Merge branch 'master' into vrapeutic-1131vz0j9gj

digitalpublicgoods/kiva-protocol.json

@@ -0,0 +1,82 @@
+{
+  "name": "Kiva Protocol",
+  "clearOwnership": {
+    "isOwnershipExplicit": "Yes",
+    "copyrightURL": "https://github.com/kiva/aries-guardianship-agency/blob/master/LICENSE"
+  },
+  "platformIndependence": {
+    "mandatoryDepsCreateMoreRestrictions": "No",
+    "isSoftwarePltIndependent": "",
+    "pltIndependenceDesc": ""
+  },
+  "documentation": {
+    "isDocumentationAvailable": "Yes",
+    "documentationURL": [
+      "https://protocol-docs.web.app/"
+    ]
+  },
+  "NonPII": {
+    "collectsNonPII": "No"
+  },
+  "privacy": {
+    "isPrivacyCompliant": "Yes",
+    "privacyComplianceList": [
+      "National Civil Registration Authority Act (Sierra Leone)"
+    ],
+    "adherenceSteps": [
+      "As described previously, Kiva Protocol follows 'privacy by design' principles, including data minimization, non-correlation, and user control/ selective disclosure. And of course, no PII is ever written to the ledger. However, for any given implementation it remains up to our government partners to define their own governance policies and determine their compliance with all relevant laws.  Therefore all terms of service, privacy policies, etc. are defined on a project basis. \nInter-agency data sharing between the National Civil Registration Authority and the Bank of Sierra Leone is permitted under the National Civil Registration Authority Act.  Additional regulations governing the use of the eKYC platform to facilitate new account onboarding and customer due diligence are being developed by the Bank of Sierra Leone. A broader initiative to develop a consumer protection regime in Sierra Leone - which may include privacy and consumer financial protection - is being conducted by UNCDF with support from Innovations for Poverty Action (IPA)."
+    ]
+  },
+  "standards": {
+    "supportStandards": "Yes",
+    "standardsList": [
+      "Developers for this project have been active in the development of the W3C Verifiable Credentials specification, the W3C Decentralized Identifier specification, the DIDComms specification incubated at the Decentralized Identity Foundation, and other identity communications specification work hosted in the Aries RFC repository. Test support work is ongoing, as many of these specifications are still in incubation and evolving."
+    ],
+    "implementBestPractices": "Yes",
+    "bestPracticesList": [
+      "Kiva Protocol has been awarded the ID2020 Certification Mark, and won the World Bank ID4D’s Mission Billion Challenge Global Prize. Its design and operational model embodies best practices around privacy, agency, and open and standards-based technologies, and specifically adheres to the ID4D Principles of Identification.  Though it isn’t formally measured, the community also actively seeks to support Privacy by Design and principles of data minimization and non-correlation so that users can have confidence sharing data between issuers. The Core Infrastructure Initiative badge is a part of certifying the components of the system that are part of Hyperledger and project results can be found here https://bestpractices.coreinfrastructure.org/en/projects/4088."
+    ]
+  },
+  "doNoHarm": {
+    "preventHarm": {
+      "stepsToPreventHarm": "Yes",
+      "additionalInfoMechanismProcessesPolicies": "The fundamental architecture of the system prevents some of the most common abuses of personal data and privacy. For example, information in the individual's wallet is not accessible without explicit consent by the individual. Privacy is protected through the use of unique identifiers that reduce the possibility of correlation."
+    },
+    "dataPrivacySecurity": {
+      "collectsPII": "Yes",
+      "typesOfDataCollected": [
+        "Identity data previously collected and stored by government identity agencies (e.g., civil registries, birth registries, voter registries, etc.)",
+        "Financial transaction data provided to individual data subjects by their financial service providers"
+      ],
+      "thirdPartyDataSharing": "Yes",
+      "dataSharingCircumstances": [
+        "The personal information held in Kiva Protocol is only shared with third-parties with the express consent of the individual data subject. Even then, the individual has the ability to selectively disclose only those attributes which are necessary for the particular use case, including the ability to use zero-knowledge proofs to disclose a simple 'yes/no' or 'positive/negative' response instead of the actual data itself (e.g., 'Yes' to a query of 'Is over 18?' instead of the actual date of birth).",
+        "Kiva Protocol currently allows individual data subjects to: \n1) share identity credentials with a financial institution or government agency, \n 2) share credit history or other financial transaction records with a financial institution or government agency, \n 3) share data with other individuals in a peer-to-peer manner. No data is shared with third-parties without the express consent of the individual data subject."
+      ],
+      "ensurePrivacySecurity": "Yes",
+      "privacySecurityDescription": "Kiva Protocol stores identity data previously collected and stored by government identity agencies (e.g., civil registries, birth registries, voter registries, etc.). It also stores financial transaction data provided to individual data subjects by their financial service providers. Holding these data in Kiva Protocol’s cloud-based digital wallet infrastructure typically provides higher levels of privacy and security than the on-prem or hybrid databases maintained by identity agencies in Kiva partner jurisdictions. Each data subject wallet is encrypted with its own key. A defense in depth approach is used throughout the architecture to ensure that no one failure can compromise the entire system. This includes, but is not limited to, a Web Application Firewall, separation of duties, regular dependency patching, and security monitoring. In addition, we run regular security audits to find and address vulnerabilities in our configuration, software and architecture. The last audit used ioActive."
+    },
+    "inappropriateIllegalContent": {
+      "collectStoreDistribute": "No"
+    },
+    "protectionFromHarassment": {
+      "userInteraction": "No",
+      "addressSafetySecurityUnderageUsers": "",
+      "stepsAddressRiskPreventSafetyUnderageUsers": [
+        ""
+      ],
+      "griefAbuseHarassmentProtection": "",
+      "harassmentProtectionSteps": [
+        ""
+      ]
+    }
+  },
+  "locations": {
+    "developmentCountries": [
+      "United States of America"
+    ],
+    "deploymentCountries": [
+      "Sierra Leone"
+    ]
+  }
+}

digitalpublicgoods/rapidpro.json

@@ -0,0 +1,103 @@
+{
+  "name": "RapidPro",
+  "clearOwnership": {
+    "isOwnershipExplicit": "Yes",
+    "copyrightURL": "https://github.com/rapidpro/rapidpro#license"
+  },
+  "platformIndependence": {
+    "mandatoryDepsCreateMoreRestrictions": "No",
+    "isSoftwarePltIndependent": "",
+    "pltIndependenceDesc": ""
+  },
+  "documentation": {
+    "isDocumentationAvailable": "Yes",
+    "documentationURL": [
+      "Technical documentation: https://rapidpro.github.io/rapidpro/docs/",
+      "API Explorer: https://rapidpro.io/api/v2/explorer/",
+      "FAQs: https://community.rapidpro.io/faqs/"
+    ]
+  },
+  "NonPII": {
+    "collectsNonPII": "Yes",
+    "checkNonPIIAccessMechanism": "Yes",
+    "nonPIIAccessMechanism": "RapidPro has an extensive API and raw data export (via CSV, JSON) that enables an authorized user or service to extract/access data stored within the platform."
+  },
+  "privacy": {
+    "isPrivacyCompliant": "Yes",
+    "privacyComplianceList": [
+      "GDPR"
+    ],
+    "adherenceSteps": [
+      "UNICEF RapidPro is aligned to the the General Data Protection Regulation (GDPR). RapidPro is designed to be interoperable with external systems and deployed in any hosted environment. This allows governments and organisations to either deploy RapidPro locally so that data is kept internal, or integrating RapidPro with a preferred system for storing information."
+    ]
+  },
+  "standards": {
+    "supportStandards": "Yes",
+    "standardsList": [
+      "REST",
+      "JSON",
+      "CSV"
+    ],
+    "evidenceStandardSupport": [
+      "https://rapidpro.github.io/rapidpro/docs/components/"
+    ],
+    "implementBestPractices": "Yes",
+    "bestPracticesList": [
+      "Principles for Digital Development."
+    ]
+  },
+  "doNoHarm": {
+    "preventHarm": {
+      "stepsToPreventHarm": "Yes",
+      "additionalInfoMechanismProcessesPolicies": "UNICEF recommends the cloud hosting option, this is the most cost effective, reliable, and secure option. Technically, the global LTA vendor and hosting provider could access the data, but they are contractually bound by the Data Protection Provision to refrain from viewing or copying any CO data without consent. \n https://docs.google.com/document/d/1kmFgABHgksd8cSbZ743M7_wFA0cWahbJ2glp1kMeLF8/edit#heading=h.nj3bw1n0zk2q"
+    },
+    "dataPrivacySecurity": {
+      "collectsPII": "Yes",
+      "typesOfDataCollected": [
+        "Data collected by RapidPro may or may not include PII depending on the use case being deployed. \nThe only data required to operate the platform is a unique identifier specific to the communication channel being used (e.g SMS, WhatsApp, Telegram). However, these unique identifiers are not necessarily PII."
+      ],
+      "thirdPartyDataSharing": "Yes",
+      "dataSharingCircumstances": [
+        "Data collected by RapidPro may or may not include PII depending on the use case being deployed. \n\nThe only data required to operate the platform is a unique identifier specific to the communication channel being used (e.g SMS, WhatsApp, Telegram). However, these unique identifiers are not necessarily PII."
+      ],
+      "ensurePrivacySecurity": "Yes",
+      "privacySecurityDescription": "User information will never be publicly available and the option exists to hide contact information on RapidPro. Unfortunately, there is no such thing as true data protection, even when data is locally stored and hosted in a country. However, UNICEF RapidPro has worked hard to ensure that the cloud hosting is very secure, and one of the benefits of cloud hosting is automatic data and security upgrades and patches."
+    },
+    "inappropriateIllegalContent": {
+      "collectStoreDistribute": "No",
+      "type": "",
+      "contentFilter": "",
+      "policyGuidelinesDocumentationLink": "",
+      "illegalContentDetection": "",
+      "illegalContentDetectionMechanism": ""
+    },
+    "protectionFromHarassment": {
+      "userInteraction": "No",
+      "addressSafetySecurityUnderageUsers": "",
+      "stepsAddressRiskPreventSafetyUnderageUsers": [],
+      "griefAbuseHarassmentProtection": "",
+      "harassmentProtectionSteps": [
+        ""
+      ]
+    }
+  },
+  "locations": {
+    "developmentCountries": [
+      "Rwanda",
+      "United States of America"
+    ],
+    "deploymentCountries": [
+      "Bangladesh",
+      "India",
+      "Jordan",
+      "Malawi",
+      "Nepal",
+      "Pakistan",
+      "State of Palestine",
+      "Sudan",
+      "Swaziland",
+      "Uganda",
+      "Zimbabwe"
+    ]
+  }
+}

digitalpublicgoods/surveillance-outbreak-response-management-and-analysis-system.json

@@ -0,0 +1,99 @@
+{
+  "name": "Surveillance Outbreak Response Management and Analysis System",
+  "clearOwnership": {
+    "isOwnershipExplicit": "Yes",
+    "copyrightURL": "https://github.com/hzi-braunschweig"
+  },
+  "platformIndependence": {
+    "mandatoryDepsCreateMoreRestrictions": "No",
+    "isSoftwarePltIndependent": "",
+    "pltIndependenceDesc": ""
+  },
+  "documentation": {
+    "isDocumentationAvailable": "Yes",
+    "documentationURL": [
+      "https://github.com/hzi-braunschweig/SORMAS-Project/tree/development/docs"
+    ]
+  },
+  "NonPII": {
+    "collectsNonPII": "Yes",
+    "checkNonPIIAccessMechanism": "Yes",
+    "nonPIIAccessMechanism": "Non personally identifiable information (PII) can be imported or exported using the SORMAS API. The SORMAS API has configurations to permit pseudonymized or anonymized data exchange as well as user right configurations."
+  },
+  "privacy": {
+    "isPrivacyCompliant": "Yes",
+    "privacyComplianceList": [
+      "GDPR"
+    ],
+    "adherenceSteps": [
+      "The data collection and management in SORMAS are governed by the General Data Protection Regulation (GDPR) where it applies. The countries using SORMAS are responsible for complying with regulation and local legislation."
+    ]
+  },
+  "standards": {
+    "supportStandards": "Yes",
+    "standardsList": [
+      "REST"
+    ],
+    "evidenceStandardSupport": [
+      "https://github.com/hzi-braunschweig/SORMAS-Project"
+    ],
+    "implementBestPractices": "Yes",
+    "bestPracticesList": [
+      "Principles for digital development"
+    ]
+  },
+  "doNoHarm": {
+    "preventHarm": {
+      "stepsToPreventHarm": "Yes",
+      "additionalInfoMechanismProcessesPolicies": "Data transferred throughout SORMAS API or exported   can be pseudonymized if needed. SORMAS Keycloak is available as an alternative authentication provider to the default authentication method. SORMAS is checked on a yearly basis by an external security audit."
+    },
+    "dataPrivacySecurity": {
+      "collectsPII": "Yes",
+      "typesOfDataCollected": [
+        "Surveillance data (e.g; case, contacts, events, samples, Immunizations, etc) only and fully owed by the public health authorities in the country that uses the tool"
+      ],
+      "thirdPartyDataSharing": "No",
+      "dataSharingCircumstances": [
+        "We the developers of the tool have no access to the data."
+      ],
+      "ensurePrivacySecurity": "Yes",
+      "privacySecurityDescription": "Data transferred throughout SORMAS API or exported can be pseudonymized if needed. SORMAS Keycloak is available as an alternative authentication provider to the default authentication method. SORMAS is checked on a yearly basis by an external security audit. \n https://github.com/hzi-braunschweig/SORMAS-Project/blob/development/sormas-base/doc/keycloak.md \n In addition, there is a configuration in the tool that stakeholders can use to define the read, write, or even complete anonymization access to entities or their PII data for users of the system. \n Since each country setup their own server (either local or cloud), we encourage stakeholders to always go with a solution having a server backup configuration."
+    },
+    "inappropriateIllegalContent": {
+      "collectStoreDistribute": "No",
+      "type": "",
+      "contentFilter": "",
+      "policyGuidelinesDocumentationLink": "",
+      "illegalContentDetection": "",
+      "illegalContentDetectionMechanism": ""
+    },
+    "protectionFromHarassment": {
+      "userInteraction": "Yes",
+      "addressSafetySecurityUnderageUsers": "Yes",
+      "stepsAddressRiskPreventSafetyUnderageUsers": [
+        "The interactions between users and contributors takes place on the GitHub platform mainly. This ensures transparency of the communication. The SORMAS users and contributors consist of public health professionals who are in the age group of the working population (more than 20 years old)."
+      ],
+      "griefAbuseHarassmentProtection": "Yes",
+      "harassmentProtectionSteps": [
+        "https://github.com/hzi-braunschweig/SORMAS-Project/blob/development/CODE_OF_CONDUCT.md"
+      ]
+    }
+  },
+  "locations": {
+    "developmentCountries": [
+      "Germany",
+      "Nigeria",
+      "Ghana",
+      "France"
+    ],
+    "deploymentCountries": [
+      "Nigeria",
+      "Ghana",
+      "Fiji",
+      "Germany",
+      "Switzerland",
+      "France",
+      "Ivory coast"
+    ]
+  }
+}

nominees/kiva-protocol.json

@@ -39,5 +39,5 @@
       "contact_email": "bryanp@kiva.org"
     }
   ],
-  "stage": "nominee"
+  "stage": "DPG"
 }

nominees/rapidpro.json

@@ -44,5 +44,5 @@
       "org_type": "funder"
     }
   ],
-  "stage": "nominee"
+  "stage": "DPG"
 }

nominees/surveillance-outbreak-response-management-and-analysis-system.json

@@ -32,5 +32,5 @@
       "org_type": "owner"
     }
   ],
-  "stage": "nominee"
+  "stage": "DPG"
 }