@nextgraph @liaizon @OpenSourceCollective On infrastructure: yes, we run primarily on Heroku, which relies on AWS. This is a legacy decision the engineering team inherited, and moving away from it is non-trivial at our scale. Here again, the work we're doing around decentralization will hopefully help us spin up separate instances in Europe and progressively migrate what needs to be migrated.
Benjamin Piouffle
-
UPDATE: they have dropped Persona!
-
@nextgraph @liaizon @OpenSourceCollective We've applied for decentralization grants to help make it happen. We're a small team and prioritizing this alongside everything else is genuinely difficult.
All that said, we've already made real progress over the past few years: white-labeling work, consolidated data import/exports, and we're currently refactoring our ID system in a way that will also support better decentralization.
-
@nextgraph @liaizon @OpenSourceCollective On GDPR: it does apply to us. Yes, we're a US-based non-profit (though most of our team is based in Europe), but several of the fiscal hosts on the platform are European. We take that obligation seriously. We'd like to get to a place where European users have their data stored in separate regional instances; this is on our roadmap.
-
@nextgraph @liaizon @OpenSourceCollective On self-hosting: it's true that it's harder than it should be. The platform wasn't built with self-hosting in mind, and over the years we've added layers of business logic tightly coupled to our own instance. On top of that, our primary users are fiscal hosts. The platform's features are therefore oriented around these organizations, which operate at a much larger scale. This is part of why self-hosting at the collective level feels so out of reach.
-
@nextgraph @liaizon @OpenSourceCollective On encryption: it's not accurate to say all data is stored unencrypted. Sensitive documents like tax forms uploaded to S3 are encrypted before upload (https://github.com/opencollective/opencollective-api/blob/main/server/lib/tax-forms/index.ts#L44), as are certain sensitive fields in the database (https://github.com/opencollective/opencollective-api/blob/5e374c160750fc259ee4163230c764956efda36f/server/graphql/v2/mutation/LegalDocumentsMutations.ts#L126).
-
@opsocket @liaizon We're indeed adding a Persona integration on the platform to help Open Source Collective manage their KYC program. It is not something we're forcing on anyone, just a bridge we're creating for fiscal hosts relying on this service. For the rest, I'll let Open Source Collective comment.
They're aware of this thread and are preparing a reply as we speak.