Created by OrgPad Info
Explore FAQs about OrgPad security, data integrity, and confidentiality! Find out how we protect your privacy, ensure GDPR compliance and more for a secure experience.
By default, your profile remains private and hidden from others. But there are times when others can see your profile:
They can see the following details:
The only exception: if you contact someone through their profile, we send the message on your behalf. The receiver will be provided with your name and email address.
They can see your:
Anyone can share an OrgPage with you if they know your email address or send you a link.
By default, all your content is private. If you want to make an OrgPage public, you have to explicitly publish it in the share dialog. You will be asked for confirmation before publishing.
If you have found content that violates any of the terms and conditions of OrgPad usage, please do contact us.
We do our very best to ensure that OrgPad and your data are safe. However, nothing in the real world is 100% secure. Even the biggest and best companies make mistakes and have experienced breaches.
Should we detect that any data has been accessed without authorization, we will make sure to communicate what has happened as soon as possible. Should you suspect that OrgPad or your data has been hacked, please do contact us immediately at the email provided here.
Please consult the human-readable Privacy policy.
Google search (or any other crawler) can access public or even indirectly publicly shared OrgPages and extract any information provided or linked there.
For instance, if you share an otherwise private OrgPage using the link for reading on your blog or in a social media post, people, bots, or crawlers will be able to access the contents of the OrgPage.
In the share dialog, you can reset share links. Beware that people, bots, or crawlers might have already copied your OrgPage.
We use the Google Workspace SMTP relay service to send out automatic emails and Google Workspace for the personally written ones. Because of how email works, Google can see the email addresses, subject, and contents of each email sent. The connections from our servers and clients to Google are carefully encrypted.
Google has a robust, well-known email infrastructure. Currently, we could not do a better job, because of how SPAM filtering and email reputation work.
Another instance where you already share information with Google is when you use “Login with Google” OAuth2 authentication. We only use your first and last name, email, and profile picture when Google confirms your identity.
We treat everyone’s data with the same care as if it were our own most sensitive information. To ensure that these are not just empty words, we actually store our most sensitive data in OrgPad. We trust that our careful approach to programming and defensive infrastructure setup meets high security standards.
We use battle-tested libraries from the Clojure/ClojureScript ecosystem that are quite foreign to most potential attackers. For the rest, we rely on Debian GNU/Linux, nginx, MinIO, PostgreSQL, and other well-known projects with a solid track record.
We use encrypted workstations and exclusively public key cryptography for SSH, and password managers for the rest. We only have highly trustworthy people on our team.
First of all, the password actually isn't stored anywhere. We only store a cryptographic fingerprint of the password (and a known “salt”) called a hash, as is the current best practice.
The technical implementation we use is the pbkdf2+blake2b-512 algorithm with 50k iterations and a 12-byte random salt.
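The scheme named above, as an added example in Python that is not OrgPad's own code. It assumes the PRF is HMAC-BLAKE2b-512 and that the full 64-byte output is stored; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # iteration count stated on the page
SALT_BYTES = 12      # salt length stated on the page
DKLEN = 64           # assumption: the full 512-bit output is kept


def pbkdf2_blake2b(password: bytes, salt: bytes,
                   iterations: int = ITERATIONS) -> bytes:
    """PBKDF2 (RFC 8018) with HMAC-BLAKE2b-512 as PRF, single output block."""
    prf = hmac.new(password, digestmod=hashlib.blake2b)  # keyed once, copied below

    def f(data: bytes) -> bytes:
        h = prf.copy()
        h.update(data)
        return h.digest()

    u = f(salt + (1).to_bytes(4, "big"))  # U1 = PRF(P, S || INT(1))
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):       # T = U1 xor U2 xor ... xor Uc
        u = f(u)
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(DKLEN, "big")


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash); a fresh random salt is drawn for every password."""
    salt = secrets.token_bytes(SALT_BYTES)
    return salt, pbkdf2_blake2b(password.encode("utf-8"), salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2_blake2b(password.encode("utf-8"), salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    salt, stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, stored))
    print(verify_password("wrong guess", salt, stored))
```

Because the salt is random per password, two users with the same password get different stored hashes, so one precomputed table cannot be reused across accounts.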
You can check if your email or password leaked somewhere using the renowned site Have I Been Pwned by Troy Hunt.
Nobody, at least not until you make something public or give somebody permission or a link to your content.
Public websites and social media are regularly scraped for links. If you or anyone else has shared a link to your content there, it can potentially be accessed.
No, the URLs are not guessable, even in their shortened form. For more details, read about the two kinds of links that exist in OrgPad.
Of course, you can reset sharing links if you don't want to share something anymore with the people you gave the OrgPage link to. This will generate new tokens and new short links (one for reading and another one for editing).
In general, this is a tough request, and we will be quite hesitant to grant access to anybody's account without substantial evidence that it is a legitimate request. We might err on the side of caution and not grant the access because, in most cases, we will be unable to verify the evidence with an independent authority.
We recommend solving issues related to digital inheritance, substitution, etc., in advance.
Please note that some of your data might stay in backups. You have the right to request the deletion of such data, after which we will not be able to recover anything.
https://orgpad.info/o/AElCAEeQNAEa-cIfEv2F1w?token=Bvf9R8wgZMFpWLpwkfLwUX
This URL has two parts:
These are UUIDs in BASE64 URL safe form with no padding. The two correspond to these UUIDs:
In fact, you can write the URL like this as well:
If the OrgPage is private, you need either ownership or permission to access it. You can also use a token for access. Both UUIDs together give 244 random bits, as we use UUIDv4, which has 122 random bits out of the total of 128 bits, which amounts to 5 undecillion or 5 316 911 983 139 663 491 615 228 241 121 378 304 or ~5.31 * 10^36 combinations. It's practically impossible for anyone to guess a single UUID, even after a million tries. If they tried that many, we would certainly notice.
https://orgpad.info/s/MnmKZbTnu_v
This link still contains 11 BASE64 characters, having 66 random bits. This amounts to 73 quintillion or 73,786,976,294,838,206,464 or ~7.37 * 10^19 combinations, which cannot be guessed even if somebody tried a billion (10^9) combinations per hour. On average, it would take 168 years to find the first valid URL. Of course, if somebody attempted so many bad URLs, we would notice and block these efforts.
YouTube uses a similar approach even for unlisted videos. You can see an explanation here: https://www.youtube.com/watch?v=gocwRvLhDf8
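The link encoding and guessing estimates described above, as an added Python example that is not OrgPad's own code. The function names are hypothetical, the UUID is generated at run time, and the count of 50,000 live short links is a constructed assumption, not a figure from the page.

```python
import base64
import uuid

V4_RANDOM_BITS = 128 - 4 - 2   # UUIDv4 fixes 4 version bits and 2 variant bits
SHORT_LINK_BITS = 11 * 6       # 11 base64url characters, 6 bits each


def uuid_to_b64(u: uuid.UUID) -> str:
    """Encode 16 UUID bytes as 22 base64url characters without '=' padding."""
    return base64.urlsafe_b64encode(u.bytes).rstrip(b"=").decode("ascii")


def b64_to_uuid(text: str) -> uuid.UUID:
    """Inverse of uuid_to_b64: restore the padding, then decode."""
    if len(text) != 22:
        raise ValueError("expected 22 base64url characters")
    return uuid.UUID(bytes=base64.urlsafe_b64decode(text + "=="))


def expected_years(bits: int, live_links: int, guesses_per_hour: float) -> float:
    """Mean time until a random guess hits any one of `live_links` valid values.

    Each guess succeeds with probability live_links / 2**bits, so the
    expected number of guesses is the reciprocal of that probability.
    """
    expected_guesses = 2**bits / live_links
    return expected_guesses / guesses_per_hour / (24 * 365)


if __name__ == "__main__":
    u = uuid.uuid4()  # constructed sample identifier
    encoded = uuid_to_b64(u)
    print(u, "->", encoded, "->", b64_to_uuid(encoded))
    print("bits in id + token:", 2 * V4_RANDOM_BITS)
    # 50,000 live links is an assumed value used only for this estimate.
    print("years:", round(expected_years(SHORT_LINK_BITS, 50_000, 1e9)))
```

The more valid links exist, the sooner a random guess hits one of them, which is why the estimate depends on the assumed link count as well as on the token length.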
It is highly unlikely. If you think you have lost any data or there are consistency concerns, do not make any changes to your OrgPages or the account.
Avoid even moving the canvas and contact us immediately at support@orgpad.info
OrgPad is currently not specifically designed to store classified information or to fulfill other specific regulatory and compliance requirements of government agencies at the national, state, and local level. Such requirements might also apply to contractors, educational institutions, and other customers that work with potentially sensitive information.
Examples where certifications might be needed include:
If you need a specific certification to be able to use OrgPad, please contact us. We might be able to obtain a certification for the public version or install your own instance of OrgPad on your premises in your datacenter.
An instance in your own data center might fulfill your needs without recertification.
We only share information with Facebook when you use “Login with Facebook” OAuth2 authentication. We only use your first and last name, email, and profile picture when Facebook confirms your identity.
The core team of OrgPad consists of three people. Pavel and Kamila also own ⅔ of the shares in the company OrgPad s.r.o., which runs OrgPad.
OrgPad support email: support@orgpad.info
To download EDN append /download to the path like this:
Download files/images by clicking on Download all:
You can also achieve the same result by appending /download-attachments to the path like this:
Please contact us for more specific data, such as:
Please note that retrieving this data might take an extended amount of time and effort and may require technical skills on your part to be useful.
All data is stored in Germany. The data centers we use are at least ISO27001 certified.
OrgPad has not undergone a HIPAA compliance audit.
We entrust our health records to OrgPad, and medical staff usually appreciate the overview it provides because it saves time and reduces uncertainty.
OrgPad does not handle credit card information. Credit card information is handled by Stripe.com, which fulfills all the usual certifications, such as PCI-DSS.
Currently, only the core team has access to the underlying storage systems.
We regularly test backups by recovering them to a new database.
For the database, we use fast in-server storage. This should be quite reliable, but if the server breaks, it could result in a few minutes of lost work and some downtime until we recover from a backup. Currently, we perform an encrypted database dump every 15 minutes.
For files, images, and videos, we use a distributed filesystem on 3 different servers. This is moderately performant but should be very reliable. Files, videos and images are backed up every 4 hours.
Additionally, every day, Hetzner takes a backup snapshot of the main infrastructure.
The provider has a DIN ISO/IEC 27001 certification.
secure connection using SSH
Print to PDF using this guide.
We use the German provider Contabo purely as storage space that is physically and administratively separate from the production provider. All data and metadata are already encrypted there.
Every 4 hours, the data such as database dumps, files, videos, and images from the main server are copied to this server for backup. All this data is stored on a distributed filesystem on 3 different servers. After the data has been copied, it is encrypted and transferred to the disaster recovery storage.
The provider has a DIN ISO/IEC 27001 certification.
We currently use IndexedDB for storing information like the precalculated sizes of cells in an OrgPage. This improves performance but contains no relevant user data. However, this will change in the future if we introduce an offline mode, as we will need to store the data somewhere until it can be safely synchronized with the server.
In the OrgPad application, we only use first-party functional cookies. These cookies are necessary for the application to work properly.
To download the OrgPage as a single, plain HTML file, you can use command line tools like curl/wget or create a custom device in your web browser developer tools with a User Agent String containing:
Once you have activated the custom device, reload the page, and you will get a screenshot of the OrgPage and the contents of all cells as plain HTML. You can then save this page.
Details about the developer tools can be found in this guide.
Download the large image/screenshot of the OrgPage:
or the small image/preview of the OrgPage:
We use:
You can verify this information in your web browser's developer tools and delete the cookies there. Also, you can use a private browser session, which automatically deletes all cookies after you close the window.
We use the Lithuanian provider Time4VPS as a secondary storage space where all data and metadata are already encrypted.