KoboToolbox allows National Society staff and volunteers, IFRC staff and International Committee of the Red Cross (ICRC) staff to conduct surveys and collect data.
Migrating projects (including submissions) from one server to another is possible but requires technical skills. Please see the detailed migration guide for more information.
These terms of service apply to the KoboToolbox instance available at kobonew.ifrc.org. KoboToolbox is licensed for use under the GNU license.
Welcome to KoboToolbox, the website and service (“the Service”), owned and operated by the International Federation of Red Cross and Red Crescent Societies (“IFRC”). This page explains the terms in which you may use the service for data collection, management and analysis purposes. By using the Site or any services provided on the Site (collectively, “Services”), you acknowledge that you have read, understood, and agree to be bound by the following terms of service and any future modifications to this agreement (collectively, the “Terms”). The Terms apply to all visitors, authorized users, and others who access the Service (“Users”). Your use of the Service indicates that you accept these Terms and to the collection and use of your information as set forth in our Privacy Policy. If you do not accept these Terms, do not use the Service.
You must register a user account to access the Service. Your account grants you permission to use the Site and Services. You must adhere to all policies posted within the Services. As a condition of your use of the Services, you warrant to IFRC that you will not use the Services for any purpose that is unlawful or prohibited by these terms, conditions, or notices. You may not use the Services in any manner which could damage, disable, overburden, or impair the Services or interfere with any other party’s use and enjoyment of the Services.
You acknowledge that you are responsible for all activity occurring under the use of your account. You are responsible for maintaining the security of your account and password. IFRC will not be liable for any loss or damage that results from your failure to do so. You are solely responsible for all your account activity when using this service.
IFRC makes no representation that usage of the Services or any related content are appropriate or available for use in your country. You acknowledge and agree that you are responsible for ensuring that your use of this service complies with all relevant local and international laws.
You are responsible for any data or content uploaded to the service and retain full ownership of it. In using this service, you understand the service allows you to share your data with others and acknowledge that IFRC will not be responsible for how your data is used by others if is shared or made public. If you leave this service, we will make all reasonable efforts to remove your data.
We take the privacy and security of your data seriously and will make all reasonable efforts to ensure it as defined in our Privacy Policy. We will not share your data with third parties, except as necessary to provide the Services. Our team will not view your data directly, unless granted permission by you, to provide you with technical assistance.
When using the API, you must include your account’s unique API key. Unauthorized use of your API key, including transfer to another user, is prohibited. You may not use the API in any manner which could damage overburden or impair the ability of IFRC to over the service to other users. In such an event, IFRC reserves the right to suspend or limit your accounts access to the API.
We disclaim all responsibility and liability for the availability, timeliness, security or reliability of the Services or Site, or any software provided through the Site or for any harm to your computer, loss of data or other harm that results from your use of the Services.
IFRC may restrict access to or terminate user accounts whenever activity is detected that is contrary to the terms of use, privacy policy, puts individuals or the service at risk, or in other ways not aligned with the intention of the use of the platform.
The provision of these Services shall not be construed as a waiver, express or implied, of any of the privileges or immunities of the International Federation of Red Cross and Red Crescent Societies.
Any dispute involving IFRC that cannot be resolved amicably shall be subject to arbitration held in accordance with the United Nations Commission on International Trade Law (UNCITRAL) arbitration rules as at present in force of which the Parties have taken due notice. The place of arbitration shall be Geneva, Switzerland, and the language to be used in the arbitral proceedings shall be English. The arbitral tribunal shall have no authority to award punitive damages. The arbitral award shall be binding and final.
Data privacy policy (in effect from 1 December 2020 for all users)
This data privacy policy applies to the KoboToolbox instance owned and operated by the International Federation of Red Cross and Red Crescent Societies (“IFRC”) available at kobo.ifrc.org. KoboToolbox is licensed for use under the GNU license.
This data privacy policy distinguishes between data that is controlled by IFRC and data that is processed by IFRC. IFRC is:
A data controller of very limited data about site visitors and account holders (i.e., we determine the purposes, conditions and means of the processing of personal data). IFRC collects webpage analytics from unregistered and registered users of its webpage using Google Analytics – pages visited, clicks, browser used, language choice, country of origin and so on. For registered users, IFRC collects e-mail and basic information as part of the registration process and stores users’ preferences in their profile (e.g., language).
A data processor of data collected by account holders (i.e., processes data on behalf of a data controller). Once a registered user creates a project, IFRC stores the information related to the survey (e.g., form) and data collected by the account holder (i.e., submissions). This includes data submitted by participants completing forms designed by registered users and can include personal information.
IFRC takes very seriously the privacy, confidentiality and security of personal information and any data collected or stored using KoboToolbox.
Data that we control
Data under our control which includes site visitors’ data (website analytics) and registration data (username, password and profile) is used in aggregated ways to monitor usage and growth of IFRC KoboToolbox instances. This enables us to report especially on humanitarian activities. Personal information from registered users is used to provide services to and communicate with those users. Registered users can view, edit, and delete their personal information stored in their profile, opt-out of communication emails, or delete their account. Personal information is never shared with or sold to third parties.
Data that we process
IFRC processes data on behalf of registered users who created a project and collected data. Registered users fully own their application data and IFRC does not use, share, or sell that information. Metadata about projects may be used in aggregated ways to analyse usage with the permission of the account holder. This metadata does not include personal information.
Registered users are the data controllers with respect to any personal data they collect using KoboToolbox. This means that they are responsible for ensuring that any data they collect, and use is handled responsibly, securely and in accordance with any applicable data protection laws and/or policies. IFRC allows users to share application data publicly or with selected users. Please be aware that information shared publicly is visible to anyone and can be indexed by search engines. IFRC is not responsible for how registered users handle survey participants’ personal information but strongly recommends that personal data not be shared publicly.
IFRC is committed to protecting the data you entrust to us. We employ industry-standard best practices (both technical and administrative) to protect against unauthorized access to your data. We cannot guarantee, however, its absolute security. To protect from loss of data, we do frequent system and incremental backups, which are stored encrypted in various locations. To further protect your data, we encourage you never to share your login information and to enable two-factor authentication. If you have any questions regarding our security and backup procedures, please contact us.
We may need to modify this privacy statement from time to time, so please review it frequently. If we make material changes to this policy, we will notify you here or by means of a notice on the Kobo landing page so that you are aware of any changes with relation to what information we collect, how we use it, and under what circumstances, if any, we disclose it.
If you are uncertain about our data privacy policy or have any questions or requests with regard to our data protection practices, please contact us. We will respond to your request as quickly as possible.
There are three points of vulnerability for Kobo data: (a) on the data collection device (laptop/mobile phone), (b) in transmission, and (c) on the server. These are mitigated as follows:
On the data collection device, the data is available in clear text until it is transmitted, so we recommend that the device be locked so that unless an authorised user unlocks it, the data cannot be obtained. Once transmitted, the data is deleted from the device.
In transmission, Kobo uses TLS by default.
The data on the server is as secure as the server itself and heavily dependent on the server administration and safety protocols and processes. Some agencies, including IFRC, have chosen to set up their own server partly to guarantee the security of their data to a higher level than that provided by the freely accessible servers. IFRC's Kobo server has disk-level encryption enabled.
As an advanced feature, Kobo also supports end-to-end encryption of data payloads so that the data packages are encrypted with a public key when the form submission is finalised on a handset and can only be decrypted by a matching private key held on an individual’s local computer. This data is fully encrypted on the device, in transmission and on the server and needs to be downloaded from the server to a local environment before its local decryption (this renders inaccessible any of the server-provided reporting and analysis options).
In practice, we’ve found that these points have always been sufficient to alleviate any data protection concerns on a technical level. Also, the actual data protection vulnerabilities are rarely technical but far more often due to poor form design. So we also recommend that anyone deploying any form (whether using Kobo or any other tool) carefully consider whether there is any real need to collect personally identifiable information in the first place. Unless they are explicitly doing beneficiary tracking (in which case the most critical point of vulnerability is the beneficiary database where the full information about beneficiaries is brought together, which is not Kobo), there is rarely a need to do so.
The ICRC conducted a security review of IFRC’s Kobo server in May 2021 and found it secure for their purposes.
As a standard practice for externally hosted servers, the IFRC does not conduct penetration testing. However, given the wide use of the IFRC Kobo server and the nature of the data hosted on it, we would be happy to accept offers for penetration testing.
Data shall only be stored, processed, sub-processed, backed-up, cached or otherwise hosted on servers in locations approved by the organisation.
Under no circumstances shall US servers be used.
The service provider shall at all times advise the organisation where data is held and processed, and consult with the organisation should a change in location be contemplated.
The service provider shall involve sub-processors only with the consent of the organisation to both the entity concerned and the purpose of the sub-processing and comply with the contractual requirements even where data is processed by sub-processors.
If the service provider receives a request for information of the organisation, it shall notify the organisation of such a request; in case of a non-disclosure order, the contract should require that the service provider asserts its contractual obligation to notify the organisation of a request for its information.
Any information of the organisation processed by the service provider or any sub-processors remains the organisation’s property and assets. Such information, including information about where data is stored or by whom it is processed, is confidential and the service provider must not disclose such information to any third party without prior written consent from the organisation. If the service provider receives a request for information from a State where organisation enjoys P&I, it shall explicitly assert organisation’s privileges and immunities and state that data stored with the service provider constitutes property and assets that belong to the organisation and are subject to absolute immunity from search and seizure. Should the organisation not itself be in a position to do so, the service provider shall approach the relevant Ministry of Foreign Affairs, informing that Ministry of a request for information and asserting the organisation’s P&I.
In case of a request for information, and if privileges and immunities are not accepted by authorities, the CSP shall raise legal defences as instructed by the organisation. If the organisation cannot be notified of a request, the service provider shall raise all reasonable legal challenges available under the law applicable, including that of the State requesting information, to both the prohibition on notice and the legal demand to disclose the data.
The contract is governed by Swiss law. The Parties shall not, under any circumstances refer to US law.
We provide the service to all National Societies, ICRC and IFRC secretariat free of charge. Please observe the following fair use policy when using the server:
When capturing photos, restrict the image size by setting the largest side of the image to 2048px or less instead of full size. This will also make downloading media file attachments faster for you. You can achieve this in the Kobo/ODK Collect app by going to General settings and adjusting the Image size setting by using Open Camera with the Kobo/ODK Collect app (see instructions) or in XLSForm (see instructions).
Avoid capturing videos, as they will quickly increase the file size of form submissions and especially the download size of media file attachments. If you cannot avoid capturing videos, disable high-resolution video in the Kobo/ODK Collect app by going to General settings and unchecking the “High res video” setting or by using Open Camera with the Kobo/ODK Collect app (see above).
Delete your exports from the server after you have downloaded them, as they multiply your projects’ file size allocations.
