Tech Brief

Technology

Frontend (Desktop): .NET Framework, WPF 

Frontend (Web): React, TypeScript 

Frontend (Mac):  SwiftUI, React, TypeScript 

Backend: .NET 6, .NET Framework, Traefik, Consul 

Hosting: Azure (utilizing Azure VMs, Azure SQL, etc.) 

Monitoring: Azure Monitor, Prometheus, Grafana

Browser support

Chrome: Latest ✔

Safari: Latest

Microsoft Edge: Latest

Mozilla Firefox: Latest ✔

Internet Explorer: Not supported 

Cloud platform, security and scaling

Backend and web apps are hosted on Microsoft Azure Resources (Azure VMs, Azure SQL, etc.). 

Data is stored inside the Azure Platform (PaaS). 

Microsoft Azure holds ISO 27001 and PCI DSS certifications, among others. 

For more information on Microsoft Azure security and compliance: 
http://azure.microsoft.com/en-us/support/trust-center/ 

Microsoft Azure provides an SLA of 99.95% for the website and API and 99.99% for data storage. 

For info on Microsoft SLA:
http://azure.microsoft.com/en-us/support/legal/sla/

Scaling

The empower® backend is built and hosted with scalability in mind. 

Geofencing

empower® can be hosted in all available public Azure regions. During the setup process, we work with our customers to determine the optimal region to use. 

Azure keeps backups within the tenant's geography by replicating them to a paired region in the same geography; the region pairings are listed at: 
https://docs.microsoft.com/en-us/azure/availability-zones/cross-region-replication-azure#azure-cross-region-replication-pairings-for-all-geographies 

For tenants hosted in the EU this means backups are stored in a second region that is also inside the EU. A few pairings cross geographies (Brazil South is paired with South Central US), so the pairing of the chosen region should be confirmed against that list. 
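
One way to confirm the paired-region claim for the region you choose, added here as an example and not part of the tech brief or of the empower® product: the script below reads the JSON that `az account list-locations -o json` produces and checks whether the paired region's geography group matches the region's own. The sample data is constructed inline and reduced to the fields the check reads, so it runs offline; the pairings in it follow the Azure list linked above, including the Brazil South pairing that crosses into the US geography, and Poland Central as a region without a pair.

```python
import json

# Constructed sample in the shape of `az account list-locations -o json`,
# trimmed to the fields this check reads (name, metadata.geographyGroup,
# metadata.pairedRegion). Pairings follow the Azure cross-region
# replication list; polandcentral is included as a region without a pair.
SAMPLE_LOCATIONS = json.dumps([
    {"name": "westeurope", "metadata": {"geographyGroup": "Europe",
        "pairedRegion": [{"name": "northeurope"}]}},
    {"name": "northeurope", "metadata": {"geographyGroup": "Europe",
        "pairedRegion": [{"name": "westeurope"}]}},
    {"name": "brazilsouth", "metadata": {"geographyGroup": "South America",
        "pairedRegion": [{"name": "southcentralus"}]}},
    {"name": "southcentralus", "metadata": {"geographyGroup": "US",
        "pairedRegion": [{"name": "northcentralus"}]}},
    {"name": "northcentralus", "metadata": {"geographyGroup": "US",
        "pairedRegion": [{"name": "southcentralus"}]}},
    {"name": "polandcentral", "metadata": {"geographyGroup": "Europe",
        "pairedRegion": []}},
])


def load_regions(raw_json):
    """Index the CLI output by region name."""
    return {entry["name"]: entry for entry in json.loads(raw_json)}


def pair_of(regions, name):
    """Return the paired region's name, or None if Azure lists no pair."""
    pairs = regions[name].get("metadata", {}).get("pairedRegion") or []
    return pairs[0]["name"] if pairs else None


def check_region(regions, name):
    """Decide whether geo-redundant backups taken in `name` stay in its geography.

    Returns a dict with the verdict and the reason so the result can feed a
    compliance report instead of only being printed.
    """
    if name not in regions:
        raise KeyError(f"unknown region {name!r}")
    geo = regions[name]["metadata"]["geographyGroup"]
    pair = pair_of(regions, name)
    if pair is None:
        return {"region": name, "paired": None, "geography": geo, "ok": False,
                "reason": "no paired region; confirm the backup redundancy "
                          "setting is local or zone redundant, not geo-redundant"}
    if pair not in regions:
        return {"region": name, "paired": pair, "geography": geo, "ok": False,
                "reason": f"paired region {pair} is missing from the listing"}
    pair_geo = regions[pair]["metadata"]["geographyGroup"]
    ok = pair_geo == geo
    return {"region": name, "paired": pair, "geography": geo, "ok": ok,
            "reason": "paired region is in the same geography" if ok
                      else f"paired region {pair} is in {pair_geo}, not {geo}"}


if __name__ == "__main__":
    regions = load_regions(SAMPLE_LOCATIONS)
    for region in ("westeurope", "brazilsouth", "polandcentral"):
        print(check_region(regions, region))
```

Against a real subscription, replace SAMPLE_LOCATIONS with the output of the `az` command and run the check for the region agreed during setup; a region with no pair is not a failure by itself, but then the backup storage redundancy setting, not the pairing, is what keeps backups in place.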

Data storage

All data is stored in Azure SQL with regular backups, enabling point-in-time restore if necessary. 

Temporary cache data is stored on Azure VMs. 

Guest and data isolation

Isolation from other Microsoft Azure customers is provided by the Azure platform. 

With the exception of empower® Express, empower® uses a single-tenant database and application servers for each customer, so no user can reach another tenant's data. Within a tenant, fine-grained access control at the level of library folders ensures that users can only perform the tasks they have been authorized for. 

empower® Express is a multi-tenant environment; there, customer data is isolated by that same access-control system rather than by separate databases and servers. 

Encryption

All communication between the backend and its clients (desktop and web apps as well as third-party integrations) is encrypted in transit with TLS 1.2 or 1.3 (commonly still referred to as SSL). 

All data at rest (databases as well as VM disks) is encrypted with Azure platform-managed encryption at rest (AES-256). 
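
A check for the client side of that connection, added here as an example and not code from the empower® product: an integration that calls the backend should itself insist on TLS 1.2 or newer and verify the server certificate, because a server that offers only TLS 1.2/1.3 does not help a client that skips certificate verification (an interposed endpoint can then present any certificate and any protocol version). The audit function below reports an ssl.SSLContext that would accept such a connection. Both contexts are constructed in the script and nothing connects to the network.

```python
import ssl

# Policy for integrations talking to the backend: TLS 1.2 or newer,
# certificate verified against the trust store, hostname matched.
REQUIRED_MIN = ssl.TLSVersion.TLSv1_2


def audit_client_context(ctx):
    """Return the policy findings for a client SSLContext (empty list = compliant)."""
    findings = []
    if ctx.minimum_version < REQUIRED_MIN:
        findings.append(f"minimum TLS version is {ctx.minimum_version.name}; "
                        f"require {REQUIRED_MIN.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified "
                        "(verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate "
                        "(check_hostname is False)")
    return findings


def weak_context():
    """Client settings that defeat the server's TLS configuration.

    Constructed only to show what the audit flags; do not use.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE              # accepts any certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # also accepts TLS 1.0 and 1.1
    return ctx


def hardened_context():
    """Client settings matching the transport described above: TLS 1.2 or
    newer, certificate and hostname verified against the system trust store."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```

Run the audit over the context an integration actually hands to its HTTP client; the hardened context is what `ssl.create_default_context()` gives on current Python versions once the minimum version is pinned, so the fix is normally a one-line change.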

Open Source components

A selection of vetted open-source components is used; these are continuously monitored for patches and security vulnerabilities.

Data Processing Agreement

Our general data processing agreement can be found here:

General DPA

For the empower® Express platform the data processing agreement can be found here:
https://www.rightaligned.com/terms-and-conditions

Authentication

OpenID Connect is supported out of the box with Microsoft Entra ID and Okta.

For on-premises installations, Windows Authentication (Active Directory) using Kerberos and NTLM is also supported. 

SCIM/User Provisioning

empower® supports SCIM for provisioning user accounts. 

In addition to SCIM, active synchronization of users (pulling users from the identity provider) is supported for on-premises AD, Microsoft Entra ID and Okta. 

Single Sign-On

Microsoft Entra ID via an app registered in Microsoft Entra ID (using OpenID Connect). 

Okta via an app registered in Okta (using OpenID Connect). 

On-premises installations can also use Windows Authentication (Kerberos / NTLM) for SSO.

IT security certifications of empower® as an organization

We possess an ISO 27001 certification.

View certificate

Logging

Successful and failed logins are captured by the identity provider (AD, Microsoft Entra ID, Okta, etc.) used by the customer. 

Last login date for individual users is also logged at the database level. 

Privileged administrative operations by the empower® operations team are logged within Azure and in our external monitoring system. 

Ports used for communication between device and application

HTTPS (TCP port 443) only.
