Disclaimer | Synigo Pulse

Disclaimer

1.1      How is specific data of Synigo Pulse accessed?

We store 2 kinds of information:

  1. Personalization settings: These are stored in a SQL database (behind a firewall) and can only be accessed by the UPN, given by Microsoft.
  2. CMS content: This information is stored in Umbraco and is accessed by 2 methods:
    1. Editorial environment:
      • When an editor signs in to the editorial environment (using the sign-in process described above), Umbraco’s default security mechanism (RBAC) is used, so users can only access the information that is available to them.
      • We have provided mechanisms in Umbraco whereby content has (hidden) metadata, such as the ID of the tenant (we’ve embedded this in the core of the system).
    2. CMS content within the portal (displaying information):
      • Our CMS is used as a REST service. We use Bearer authentication to identify the user and tenant (from the user’s claim, given by Microsoft). We also use an application secret (password).
        • If any of these are not present or wrong, access is denied.
        • We use Lucene to extract the information. We’ve constructed this in such a manner that it is impossible to retrieve any information other than your tenant’s. This is done by hardwiring the access of Lucene with TenantId constraints.
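
One way to enforce the tenant constraint described in the list above, as an added sketch that is not Synigo's or Umbraco's own code. It assumes the bearer token's signature has already been validated, reads Microsoft's `tid` and `upn` claims, and uses a hypothetical index field `tenantId` and a constructed query layout.

```python
import hmac
import re

# Characters with special meaning in Lucene's classic query syntax.
_LUCENE_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/&|])')
# Assumption for this sketch: the tenant identifier is a GUID.
_GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


class AccessDenied(Exception):
    """Raised when the secret or a required claim is missing or wrong."""


def escape_term(text):
    """Neutralise Lucene operators so a search term cannot alter the query."""
    escaped = _LUCENE_SPECIAL.sub(r"\\\1", text)
    # Bare AND/OR/NOT are operators too; lowercase them so they parse as words.
    return re.sub(r"\b(AND|OR|NOT)\b", lambda m: m.group(1).lower(), escaped)


def tenant_scoped_query(claims, presented_secret, expected_secret, search_text):
    """Build a query whose tenant clause comes only from validated claims."""
    if not presented_secret or not hmac.compare_digest(
            presented_secret.encode(), expected_secret.encode()):
        raise AccessDenied("application secret missing or wrong")
    tenant_id, upn = claims.get("tid"), claims.get("upn")
    if not upn or not tenant_id or not _GUID.fullmatch(tenant_id):
        raise AccessDenied("required claim missing or malformed")
    # The tenant clause is mandatory (+) and is never taken from the request.
    tenant_clause = '+tenantId:"%s"' % tenant_id
    term = escape_term(search_text).strip()
    return tenant_clause if not term else "%s +(%s)" % (tenant_clause, term)
```

The tenant clause is built before any request data is considered, so the search text can only narrow the results within that tenant.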

 

1.2      Umbraco Security

Every six months, Umbraco is penetration tested by a security firm. Recommended fixes are implemented, and what has been fixed is shared. Internal code reviews, consulting the OWASP site for best practices, are done whenever any code affecting security is updated.

 

1.3      Our security

We use industry-standard tools, protocols (such as OAuth 2.0) and best practices to ensure the protection of our clients’ data. We use internal code reviews to ensure both the quality and the security of our product. Deloitte advises us on how to implement security, governance and compliance.

 

It is impossible to tamper with either the UPN or the TenantId, as they are given to us by Microsoft when signing in. This process takes place on the server side, so users cannot manipulate these values. It is impossible to retrieve any document from the CMS without a tenant ID, or any document that does not belong to your tenant.

 

1.4      Where is the data stored?

Geographical location of the data-center:

  • Office 365: based on the client’s own Office 365 subscription;
  • Pulse: The Netherlands (Azure region West Europe).