This is my personal opinion.
I would say it is as secure as possible: we are patching the servers frequently, but we can’t provide any warranty.
About the Neuchâtel medical data stolen yesterday: were they using something appropriate or not? Des milliers de données médicales neuchâteloises publiées sur le darknet - rts.ch - Neuchâtel
If you store your data on the cluster, it will be backed up to a second datacentre. This adds more risk, as more servers are involved.
If you leave your data on the NASAC, for example, it is managed as well as possible, but still, the data is duplicated to a second datacentre and backed up, so the risk increases.
If you leave your data on your own NAS: as this isn’t your duty, maybe the NAS will be misconfigured or not up to date. If you back up your NAS, you increase the risk. If you don’t, you increase the risk of losing all your data forever.
Not very encouraging, I know. The thing is that it is more and more frequent that data providers require high-security storage, but in reality, each day we can see highly secured things being hacked. It is more a legal requirement than a security requirement, I guess.
So I would say, to be safe you should avoid working with sensitive data, or at least anonymize or de-identify them before importing them onto the cluster. But again, where are they stored outside of Baobab?
So to be concise: no, Baobab is not meant to hold sensitive data as we apply basic security only (but we do that seriously, so I’m not that worried that someone will hack us)
Maybe the solution is to not trust the services you use, but cipher/decipher your data on the fly.
Other suggestions welcome!
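The on-the-fly encryption suggested in the reply above, as an added example that is not part of the original post or of the Baobab cluster's own tooling: data is sealed with AES-256-GCM on the user's side before it is copied to the cluster, so the storage, its replica and its backups only ever hold ciphertext. It assumes a 32-byte key that stays with the user (never on the cluster) and a 64 KiB record size chosen here for the example; the record format is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

const chunkSize = 64 * 1024 // plaintext bytes per record (size chosen for this example)

func newAEAD(key []byte) (cipher.AEAD, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Nonce = 4-byte random stream id || 8-byte record counter. It is unique per record under
// one key, and because the counter is the record's position, a record that is reordered,
// dropped or repeated fails authentication in Open.
func nonce(id []byte, i uint64) []byte {
	n := make([]byte, 12)
	copy(n, id)
	binary.BigEndian.PutUint64(n[4:], i)
	return n
}

// Seal encrypts r into w record by record, so a file never has to be loaded whole into memory.
// The stream always ends with a short record (possibly only a tag), so a copy cut at a record
// boundary is still detected as truncated by Open.
func Seal(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil { return err }
	id, buf := make([]byte, 4), make([]byte, chunkSize)
	if _, err = rand.Read(id); err != nil { return err } // fresh stream id, stored in clear
	if _, err = w.Write(id); err != nil { return err }
	for i := uint64(0); ; i++ {
		n, rerr := io.ReadFull(r, buf)
		if rerr != nil && rerr != io.EOF && rerr != io.ErrUnexpectedEOF { return rerr }
		if _, err = w.Write(aead.Seal(nil, nonce(id, i), buf[:n], nil)); err != nil { return err }
		if n < chunkSize { return nil } // short final record ends the stream
	}
}

// Open verifies and decrypts a Seal stream; a wrong key, tampering, reordering or truncation
// is reported as an error instead of silently yielding corrupt plaintext.
func Open(key []byte, r io.Reader, w io.Writer) error {
	aead, err := newAEAD(key)
	if err != nil { return err }
	id, rec := make([]byte, 4), make([]byte, chunkSize+aead.Overhead())
	if _, err = io.ReadFull(r, id); err != nil { return err }
	for i := uint64(0); ; i++ {
		n, rerr := io.ReadFull(r, rec) // only the final record may be short
		if rerr != nil && rerr != io.ErrUnexpectedEOF { return fmt.Errorf("stream truncated: %w", rerr) }
		pt, err := aead.Open(nil, nonce(id, i), rec[:n], nil)
		if err != nil { return fmt.Errorf("record %d rejected: wrong key or tampered data", i) }
		if _, err = w.Write(pt); err != nil { return err }
		if rerr == io.ErrUnexpectedEOF { return nil }
	}
}
```

Key handling is the part the cluster cannot do for you: if the key is lost, the backups on the second datacentre are just as unreadable as they are to an attacker.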