Data is the most important asset for all applications on the platform. Therefore, protecting data from unintended use or destruction is the first and foremost concern. Policies, procedures and practices used to protect data are described on this page.
A. Data Classification
For the purposes of defining and monitoring data security principles, all data that the application deals with is classified into one of the following categories.
| Classification | Who can access it | Examples |
|---|---|---|
| Public | Accessible to everyone, including users who have not signed in to authenticate themselves. | Only public content managed and published through the content management system. |
| General | Accessible to all signed-in users. | User profile information, account names and addresses, protected content managed through the content management system, parts of application Help. |
| Sensitive | Accessible on a delegation basis, with access controlled by the data owner. | Products and services, pricing and other commercials, orders and invoices, private content managed through the content management system, the majority of application Help. |
| Confidential | Accessible only to the data owner. | User passwords. |
Note: Pricing, other commercials and order information are classified as sensitive rather than confidential because such information is never accessible to a single party alone. For instance, an order is accessible at a minimum to the buyer and the supplier, and optionally to other parties such as the transporter and the warehousing provider. No party can claim an exclusive right to the order, since the advantage of a shared network depends on this shared view of common data.
B. Data on the Client
Users access the platform using regular web browsers. In order to maintain the security of application data when it is loaded within a user's web browser, the following practices are followed:
- All users must authenticate themselves with the platform in order to access any data that is not classified as public.
- In order to access sensitive or confidential data, users must additionally have specific roles that allow access to the data of interest. See role-based access control for details on how user authorization is performed and enforced.
C. Data in Transit
Users exchange their data with the platform over the Internet, which is a public network of inter-connected computers. To ensure privacy of the data while it is in transit from the user's web browser to the servers hosting the platform, or the other way around, all communication to and from the servers is encrypted using industry-standard technologies.
Applications use TLS (the protocol historically known as SSL) with server certificates carrying 2048-bit public keys. The certificate and its public key authenticate the server to the browser and protect the handshake in which a session key is agreed; the data itself is then encrypted with the symmetric cipher negotiated in that handshake. Together this ensures the integrity and privacy of data while in transit. The negotiated protocol version, cipher suite and certificate key size for any endpoint can be checked from a workstation with openssl s_client -connect host:443 -servername host.
D. Data at Rest
When confidential data is stored on physical storage media such as hard disks, it is never written in the clear. It is either encrypted or hashed using algorithms approved under FIPS 140-2: strong encryption algorithms such as AES, and hash algorithms from the SHA-2 family. The difference matters: encryption is reversible by anyone holding the key, whereas a hash is one-way and the original value cannot be recovered from it. Which is used depends on whether the platform ever needs the original value back. User passwords only ever need to be checked, never read, so they are stored as the output of a strong one-way hash function.
Note: Since user passwords are hashed before being stored, there is no way for us to see, recover or reissue a user's current password. A forgotten password can only be replaced with a new one chosen by the user.
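The following is an added example, not the platform's own code, of how password storage works in practice when a one-way hash is used as described above. It uses only the Python standard library; PBKDF2-HMAC-SHA256 is chosen because hashlib ships it and it is a FIPS-approved construction. The per-user random salt, the iteration count (600,000, an assumed work factor taken from current OWASP guidance rather than a figure from this page) and the self-describing record format are all choices made for the example.

```python
"""Salted, iterated password hashing with constant-time verification.

Added example (not the platform's code). Stores a record of the form
    pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>
so the parameters needed to re-check a password travel with the record,
while the password itself is never recoverable from it.
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record for `password`.

    The salt is random per user, so two users with the same password get
    different records and an attacker cannot precompute one table for all.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DK_LEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    """Split a record into (iterations, salt, digest); None if malformed."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return None
        return (int(iterations),
                base64.b64decode(salt_b64, validate=True),
                base64.b64decode(digest_b64, validate=True))
    except ValueError:          # wrong field count, bad int, bad base64
        return None


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iterations and compare
    in constant time. Nothing here reveals the original password."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with a weaker work factor than the current
    policy; a login handler that gets True should re-hash the password it has
    just verified and store the new record."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < ITERATIONS


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")   # constructed input
    print(stored)
    print(verify_password(stored, "correct horse battery staple"))
    print(verify_password(stored, "wrong"))
```

A "reset" in this scheme is simply a call to hash_password with the user's newly chosen password, which replaces the old record; there is no operation that turns a stored record back into a password.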
Whenever we use an encryption algorithm (as opposed to a hash algorithm), we always assign unique keys to each data owner. For example, if we were to store bank details for a legal entity, each legal entity would get a unique key that will be used to encrypt the bank details (and any other confidential data) for that legal entity (and that legal entity only). This scheme adds several layers of security for confidential data in the following ways:
- The use of encryption ensures that confidential data is never stored on our systems as plain text. Our own data and system administrators, who may have access to the stored records, therefore cannot read the true content of confidential customer data, provided they do not also hold the key material that protects it.
- The use of FIPS 140-2 approved encryption ensures that recovering confidential data without the corresponding key is computationally infeasible.
- The use of a separate key for each data owner ensures that, should the key for a single data owner leak, only that owner's data is exposed and the other owners are unaffected.
- All encryption keys are generated by the platform without user intervention, using cryptographically strong mechanisms, and are never revealed to data owners. This removes the risk of keys leaking through human error, such as someone writing a key down on a piece of paper.
- Encryption keys are never stored alongside the data. In fact, keys are never stored anywhere; they are derived on demand whenever an encryption or decryption operation is required. A key that can be reproduced on demand must be derived from a secret the platform does hold, so the guarantee rests on keeping that secret separate from the data store. This arrangement ensures that someone with access to the stored confidential data does not also have access to the key required to decrypt it.
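The following is an added example, not the platform's code, of the per-owner, derived-on-demand key scheme described in this section. A master secret (a constructed value here; in practice it would live in a KMS or HSM that the data store cannot reach) is combined with the data owner's identity and the purpose of the key using HKDF (RFC 5869), implemented with hmac and hashlib from the standard library. The same inputs always reproduce the same key, so nothing key-shaped is written next to the data, and changing the owner or the purpose yields an unrelated key. The salt label and the identifiers used are assumptions made for the example.

```python
"""Per-owner data keys derived on demand with HKDF-SHA256 (RFC 5869).

Added example (not the platform's code). The derived 32-byte key is what an
AES-256 mode such as AES-GCM would consume; the derivation, not the cipher,
is the point demonstrated here.
"""
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size   # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt means zeros."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated
    until `length` bytes have been produced."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_owner_key(master_secret: bytes, owner_id: str, purpose: str,
                     length: int = 32) -> bytes:
    """Deterministically derive the key for one data owner and one purpose.

    The info string binds the key to the owner and to what it is for, so the
    key for owner A's bank details is unrelated to the key for owner B's bank
    details and to owner A's key for anything else. Nothing needs storing:
    the same master secret, owner and purpose always yield the same key.
    """
    if not owner_id or not purpose:
        raise ValueError("owner_id and purpose must be non-empty")
    # "data-at-rest-v1" is an assumed domain-separation label.
    prk = hkdf_extract(b"data-at-rest-v1", master_secret)
    # Length-prefix each field so ("ab", "c") cannot collide with ("a", "bc").
    info = b"".join(len(f).to_bytes(2, "big") + f
                    for f in (owner_id.encode("utf-8"), purpose.encode("utf-8")))
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    master = b"\x42" * 32                      # constructed; would come from a KMS/HSM
    k_a = derive_owner_key(master, "entity-1001", "bank-details")
    k_b = derive_owner_key(master, "entity-1002", "bank-details")
    print(k_a.hex())
    print(k_a == derive_owner_key(master, "entity-1001", "bank-details"))  # reproduced
    print(k_a != k_b)                                                      # isolated
```

Because the data store holds only ciphertext and the owner identifier, an administrator with access to it cannot run derive_owner_key: the master secret is the one input they lack. Conversely, a leaked k_a says nothing about k_b, since HKDF's output blocks are independent HMAC evaluations under a key the attacker does not have.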