atsign-foundation / at_server

The software implementation of Atsign's core technology
https://docs.atsign.com
BSD 3-Clause "New" or "Revised" License

Policy and process doc for @platform privacy standards #185

Open cpswan opened 3 years ago

cpswan commented 3 years ago

This came up in an architecture call where we were discussing our use of analytics.

We need to have a clear privacy policy about what data we do collect, how long we keep it, who we might give it to, and under what circumstances.

This questionnaire that Torrentfreak used for VPN services should provide a good place to start, and perhaps we might also look at the privacy policies of some of the respondents.

  1. Do you keep (or share with third parties) ANY data that would allow you to match an IP-address and a timestamp to a current or former user of your service? If so, exactly what information do you hold/share and for how long?

  2. What is the name under which your company is incorporated (+ parent companies, if applicable) and under which jurisdiction does your company operate?

  3. What tools are used to monitor and mitigate abuse of your service, including limits on concurrent connections if these are enforced?

  4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools (e.g. Live support, Zendesk) that hold information provided by users?

  5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

  6. What steps would be taken in the event a court orders your company to identify an active or former user of your service? How would your company respond to a court order that requires you to log activity for a user going forward? Have these scenarios ever played out in the past?

  7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? Do you provide port forwarding services? Are any ports blocked?

  8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

  9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

  10. Do you provide tools such as “kill switches” if a connection drops and DNS/IPv6 leak protection? Do you support Dual Stack IPv4/IPv6 functionality?

  11. Are any of your VPN servers hosted by third parties? If so, what measures do you take to prevent those partners from snooping on any inbound and/or outbound traffic? Do you use your own DNS servers?

  12. In which countries are your servers physically located? Do you offer virtual locations?

atsigndenise commented 3 years ago

@cpswan I've captured this on my Policies and Procedures Doc. In addition, we do have 6 legal agreements, and much of this is covered in Privacy Policies for the website and apps. However, I'd like to get clarification in our dev sprint meeting.