These terms of service apply to the KoBoToolbox instance available at kobonew.ifrc.org. KoBoToolbox is licensed for use under the GNU license.
You must register a user account to access the Service. Your account grants you permission to use the Site and Services. You must adhere to all policies posted within the Services. As a condition of your use of the Services, you warrant to IFRC that you will not use the Services for any purpose that is unlawful or prohibited by these terms, conditions, or notices. You may not use the Services in any manner which could damage, disable, overburden, or impair the Services or interfere with any other party’s use and enjoyment of the Services.
You acknowledge that you are responsible for all activity occurring under the use of your account. You are responsible for maintaining the security of your account and password. IFRC will not be liable for any loss or damage that results from your failure to do so. You are solely responsible for all your account activity when using this service.
IFRC makes no representation that usage of the Services or any related content are appropriate or available for use in your country. You acknowledge and agree that you are responsible for ensuring that your use of this service complies with all relevant local and international laws.
You are responsible for any data or content uploaded to the service and retain full ownership of it. In using this service, you understand the service allows you to share your data with others and acknowledge that IFRC will not be responsible for how your data is used by others if it is shared or made public. If you leave this service, we will make all reasonable efforts to remove your data.
When using the API, you must include your account’s unique API key. Unauthorized use of your API key, including transfer to another user, is prohibited. You may not use the API in any manner which could damage, overburden or impair the ability of IFRC to offer the service to other users. In such an event, IFRC reserves the right to suspend or limit your account’s access to the API.
We disclaim all responsibility and liability for the availability, timeliness, security or reliability of the Services or Site, or any software provided through the Site or for any harm to your computer, loss of data or other harm that results from your use of the Services.
The provision of these Services shall not be construed as a waiver, express or implied, of any of the privileges or immunities of the International Federation of Red Cross and Red Crescent Societies.
Any dispute involving IFRC that cannot be resolved amicably shall be subject to arbitration held in accordance with the United Nations Commission on International Trade Law (UNCITRAL) arbitration rules as at present in force of which the Parties have taken due notice. The place of arbitration shall be Geneva, Switzerland, and the language to be used in the arbitral proceedings shall be English. The arbitral tribunal shall have no authority to award punitive damages. The arbitral award shall be binding and final.
A data controller of very limited data about site visitors and account holders (i.e., we determine the purposes, conditions and means of the processing of personal data). IFRC collects webpage analytics from unregistered and registered users of its webpage using Google Analytics – pages visited, clicks, browser used, language choice, country of origin and so on. For registered users, IFRC collects e-mail and basic information as part of the registration process and stores users’ preferences in their profile (e.g., language).
A data processor of data collected by account holders (i.e., processes data on behalf of a data controller). Once a registered user creates a project, IFRC stores the information related to the survey (e.g., form) and data collected by the account holder (i.e., submissions). This includes data submitted by participants completing forms designed by registered users and can include personal information.
IFRC takes very seriously the privacy, confidentiality and security of personal information and any data collected or stored using KoBoToolbox.
Data that we control
Data under our control which includes site visitors’ data (website analytics) and registration data (username, password and profile) is used in aggregated ways to monitor usage and growth of IFRC KoBoToolbox instances. This enables us to report especially on humanitarian activities. Personal information from registered users is used to provide services to and communicate with those users. Registered users can view, edit, and delete their personal information stored in their profile, opt-out of communication emails, or delete their account. Personal information is never shared with or sold to third parties.
Data that we process
IFRC processes data on behalf of registered users who created a project and collected data. Registered users fully own their application data and IFRC does not use, share, or sell that information. Metadata about projects may be used in aggregated ways to analyse usage with the permission of the account holder. This metadata does not include personal information.
Registered users are the data controllers with respect to any personal data they collect using KoBoToolbox. This means that they are responsible for ensuring that any data they collect and use is handled responsibly, securely and in accordance with any applicable data protection laws and/or policies. IFRC allows users to share application data publicly or with selected users. Please be aware that information shared publicly is visible to anyone and can be indexed by search engines. IFRC is not responsible for how registered users handle survey participants’ personal information but strongly recommends that personal data not be shared publicly.
IFRC is committed to protecting the data you entrust to us. We employ industry-standard best practices (both technical and administrative) to protect against unauthorized access of your data. We cannot guarantee, however, its absolute security. To protect from loss of data, we do frequent system and incremental backups which are stored encrypted in various locations. To further protect your data, we encourage you never to share your login information and to change your passwords regularly. If you have any questions regarding our security and backup procedures, please contact us.
We may need to modify this privacy statement from time to time, so please review it frequently. If we make material changes to this policy, we will notify you here or by means of a notice on the KoBo landing page so that you are aware of any changes with relation to what information we collect, how we use it, and under what circumstances, if any, we disclose it.
There are three points of vulnerability for KoBo data: (a) on the handset, (b) in transmission, and (c) on the server. These are mitigated as follows:
On the handset, the data is available in clear text until it is transmitted, so we recommend that the handset itself is encrypted (a standard Android feature) so that unless an authorised user unlocks it, the data cannot be obtained. Once transmitted, the data is typically deleted from the handset.
In transmission, KoBo uses TLS by default.
On the server, the data is as secure as the server itself and is heavily dependent on the server administration and safety protocols and processes. Some agencies, including IFRC, have chosen to set up their own server partly to guarantee the security of their data to a higher level than that provided by the freely accessible servers. IFRC's KoBo server has disk-level encryption enabled.
As an advanced feature, KoBo also supports end-to-end encryption of data payloads so that the data packages are encrypted with a public key when the form submission is finalised on a handset and can only be decrypted by a matching private key held on an individual’s local computer. This data is fully encrypted on the handset, in transmission and on the server and needs to be downloaded from the server to a local environment before its local decryption (this renders inaccessible any of the server-provided reporting and analysis options).
In practice, we’ve found that these points have always been sufficient to alleviate any data protection concerns on a technical level. Also, the actual data protection vulnerabilities are rarely technical but far more often due to poor form design. So we also recommend that anyone deploying any form (whether using KoBo or any other tool) carefully consider whether there is any real need to collect personally identifiable information in the first place. Unless they are explicitly doing beneficiary tracking (in which case the most critical point of vulnerability is the server database where the full information about beneficiaries is brought together, which is not KoBo), there is rarely a need to do so.
The ICRC conducted a security review of IFRC’s KoBo server in May 2021 and found it secure for their purposes.
As a standard practice for externally hosted servers, the IFRC does not conduct penetration testing. However, given the wide use of the IFRC KoBo server and the nature of the data hosted on it, we would be happy to accept offers for penetration testing.
Data shall only be stored, processed, sub-processed, backed-up, cached or otherwise hosted on servers in locations approved by the organisation.
Under no circumstances shall US servers be used.
The service provider shall at all times advise the organisation where data is held and processed, and consult with the organisation should a change in location be contemplated.
The service provider shall involve sub-processors only with the consent of the organisation to both the entity concerned and the purpose of the sub-processing and comply with the contractual requirements even where data is processed by sub-processors.
If the service provider receives a request for information of the organisation, it shall notify the organisation of such a request; in case of a non-disclosure order, the contract should require that the service provider asserts its contractual obligation to notify the organisation of a request for its information.
Any information of the organisation processed by the service provider or any sub-processors remains the organisation’s property and assets. Such information, including information about where data is stored or by whom it is processed, is confidential and the service provider must not disclose such information to any third party without prior written consent from the organisation. If the service provider receives a request for information from a State where the organisation enjoys P&I, it shall explicitly assert the organisation’s privileges and immunities and state that data stored with the service provider constitutes property and assets that belong to the organisation and are subject to absolute immunity from search and seizure. Should the organisation not itself be in a position to do so, the service provider shall approach the relevant Ministry of Foreign Affairs, informing that Ministry of a request for information and asserting the organisation’s P&I.
In case of a request for information, and if privileges and immunities are not accepted by authorities, the CSP shall raise legal defences as instructed by the organisation. If the organisation cannot be notified of a request, the service provider shall raise all reasonable legal challenges available under the law applicable, including that of the State requesting information, to both the prohibition on notice and the legal demand to disclose the data.
The contract is governed by Swiss law. The Parties shall not, under any circumstances, refer to US law.
We provide the service to all National Societies, ICRC and IFRC secretariat free of charge. Please observe the following fair use policy when using the server:
When capturing photos, restrict the image size by setting the largest side of the image to 2048px or less instead of full size. This will also make downloading media file attachments faster for you. You can achieve this in the KoBo/ODK Collect app by going to General settings and adjusting the Image size setting, by using Open Camera with the KoBo/ODK Collect app (see instructions) or in XLSForm (see instructions).
Avoid capturing videos, as they will quickly increase the file size of form submission and especially the download size of media file attachments. If you cannot avoid capturing videos, disable high resolution video in the KoBo/ODK Collect app by going to General settings and unchecking the “High res video” setting or by using Open Camera with the KoBo/ODK Collect app (see above).
Delete your exports from the server after you have downloaded them as they multiply your projects’ file size allocations.