The odk support becomes a user with admin rights despite being repeatedly retired

directorccpa · October 26, 2021, 2:21am

I see one user named support@getodk.com in my user list.
it has a site wide administrator role assigned to it.
I change its role to none.
after few days, I am surprised to find it again with the admin role assigned.
I repeat the previous action, but only for a few days before it automatically shifts back to admin role.
this time I Retire the support user.
But to my surprise, it again appears and with the same ADMINISTRATOR role!.

Its security concern!

2. What app or server are you using and on what device and operating system? Include version numbers.

3. What you have you tried to fix the problem?

4. What steps can we take to reproduce the problem?

5. Anything else we should know or have? If you have a test form or screenshots or logs, attach below.

yanokwa · October 26, 2021, 4:27am

When you use a hosted service, the provider typically has some level of access to your account in order to provide and support the service.

In your case, you are using ODK Cloud and we detail the level of access in the Business Agreement you agreed to. The relevant language is:

ODK and its Sub-processors will only Process Customer Data to provide the Services and to fulfill ODK's obligations under the Agreement.

We make this reality transparent by showing support@getodk.org as an administrator because it is that account that provisioned the other administrators and does upgrades, backups, and the like.

Access to this provisioning user is tightly controlled by the technical and organizational measures outlined in Appendix 2 of the ODK Cloud Data Processing Agreement.

Typically, we will not access your account unless you give us permission or we are required to access the account as part of an abuse or fraud investigation.

If you do not trust the measures described above, you can enable managed encryption for even more data security.

If none of this is acceptable to you, you can always self-host and we provide detailed instructions to do that at https://docs.getodk.org/central-install/. Note that if you self-host on any of the popular cloud providers (e.g., Digital Ocean), they have similar access to your account and similar policies about that access.