GDPR Compliance Guide 

This guide explains how Interviewer and Fresco handle participant data, how they fit within GDPR frameworks, and what responsibilities researchers must take on when deploying them.

Purpose of this guide

This guide is designed for researchers, ethics committees, IT departments, and data protection officers who need to understand how Network Canvas tools handle personal data and what measures are needed to ensure GDPR compliance.

The Network Canvas development team does not act as a Data Controller or Data Processor. No participant data is ever received, transmitted to, or stored by the developers. Researchers retain full control and responsibility for all participant data, and GDPR compliance is achieved through proper deployment, configuration, and institutional policies.

Interviewer vs Fresco: Key Differences

| Aspect | Interviewer (Desktop/Tablet) | Fresco (Self-Hosted Web) |
| --- | --- | --- |
| Data Storage Location | All participant data stored only on your local device | Interview data stored in Postgres database; study assets stored in S3 via UploadThing |
| Data Transmission | No participant data transmitted externally unless you manually export it | Data remains on your infrastructure; no transmission to developers |
| Encryption | Device-level protections required (disk encryption, access controls are your responsibility) | Encrypted at rest when using providers like Neon; S3 server-side encryption enforced |
| Analytics/Telemetry | Does not collect analytics or crash logs | Optional anonymous usage/error analytics (can be disabled) |
| GDPR-Compliant Hosting | Not applicable (local device storage) | Possible when selecting an EU region (available on paid UploadThing plans) |
| Your Control | Complete control over participant data on your device | All participant data remains under your control at all times |
| Infrastructure | Your device | Your deployed infrastructure (hosting, database, storage) |

Roles under GDPR

Data Controller

The research institution or individual researcher deploying the software is always the Data Controller. As the Data Controller, you determine why participant data is collected, which data is collected, how long data is stored, what lawful basis applies under GDPR, how consent and subject rights are managed, and where data is hosted and who has access to it.

Fresco and Interviewer developers

The Network Canvas development team provides the open-source software but does not receive or host participant data, does not monitor researcher use, and does not operate a data processing service. Therefore, the developers do not act as a Data Processor under GDPR. All data processing occurs entirely within infrastructure controlled by the researcher.

Interviewer (Desktop/Tablet application)

Interviewer is a fully offline application designed to run on researcher-controlled devices.

Data storage

All interview data is stored locally on your device. Data resides within the application sandbox on the local filesystem and is exported only when you manually export it. No automatic uploads or transmissions occur.

For GDPR purposes, this means you have complete control over participant data. Data residency is determined by the physical location of your device, and no third parties have access to the data through the software.

Network communication

Interviewer performs minimal network communication. The application queries the GitHub API to check for new versions, but no participant data or identifiable information is transmitted in these requests—only the current version number is sent. Beyond this update check, Interviewer makes no external connections, and all data processing occurs entirely offline.

Telemetry and third-party services

Interviewer does not include analytics or crash reporting; external scripts, fonts, or services; tracking mechanisms of any kind; or third-party data processors.

Other stored data

Application preferences for UI configuration are stored locally. These preferences do not contain participant data and cannot be used to identify participants.

Encryption and device security

Important: Interviewer does not perform internal encryption of its stored data.

You are responsible for enabling device-level encryption (such as FileVault on macOS, BitLocker on Windows, or device encryption on mobile platforms), implementing secure device access policies using passwords or biometric authentication, establishing safe export and storage procedures for exported data, and maintaining physical security of devices.

Using Interviewer in a GDPR-compliant manner requires securing the device where data is stored, regulating who can access the device, managing exported files securely, maintaining data retention and deletion policies, and ensuring devices are not lost or stolen. The software itself neither sends nor shares participant data, but you must implement appropriate technical and organizational measures to protect it.

Fresco (Self-hosted web application)

Fresco is a web-based platform deployed entirely by researchers. The software does not send participant data to any external party beyond your own infrastructure.

Deployment and hosting

Fresco can be deployed to Vercel, Netlify, researcher-managed Docker infrastructure, or any platform that supports Next.js applications. In every case, all participant data remains under your control, and the developers cannot access any data. Your chosen hosting provider must meet GDPR requirements, and you are responsible for selecting appropriate data residency options.

Postgres storage (interview data)

Fresco stores interview responses and study configuration in a Postgres database.

Default deployment: Neon

The recommended hosting provider, Neon, offers encryption at rest for all data, encryption in transit using TLS connections, automatic backups with point-in-time recovery, and role-based access control. For GDPR compliance, Neon provides EU hosting regions, data residency guarantees, compliance with EU data protection regulations, and Data Processing Agreements (DPAs).

When configuring your Neon database, select an EU region when creating your database, configure access restrictions appropriately, and implement retention policies according to your study requirements.

Self-hosted Postgres

For Docker deployments, you must configure disk encryption for the database volume, TLS for all database connections, and encryption at rest if required by your institution. Access control should include secure authentication mechanisms, network restrictions using firewall rules, and regular security updates. You must also implement automated backup procedures, secure backup storage, and tested recovery procedures.
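
An added example, not part of Fresco or the original guide: a pre-deployment check that reads a Postgres connection URL and reports whether TLS is enforced and whether the database sits in an approved region, covering the Neon and self-hosted cases above. It assumes libpq-style `sslmode` values (other drivers may interpret the parameter differently) and that a Neon hostname has the shape `<endpoint>.<region>.<cloud>.neon.tech`; the URLs and the approved-region list are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values that do not guarantee an encrypted connection.
# When the parameter is absent, libpq falls back to "prefer".
NO_TLS_GUARANTEE = {"disable", "allow", "prefer"}


def neon_region(host):
    """Return the region label of a Neon hostname, or None for other hosts.

    Assumption: Neon hostnames look like <endpoint>.<region>.<cloud>.neon.tech.
    """
    labels = host.lower().split(".")
    if len(labels) == 5 and labels[-2:] == ["neon", "tech"]:
        return labels[1]
    return None


def audit_database_url(url, allowed_regions):
    """Return a list of (severity, message) findings for a connection URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        return [("error", "not a Postgres connection URL")]

    findings = []
    sslmode = parse_qs(parts.query).get("sslmode", ["prefer"])[-1].lower()
    if sslmode in NO_TLS_GUARANTEE:
        findings.append(("error", f"sslmode={sslmode} does not guarantee encryption"))
    elif sslmode == "require":
        findings.append(("warn", "sslmode=require encrypts but does not verify "
                                 "the server certificate"))
    elif sslmode == "verify-ca":
        findings.append(("warn", "sslmode=verify-ca checks the CA but not the hostname"))
    elif sslmode != "verify-full":
        findings.append(("error", f"unknown sslmode value {sslmode!r}"))

    host = parts.hostname or ""
    region = neon_region(host)
    if region is None:
        # Self-hosted or other provider: residency cannot be read from the name.
        findings.append(("info", f"cannot infer region from host {host!r}; "
                                 "confirm data residency with the provider"))
    elif region not in allowed_regions:
        findings.append(("error", f"database region {region} is not approved"))
    return findings


# Constructed sample values for illustration only.
APPROVED = {"eu-central-1"}
SAMPLES = [
    "postgresql://fresco:constructed@ep-sample-123456.eu-central-1.aws.neon.tech"
    "/fresco?sslmode=verify-full",
    "postgresql://fresco:constructed@ep-sample-123456.us-east-2.aws.neon.tech/fresco",
    "postgres://fresco:constructed@db.internal:5432/fresco?sslmode=require",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host = urlsplit(sample).hostname  # never print the credentials
        for severity, message in audit_database_url(sample, APPROVED) or [("ok", "no findings")]:
            print(f"{host}: {severity}: {message}")
```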

S3-compatible storage (study assets only)

Fresco stores study introduction videos and images, protocol logos and branding, explanatory materials, and roster files (CSV/JSON) in S3—and these roster files may contain participant personally identifiable information (PII) depending on your study design.

UploadThing

Fresco uses UploadThing, which stores files in Amazon S3. You cannot choose a different storage provider, as Fresco requires UploadThing for asset management.

The free UploadThing plan uses US-based S3 storage by default, which may not be suitable for GDPR-sensitive data. Paid plans allow selection of S3 storage region, with EU regions available for GDPR-compliant storage. Region selection ensures data residency in the EU.

All S3 assets are automatically encrypted at rest, and Fresco enforces server-side encryption using SSE-S3 or SSE-KMS. Access is controlled through signed URLs, and files are not publicly accessible.

If your roster data contains PII, you must use a paid UploadThing plan, select an EU region (or other GDPR-aligned region), ensure your institutional policies allow S3 storage, document this in your data protection impact assessment, and include UploadThing in your data processing records.

Telemetry, analytics, and update checks

Fresco includes optional usage and error analytics that contain no participant data. These analytics collect only feature usage, error types, and performance metrics. You can disable analytics in Fresco settings or block them at the network or firewall level.

Update checks are triggered only when viewing the Settings screen. These checks query the GitHub API for version information, and no identifiable information is transmitted.

Logging and tracking

Fresco does not log IP addresses of participants, log request metadata that could identify participants, use cookies beyond essential session handling, include third-party frontend scripts or tracking pixels, or share data with advertising or analytics platforms.

Session cookies are used only for researcher authentication to the dashboard. They are not used for participant tracking and are encrypted and HTTP-only for security.

Data sensitivity

Although Fresco stores no participant photos or files uploaded during interviews, interview data itself is highly likely to constitute personal data under GDPR. This includes participant responses to survey questions, network data showing relationships between people, potentially sensitive information about participants and their social networks, and metadata such as interview start/end times and session identifiers.

This data should be treated as personal data and may include special categories of personal data depending on your study. It requires an appropriate legal basis for processing and must be protected with technical and organizational measures.

Responsibilities of researchers (Data Controllers)

To use Fresco or Interviewer in a GDPR-compliant manner, you must fulfill these responsibilities:

1. Establish a lawful basis for data collection

Under GDPR Article 6, you must have a lawful basis for processing personal data. Common lawful bases for research include consent (explicit, informed, and freely given consent from participants), public interest (research conducted in the public interest), and legitimate interests (research purposes with appropriate safeguards).

For special categories of data under GDPR Article 9, you must have explicit consent for processing sensitive data, or the processing must be necessary for research purposes with appropriate safeguards.

You should document which lawful basis you are relying on, how you obtained consent (if applicable), and what safeguards are in place for sensitive data.

2. Ensure compliant hosting

For Fresco deployments, choose hosting providers that offer GDPR-compliant hosting, verify they provide Data Processing Agreements (DPAs), and ensure they offer EU or appropriate regional hosting.

For Postgres (whether using Neon or self-hosted), select an EU region for data residency, configure encryption at rest and in transit, implement secure access controls, and limit access to authorized personnel only. For S3 storage via UploadThing, use a paid plan to select an EU region, verify region selection in the UploadThing dashboard, and document this choice in your compliance records.

Implement role-based access control, use strong authentication (multi-factor where possible), regularly review who has access to data, and remove access promptly when no longer needed.

3. Maintain device security (Interviewer)

Ensure secure storage of devices when not in use, maintain controlled access to devices, and establish procedures for lost or stolen devices. Enable full disk encryption, use strong passwords or biometric authentication, keep operating system and security patches up to date, and install anti-malware software. When exporting data, ensure secure transfer of exported data, encrypt data in transit and at rest, and securely delete data from devices when no longer needed.

4. Implement data governance policies

Collect only data necessary for your research, avoid collecting excessive personal information, and regularly review what data you are collecting. Define how long data will be stored, document retention periods in your privacy notice, and implement automated deletion where possible. Establish procedures for secure data deletion, delete data when retention periods expire, and honor participant deletion requests promptly.

Consider pseudonymizing data where possible, use case IDs instead of names during data collection, and separate directly identifying information from research data.

5. Enable participant rights

Under GDPR, participants have rights that you must facilitate. Participants can request copies of their data (right of access), and you must provide data in an accessible format and respond within one month. Participants can request corrections to their data (right to rectification), and you must update data when errors are identified.

Participants can request deletion of their data (right to erasure or "right to be forgotten"). You must honor these requests unless there are legitimate grounds to refuse, and you must document any refusals with clear justification. Participants also have the right to data portability, meaning you must provide data in machine-readable format when requested and enable transfer to another controller if requested.

Fresco and Interviewer do not automate these processes but they do not obstruct their implementation. You must establish procedures to honor these rights.

6. Conduct data protection impact assessments

Data protection impact assessments are required for large-scale processing of special category data, systematic monitoring of participants, or processing that may result in high risk to participants. You should assess the nature, scope, context, and purposes of processing; the necessity and proportionality of processing; risks to participants' rights and freedoms; and measures to address those risks.

7. Maintain records of processing activities

Document the purposes of processing, categories of data subjects and personal data, categories of recipients, data transfers (if any), retention periods, and security measures in place.

8. Provide clear privacy information

Your privacy notice must include the identity of the Data Controller (you or your institution), purposes of data collection, lawful basis for processing, how long data will be stored, participant rights and how to exercise them, contact details for data protection queries, and how to lodge a complaint with the supervisory authority.

Security best practices

For Interviewer

Enable full disk encryption on all devices and use strong passwords with a minimum of 12 characters including mixed case, numbers, and symbols. Enable automatic screen locking after inactivity, install security updates promptly, use anti-malware software, and restrict physical access to devices.

Export data only when necessary, transfer exported files using encrypted connections, store exported data on encrypted drives or servers, delete exported files from devices after transfer, and maintain audit logs of data exports.

Train staff on data protection requirements, limit device access to authorized personnel only, use separate user accounts rather than sharing accounts, and implement separation of duties where appropriate.

For Fresco

Use HTTPS for all connections (automatically enforced), keep platform and dependencies updated, monitor for security vulnerabilities, and implement intrusion detection if possible.

Use strong, unique passwords for admin accounts, consider implementing additional authentication layers, regularly review access logs, and limit dashboard access to authorized IP ranges if possible.

Restrict database access to the application only, use strong database credentials, enable database encryption, implement regular automated backups, and test backup restoration procedures.

Deploy behind an institutional firewall if possible, use VPN for remote access to the admin dashboard, monitor for unusual access patterns, and implement rate limiting to prevent abuse.

Data breach procedures

Establish a data breach response plan, identify who is responsible for breach response, and document procedures before a breach occurs.

In case of a breach, contain it immediately and assess the severity and scope. Notify your Data Protection Officer (if applicable), notify the supervisory authority within 72 hours if there is high risk, notify affected participants if there is high risk to their rights, and document all actions taken.

Prevent breaches through regular security audits, penetration testing for Fresco deployments, staff training on security practices, and incident response drills.

International data transfers

For transfers within the EU, no additional measures are required, as data remains within GDPR jurisdiction. For transfers to countries outside the EU, ensure an adequate level of protection exists, use Standard Contractual Clauses if needed, document transfer mechanisms, and conduct a transfer impact assessment.

For Network Canvas deployments, choose EU regions for all services (Neon, UploadThing), avoid transferring data outside the EU unless necessary, and if transfers are required, implement appropriate safeguards.

Demonstrating compliance

Maintain documentation including privacy notices provided to participants, consent forms (if applicable), Data Protection Impact Assessments, records of processing activities, Data Processing Agreements with service providers, security policies and procedures, staff training records, and incident response procedures.

Conduct annual reviews of data processing activities, regular security audits, staff training updates, and reviews of service provider compliance.

Working with ethics committees and IT departments

For ethics committees

When preparing ethics applications, address what lawful basis you will use for processing personal data, where participant data will be stored, what security measures are in place, how participant rights will be honored, what the data retention period will be, and how data will be securely destroyed.

For Network Canvas-specific information, note that Interviewer stores data locally on encrypted devices, Fresco stores data in EU-region Postgres and S3, no data is transmitted to software developers, and you maintain full control over data at all times.

For IT departments

For Interviewer, infrastructure requirements include desktop or tablet devices with disk encryption, secure storage facilities for devices, a secure network for data export and transfer, and regular security updates.

For Fresco, you need Next.js hosting (Vercel, Netlify, or Docker), a Postgres database (we recommend Neon with an EU region), an UploadThing account (paid plan with EU S3 region), and HTTPS enabled (which is automatic on hosting platforms).

All data remains within researcher control, with no third-party data processors beyond hosting infrastructure. Standard web application security practices apply, and regular security updates are required.

Specific scenarios

Collecting sensitive personal data

GDPR Article 9 defines special categories of personal data including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.

Processing these categories requires explicit consent or another Article 9 lawful basis, a higher standard of security measures, stricter data minimization, enhanced privacy notices, and a more rigorous Data Protection Impact Assessment.

When using Network Canvas for sensitive data, deploy Fresco in an EU region only, enable maximum security features, implement additional access controls, consider additional encryption layers, and document all safeguards thoroughly.

Longitudinal studies

Longitudinal studies present challenges including the need to re-identify participants for follow-up, extended data retention periods, and multiple consent points.

Address these challenges by using pseudonymous identifiers where possible, storing the linking key separately from research data, updating privacy notices for each wave, refreshing consent if processing changes, and implementing secure participant identification procedures.
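
An added example, not code from Network Canvas: one way to apply the pseudonymization advice in this section and in the data governance section, replacing direct identifiers in a roster CSV with keyed case IDs and writing the identifiers to a separate linking table. The column names, the `P-` prefix, the sample roster and the demo key are assumptions made for illustration; in practice the key is generated randomly and stored apart from the research data.

```python
import csv
import hashlib
import hmac
import io
import unicodedata

# Assumed names of the directly identifying roster columns.
DIRECT_IDENTIFIERS = ("name", "email")


def normalise(value):
    """Fold case, whitespace and Unicode form so one person maps to one ID."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def case_id(secret_key, identifier):
    """Derive a stable pseudonymous ID with HMAC-SHA256.

    Without the key, the ID cannot be recomputed from a guessed e-mail
    address, which a plain unkeyed hash would allow.
    """
    mac = hmac.new(secret_key, normalise(identifier).encode("utf-8"), hashlib.sha256)
    return "P-" + mac.hexdigest()[:16]


def split_roster(roster_csv, secret_key, id_column="email"):
    """Split a roster into (research_rows, linking_rows).

    research_rows carry the case ID and no direct identifiers;
    linking_rows map each case ID back to the identifiers.
    """
    research_rows, linking_rows, seen = [], [], {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        person = normalise(row[id_column])
        cid = case_id(secret_key, person)
        # The digest is truncated, so refuse to merge two different people.
        if seen.setdefault(cid, person) != person:
            raise ValueError(f"case ID collision on {cid}")
        linking_rows.append({"case_id": cid, **{k: row[k] for k in DIRECT_IDENTIFIERS}})
        research_rows.append(
            {"case_id": cid, **{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return research_rows, linking_rows


# Constructed sample roster: the third row is the first participant at wave 2,
# entered with different capitalisation and stray spaces.
SAMPLE_ROSTER = "\n".join([
    "name,email,site,wave",
    "Ada Example,ada@example.org,north,1",
    "Ben Sample,ben@example.org,south,1",
    "ADA EXAMPLE, Ada@Example.org ,north,2",
])
# Constructed demo key; a real key would come from secrets.token_bytes(32).
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    research, linking = split_roster(SAMPLE_ROSTER, DEMO_KEY)
    for row in research:
        print(row)  # safe to store alongside interview data
    print(len(linking), "linking rows to store separately")
```

Store the linking rows and the key under separate access controls from the research rows, so that re-identifying a participant for follow-up requires both.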

Multi-site studies

Multi-site studies involve challenges such as data transfers between sites, multiple Data Controllers, and the need to coordinate compliance.

Address these by establishing clear Data Controller roles, implementing Data Sharing Agreements, using consistent security measures across sites, coordinating privacy notices, and considering a joint Data Controller arrangement.

Conclusion

Fresco and Interviewer are designed to give researchers complete control over participant data, enabling GDPR-compliant research when deployed and configured appropriately.

The software developers are not involved in data processing—all data remains under your control. GDPR compliance is your responsibility as Data Controller; the software enables compliance but does not guarantee it. Proper configuration is essential: choose EU regions, enable encryption, and implement security measures. Documentation is crucial—maintain records of all compliance measures. Regular review is necessary, as compliance is an ongoing process, not a one-time achievement.

GDPR compliance is achieved through appropriate hosting choices (EU regions, compliant providers), robust security practices (encryption, access control, monitoring), clear institutional policies (retention, deletion, participant rights), proper documentation (privacy notices, DPIAs, processing records), and regular review and updates (security audits, policy reviews).

The software provides the foundation for GDPR-compliant research. Your deployment decisions, security practices, and institutional policies determine whether that foundation results in actual compliance.

Getting help

If you have questions about GDPR compliance with Network Canvas, start by reviewing this guide thoroughly, as most questions are addressed here. Consult your Data Protection Officer for institution-specific guidance, contact your ethics committee for advice on compliance for your specific study, engage your IT department for assistance with technical implementation, and reach out to our User Community for peer support.

The Network Canvas team cannot provide legal advice on GDPR compliance. We can only explain how the software works and what data it processes. Compliance decisions must be made by you in consultation with your legal and compliance advisors.