Fedia.io is a service running Kbin and is part of a federated network of servers called the fediverse. Fedia.io is intended to facilitate a community around the information security discipline, as well as those who are interested in security. You can reach us by contacting firstname.lastname@example.org if you have any questions, need to submit a request, want to file a complaint, or otherwise have thoughts. We are also reachable on Fedia.io using the username @support.
Please note that the following information only pertains to the Fedia.io service. Access to the Fedia.io service through 3rd party apps may have additional data privacy terms. Fedia.io does not control or manage any 3rd party apps. Contact the manufacturer of such apps for additional information.
Fedia.io is a social media service designed to let you communicate with others. It processes basic personal information required to deliver the service. Your interactions with the site are temporarily recorded in system logs. Fedia.io requires a password and email address for the purpose of authenticating that you are the legitimate owner of your account. Fedia.io uses authentication cookies that enable you to use the service. Fedia.io will send emails upon registration and at other times as requested by you. The data you post or upload to Fedia.io remains available in the service until you delete it. Personal information that you post will, by design, propagate out to other fediverse instances which Fedia.io does not and cannot control. Due to the public nature of information posted to Fedia.io, this service is not appropriate for processing sensitive personal information. This site uses reasonable security measures to protect data stored in the service.
Fedia.io does not sell or account data to 3rd parties. Due to the open nature of fediverse software such as Mastodon used by Infosec.Exchange, 3rd parties may be able to scrape or collect publicly available information from available APIs. Additional information may be found here.
Fedia.io stores a session-based cookie with an identifier in the browser of unregistered and registered site visitors until the browser is closed. This is done to ensure a secure (https) connection and allow general functionality on the site.
For registered users, the cookie stores your logged-in status until you log out. This cookie is stored for a year. These cookies are strictly necessary for the site to function properly.
Fedia.io will also process push notifications, popups, and redirects based on your preferences (by clicking Allow/Accept). You can disable these by clicking on the padlock icon at the top of your browser and deselecting these features.
Types of Personal Data Processed by Fedia.io
Fedia.io processes the following types of personal data:
• Registered user information: email address, userid, password, IP address, metadata, subscriptions, and server preferences.
• Profile information: profile picture, bio, display name, profile metadata/hashtags (which may infer details about our users).
• Follower and following information: For registered users on Fedia.io, this includes information about the user's followers and who the user is following. In some cases, this information may include the name, email/contact information (if optionally provided in the public profile description), instance ID, and other profile information as well as publicly-shared posts of follower/following users.
• Content: Posts, DMs, likes, & boosts that are accessible via ActivityPub.
• Website Visitors: IP address, metadata.
• Metadata: Information about the browser or system used to connect to Fedia.io, your machine's operating system, display resolution, web browser and browser version, date of access to the website, and details of your logged-in sessions. If you email us, we may also see email header information.
Note: Fedia.io administrators do have the ability to access any content you publish through Fedia.io, including private or direct messages (DMs). DMs are recorded temporarily in our application logs and stored in our database until deleted by the user. We have access to the database and logs. DMs will only be read for the purpose of debugging technical issues with the site or in response to a complaint of a rule violation involving DMs or because of a valid court order.
Just to be safe, avoid sharing sensitive information via DMs. Use Signal, email, or some other encrypted channel.
Metadata in Media Files
Media files, such as images and videos, submitted to Fedia.io have metadata, such as Exif information, stripped as part of processing.
Purposes for processing data
The personal data described above is required to make the service work.
Registered user information is necessary to provision and administer accounts.
Profile information is provided by you and can be as much or as little as you desire. The same goes for follower/following information and content. If you include sensitive or special category data in your profile information, such as details about your race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or health information, or details about your sexual orientation or sex life, you are, legally-speaking, manifestly making this information public, which is a very lawyerly way of saying “it’s on you.” The service is designed to share that data freely.
IP address and other machine identifiers are collected by default by Fedia.io, for the purposes of allowing mods to block/disable access to instances, detecting and responding to security incidents, rendering the site properly on different devices, and to facilitate the connectivity that allows the site to operate across the internet.
Because the Fediverse (including other instances of Mastodon, and related platforms) is, in effect, a network of independently operated databases sharing data with one another, personal data is stored in databases (both a Postgres database that we control on Hetzner, and other databases controlled by other instance admins).
Some information (such as user access, registration, errors, etc.) is also stored in separate Linux system logs. These logs serve the purpose of maintenance and security of the server and are removed after 4 weeks.
Legal basis for processing data
We rely on consent obtained by the user's (third-party) ActivityPub service for processing follower information, posts, DMs, likes, & boosts. We also rely on your consent granted when you create an account, update your profile, post, contact us via the email@example.com email address or follow users on this instance.
In the unlikely event that you do something that violates the terms of service, we rely on legitimate interests for subsequent processing (i.e., account suspension, deletion, or if necessary, reporting to authorities). If we are served with a legal order requiring us to provide information relating to you in connection with suspected or alleged misuse of the service, we will validate the legitimacy of the order prior to complying with it. In most instances, we will comply with valid legal orders, and our lawful basis will be the necessity to comply with a legal obligation. In exceptional circumstances, we reserve the right to seek the aid of legal defense to challenge the order.
Please don't let it come to that.
We rely on contractual necessity and legitimate interests to host this instance and deal with emails. We have a standard hosting agreement in place with Hetzner for hosting in Germany and Finland.
Retaining your data
In the Preferences section of your account, you can set an automatic deletion period for your posts, likes, and boosts. This will delete posts from your home instance. However, if your posts have been copied, liked, or boosted by other users onto other instances, your deletion preferences may not always be honored by the administrators of other instances which may have received a copy of your posts or profile information.
Similarly, if you have a DM conversation with a user on another instance, and you delete your DM records, this does not necessarily delete the record of the conversation held by the other user.
Fedia.io stores profile information, likes, boosts, posts, images, and DMs in a database and in backups. Fedia.io does not disable or remove accounts after a period of inactivity, so if you create an account here, it will remain in our database, along with the aforementioned data, until:
• you choose to delete it;
• we delete the account manually;
• we delete the instance;
• something really bad happens that causes data loss
Log data produced by the Mastodon software and the Nginx web servers contain IP address information, timestamps, and other telemetry about your connection and session typically seen in Linux syslog, access.log, and error.log files. The Fedia.io server automatically purges logs after 4 weeks to make optimal use of server space. Log information is not backed up.
Exercising your rights
All rights can be directly exercised through the Fedia.io service, including:
• Correcting your profile information, posts, DMs and so on. You can also change your profile information directly at any time by going to Settings → Profile and making changes there.
• Requesting a copy of the data stored about you. In terms of the right of portability, you can download your data as .json and .csv files by going to Settings → Import/Export → Data Export and downloading your data. It's probably a good idea to do this periodically. Further information is available here.
• Implementing limits of who can view certain aspects of your profile and post data. Further information is available here.
• Deleting your account and all information it contains. Further information is available here.
• In the event you have technical difficulties with the above self-directed facilities, you may contact us for assistance by sending an email to firstname.lastname@example.org.
• Depending on where you reside, you may also have the right to lodge a complaint with a Supervisory Authority.
Data Protection Measures
Other than personal data intended for public consumption, such as profile information and posts, personal data processed by Fedia.io is accessible only to authorized administrators and moderators by means of logical access controls. In addition to limited access, the following additional security measures are in place:
• strong, robust identity management & authentication, including 2FA for our hosted instance and email;
• reasonable security hardening of Postgres database, Nginx web servers, and other kbin software components;
• daily, redundant backups of instance data;
• encryption in transit (TLS 1.1-1.3, via LetsEncrypt);
• regular security patching
• firewall software
The infrastructure used to host Fedia.io is located in Germany and in Finland at Hetzner facilities. Hetzner is responsible for physical security, power, cooling, hardware support, network and internet connectivity. Object storage, which includes image attachments, videos, and so on, is hosted with BackBlaze. Other than the content of media you may submit, BackBlaze does not have access to personal data. Media is stored in BackBlaze buckets located in the US and in the EU. Media is served to site visitors through the Bunny.net Content Delivery Network, which retains cached copies of media on edge servers in many countries around the world. Bunny.net does not have access to personal information beyond that which is included in media submitted and the IP address information of visitors downloading media files. The geographical location of these hosting services and data backups is subject to change. Notice of such changes will be posted to the @support account. The administrators and moderators of Fedia.io are located throughout the world, including the USA, UK, and Australia. The geographical location of administrators and moderators is subject to change without notice; however, it will not include countries embargoed by the US government.
By posting, your profile information and your content are available globally, so please think twice before posting anything personal, and especially before posting the personal data of anyone else!