This study site has implemented stringent protections to safeguard participants’ confidentiality. All communication between project servers and participants’ computers is routed through Secure Sockets Layer (SSL) encryption technology, the gold standard for protecting data transfer from unauthorized access. This is the same secure hypertext transfer protocol (HTTPS) that banks and other commercial websites use to transfer credit card information in an encrypted format.
Participants’ email addresses will not be shared with third parties.
Any information participants provide on this site will be stored on a secured database. Information collected will be associated with a unique ID and not with the participant’s email address. When data is used for analysis, no personally identifying information will be associated with the data.
Please remember that we cannot guarantee the confidentiality of information sent by e-mail.
Technical Details (you can ignore this part if not interested)
Web Hosting:
We will be using servers hosted by the University of Virginia to run a medium-sized Linux virtual machine running Tomcat for hosting our Java-based web application.
Data Storage:
We will be using a MySQL database hosted on the same server that is running the web service.
On a regular schedule (every 5 minutes), all non-essential data that participants provide, specifically including any medical history information, will be pulled onto a separate server where it cannot be directly associated with any identifying information about the participant. Please see the full Data Security document for additional information.
Form Security:
Once data files are downloaded, they will be stored securely on an investigator’s computer. Results will be reported in aggregate.
At the software level, our security model is built on the popular Spring Security Framework. We currently use form-based authentication (a web login form) that provides the following basic protections and features:
- Every URL in the site requires authentication.
- CSRF attack prevention (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
- Session Fixation Protection (http://en.wikipedia.org/wiki/Session_fixation)
- Security header integration
- HTTP Strict Transport Security for secure requests
- X-Content-Type-Options integration
- Cache Control
- X-XSS-Protection integration
- X-Frame-Options integration to help prevent Clickjacking
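As an added illustration (not the study site's own code), this is how the protections listed above are switched on in a Spring Security Java configuration. It assumes Spring Security 5.x in the WebSecurityConfigurerAdapter style; the class name, the /login path and the HSTS max-age are assumed values.

```java
// Added example, not the study site's code. Assumes Spring Security 5.x;
// class name, login path and HSTS max-age are illustrative choices.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class StudySiteSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every URL in the site requires an authenticated session.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Form-based login; the login page itself must stay reachable anonymously.
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            // CSRF prevention: state-changing requests must carry the synchronizer token
            // (on by default; written out here so the setting is visible in review).
            .csrf()
                .and()
            // Session fixation protection: issue a fresh session id when a user logs in.
            .sessionManagement()
                .sessionFixation().migrateSession()
                .and()
            // Security header integration.
            .headers()
                .httpStrictTransportSecurity()       // Strict-Transport-Security, HTTPS responses only
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)       // one year
                    .and()
                .contentTypeOptions()                // X-Content-Type-Options: nosniff
                    .and()
                .cacheControl()                      // Cache-Control: no-cache, no-store, must-revalidate
                    .and()
                .xssProtection()                     // X-XSS-Protection: 1; mode=block
                    .and()
                .frameOptions().deny();              // X-Frame-Options: DENY (blocks framing/clickjacking)
    }
}
```

Spring Security only emits the Strict-Transport-Security header on responses to HTTPS requests, which is why the list above says "for secure requests"; a quick check after deployment is to fetch any page over HTTPS and confirm each of these headers is present in the response.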