PrivTAP: Privacy preserving trigger-action platform

PrivTAP logo

Try it out!


PrivTAP (if this link doesn't work, it means that our AWS project has expired...  But don't worry, you can still check the Demo Video, or clone our GitHub repositories and run it locally)

Demo Video

GitHub repository: FrontEndBackEnd

Project description

This project concerns the development of a Trigger-Action Integration web application
that lets users connect triggers and actions provided by external service providers. The core of
this project is to preserve the privacy of users’ sensitive data by letting the user have fine-grained
access control over his/her data. Third-party service providers can add both triggers and actions,
and select related privacy levels depending on the associated data needed. Also, two service API
endpoints should be provided to show the platform’s behavior.

Some examples of already existing multi-party Trigger-Action Integration Platforms are Microsoft
Flow, Zapier, and IFTTT: all suffer from different kinds of privacy violations, listed here:

  • personal unnecessary and unintended data being shared both with the integration platform
    and with the action service, which could have a public audience;
  • lack of access revocation, once data has been shared, there is no way to delete the resource on
    the platform side neither on the action service from the user point of view;
  • lack of fine-grained access control, when the privacy configurations of the platform differ from
    those fine-grained trigger services or action services, resulting in altered access control.

This project aims to develop a web application prototype that could fix these privacy issues and
guarantee a safe integration system.


The platform we built is composed of two different web apps, one for end users and one for service provider developers.

End-user web app

  • Registration/Login with a Google account
  • View existing triggers
  • View existing actions
  • Get predefined automations
  • Create a new automation
  • List all the user's automations
  • Accept/Modify the privacy preferences of each service provider7






































Service provider web app

  • Registration/Login with credentials
  • Create trigger
  • Create action
  • Define the privacy requirements of triggers/actions












A high-level overview of the architecture can be seen in the following image. On the left side, there is an online
service (e.g. Facebook) which represents a trigger service, on the right side the action platform (e.g.
Phillips Hue) can be seen. Trigger and action services define the rules to connect to them and use
their APIs. In the middle, between trigger and action services, the privTAP platform is located.

The implementation of the PrivTAP platform follows a three-tier architecture style, therefore
it includes three layers: the client layer, which is responsible for views and controllers that define
the user interfaces, the application logic layer, which is responsible for handling all the logic of
the application, communicating with external APIs, and retrieving data from the last tier, which is
the data layer, responsible for storing all the data required for the functioning of the application.

For the backend, we choose as framework SpringBoot, and as database MongoDB. The frontend was made in React, using bootstrap and the React Bootstrap library for some of the pages. The app was automatically deployed on Amazon AWS. This was done using Github: when a developer pushed something on the main branch, if the tests are all passed and at least one other member of the team accepts the pull request, the new version was deployed on AWS.






  • Federica Tommasini:
  • Danilo Castiglia:
  • Giulia d'Auria:
  • Anamarija Lukač:
  • Bernard Bačani:
  • Vedran Hernaus:
  • Luka Bokarica: