In a company environment, it's especially important to know when a software program connects to the Internet and which data are exchanged when it does so. In this chapter we discuss these details. Please note that the language is technical by necessity. Please use our glossary if necessary.
Data transfer when starting and closing Citavi
- When Citavi is started, it connects to the Citavi servers to check for updates. System adminstrators can block this check.
- When Citavi is started, it checks if a connection to Citavi Cloud is allowed. System adminstrators can block this check.
- When Citavi is started, it checks if the user has already logged into his or her account once on the computer. If so, Citavi automatically logs the user into his or her account. This process is encrypted. An automatic log in does not occur under the following circumstances:
- If the user has never logged into his or her account on the computer
- If the user logged out after his or her last session
- If the user decided that login information should be automatically deleted each time Citavi is closed
- After a successful Citavi Account login, Citavi downloads the license information for the user from our server. This only applies to Citavi for Windows. Citavi for DBServer users receive their license information from the organization's computer that the SQL databases server with the Citavi database is running on.
- For the Citavi Account login and all following steps, Citavi communicates with the WebApi for our server. The communication over the WepApi uses HTTPS, Port 443.
- Configure your Firewall as described here.
Data transfer while working with Citavi
- Before a quick help text is displayed in the program for the first time, it is downloaded from the Citavi server.
- Citavi displays notifications on the Welcome Screen. We let users know about important program additions. Universities with a site license for Citavi can display relevant notifications for the campus community. Every user can add news feeds of interest to them. News items will only be refreshed if there is an active internet connection.
- When performing online searches, importing from files or from other programs, and when using citation styles we provide, Citavi connects to the Citavi servers to check for updated versions of the transformers and citation styles, then downloads the new version if available.
- If a user imports PDF files, Citavi looks up the bibliographic information for the PDF by analyzing the file:
- If a DOI, ISBN, PubMed ID, or ArXiv ID is found on the first five pages, it will be used to search for the bibliographic information.
- If no identifier is found, Citavi will try to identify the title by the heading size and will then search for it.
- During the online search, ISBN search, and full text search, Citavi only sends the search query to the respective server. Exactly how this works depends on the type of connection:
- Web service: These online resources communicate over the ordinary HTTP protocol on the default port 80 or over HTTPS, Port 443. These services are always contacted directly.
- Z39.50: These online resources use the Z39.50 protocol that is commonly used by libraries. Though it can use any port number, ports 210 and 3950 are common. If Citavi cannot communicate with a Z39.50 service directly because of a Firewall or other reason, it will send the request to a Webservice on the Citavi server using HTTPS, Port 443. The Citavi server then forwards the request to the Z39.50 service, and then returns the results. The Citavi server does not save any data.
To improve Citavi and correct program errors, we use the Microsoft Azure service Application Insights.
If the options under Product development are selected, program errors and their context and protocols will be sent to the Citavi team. Usually, only the name of the Citavi feature is sent. However, a user name might be sent if it is part of a file path: "Access to the file C:\Users\thomas.schempp\Documents\Citavi 6\... was denied." Sensitive information, such as passwords is never sent.
Data is only sent if the user selects the corresponding option under Tools > Options > General > Diagnostics or Tools > Options>General > Product development. A system administrator can block this option with the MSI Assistant.
Errors are always tracked in a protocol if they occur inside the Citavi Cloud infrastructure. These protocols never contain personally identifiable information.
Additional data transfers
All additional data transfer depends on where the Citavi project is saved:
If the Citavi project is on a computer, external drive, or in a local network there is no additional data transfer.
The Citavi project is saved in a Microsoft SQL database.
- For per-seat licenses Citavi for DBServer saves license information on the user's computer for 365 days. Users can then work on local projects with more than 100 references even if they don't have a connection to the company's SQL Server. To ensure that the user is within the expiration date of the temporarily saved license, Citavi pulls the date from our server with a WebAPI query.
- If all concurrent licenses for Citavi for DBServer are in use and an additional user tries to use a license, Citavi can send an email to the license administrator via the WebAPI. This email lets the administrator know that not enough licenses were available for all users. The email does not contain any personally identifiable information.
Cloud projects are saved in the Citavi Cloud, which uses Microsoft Azure Cloud. Microsoft operates many data centers around the world. We use the data centers in Western Europe (Dublin and Amsterdam) for Citavi Account information and in Germany (Frankfurt and Magdeburg) for Citavi cloud projects. These last two data centers operate under the German company Deutsche Telekom and have special security measures to ensure that the U.S. government does not have any access to these data centers.
Citavi communicated with the WebApi continuously.
- Each Citavi installation sends an encrypted message (= token) to the Cloud project. The token ensures that the correct person can open the correct project with the correct role.
- The first time a Cloud project is opened, Citavi downloads the complete project information from our servers and saves it on the user's computer as a cache file. Each time the project is opened after that the differing information between the cache and the Cloud project will be downloaded. (The cache file is deleted when the user logs out of Citavi Account.)
- While working on a cloud project, Citavi uses the WebApi to save changes, synchronize, upload attachments, etc.
- To reduce the load on our webserver, in some cases, Citavi directly access the Microsoft cloud infrastructure. The connections are encrypted and protected (= Shared Access Token). We use this technology in the following situations (among others):
- Initial project download
- Upload of an existing project to the Cloud (in certain cases)
- Upload and download of attachments
- Saving a large amount of bibliographic information after a large import
- In addition to this data exchange, Citavi opens a communication channel over SignalR. With SignalR our serverscan inform a Citavi installation that another user made changes to a shared project. After this information is transferred, the changes are synchronized so that all project users have the current state. SignalR also makes it possible for users to communicate with each other, for example by sending chat messages using the Citavi chat feature. After a chat ends, the chat contents are deleted.