol in a study. The mobile app only requests the permissions the study actually uses, and participants can revoke them at any time from the device settings or via the study's permissions screen inside the app.
Participants can leave a study at any time, which immediately stops notifications and ongoing passive data collection. They can also delete their account, which is irreversible.
The mobile app uses Apple's and Google's standard runtime permission dialogs for: location (foreground and background where required for geofencing), motion sensors (accelerometer, gyroscope, magnetometer, pedometer, barometer), camera, microphone, photo library, and notifications.
Sub-processors
SMAAT relies on the following sub-processors. Each is GDPR-aligned and operates under a Data Processing Agreement.
| Provider | Purpose | Location | DPA |
|---|---|---|---|
| DigitalOcean | Application hosting and object storage (Spaces, S3-compatible) for participant survey data, uploaded files, and database backups. | Frankfurt, Germany (EU) | DPA |
| Cloudinary | Researcher- and study-uploaded image hosting and on-demand image transformation (study branding, survey media). | United States / EU (multi-region) | DPA |
| Postmark (ActiveCampaign) | Transactional email: account confirmation, password reset, study invitations, billing receipts. | United States | DPA |
| Stripe | Subscription billing and payment processing. SMAAT never sees or stores card numbers — they go directly to Stripe. | Ireland (EU) / United States | DPA |
| Expo (EAS) | Push notification delivery to iOS and Android devices via Expo's push service. | United States | DPA |
| Apple Push Notification service (APNs) | iOS push notification routing (used downstream of Expo). | United States / EU | DPA |
| Firebase Cloud Messaging (Google) | Android push notification routing (used downstream of Expo). | United States / EU | DPA |
Retention & deletion
Paid plans retain data indefinitely. On Basic, Pro, Team, and Enterprise plans, research data is retained for as long as your subscription is active. You can export your data as CSV (or SPSS, on Pro and above) at any time.
Free plan: 12-month rolling window. Data collected on the Free plan is subject to a rolling 12-month retention window — datasets older than 12 months are automatically deleted. If your study is longer than a year, or you need permanent retention, upgrade to a paid plan before the window expires.
Study deletion is permanent. Deleting a study removes all associated surveys, datasets, notifications, and uploaded files immediately and irreversibly from production, and from backups on the next backup cycle. Download anything you need first.
Account deletion. Researcher accounts can be deleted on request to info@open-lab.online. Participant account deletion is available from inside the mobile app.
IRB / ethics submission template
The text below can be pasted into an institutional ethics-board submission. Adjust the bracketed fields to your study.
Data will be collected using the SMAAT platform (smaat.eu), an EU-hosted research application provided by Open Lab Online UG. Participants will install the SMAAT mobile application (Apple App Store and Google Play) and enrol in study code [code].
All study data are encrypted in transit using TLS 1.2+ and at rest in the platform's PostgreSQL database and S3-compatible object storage, both located in DigitalOcean's Frankfurt (Germany) data centre. The study uses public/private key end-to-end encryption: survey responses and sensor data are encrypted on the participant's device with a public key, and can only be decrypted by the investigator holding the corresponding private key. Open Lab Online UG cannot access the unencrypted data.
The platform's sub-processors and their roles are listed on smaat.eu/security. A Data Processing Agreement is available on request.
Participants will provide informed consent prior to enrolment and may withdraw from the study at any time via the mobile app, which stops further data collection immediately. They may also request deletion of their data by contacting [investigator email].
Prefer a standalone Word document for your IRB submission? Download the full IRB template (.docx) — same content as the block above, with appendices for your item set and consent form.
Need a signed DPA, ROPA entry, or vendor-security questionnaire? Email info@open-lab.online.
Responsible disclosure
Security researchers who believe they have found a vulnerability in the SMAAT platform are invited to report it to info@open-lab.online. We commit to acknowledging valid reports within 5 working days, to not pursuing legal action against good-faith researchers, and to crediting reporters in the security advisory when a fix is released (with the reporter's consent).
Questions before you adopt SMAAT?
Send your institution's security questionnaire to info@open-lab.online — typical turnaround is 2 working days.