Introduction
This document outlines the security measures applied to the Software as a Service (SaaS) TimeXtender Portal, with a brief description of each item.
Authorization
The Portal uses Auth0, a third-party identity provider, for OAuth 2.0 based authorization, so the Portal itself never handles the user's credentials. As described by Auth0, “OAuth 2.0 provides consented access and restricts actions of what the client app can perform on resources on behalf of the user, without ever sharing the user's credentials.”
HTTPS Only
The Portal has HTTPS Only enabled: every request that arrives over plain HTTP is redirected to the same URL over HTTPS, and no application content is ever served over HTTP, so all communication between the Portal and the user is encrypted in transit. The redirect response itself still travels in plaintext; an HTTP Strict Transport Security (HSTS) header is the usual complement, telling browsers to go straight to HTTPS on later visits.
Minimum TLS v. 1.2
The Portal requires TLS 1.2 as the minimum protocol version; handshakes from the end-of-life TLS 1.0 and 1.1 protocols are rejected.
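The following Go program is an added example, not TimeXtender's own code, covering both of the settings above: the Location target a plaintext listener answers with, and a TLS configuration whose only policy is MinVersion TLS 1.2. So that it runs offline it issues its own throwaway localhost certificate (an assumption; a real deployment uses a CA-issued one) and then probes the listener with clients pinned to TLS 1.0, 1.1, 1.2 and 1.3. The host name and path in it are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// httpsLocation builds the Location target for the HTTPS-only redirect (sent with a
// 301/308 and no page content). A port on the Host header is dropped so the client
// lands on the default HTTPS port rather than the plaintext listener's port.
func httpsLocation(host, requestURI string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return "https://" + host + requestURI
}

// selfSignedCert issues a throwaway localhost certificate so the probe can run offline
// (assumption: a real deployment terminates TLS with a CA-issued certificate).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startProbeServer listens on loopback with the hardened config (MinVersion TLS 1.2 is
// the whole policy) and answers handshakes until stop() is called.
func startProbeServer() (addr string, pool *x509.CertPool, stop func(), err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // TLS 1.0 and 1.1 ClientHellos get a protocol_version alert
	})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), pool, func() { ln.Close() }, nil
}

// handshakeOK reports whether a client pinned to exactly one protocol version completes
// a handshake with addr; the same probe works against a live endpoint with a real pool.
func handshakeOK(addr string, pool *x509.CertPool, version uint16) bool {
	d := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{
		RootCAs: pool, ServerName: "localhost", MinVersion: version, MaxVersion: version,
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

func main() {
	addr, pool, stop, err := startProbeServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		fmt.Printf("client version %#04x accepted: %v\n", v, handshakeOK(addr, pool, v))
	}
	fmt.Println("HTTP redirect target:", httpsLocation("portal.example.com:80", "/login?next=%2F"))
}
```

Running it prints false for the TLS 1.0 and 1.1 probes and true for 1.2 and 1.3; the redirect helper is meant to be wrapped in a handler that calls http.Redirect with status 308 so the method and body survive the hop. Pointing handshakeOK at the real endpoint (with the system root pool instead of the throwaway one) is the post-deployment check that the minimum-version setting actually took effect.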
Firewall Whitelists
Some of the backend services sit behind a firewall with an allowlist (whitelist) rule: only approved applications and services can reach them, and every other source is denied by default.
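To make the allowlist semantics concrete, here is an added Go example (not TimeXtender's firewall code; the addresses are constructed) that evaluates a default-deny source filter the way such a rule behaves: approved CIDR prefixes or single addresses admit a connection, everything else is refused, and IPv4-mapped IPv6 sources are normalised first so an IPv4 rule cannot be sidestepped by presenting the same address in its ::ffff: form.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Allowlist is a default-deny source filter: a connection is admitted only when its
// source address falls inside one of the approved prefixes.
type Allowlist struct {
	prefixes []netip.Prefix
}

// NewAllowlist accepts CIDR strings ("10.0.1.0/24") and single addresses (treated as
// /32 or /128). A malformed entry is an error rather than being skipped, because a
// silently dropped rule turns into an unexplained outage for that caller.
func NewAllowlist(entries []string) (*Allowlist, error) {
	al := &Allowlist{}
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			a, aerr := netip.ParseAddr(e)
			if aerr != nil {
				return nil, fmt.Errorf("allowlist entry %q: %w", e, err)
			}
			p = netip.PrefixFrom(a, a.BitLen())
		}
		al.prefixes = append(al.prefixes, p.Masked())
	}
	return al, nil
}

// Allowed reports whether src may reach the protected service. IPv4-mapped IPv6
// sources (::ffff:10.0.1.5) are unmapped before matching; anything unparsable is denied.
func (al *Allowlist) Allowed(src string) bool {
	a, err := netip.ParseAddr(src)
	if err != nil {
		return false
	}
	a = a.Unmap()
	for _, p := range al.prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed rule set: an app subnet, one jump host, and a documentation IPv6 range.
	al, err := NewAllowlist([]string{"10.0.1.0/24", "203.0.113.7", "2001:db8::/32"})
	if err != nil {
		panic(err)
	}
	for _, src := range []string{"10.0.1.200", "10.0.2.1", "::ffff:10.0.1.5", "2001:db8:1::9", "garbage"} {
		fmt.Printf("%-18s allowed: %v\n", src, al.Allowed(src))
	}
}
```

The two behaviours worth carrying over to whatever firewall product enforces the real rule are the ones the example makes explicit: unknown or malformed sources fall through to deny, and the rule set refuses to load rather than partially load when an entry is wrong.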
Service Connections
Communication between the various services uses custom authentication based on client secrets: the calling service presents its client secret, and the receiving service verifies it before acting on the request.
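The checks a reviewer would want on any shared-secret scheme are shown in the following added Go example (illustrative, not TimeXtender's implementation; the service name is a placeholder): secrets are generated with 256 bits of entropy, the receiving side stores only a SHA-256 digest of each secret rather than the secret itself, the comparison is constant-time, and an unknown client id still pays for a full comparison so response timing does not reveal which ids exist. It assumes secrets are distributed to callers through a secret store rather than committed to source.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// GenerateSecret returns a fresh 256-bit random client secret (base64url, 43 chars).
// That entropy is what makes a plain SHA-256 digest an acceptable storage form below;
// a low-entropy, human-chosen secret would need a password hash instead.
func GenerateSecret() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// Registry is the receiving service's view of its callers: one SHA-256 digest per
// client id, never the secret itself, so a leaked table does not yield usable secrets.
type Registry struct {
	digests map[string][sha256.Size]byte
	dummy   [sha256.Size]byte // compared against when the client id is unknown
}

func NewRegistry() *Registry {
	return &Registry{
		digests: map[string][sha256.Size]byte{},
		dummy:   sha256.Sum256([]byte("placeholder-for-unknown-client")),
	}
}

// Register stores the digest of a secret that was provisioned out of band
// (assumption: delivered via a secret store, not embedded in configuration in source).
func (r *Registry) Register(clientID, secret string) {
	r.digests[clientID] = sha256.Sum256([]byte(secret))
}

// Authenticate verifies a presented (clientID, secret) pair. The digest comparison is
// constant-time, and an unknown id still costs a full comparison against the dummy
// digest, so response timing reveals neither the secret nor which ids are registered.
func (r *Registry) Authenticate(clientID, secret string) bool {
	stored, known := r.digests[clientID]
	if !known {
		stored = r.dummy
	}
	presented := sha256.Sum256([]byte(secret))
	match := subtle.ConstantTimeCompare(stored[:], presented[:]) == 1
	return known && match
}

func main() {
	reg := NewRegistry()
	secret, err := GenerateSecret()
	if err != nil {
		panic(err)
	}
	reg.Register("scheduler-service", secret) // placeholder service name
	fmt.Println("right secret:  ", reg.Authenticate("scheduler-service", secret))
	fmt.Println("wrong secret:  ", reg.Authenticate("scheduler-service", secret+"x"))
	fmt.Println("unknown client:", reg.Authenticate("nobody", secret))
}
```

Rotation fits naturally into this shape: register the new digest under the same client id, roll the caller over to the new secret, and the old one stops working the moment the digest is replaced.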
Database Connections
Databases are accessed with connection strings that carry a username and password.
Database Encryption
All connection credentials and other sensitive data are protected at rest with 256-bit AES encryption.
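As an added example of what "256-bit AES" protection of stored credentials involves in practice (illustrative Go code, not TimeXtender's implementation; the connection string and record id are constructed), the program below seals a connection string with AES-256-GCM: the key length is checked to be exactly 32 bytes so the cipher really is AES-256, a fresh random nonce is used per record, and the record id is bound in as associated data so a ciphertext copied from one row to another fails to decrypt. It assumes the key is loaded at startup from a key vault or the environment, never from source or from a column next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealer protects stored credentials with AES-256-GCM: a 256-bit key and an
// authentication tag, so tampering is detected on read rather than yielding garbage.
// Assumption: the key comes from a key vault or the environment at startup.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) {
	if len(key) != 32 { // 32 bytes = 256 bits; aes.NewCipher would silently accept 16 or 24
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. recordID is bound in as associated data so
// a blob moved from one record to another fails to decrypt there.
func (s *Sealer) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize()) // 96-bit random nonce, fresh for every Seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or record id is an error.
func (s *Sealer) Open(recordID string, blob []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

func main() {
	key := make([]byte, 32) // demo key generated in-process; use a vault-managed key in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, err := NewSealer(key)
	if err != nil {
		panic(err)
	}
	// Constructed example connection string; no real credentials.
	conn := []byte("Server=db.internal;Database=portal;User Id=app;Password=example-only")
	blob, err := s.Seal("datasource:42", conn)
	if err != nil {
		panic(err)
	}
	back, err := s.Open("datasource:42", blob)
	fmt.Printf("round trip ok: %v (err=%v)\n", string(back) == string(conn), err)
	_, err = s.Open("datasource:43", blob)
	fmt.Println("wrong record id:", err)
}
```

Random 96-bit nonces are safe for on the order of 2^32 encryptions under one key; a credential store stays far below that, but key rotation should still be planned so that re-encrypting every record under a new key is a routine operation rather than an emergency.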