Implement a push notification service in the application about reach4help HOT 7 CLOSED

Free version is not GDPR compliant from the chart the have.

from reach4help.

Free version is not GDPR compliant from the chart the have.

This requires investigation then before picking a platform, whoever picks this issue, please perform a decision log on it

from reach4help.

I would suggest https://www.twilio.com/notify since we'll have a meeting to get free credits

from reach4help.

I would suggest https://www.twilio.com/notify since we'll have a meeting to get free credits

@webmonger do you have info on this one to see if it's GDPR compliant?
PS: nice suggestion @puzzledbytheweb

Also, did a bit of digging, and in order to use Twilio Web push notifications, we have to create a Firebase Cloud Messaging project (so this is the real push client). So not sure if we should have the extra trouble for doing it in Twilio?

Also, @webmonger do you have legal problems with FCM?

from reach4help.

I think we need some requirements or a functional specification from backend on this feature. I feel like we may be over complicating things a tiny bit here. Is in-house development of this completely out of the question?

This was recently implemented into an app at work. We used firebase. The documentation is very good, and you can actually find a pretty good guide on it written on medium:
https://medium.com/@anum.amin/react-native-integrating-push-notifications-using-fcm-349fff071591

Here is the official latest integration guide for backend: https://invertase.io/oss/react-native-firebase/v6/messaging/quick-start#messaging-quick-start

from reach4help.

Had a productive conversation with David regarding GDPR compliance. Pasting it here for transparency.

`David Alecrim:flag-pt: 18 minutes ago
We can, I just think that the hard part here is not the implementation (I also implemented this kind of features before), the problem here is the compliance regarding GDPR, which is why I'm blocked here

David Alecrim:flag-pt: 17 minutes ago
Either way, it's in the backend board now also

AlexV 4 minutes ago
Alright, so that's a loaded question which goes much further than the reach of this app... While many of the GDPR controls are going to be specific with how the apps control and process EU citizen data, there also needs to be considerations on the organization level as well.
With firebase we are considered the data controller. If we sign the necessary paperwork(which I think is only available on the paid plan), Google is our data processor. If we don’t sign anything with google, we are considered the processor AND controller.
So even with google as our processor, we still can't pass on any GDPR obligations on to Google. They only perform a technical service for us, no organizational and legal services. Their privacy policy is not a dependency or part of our privacy policy. Because we are the controller and they the processor, they may only process the data as we instruct them to, and we are responsible whatever happens.

AlexV 2 minutes ago
GDPR is not so much about ticking boxes like storing data “securely”, but about planning any processing of personal data in accordance with certain principles (like data minimisation, using a proper legal basis, ect (all explained in gdpr text). Following these principles are not something that can be outsourced.

David Alecrim:flag-pt: 1 minute ago
I get your point here, then let's add @wilson Rodrigues and the backend team to the conversation, to see how we will deal with this data flow that is necessary to have

AlexV < 1 minute ago
Maintaining records of processing is only necessary under certain circumstances. The choice of our tech stack does not affect this. Even if you are not required to keep these records, they are a good exercise to make sure you are demonstrably GDPR-compliant.
Also, processing data that is subject to the GDPR in third countries like the US is fine as long as you take suitable precautions. The data processing agreement Google offers to you will likely already list the necessary aspects. Technically, you either need an EU adequacy decision or other suitable safeguards in the data processing agreement contract to transfer data internationally. The US privacy shield is currently recognized as adequate.

AlexV < 1 minute ago
perfect

AlexV < 1 minute ago
I'll actually copy and paste this all into the github ticket.`

FYI: I wrote up this small primer on GDPR for The Progressive Coders Network a few months ago. I think it's a pretty relevant read to this situation. https://docs.google.com/document/d/1bh6SN1nDPwNpYrxKSnC9aIsjs_uG3AyI19iXkJKbyis/edit?usp=sharing

from reach4help.

I think we need some requirements or a functional specification from backend on this feature. I feel like we may be over complicating things a tiny bit here. Is in-house development of this completely out of the question?

This was recently implemented into an app at work. We used firebase. The documentation is very good, and you can actually find a pretty good guide on it written on medium:
https://medium.com/@anum.amin/react-native-integrating-push-notifications-using-fcm-349fff071591

Here is the official latest integration guide for backend: https://invertase.io/oss/react-native-firebase/v6/messaging/quick-start#messaging-quick-start

so have we decided to proceed with firebase cloud messaging?
We are already using Firebase's Firestore and Firebase Authentication in the web-client currently
I have experience integrating FCM into web apps using their web SDK and also with react native apps as mentioned above.

This is the document that outlines firebase's data security and privacy details: https://firebase.google.com/support/privacy

if we decide on using this, I can integrate FCM into the web-client app

from reach4help.