data security mobile phone

The Evolution of Data Privacy: A Q&A with Bojil Velinov, Head of DevOps & Automation at Luna 


Bojil Velinov, Head of DevOps & Automation at Luna, talks about the evolution of data privacy and how Luna is addressing privacy and data security at the company.

From your perspective, how has the conversation on data privacy evolved, and how are you addressing it at Luna?

Data privacy is moving more and more into mainstream conversation, from breaches of social media sites and data leaks to ransomware attacks at medical institutions. Some of our utmost personal information is stored in these places, so it becomes very intimate when such information falls outside of our control. 

Bojil Velinov
Bojil Velinov, Head of DevOps & Automation at Luna

On the professional side, at the last Amazon Web Services annual re:Invent conference, the people I met with and the talks I attended combined my interests in healthcare, regulatory compliance, and data governance. The apparent perspective is that the industry is increasingly focusing on protecting the data subject, which is the technical term for whom the collected data is about. I want to see this topic continue to get more attention.

How are you addressing data privacy at Luna?

We address data privacy and security in multiple ways. We operate by embedding “privacy-by-design” as part of our core values, and we recognize that online privacy needs to be built upon a foundation of data security measures. 

For example, one best practice we have is conducting yearly penetration tests, a type of security test that ensures our application stack is well protected against some of the most common attacks on the internet. It’s one of the ways we work to secure our platform. 

We also assess the risk(s) for every software feature, such as a login button, entry for one’s username, file uploads, and such. As part of our development process, we ask ourselves: “How do we prevent this feature from being vulnerable to attack?” Implementing detection, prevention, and recovery pieces into each assessed feature is part of our development life-cycle. By exercising due diligence in our design, development, and release processes, we keep the application stack more secure–and ultimately guard privacy.

How do you operationalize privacy-by-design at Luna?

It’s good to think outside the box, such as what possible future attacks on the software could occur. For example, how do we architect a way to be resilient to future vulnerabilities? One way is to utilize continuous integration and deployment (CI & CD) coupled with monitoring tools, security brainstorming sessions and vulnerability scans. 

We’ve taken privacy and security into account very seriously, and from the inception of the platform, one approach we utilize, for example, is envelope encryption–it’s a way to encrypt something in multiple layers. You can envision this as putting a box within a box, but imagine if each was locked within each one, and they have separate keys to unlock them. 

Another approach we have taken is not storing the data in the same location. We keep data fragmented. This way, if one particular location is compromised, it doesn’t reveal the complete picture of what the data represents. 

People who contribute to the Luna platform see how their data is utilized and to some degree magnified. That starts with our language and how we talk about it, it goes through how we implement the guards of that data and finishes with the granular controls of the data we give to each individual. All this establishes trust and demonstrates transparency. 

People have become increasingly aware of the importance of data security and how it affects data privacy. The volume of personal data people generate on the internet pertains to their privacy and their ownership of that particular data. I think what we do often try to put ourselves in the user’s perspective. People who contribute to the Luna platform see how their data is utilized and to some degree magnified. That starts with our language and how we talk about it, it goes through how we implement the guards of that data and finishes with the granular controls of the data we give to each individual. All this establishes trust and demonstrates transparency. 

Can you share more about the penetration test?

There are various ways of having a good posture from a security perspective. For example, how do we ensure our domain or company email is not used by a third party for spoofing? 

Pretend that a bad actor is phishing, for example. In phishing, a technique of fraudulently obtaining private information, email is the most common media. Nowadays there are some “geeky” mechanisms at our disposal, such as using specific signatures in the domain name system (DNS) records. Historically, DNS are the servers that help us find things on the internet. They are the ones knowing where you need to “land” when typing a website name in your browser’s address bar. Now, the same system is utilized to protect us from spam and phishing by allowing the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. This is technically known as DomainKeys Identified Mail (DKIM).

Here’s how it works:  You send an email from lunadna.com to a recipient using Gmail, for example. Upon receiving that email, the Gmail server checks for a setting in the lunadna.com  domain system. It says, “I am receiving this from this particular email service/server, can you confirm the server is authorized to send emails on your behalf?” Simple, yet powerful. I highly recommend any engineer involved with their company’s email and DNS to set this up. 

Many sites today use multi-factor authentication. What are the concepts here?

The concepts are evolving in multi-factor authentication. The tools around them are evolving. At Luna, we try to balance the impact of “extra steps” the member must take and their overall sign-in experience. At the same time, be upfront in explaining why we are putting such controls in place. In short, it’s because we really care for your data security, and we want to ensure that the person entering the platform is indeed you.

Take, for example, the case of ransomware attacks. The breaches in most of these security incidents, at various companies or individual accounts, happen because the password was compromised. That’s really the weakest link in the chain. It’s best not to reuse your passwords! Try using password manager technology to be most data safe. If one of your accounts gets compromised, bad actors can try it on other sites. If you did not reuse your password, you’d be less vulnerable. If you did, then you are out of luck.

Multi-factor authentication, in some cases referred as 2FA, can be leveraged in different ways, such as using email verification, text message, etc. It’s that additional control you put in place that, to some degree, provides another layer of protection. It also has its vulnerabilities, though. 

A practical way to think about multi-factor authentication is to balance the work required for authenticating the user to keep the bad guys out while keeping the process user-friendly. You don’t want to annoy your new participants with a slew of controls before they can see the benefit of your application. A little friction goes a long way, and it’s certainly better than the pain associated with sensitive data loss. 

Read about Luna’s Data Protection Impact Assessment.


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data — health records, lived experience, disease history, genomics, and more – for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Data Privacy Protection

How To Maintain Data Privacy in Today’s Uber-Connected World


2020 may be coming to an end, but it marks the beginning of the decade in which we had the largest amount of baby-boomers entering retirement age.

It is also the decade for coming of age for the last millennia generation. In the previous decade, the telephone, radio, and TV had a big influence on their lives. Now, internet connectivity, social networks, and instant information is changing everything we knew about communication. Both generations benefit from the exposure and existence of technology, or what we now have evolved to call, “high-tech.”

While earlier technologies were rendered as one-directional communication, new technologies have evolved to ingest vast amounts of input, processes, all while delivering information to us more quickly, efficiently, and accurately. Both past and current technologies depend on personal data to validate themselves and improve their services.

In today’s über-connected world, data privacy is more important than ever before. Everywhere we go, we leave behind a trail of data breadcrumbs that share valuable information about who we are and what we do. Whether knowingly or unknowingly, we often victimize ourselves to fulfill our desire for high-tech convenience. But even the simplest activities, like checking the weather or connecting to a free WiFi network, can put our data at risk. With modern internet-connected devices literally in the palm of our hands, we are constantly under indirect surveillance. Sites we visit regularly, products we engage with on social media, articles we read on search engines all contribute to our digital profiles. 

This raises the questions, how much exposure of our private lives is beneficial to ourselves and society? How much of our private data is monetized with no direct benefit to us as the creators? These questions contain many perceptions and tangents and raise many conversations between team leaders at LunaPBC. We strive to understand all arguments related to data collection, but always resort to the unanimous agreement that people belong at the center. Until every company aligns with our values and beliefs, it’s at least assuring to know that data privacy is headed in the right direction, with the implementation of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). I’m anticipating other federal and state legislative initiatives aimed at protecting individual data on the horizon. 

Privacy is directly connected to our liberties, but liberties don’t exist in a vacuum. We all have to, more-or-less, agree on what’s right even as complex social organisms. For society to not only exist but thrive, liberties should require justice, and achieving this may require individuals to partially share some privacy. In other words, individuals, as integral members of the society, should always be in control of their privacy. Our actions, demands, and understanding of privacy can help us shape a “new” internet, and with that our continuous stream of data.

Obtaining data privacy, reducing your digital vulnerability, and maintaining control starts with protecting your passwords.  

Don’t Make Your Password Easy to Guess

  • 123456 and password are the most commonly used passwords. Don’t use them.
  • Switching a letter for a symbol (p@ssw0rd!) is an obvious trick hackers know well.
  • Avoid favorite sports teams or pop culture references. Use something more obscure.
  • Don’t use a single word like sunshine, monkey, or football. Using a phrase or sentence as your password is stronger. 
  • Don’t use common number patterns like 111111, abc123, or 654321.
  • Adding a number or piece of punctuation at the end doesn’t make your password stronger

Create More Than Just a Strong Password, Create Various Strong Passwords

  • The strength of your passwords directly impacts your online security.
  • Use a password manager to remember all your passwords.

Kicking off the decade with data privacy top of mind can ensure you have yourself safe and secure years ahead. 


About Luna

Luna’s suite of tools and services connects communities with researchers to accelerate health discoveries. With participation from more than 180 countries and communities advancing causes including disease-specific, public health, environmental, and emerging interests, Luna empowers these collectives to gather a wide range of data — health records, lived experience, disease history, genomics, and more – for research.

Luna gives academia and industry everything they need from engagement with study participants to data analysis across multiple modalities using a common data model. The platform is compliant with clinical regulatory requirements and international consumer data privacy laws.

By providing privacy-protected individuals a way to continually engage, Luna transforms the traditional patient-disconnected database into a dynamic, longitudinal discovery environment where researchers, industry, and community leaders can leverage a range of tools to surface insights and trends, study disease natural history and biomarkers, and enroll in clinical studies and trials.


Bojil Velinov

Bojil Velinov

Head of DevOps and Automation