Security

One of the most important parts of our work is providing our solution to customers in a secure way. Every connection the application (Windows Client, Web Client or Mobile Client) communicates over is encrypted. The application uses several microservices, and all of them communicate via HTTPS with a certificate provided by godaddy.com. All communication is forced to use a secure connection: if the certificate is missing or expired, the application throws a security error, and it is not possible to communicate with the services without a proper security layer.

All the services are in the Microsoft Azure Cloud. We follow all the Microsoft security best practices that are important for creating a secure application.

Data location: West EU datacenter. All the services that we have are in West EU (including databases, cache layer, storages, websites and monitoring services).

The TheStorage application DOES NOT store any sensitive data about the customer, such as passwords, social security numbers or personal data. When the customer creates a connection to their Identity Provider (Azure Active Directory, Google Identity Cloud, etc.), we can sync only directory data such as User Name, First Name, Last Name, User ID, and Job Title. We store this data in a temporary memory cache (NOT a persistent store) for 14 days. When the connection is broken, the cached data expires and there is no longer any link between the items the application user stored in the database and the users. If the connection is established again, the data can be mapped again and all the information will be there.

There is one exception for storing personal data. TheStorage has an audit history log feature, where users can check the product history (who owns the item, when it was passed to another user, when it was given back to IT, etc.). For this there is a Microsoft Cosmos DB (Document DB) where this owner information (email address, name and unique ID) is stored. This information is deleted only after 90 days when the user has canceled the subscription, or if a support ticket is created to remove this data.

Authentication

TheStorage uses Microsoft Azure AD B2C as an identity provider. We do NOT store any user credentials, not even password hashes. This functionality is provided by Microsoft. We strongly recommend that our customers use SSO providers. We currently support Azure Active Directory (Azure AD / Office 365), Google / G-Suite and Microsoft Account SSOs. We are open to providing more, but as far as we can see, all of our customers currently use one of these SSO providers. If you use one of these SSOs (especially Azure AD or G-Suite), you can control the authentication flow, and we can follow all company policies (including Multifactor Authentication or Okta Auth0, etc.). Azure AD B2C supports two industry-standard protocols: OpenID Connect and OAuth 2.0. The service is standards-compliant, but any two implementations of these protocols can have subtle differences. More information about Azure AD B2C here.

Storage

All customer data is stored in Microsoft SQL Azure Database. The connection between the service and the database is encrypted (SSL/TLS). If the customer stores sensitive data in the database (such as software keys or software license credentials), the service encrypts all of that data with a symmetric encryption algorithm.

Application and Service Data

All sensitive application and service data (connection strings, secure strings, keys, etc.) is stored in Microsoft Key Vault. This service provides secure key management, which is essential to protecting data in the cloud. With Azure Key Vault, TheStorage can encrypt keys and small secrets like passwords using keys stored in hardware security modules (HSMs). For more assurance, keys can be imported or generated in HSMs, and Microsoft processes our keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract the application and service keys.

Vendors

There are two vendors that we use:

  • Microsoft Azure Cloud
  • Godaddy.com (Certificates, Domains)

GDPR

Because identity management is provided by Microsoft and all user data is available via SSO, from the application's perspective we do not store any GDPR-related information about our customers. We store only data that belongs to the tenant; we do not store personal data about the user. For validation purposes we store only the invited users' email addresses and the invitation date. Because we use Azure AD B2C, audit data such as the last successful and failed authentication is stored in B2C, and it is readable by the Livesoft Company Administrator. Currently only 1 person has the right to read audit data. If a customer needs all the tenant data, the administrator can export it from the application. If a customer wants to delete ALL the data, the tenant administrator needs to write a ticket to here and needs to verify personal data. After the delete request has been sent, the company has 60 Business days to delete all tenant-related data.