Skip to main content

Security & Privacy

How KoNote protects participant data — and what you're responsible for.

Shared Responsibility

KoNote provides security features, but security is a shared responsibility. The software can only protect data if you configure and operate it correctly. This page explains both what KoNote does and what you must do.

What KoNote Does

Field-Level Encryption

All personally identifiable information (PII) is encrypted before being stored in the database.

  • Algorithm: Fernet (AES-128-CBC + HMAC-SHA256) for PII at rest
  • Encrypted fields: Participant names, birth dates, emails, phone numbers, progress note content, sensitive custom fields, registration submissions
  • Key storage: Your encryption key, stored as an environment variable (Azure Key Vault recommended for production)
  • Key rotation: Built-in key rotation command for changing encryption keys
  • Per-agency keys: In multi-agency deployments, each agency has its own encryption key — one agency's key cannot decrypt another's data

Even if someone gains access to the database, encrypted fields are unreadable without the encryption key. In shared hosting, one agency's key cannot decrypt another agency's data.

Dual-Database Architecture

KoNote uses two separate PostgreSQL databases.

  • Operational database: Participant records, notes, plans (normal CRUD operations)
  • Audit database: Immutable log of all data access and changes (INSERT-only)

The audit database cannot be modified or deleted through the application, providing a tamper-resistant record.

Role-Based Access Control

Five roles with different permissions, enforced at the middleware level.

  • Administrator: System configuration (no direct participant access)
  • Program Manager: Full access to their programs' participants and staff
  • Direct Service: Access to participants in their assigned programs
  • Front Desk: Limited access to specific fields only
  • Executive: Dashboard and reporting access

Staff can only see participants enrolled in programs they're assigned to. Admins are deliberately blocked from participant data.

Complete Audit Logging

Every significant action is logged with full context.

  • Data changes: Create, update, delete with before/after values
  • Data access: Who viewed which participant record and when
  • Authentication: Login, logout, failed login attempts
  • Metadata: Timestamp, user ID, IP address

Logs are searchable through the admin interface and can be exported.

Secure Authentication

Two authentication options, both using modern security practices.

  • Azure AD SSO: Integrate with your organisation's Microsoft 365
  • Local authentication: Passwords hashed with Argon2 (winner of the Password Hashing Competition)

Session tokens are stored in the database with configurable timeouts.

Secure Data Exports

Defence-in-depth controls on data exports to prevent unauthorised data extraction.

  • SecureExportLink: Time-limited download links with 24-hour expiry and nonce deduplication
  • Elevated exports: Large exports (100+ participants) or exports containing notes trigger admin notification and a 10-minute delay
  • Admin oversight: Admins can revoke export links before they expire
  • Download tracking: Every download is logged (who, when, how many times)
  • Re-validation: PII access permissions are re-checked at download time
  • Agency-wide export: AES-256-GCM encrypted export for full agency offboarding, with automatic model discovery and Diceware passphrase generation

Canadian Data Residency

For organisations requiring data to stay in Canada, KoNote supports deployment to Canadian infrastructure.

  • OVHcloud Beauharnois: Dedicated Canadian data centre in Quebec
  • Azure Canada Central: Microsoft's Canadian cloud region
  • Self-hosted: Deploy on any Canadian server you control
  • Encryption keys: Stored in Azure Key Vault or your secure infrastructure

Participant data, backups, and encryption keys all stay within Canadian borders.

Security Headers

HTTP security headers configured by default.

  • Content Security Policy (CSP)
  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options (clickjacking protection)
  • X-Content-Type-Options
  • CSRF protection on all forms

PHIPA Cross-Program Consent

Enforces Ontario PHIPA requirements for sharing clinical notes across programs within an agency.

  • Fail-closed design: Cross-program notes are hidden by default
  • Consent-gated access: Clinical notes only visible across programs when the participant or agency has explicitly enabled sharing
  • List and detail enforcement: Consent filters applied on both note lists (querysets) and individual note views
  • Exempt views: Aggregate counts, de-identified reports, and plan views are unaffected

Rate Limiting & Brute-Force Protection

Protections against automated attacks on authentication endpoints.

  • Account lockout: Participant portal locks accounts after repeated failed login attempts
  • Session security: Session tokens stored in the database with configurable timeouts
  • Secure cookies: Session and CSRF cookies marked secure in production
  • System checks: Startup validation ensures encryption keys, security middleware, and cookie flags are correctly configured

What You Must Do

KoNote's security features only work if you fulfil your responsibilities. These are not optional.

Protect Your Encryption Key

If you lose the encryption key, you lose access to all encrypted data permanently.

  • Store the key securely (password manager, secure vault)
  • Keep offline backups in secure locations
  • Never commit the key to version control
  • Limit who knows the key to essential personnel

There is no "forgot password" for encryption keys. Lost key = lost data.

Configure HTTPS

All production deployments must use HTTPS. Without it, data (including login credentials) can be intercepted.

  • Railway and Elestio provide automatic HTTPS
  • Azure requires configuration
  • Self-hosted requires a reverse proxy (Caddy, nginx) with certificates

Never run KoNote over plain HTTP in production.

Maintain Regular Backups

You are responsible for backing up both databases and verifying that backups can be restored.

  • Automated daily backups (minimum)
  • Store backups in a separate location from the primary database
  • Test restores regularly (at least quarterly)
  • Keep backups encrypted and access-controlled

If you don't have backups and something goes wrong, the data is gone.

Control User Access

KoNote provides the tools; you must use them correctly.

  • Only create accounts for people who need access
  • Assign the minimum role needed for each user's job
  • Remove accounts promptly when staff leave
  • Review user access regularly

Keep Software Updated

Security vulnerabilities are discovered over time. Updates address them.

  • Monitor the GitHub repository for releases
  • Apply updates promptly, especially security patches
  • Test updates in a staging environment if possible

Train Your Staff

Technical security is only part of the picture.

  • Train staff on acceptable use and data handling
  • Establish policies for sharing information
  • Create procedures for security incidents
  • Document your organisation's privacy practices

Compliance Features

PHIPA & PIPEDA Readiness

KoNote includes features to support compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario's Personal Health Information Protection Act (PHIPA).

  • Encryption of personal information (Fernet AES at rest)
  • Per-agency encryption keys in multi-agency deployments
  • Access controls and audit logging
  • Consent recording with immutable withdrawal tracking
  • Cross-program consent enforcement — clinical notes shared only with participant or agency permission
  • Data retention configuration
  • Multi-stage data erasure workflow with approval chain
  • Privacy policy template
  • Canadian data residency option (OVHcloud Beauharnois, QC)
  • Offline field collection data protection — PII tiers and device loss protocols

Note: Using KoNote doesn't automatically make you PHIPA- or PIPEDA-compliant. Compliance depends on how you configure and operate the system, your policies, and your staff practices.

GDPR Readiness

For organisations serving European participants, KoNote includes:

  • Consent tracking (consent_given_at field)
  • Data retention periods
  • Multi-program-manager erasure approval workflow
  • Automatic erasure execution when all approvals received
  • Audit trail of data processing preserved after erasure

Note: GDPR compliance requires more than software features. Consult with a privacy professional for your specific situation.

Accessibility (WCAG 2.2 AA)

KoNote is built with accessibility as a core requirement, not an afterthought:

  • Semantic HTML structure with proper heading hierarchy
  • Full keyboard navigation with WAI-ARIA roving tabindex patterns
  • WCAG 2.2 AA colour contrast compliance
  • Touch target sizes meeting WCAG 2.5.8 minimum (24px)
  • Screen reader compatible — WAI-ARIA roles for menus, tabs, and interactive elements
  • Skip navigation links on every page
  • axe-core automated accessibility tests integrated into CI pipeline
  • Service worker provides graceful offline fallback

Security Limitations

Being honest about what KoNote cannot do:

No Encrypted Search

Encrypted fields cannot be searched using SQL queries. Participant search loads accessible participants into memory and filters in Python. This works well up to ~2,000 participants but may slow down at larger scales.

Staff MFA via SSO Only

Staff local authentication doesn't include MFA. If you need staff MFA, use Azure AD SSO, which supports your organisation's MFA policies. The participant portal has built-in MFA (TOTP authenticator app or email verification codes).

No Automatic Intrusion Detection

KoNote logs access but doesn't automatically alert on suspicious patterns. You need to review audit logs periodically or integrate with external monitoring tools.

Questions About Security?

The technical documentation has more detail on security implementation. For organisation-specific questions, consider professional consultation.

Technical Documentation Professional Services