Skip to end of metadata
Go to start of metadata

Purpose

To describe the security controls available within the fluig platform and its execution in internal environments (on-premises) and on the cloud.

Cryptography

Data traffic

All communication between fluig and customers is made through HTTPS/TLS – the most popular and reliable protocol available on the market.

Learn more about HTTPS configuration

The customer must provide a valid certificate to be used by the fluig server, e.g. fluig.empresa.com.br.

If the customer does not have a certificate, we suggest using the following address:

3-month HTTPS certificate

PasswordsSensitive user data are written in a manner so that the original content cannot be discovered.
AuthenticationThe Single Sign On (SSO) process occurs via the SAML Protocol, with a certificate generated internally, with no information being exchanged.

Availability and Continuity

Identity Services

on the Cloud

Minimum availability of the fluig Identity environment is 99.5% per month on the production environment.

All monitoring and notifications about the changes to the service status are available at: http://status.fluigidentity.com

Analytics Services

on the Cloud

Minimum availability of the fluig Analytics environment is 99.5% per month on the production environment.
CLOUD Services

Availability and continuity policies change according to the business proposal. Our plans start with 97.5% availability per month.

Check out the specific use and availability values on our proposal.

High availability

On premises

The on-premises customer is responsible for creating an environment that meets their availability and performance needs.

We have recommendations on how a customer should configure their environment to ensure greater availability.

Learn more about how to create high availability fluig environments

We offer support packages to help customers better manage their environment.


Physical Envirolment

Depending on use and contract, the customer can be allocated in the TOTVS NIMBVS or the Amazon data center. Each of these data centers has different characteristics.

NIMBVS Environment

Certifications

    • ISAE 3402 Type II
    • ISO 9001:2008
    • TIER III Data Center
    • Vulnerability management provided by expert consultants
    • 24/7 monitoring and defense against DDOS attacks
    • SIEM
    • Next-Generation Firewall
    • Backup policy as per business proposal
    • Data delivery policy in case of unrecoverable failure in the TOTVS data center as per business proposal
    • Data integrity guarantee as per contract

Location

Data centers are located in São Paulo, Brazil

Amazon Environment

The following certifications are included for fluig Viewer services and for customers allocated on the Amazon cloud:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

More details about certifications on the Amazon environment

Location

Data centers are in the São Paulo Zone, Brazil

Add-on Services Environment

For the platform operation, based on the fog computing concept, some services run on cloud services. For transparency purposes, here are the services and locations.

Identity Environment

Location

Data centers are located in the São Paulo Zone, Brazil, in the Amazon Web Services (AWS)

Analytics Environment

For more information on the architecture and security for the Analytics Services, see the security guide.

Location

Data centers allocated in the United States, in the Rackspace services

fluig Viewer Environment

Location

Data centers are located in the São Paulo Zone, Brazil, in the Amazon Web Services (AWS)


Integration with External Systems

Fluig can be integrated with various systems in different scenarios. For security reasons, we recommend checking all integrations available.

Legacy systems

One of the fluig’s most used features when creating projects is the integration with the systems that the company already has, whether for query or processing purposes.


Supported integration types:

  • SOAP (HTTP and HTTPS)
  • REST (HTTP and HTTPS)
  • JDBC (encryption depends on the Database supplier)

Supported REST authentications:

  • Basic
  • OAuth 1
  • OAuth 2
  • Custom (written in JavaScript)
  • None

Mandatory components

On-Premises - License Server
The License Server must be installed to check the customer’s contract. The server connects to the cloud to check the contract to which the customer has access. Learn more about the license server.


On-Premises - Database
As per the Portability Matrix, fluig requires the use of a database. Check the supplier’s documentation for more details on this component’s security features.

Optional components

Microsoft Active Directory or OpenLDAP

A directory service can be used for user authentication. Both the platform and fluig Identity have connections and, in fluig Identity’s case, SmartSync is used to make this communication even more secure.

SMTP - E-mailing

We use the SMTP protocol with SSL or TLS to send notification e-mails.

PUSH Notifications

Both the Google® and Apple® infrastructures are used for notifying mobile application users: small messages with no business critical data are sent by the technology partner UrbanAirship, centralizing all messages sent to fluig customers.



Mobile Environment

Fluig may be accessed via mobile devices through fluig Mobile, available for Android and iPhone/iPad.

Data traffic

Communication between fluig Mobile and the fluig server occurs via a network connection, with all data traffic being sent via HTTP.

For access via cellular data network (3G/4G), fluig must have its address published on the internet. HTTPS may be enabled to provide for greater security, using valid certifications for mobile devices.

If the address is not published on the internet, the mobile device on which fluig Mobile is installed must be connected to a network that allows access to the fluig server.

E.g., Company’s Wi-Fi, VPN connection, etc.

AuthenticationAuthentication is provided by OAuth, a secure authorization protocol that does not store the user and password at login, only the authentication key (token).


Network and application security

Followed recommendationIn most security actions, OWASP recommendations are taken into account.
Vulnerability testing

Third parties perform independent Pentests on a regular basis.

Any vulnerability detected is evaluated according to the impact and probability of the failure, and correction tasks are created for the responsible team.

Pentest last performed: March/2017

Security incidents

In the event of an information leak or detected vulnerability, we allocate our technical professionals to remedy the issue.

To ensure this process, customers are advised to open a ticket reporting the situation.


  • No labels