Solar Workplace | Security

Platform Overview
Innovation & Benefits
Reporting & Analytics
Integrations
Security

Solar Workplace Security Policy

Introduction

Solar Workplace is a framework that allows clients to have their own hosted Software as a Service (SaaS) product platform and has been designed with information security as the highest priority. The very nature of the modern network architecture that we use is designed to be robust and secure as a web host.

This policy outlines the specific application security that is built into the Solar Workplace product.  

Data Centre Security 

Solar Workplace sites and applications are hosted with our Infrastructure Partner vBridge – specialist providers of high security & performance & hosted compute infrastructure, based in New Zealand.

vBridge recognise the importance of data integrity & security and with this in mind have adopted a multi-node, multi-datacentre approach.  All vBridge staff have passed the Ministry of Justice vetting process and have signed a confidentiality agreement. 

The vBridge platform has been designed with a minimum of N+1 resiliency across all components. The hosting platform provides separation of all customers’ data and network traffic. vBridge control physical security and stability using Tier 3 and Tier 2+ New Zealand Department of Internal Affairs approved Datacentres. These provide robust entry and access control along with high levels of physical protection against unplanned event

ISO 27001

vBridge is an ISO27001 certified organisation. This standard is widely recognised as the gold standard for information security. Their certification is maintained through ongoing auditing by an external ISO accredited provider along with their own regular internal audit processes.

vBridge maintains an Information Classification Matrix along with a Classified Information Handling Policy. All information stored by customers has a RESTRICTED classification. 

Firewall Security

vBridge Firewall as a Service (FWaaS) is a next generation firewall (NGFW) service enabling organisations to achieve best practice network security. This service is delivered from N+1 Fortigate Firewall Clusters.  These next generation firewalls provide Full L4 to L7 configurable security policies along with industry leading IPS, SSL inspection and advanced threat protection. 

Backups

Information is routinely retained in the format of Database Backups.

A full backup is taken daily, with incremental backups taking place hourly through the working day.

Backup Databases are stored on a secure server distinct from the Production (“Live”) Server, with periodic transport to “off-site” Data Centres to aid in the event of Disaster Recovery. Backups are also routinely restored and tested to ensure a robust recovery plan is in place.

Backup Schedule

Backup Type

Retention Period

DailyFull, taken every morning

 2 Days

DifferentialHourly between 6am to 6pm NZST, 2 hourly outside of this time

 2 Days

MonthlyFull, taken 1am on the 1st of each month

 45 Days

WeeklyFull, taken on Sunday Night

 14 Days

Schema

 90 Days
Folders (e.g. FTP, PS Scripts, Website Files)

2 Days

Notes:

Differential – this saves the changes between the previous snapshot and the current state. This means that over the course of any given day we can roll-back to any given point within an hourly timeframe. The net effect of this is that the amount of potentially lost data is a maximum of 1 hr should a restore be necessary.

Folders – This refers to all a client’s individual files that make up their own Solar Workplace site – e.g. interfaces, file uploads, ftp data.

VM Backup – In addition to data and website backups, out entire server infrastructure is also separately backed up in event of any need for disaster recovery (e.g. Earthquakes). This gives us an extra level of protection and the resulting tapes are stored in a vBridge offsite facility but still within New Zealand.

Application Security

The application and the web server technology have been specifically configured and designed to withstand the most prominent forms of attack. These include:

  • URL interpretation
  • Input validation
  • SQL injection
  • Buffer overflow attacks
  • All passwords are encrypted using BCrypt (SHA-512), an algorithm designed to be strong even if the user chooses a simple password. It can also significantly delay attempts at brute force attacks.
  • Passwords are never stored or transmitted in plain text.
  • Users are automatically locked out after a failed login attempts – configurable to suit your business needs – making brute force attacks near impossible.
  • Solar Workplace uses SSL certificates – web traffic between the user and the server is encrypted at all times using SSL (SHA-256 With RSA Encryption).
  • All key user actions are logged along with their IP address. In the event of a breach (for example a user has their password on a sticky note attached to their monitor), the problem can be traced and mitigated. Logs can be produced, detailing information that may have been accessed or altered.
  • Each client instance is also a separate web application with its own application pool and SQL database, this ensures complete segregation of client data for further protection.
  • Solar Workplace has been developed as a full-stack Web Application leveraging the Microsoft .NET Framework, and deployed onto securely hosted servers.
  • Solar Workplace is a single product that is deployed across multiple servers to give clients reassurance that no breaches of their data will occur. Each site is hosted within its own secure environment as a separate web application with data access to its own secured Sql Server Database.
  • Monitoring is in place to track all external and internal access or attempted access.

Personnel & Training

All Brighter Days staff are recruited via trusted partners and services, including direct referrals.

Background checks are performed on all staff validating identity, references, experience, and education. Additionally, and where legally permissible, this also includes police background checks.

As part of the on-boarding process, all staff are required to read and acknowledge understanding and adherence to internal policies and standards.

All staff are subject to a Terms of Employment contract, that clearly lays out requirements and expectations around privacy and confidentiality terms.

Data Access

As part of routine maintenance, members of the Brighter Days teams may directly access the production (“Live”) server to perform tasks including, but not limited to:

  • Server Updates (software of configuration),
  • Manual Database backups and transfers,
  • Housekeeping tasks including archiving and optimisation.

No direct data access that might expose personal information is undertaken at any point during the above tasks.

Data Transfer

On occasions – and at the client’s request – data is required to be transferred between the client and the Solar Workplace servers, typically during the initial project phase (e.g., loading of employee profiles).

All data transfers take place over secure FTPS channel, with access permissions routinely reviewed.

Site Security 

Client-facing access to the Solar Workplace web application has multiple layers, ensuring security at multiple points. From the initial login, users will only have access to view, modify, create, or delete what they have been granted access to.

Access to specific process, entity, or user records, can only be applied by designated Super Users.

Initial User Access – Logging In
  • Only those with an active, non-expired user account can log on to the Solar Workplace web application. From the initial login page, the user is prompted for their username and password.
  • By default, there is a configurable three-strike lockout in place. If a user fails to enter their password correctly three times their account will be locked out and an email notification sent with password reset information.
  • For additional security these is also a Single Sign-On (SSO) option to allow access only to users on your network.
  • A user account can be expired by a designated super user. Users cannot be deleted from the client facing application.
  • Requests to delete users can be done through our Support Portal.
  • The password policy can be set to enforce complex passwords being a mix of upper-case, lower-case and numbers.
  • The Solar Workplace application allows for the setting of cookie time-out intervals. If enabled, after a predefined period of inactivity the user will have to re-enter their username and password to continue using the software.
User Access Lists
  • User access lists govern access to confidential and non-confidential records in the Solar Workplace application.
  • A user access list can be in the form of ‘Groups’ or ‘Roles’.
Roles
  • Users can switch to a Role if they have been granted the required security access.
  • Roles have customised access to specific records, such as certain processes and a certain area of employee records.
  • When assigning security access, the Role can be given varying levels of view, modify, create, or delete.
  • When a user switches to a Role, any access granted to the user at a user or group level becomes redundant.
  • When in a Role, the Role security supersedes all other access.
Groups
  • Groups are access lists given to specific types of users or a set list of users.
  • An example of a user Group would be New Zealand Managers or All Active Employees. Groups are useful for granting access to processes and entities without having to switch Roles.
  • When given access via a group, users will have access as soon as they log in.
  • When assigning security access to Groups, varying levels of view, modify, create, or delete can be granted.
Processes, Entities and User Records
    • Processes, entities, and user records are granted specific access requirements through Roles and Groups.
    • The same access rights can be applied at the user level, to ensure that security is as granular as needed.
    • When assigning security access, varying levels of view, modify, create, or delete can be granted to specific Users, Roles or Groups to a detailed level.
    • For example, at a specific step or part of a process flow the user may only have view and edit access when the user is assigned to or required to participate in the process (such as make comments and approve).
Download Security Policy
Privacy Policy
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound
Save