How does Studo work?
Students can use the Studo App to access important websites of their universities. How does it work? Studo is a browser and mail client just like Chrome, Safari, Internet Explorer, Apple Mail, Samsung Mail & Co.; only the display of some content is optimized for mobile devices. The websites of the supported universities are partially simplified and optimized for mobile devices, and students' mails can be read and answered on mobile devices. Of course, the students' personal access data (username and password) will be sent exclusively to the university's servers, and there will be no processing or storage of the students' personal access data outside the area locally encrypted in the app and protected by the operating system. The technical implementation of the local storage of the access data is therefore equivalent to other common apps such as Apple Mail or Samsung Mail App. The access data for the student account are therefore not sent to servers of Studo - thus the students do not forward their access data to third parties.
Access to your university's website or mailbox is sometimes more secure with the Studo app, but always at least as secure as other browser solutions on the market. (Depending on which provider you compare with.)
Your user login credentials like username and password are transmitted exclusively in encrypted form via TLS/SSL to the university's servers. As with any mail client, the login credentials are stored locally on the end device in encrypted form and without other apps having access to them. The storage follows the standard that Google (for Android) and Apple (for iOS) set for the storage of private data, and which is also used by the operating system providers themselves.
The connections to our server are exclusively via TLS/SSL with additional certificate pinning to ensure maximum security. The Studo servers have an excellent A+ rating from Qualys SSL Labs. Further measures such as HTTP Strict Transport Security (HSTS), DNS Certification Authority Authorization (CAA), Certificate Transparency, Forward Secrecy and the support of the latest standards such as TLS 1.3 and HTTP/2 with simultaneous deactivation of old standards such as TLS 1.1, TLS 1.0, SSL 3 and MD5 ensure that the Studo infrastructure is always state-of-the-art and secure.
Received and sent mails are, of course, only cached locally on the user's device, just as with other native mail clients classified as secure, and are not transmitted or stored on Studo servers. The connection is only made between the mail client (Studo App) and the mail server of the linked university and uses the security standards for transport encryption of the respective university. Due to technical and organizational measures, the Studo team therefore has no access to your access data (username and password), your received mails or your sent mails.
Studo is also far ahead of many other browsers when it comes to data protection. Studo complies with all applicable data protection laws in the European Union. The servers on which the HTML API reader works are located in the EU and are owned by EU companies. At the request of the Graz University of Technology, a "Certificate of Compliance with Data Protection Law" was issued, which concluded that Studo is 100% GDPR compliant and allows the exercise of all rights of the GDPR.
Will my data be resold to third parties?
No! Your data, such as your university username, your university password, your exam results, your e-mails etc. are not stored on Studo servers. They are only stored on the server of your university or locally encrypted in an area on your device that is secured by your operating system. Studo employees cannot access them, so for technical and organizational reasons they cannot be shared with third parties. Studo is an app by students for students, so there will never be a forwarding of data.
Where is my data stored/processed?
For the Studo team, data protection and data security are the most important concerns. That's why your university username, university password and your e-mails are only stored locally, encrypted, in an area of your device that is secured by your operating system, and are not transferred to Studo servers. As described in the declaration of consent, your university-related data (except your login credentials, which are never processed on Studo servers) are processed exclusively on servers in the European Union. The processing will only be done by companies located entirely within the European Union, but the data will not be stored there, as described in the declaration of consent. This ensures the highest level of security and privacy. Information such as your personal calendar entries and chat messages is also backed up exclusively on servers in the EU by EU companies for data safety purposes. This backup means that you can still access, for example, your personal calendar entries when you buy a new phone. As described above, this backup data is transmitted exclusively via TLS encrypted connections using the most modern encryption methods. Data stored as backup are also stored on the Studo server encrypted via Encryption At Rest (dm-crypt of the Linux kernel with the aes-xts-plain64 algorithm with key size of 2048 bit and hashed via SHA256) to ensure the highest possible level of security.
Privacy by Design.
Best regards from your Studo Team