
Security & Data Privacy

Iristick.Collector is designed with data protection at every layer — from encrypted communication and token-based authentication to EU-hosted infrastructure and role-based access control. This page explains how your data is handled, stored, and protected.

Architecture Overview

Iristick.Collector consists of a web portal (Vue3), native mobile apps (iOS/Android with Kotlin Multiplatform shared logic), and a Spring Kotlin backend API. All components are containerized with Docker and orchestrated via Kubernetes on AWS.

flowchart LR
    A[Web portal] -->|HTTPS / TLS 1.2+| D[Backend API]
    B[Android app] -->|HTTPS / TLS 1.2+| D
    C[iOS app] -->|HTTPS / TLS 1.2+| D
    D --> E[PostgreSQL on AWS RDS]
    D --> F[Keycloak]

Data in Transit

All communication between clients (web portal, mobile apps) and the backend API is secured with HTTPS over TLS 1.2 or newer; the API is not served over plaintext HTTP. API requests are authenticated with OAuth2 JWT access tokens issued by Keycloak and sent as Bearer tokens in the Authorization header.

No unencrypted data leaves the client.
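What the "TLS 1.2+ only, nothing in plaintext" rule looks like when enforced on the client side, as an added example that is not the Iristick apps' own code: an OkHttp client whose connection specs allow only TLS 1.2/1.3 and deliberately omit the CLEARTEXT spec, so an http:// URL is refused before any bytes leave the device, plus an interceptor that attaches the Keycloak-issued JWT as a Bearer token. The API host, the token string and the use of OkHttp itself are assumptions; the page does not say which HTTP client the apps use.

```kotlin
import okhttp3.ConnectionSpec
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.Response
import okhttp3.TlsVersion

// Hypothetical API host; the real Iristick.Collector endpoint is not given on this page.
private const val API_BASE = "https://api.collector.example.com"

/** TLS policy: only TLS 1.2 and 1.3 are offered during the handshake. */
private val tlsOnly: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
    .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
    .build()

/** Adds the Keycloak-issued JWT as an OAuth2 Bearer token to every outgoing request. */
private class BearerAuth(private val accessToken: () -> String) : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response =
        chain.proceed(
            chain.request().newBuilder()
                .header("Authorization", "Bearer ${accessToken()}")
                .build()
        )
}

/** Client used for all backend calls. The spec list has no ConnectionSpec.CLEARTEXT entry. */
fun collectorClient(accessToken: () -> String): OkHttpClient =
    OkHttpClient.Builder()
        .connectionSpecs(listOf(tlsOnly))
        .addInterceptor(BearerAuth(accessToken))
        .build()

fun main() {
    // Placeholder token; in the app this comes from the Keycloak login flow.
    val client = collectorClient { "eyJhbGciOiJSUzI1NiJ9.placeholder.token" }

    val https = Request.Builder().url("$API_BASE/api/observations").build()
    runCatching { client.newCall(https).execute().use { println("status ${it.code}") } }
        .onFailure { println("https call failed: ${it.message}") }

    // Downgrade attempt: because CLEARTEXT is not in the connection specs, OkHttp refuses
    // the plain-http route with an UnknownServiceException instead of sending the request.
    val http = Request.Builder().url("http://api.collector.example.com/api/observations").build()
    runCatching { client.newCall(http).execute() }
        .onFailure { println("refused: ${it::class.simpleName}: ${it.message}") }
}
```

The important line is `connectionSpecs(listOf(tlsOnly))`: OkHttp's default spec list includes `ConnectionSpec.CLEARTEXT`, so a client that never sets connection specs will happily follow an http:// URL (for example from a misconfigured base URL or an injected redirect). Listing only a TLS spec turns that into a hard failure.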

Data at Rest

All data is stored in PostgreSQL hosted on AWS RDS in EU regions (Iristick's own AWS account). Database encryption at rest is enabled through AWS RDS.

Storage Limits

  • Currently there are no storage limits per customer
  • File upload limit: 10 MB per file

Authentication & Access Control

Authentication

User authentication is managed through Keycloak using OAuth2 with JWT tokens. Email verification is required at signup. Multi-factor authentication and SSO are not yet available; both are listed on the roadmap below.

Role-Based Access Control

Two roles govern what users can do:

Role    Capabilities
Admin   Full access: manage templates, asset lists, users, and observations
User    Collect data, view assigned templates and asset lists

API Authentication

The REST API uses the OAuth2 authorization code flow to obtain tokens. All API endpoints require a valid JWT access token; the backend verifies the token's signature and claims against Keycloak before serving the request.
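How the backend side of the authentication and role model above can be enforced in a Spring Security resource server, as an added example that is not Iristick's own backend code: the JWT signature is verified against the Keycloak realm's JWKS, issuer, expiry and audience are validated, and Keycloak realm roles are mapped to Spring authorities so that the Admin-only routes (templates, asset lists, users) are closed to the User role. The realm URL, audience, route paths and the assumption that the two roles are Keycloak realm roles (claim `realm_access.roles`) are placeholders, not values from this page.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.convert.converter.Converter
import org.springframework.security.authentication.AbstractAuthenticationToken
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator
import org.springframework.security.oauth2.core.OAuth2Error
import org.springframework.security.oauth2.core.OAuth2TokenValidator
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult
import org.springframework.security.oauth2.jwt.Jwt
import org.springframework.security.oauth2.jwt.JwtDecoder
import org.springframework.security.oauth2.jwt.JwtValidators
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
import org.springframework.security.web.SecurityFilterChain

// Assumed values: realm URL, audience and route names are placeholders, not Iristick's.
private const val ISSUER = "https://keycloak.example.com/realms/collector"
private const val AUDIENCE = "collector-api"

@Configuration
class ResourceServerConfig {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http
            .authorizeHttpRequests { auth ->
                auth
                    // Admin-only management routes (templates, asset lists, users)
                    .requestMatchers("/api/templates/**", "/api/asset-lists/**", "/api/users/**")
                    .hasRole("ADMIN")
                    // Everything else (e.g. submitting observations) needs any valid token
                    .anyRequest().authenticated()
            }
            // Bearer JWTs only: no session cookies, no form login
            .oauth2ResourceServer { rs ->
                rs.jwt { jwt -> jwt.jwtAuthenticationConverter(keycloakRoles()) }
            }
        return http.build()
    }

    @Bean
    fun jwtDecoder(): JwtDecoder {
        // Signatures are checked against the realm's published JWKS, so a token signed
        // with any other key (or carrying alg=none) is rejected before claims are read.
        val decoder = NimbusJwtDecoder
            .withJwkSetUri("$ISSUER/protocol/openid-connect/certs")
            .build()
        decoder.setJwtValidator(
            DelegatingOAuth2TokenValidator(
                JwtValidators.createDefaultWithIssuer(ISSUER), // exp/nbf (with clock skew) and iss
                audienceIs(AUDIENCE),
            )
        )
        return decoder
    }
}

/** Rejects tokens minted for another client: a valid Keycloak token is not automatically valid here. */
private fun audienceIs(expected: String) = OAuth2TokenValidator<Jwt> { jwt ->
    if (jwt.audience?.contains(expected) == true) {
        OAuth2TokenValidatorResult.success()
    } else {
        OAuth2TokenValidatorResult.failure(
            OAuth2Error("invalid_token", "aud claim does not contain $expected", null)
        )
    }
}

/** Maps Keycloak realm roles (claim realm_access.roles) to ROLE_* authorities for hasRole(). */
private fun keycloakRoles(): Converter<Jwt, AbstractAuthenticationToken> =
    Converter<Jwt, AbstractAuthenticationToken> { jwt ->
        val roles = (jwt.getClaimAsMap("realm_access")?.get("roles") as? Collection<*>).orEmpty()
        val authorities = roles.map { SimpleGrantedAuthority("ROLE_${it.toString().uppercase()}") }
        JwtAuthenticationToken(jwt, authorities)
    }
```

Two checks here go beyond "the token parses": the audience validator stops a token issued to some other Keycloak client in the same realm from being replayed against this API, and the role converter keeps authorization decisions on the server rather than trusting a role the client claims in the request body.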

Data Export

Collected data can be exported from the web portal in CSV format, ready for analysis in external tools.

Audit Logging

User actions, including logins and data modifications, are logged in the backend. Long-term retention and customer-facing export of these logs are roadmap items (see below); the current logs are not offered to customers as an exportable audit trail.

Backup & Disaster Recovery

  • Automated daily backups via AWS RDS with encryption enabled
  • Container-level resilience through Kubernetes with automatic pod recovery
  • Database recovery handled through AWS RDS infrastructure

Compliance

GDPR

Iristick.Collector is GDPR compliant:

  • All data is stored and processed within EU regions
  • In the unlikely event of a personal-data breach, we follow GDPR's 72-hour breach notification requirement (Article 33)
  • Data deletion requests are honored — data is removed from Iristick systems upon request

Data Deletion

When you request data deletion, your data is removed from Iristick systems. End-of-contract data return is handled directly with your account team.

Roadmap

The following security and compliance capabilities are planned:

  • MFA via TOTP and SSO integrations (Google/Microsoft)
  • ISO 27001 certification (in progress)
  • Persistent audit log storage with extended retention and export
  • Data Processing Agreements (DPA) and formal privacy impact assessments
  • API rate limiting and webhook support
  • Formal RTO/RPO targets and multi-region disaster recovery

For questions about security, compliance, or to request a DPA, contact support@iristick.com.