From day 1 we’ll have to store personally identifying information:
How do we store all of this securely? Note that it’s not just about public relations, it’s also about legal requirements (e.g. GDPR). Where (in which jurisdiction) is it stored? Who has access?
GDPR may be a big issue. As I understand it (and I really don’t understand it very well), GDPR can be an issue for any web server hosted in the affected area (which is something arguably we should avoid) but also for any relevant data about any users from the affected area, which is something we can’t easily avoid (and don’t want to avoid - we want users from around the world). Anyone with relevant experience with GDPR and similar issues?
I have some experience with GDPR. It’s not as onerous as folks think it is.
We don’t have to store PII encrypted. We can if we choose to, but it’s not a requirement. We simply have to ensure only authorized people have access to it, which can be achieved simply by controlling access to the deployment server.
As for access - keep it limited. The sysadmin for the deployment server will have access to things, of course. It’d probably be wise to have one or two developers with access, too. Anyone who has access, until we are a legal entity, must be listed with contact details in a public privacy statement. See here for an example.
This is also under (broader) consideration in this post:
I have experience with COPPA. For MVP, a requirement of “don’t ask age, and have a way to quickly delete PII if requested by a parent.” is sufficient, although this is not the ironclad get-out-of-COPPA-free card that many think it is.
The COPPA regulations are currently in the very beginning stages of being revised, and will probably be different in a year or two.
At first, by employing tested-and-true implementation techniques, such as mature authentication/authorization frameworks and separating personal data from non-sensitive data in a manner that allows for more rigid security control, at all levels - datastore, caching, application in-memory-data, API methods and network.
Later, by requiring careful audit from experienced members of our project (in terms of information security), and actually enforcing the rigid security control mentioned above.
That is yet to be defined (I think)…
That too, at least speaking in precise terms - but, preliminarly, of course as few people as necessary: Maybe one sysadmin, one DB administrator… and one or two trusted developers, although these shouldn’t actually need to have real PII (as dummy or anonymized data should probably serve well for all purposes I can think of right now), and if they do, it should be on a case-by-case basis.
In terms of the software, whether moderators or site/instance admins will have access to these via the platform is something that hasn’t been discussed yet AFAIK (or has it?).
If it depends on me, I’d say no. Not until there’s a demonstrated need for some specific PII access anyway, at which point it could be implemented if the merits are deemed valid.