

NOTE:

VP of privacy is needed.  


Hi Apache Software Foundation Community, 

This document outlines the selected process to launch the Community Survey 2022. 

Selected Distribution Process 

The 2022 ASF Community Survey is intended to be completed by committers, contributors, and users of any Apache Software Foundation project. We decided to distribute it using the following criteria:

  • Committers - We'll send a personalized email to each apache.org email address with a unique link to take the survey. The responses will be 100% anonymized, unless the individual specifically shares their contact information and gives permission to be contacted again to continue the research. 
  • Contributors and Users - We'll ask PMCs to directly invite their contributors and users to take the survey by sending notes to their mailing lists. The invite will have a universal link that anyone can use to take the survey. All records will be anonymized. 

Below is a description of the software selected for the survey, as well as the Privacy Policy followed. 

Technology Selected 

First and foremost, The Apache Software Foundation entered a very powerful contract with Bitergia for this project, which includes a clear and extensive GDPR annex. The ASF owns the data; we are only contracting with Bitergia to do the analysis of the input received via LimeSurvey, the selected technology to host the survey and receive anonymized responses. Bitergia does not have access to PII.

Bitergia has purchased a License from LimeSurvey that enables our survey to receive up to 10k responses. 

LimeSurvey provides a tool that allows the V.P. of D&I to send emails with individualized URLs, but neither LimeSurvey nor Bitergia has access to the email addresses the invite will be sent to. 

We selected LimeSurvey as the platform to execute the 2022 ASF Community Survey. LimeSurvey is "the worldwide leading open source survey software" (Licensed: GPL v2 or later). We further selected LimeSurvey GmbH as the SaaS provider. Due to the provider being German, the data protection Terms of Service are excellent and follow BDSG, TKG, and GDPR. (See https://www.limesurvey.org/policies/terms-conditions, Section 10: Data Protection). As is typical of the strong German data protection laws, the privacy policy is excellent as well: https://www.limesurvey.org/policies/privacy-policy

LimeSurvey is an open source project which is over 15 years old (though admittedly there was a complete rewrite in 2012). Here is their bug tracker: https://www.limesurvey.org/community/bug-tracker  LimeSurvey currently has 1.3k stars on GitHub: https://github.com/LimeSurvey/LimeSurvey. There are no currently published security advisories on the project. The list of security vulnerabilities can be found here: https://www.cvedetails.com/vulnerability-list/vendor_id-6900/Limesurvey.html  The known vulnerabilities are apparently all addressed in the most recent release of the software.

(Myrle Krantz's contribution)

Launch Schedule

  1. Blogpost on survey published (Target date: )
  2. Survey Launch to Committers (Target date: )
  3. Send an ask to pmcs@apache.org to promote in their comms channels (Target date: )
  4. Publish social media messages (Target date: )
  5. Send reminders to individuals (Target date: )


NOTE: Reminders have been removed from the survey outreach plan. We won't be sending any more messages to committers@; all mentions of reminders have been struck out. 

Privacy Policy

The Apache Software Foundation has a contract with Bitergia that specifically says that information will be handled following the ASF privacy policy, and that results will only be used to further the goals of The Apache Foundation.

In order to be GDPR compliant, we will only contact apache.org email addresses, which implies that their users have given the ASF permission to use them for contacting them on topics related to the ASF. Further, we will announce in a blog post that this survey will take place, and participation is opt-in only. We will inform the community members of the processing and offer them a way to opt out.

GDPR Checks - WIP

☐ ASF, acting as Data Controller, has a legitimate interest in analysing the data accessed during a Bitergia analysis.

  • Yes. For gaining insight into aspects related directly or indirectly to software development in the analysed FOSS projects, including:
    • Sustainability and resiliency of the projects
    • Performance, including the performance and efficiency of the many processes related to software development.
    • Community, including aspects such as diversity, involvement, onboarding and exiting.

☐ We have informed the community about the analysis and its purpose

☐ We have considered whether we can offer an opt-out.

☐ The subject matter and duration of the processing

  • Yes. DPA clause 4.1

☐ The nature and purpose of the processing.

  • Yes. DPA clause 4.1

☐ The types of personal data and categories of data subjects

  • Yes. DPA clause 4.1

☐ The obligations and rights of the controller

  • Yes. DPA clause 4.4

☐ Require that processors process personal data only on documented instructions from the controller (unless required to do otherwise by law)

  • Yes. DPA clause 4.5(a)

☐ Require that processors transfer personal data internationally only on documented instructions from the controller (unless required to do otherwise by law)

  • Yes. DPA clause 7

☐ Require that processors ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

  • Yes. DPA clause 6

☐ Require that processors take all measures required pursuant to Article 32 (Security of Processing), which includes the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk

  • Yes. DPA clause 6

☐ Require that processors obtain authorization from the controller before engaging a subprocessor and provide notice to the controller of any intended changes concerning the addition or replacement of processors, thereby giving the controller the opportunity to object to such changes

  • Yes. DPA clause 6

☐ Require the processor to contractually flow down the same data protection obligations in its contract with the controller to all subprocessors and hold the processor fully liable to the controller for the subprocessors’ performance of such data protection obligations

  • Yes. DPA clause 6

☐ Require that processors assist the controller by appropriate technical and organizational measures in responding to data subject rights requests

  • Yes. DPA clause 4.4(a)

☐ Require that processors assist the controller in responding to a data breach (including but not limited to complying with breach notification obligations)

  • Yes. DPA clause 8

☐ Require that processors delete or return all personal data to the controller, at the choice of the controller, after the end of the provision of services relating to the processing (unless continued storage is required by law)

  • Yes. DPA clause 4.5(e)

☐ Require that processors make available to the controller all information necessary to demonstrate their compliance with their Article 28 obligations and allow for and contribute to audits conducted by or at the request of the controller

  • Yes. DPA clause 4.5(f)

☐ Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.

  • Yes. DPA clause 4.5(i)

☐ Respond to the legal rights established by the GDPR 

  • Yes. DPA clause 5

FAQs

Will there be a message to committer@ explaining that they will receive a subsequent message?

Yes, we will add a sentence in the first email saying that we will send one reminder to take the survey if they haven't done so two weeks after the first invite. 

What is the content of the message to developers soliciting their participation in the survey?

See the full communications plan: 2022 ASF Community Survey - Communication plan

Who will be the from: address on the message?

Katia Rojas <katia@apache.org>

LimeSurvey will be configured to send emails via Apache's SMTP server.

Will there be a personalized link to the survey?

Yes, each individual receiving the invite directly from LimeSurvey will have a unique link that can be used only once. This doesn't compromise anonymity when taking the survey, since we are not correlating answers to unique links. 

Having a unique link helps provide opt-outs from reminders. 

How will non-Apache-id holders be able to request a survey?

We will reach non-committers via three channels: blog posts on the official apache.org blog and the D&I blog, social media snippets, and an email shared with PMCs and PPMCs to forward through their user and dev lists. These messages will contain a universal link to the survey, and anyone who has that link can fill it in. 

What will be done with the results?

The results will be analyzed by Bitergia, and will be used to inform the design of the contributor experience interviews. We'll publish a plan for these interviews two weeks after the survey launches. 

Bitergia will also produce a report with aggregated results, similar to what we posted about the 2016 survey run by ComDev (2).

Does this process conform to GDPR requirements?

Yes. In order to be GDPR compliant, we will only contact apache.org email addresses, which implies that their users have given the ASF permission to use them for contacting them on topics related to the ASF. Further, we will announce in a blog post that this survey will take place, and participation is opt-in only.
