Digital Security

While web-based technologies can be empowering for civic organizations, governments, and political parties, they can also create new forms of risk to these groups and the citizens who have entrusted them with their information. The personal information of people and internal governmental reports should remain confidential. Election data or lists of citizen complaints must be free of manipulations and spam. Public platforms giving voice to those at risk of censorship must be kept accessible despite attempted censorship from hacking or denial-of-service attacks.

NDI takes its responsibility to protect the data entrusted to our DemCloud hosting platform very seriously.

Supporting Open-Source Communities

Each open-source system distributed through DemTools is a unique and complex piece of software supported by a different community of users and developers. For tools developed by NDI staff or consultants, like Apollo, NDI collaborates with independent security experts to perform an in-depth audit of the code. For externally developed systems, we support the communities behind the projects with third-party assessment and vulnerability testing whenever possible.

NDI takes the obligation to protect the data entrusted to our DemCloud hosting platform very seriously. Our DemCloud infrastructure is hosted on Amazon Web Services, which provides a powerful set of security and systems management tools to keep DemTools stable and secure. NDI monitors alerts for security vulnerabilities, and critical patches are applied as quickly as possible, with standard patches applied on a regularly scheduled basis. DemCloud is also shielded by Cloudflare’s state-of-the-art web application firewall, which provides protection against common types of hacking and denial-of-service attacks. All DemCloud servers are backed up nightly with copies preserved on a rotating basis. These backups are designed for recovery in the event of a catastrophe; generally speaking, individual sites cannot be recovered to restore lost data without special arrangements.

The data in DemCloud servers belongs to the citizens and organizations who put it there. As the system administrators, NDI has access to the data stored on DemCloud, but will never disclose user-contributed information to a third party unless compelled by law. NDI will gather usage metrics and track engagement to better manage services, assess user needs, and inform DemTools donors of the impact of their contributions. Administrative access to DemTools servers is strictly controlled and regularly audited.

Security is a Team Effort

NDI performs holistic risk assessments to determine how best to protect the users of DemTools, and works to inform partners on the range of security threats they face. It is important to recognize that all security systems have flaws, and while NDI exercises due diligence, there is always the risk of a new vulnerability being exploited. As such, we encourage everyone, particularly security experts who want to have a positive impact on global civil society, to support this effort and responsibly disclose their suggestions for improvements to the DemTools programs. We are grateful for community feedback and are committed to rapidly addressing security gaps that are identified.

NDI pledges to communicate proactively with DemTools users to alert them to potential threats or exploits. Furthermore, uncovered issues and vulnerabilities in the various open-source projects in the DemTools suite will be shared with core team members upstream to better protect all users of our open-source communities.

Ultimately, security is a shared responsibility and users must feel empowered to do their part. For this reason, NDI encourages individuals in the DemTools community to practice good digital hygiene, such as using strong passwords, setting up two-factor authentication, responsibly sharing access to web apps, and performing regular software updates on their own computers, all elements that impact the safety of everyone.

Hosting DemTools on Your Own

If you choose to host a DemTools site on your own, please be aware that hosting any web application can be difficult. Be careful to ensure that your users are protected and that you are following best practices to secure your servers and applications—and the people you are serving.

