Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update terms of service and/ or monarch-link app for user data timeout #909

Open
VenissaCarolQuadros opened this issue Nov 6, 2024 · 1 comment
Open

Update terms of service and/ or monarch-link app for user data timeout #909

VenissaCarolQuadros opened this issue Nov 6, 2024 · 1 comment
Assignees
@jeffbl

Comments

@VenissaCarolQuadros
Copy link
Member

We need to update the terms of service and/ or monarch-link-app for user data timeout. The data includes:

  1. The code the Monarchs are subscribed to and the associated secret key (generated by the server)
  2. The SVG data published by the user and the user-readable channel title

We need to decide on:

  1. How long each of the components of this data is stored
  2. Whether or not the user can force a particular code if it has been erased from the server store (for now: Yes! Unless there is a very strong reason not to)
  3. How we handle scenarios where the code a user wants to use (2.) is already assigned to another user
@VenissaCarolQuadros VenissaCarolQuadros self-assigned this Nov 6, 2024
@jeffbl jeffbl mentioned this issue Dec 9, 2024
Merged
9 tasks
@VenissaCarolQuadros
Copy link
Member Author

VenissaCarolQuadros commented Jan 7, 2025
edited
Loading

Recommended changes to terms of service:

  • The Overview of the IMAGE Extension in the web store needs to be modified to reflect that we now support Monarch and that you will be able to view automatically generated, partially or completely customized experiences on it using the authoring tool. (Refer "allowed use")
  • Currently any data shared between the Extension, TAT and monarch-link-app is encrypted using AES-CBC. We do not explicitly describe the data flow in our current terms but I believe we meet this condition with our current setup -> Extensions must transmit "personal and sensitive user data" over a secure connection (e.g. HTTPS, WSS) and stored at rest using a strong encryption method such as RSA or AES.
  • We do not have any explicit terms on user data timeout. However, to avoid storing unused data indefinitely on our server a cron job has been setup to delete entries that haven't been updated in the last hour (Save source graphic in monarch-link-app and clear unused entries periodically #927).

Handling user data timeout:

  • Currently, the user can force a particular share code if it has been erased from the server store. In the off chance that this code is already assigned to another user (chance is 1/262144), 401 is returned. This might need to be revisited when this is no longer just a prototype!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jeffbl jeffbl

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jeffbl @VenissaCarolQuadros