Data Security Policy

Learn how we handle your business and customer data

1. Authentication

Authentication is accomplished primarily by a login and password mechanism. Logins and passwords are only issued after verifying a registered user’s credentials. Users are required to change their password upon initial login and periodically thereafter. Strong passwords are enforced: a minimum length is required, and passwords must include letters, digits and special characters. Passwords are stored encrypted in the database. rapidBizApps may identify and authenticate users to the system using two-factor authentication. When a user is authenticated to the rapidBizApps system with two-factor authentication, s/he provides a unique username and password, as well as a one-time access code generated by the e-identity Security System. The e-identity Security System utilizes a card that generates an access code that is unique to the token. The access code can be used only once to access the rapidBizApps system; a different access code is generated each time the card is used. The card can be taken away or disabled to prevent access to the rapidBizApps system. Each authenticated user session has an inactivity timeout: after a specified period of inactivity the user must re-authenticate to the rapidBizApps system.

Users of the rapidBizApps system also have to trust that they are connecting to rapidBizApps and not a rogue machine that may be set up to look and act like rapidBizApps. Server authentication is provided by the use of a server certificate. When a browser connects to the rapidBizApps system, the browser automatically uses the certificate to verify that it is connecting with the legitimate rapidBizApps site.

2. Authorization

Authorization is the process of granting or denying access to a resource based on the identity of a user. In the rapidBizApps system, the authorization model defines what actions individual users and parties can perform within the scope of a rapidBizApps transaction. rapidBizApps defines authorization via the configuration of access control lists, user and company roles and business workflow rules within the system.

Access to the documents in a rapidBizApps transaction is configured by a member organization’s system administrator who controls what individual users are allowed to see and do within the rapidBizApps system. The business rules interact with the workflow system to control which parties can act on a transaction at any time.

3. Confidentiality

The SSL (Secure Sockets Layer) protocol provides a secure mechanism for exchanging data on the rapidBizApps system. rapidBizApps’ Server Certificate enables strong (128-bit) encryption on all communications between a user’s browser and rapidBizApps’ servers.

4. Integrity

The integrity of data in a transaction is extremely important to parties involved in it. There needs to be some level of assurance that an unauthorized individual has not altered the information in a transaction. The data must remain exactly as was entered and approved by the different parties involved in the transaction.

Digital signatures help protect the integrity of documents in the rapidBizApps system. When a user first accesses the rapidBizApps system, s/he automatically generates a Public/Private key pair. The private key is encrypted with a password that is known only by the user and is stored alongside the unencrypted public key. To apply a digital signature a user must present his/her password to decrypt the private key. The private key is then used to create the digital signature on the document data. The rapidBizApps system can prove the integrity of document data at a later date by passing the document data, the signature and the public key into the digital signature verification algorithm. If the document data has been altered in any way, the verification process will fail.

User passwords are never stored in the rapidBizApps system; instead, only hashed values of the password are persisted. No one with access to the rapidBizApps system database will be able to find out a user’s password for the purpose of accessing the system.

5. Non-Repudiation

Non-Repudiation is the ability of a party involved in a transaction to enforce the terms of the transaction against the other party. rapidBizApps seeks to achieve non-repudiation through the use of the four previous tenets of security. Strong non-repudiation means that no party involved in a transaction can successfully deny that it had involvement in the completion of the transaction.

Non-Repudiation in the rapidBizApps system is ensured with the addition of auditing to all the above security tenets. The ability to authenticate users, authorize user access, provide for confidentiality, prove integrity and audit transactions provides a means for proving a user’s involvement in a transaction and the enforceability of the transaction terms. Every action a user makes is logged, along with the data involved in the action, to an audit facility in the rapidBizApps Network the moment it is performed. This data is captured for auditing purposes only, and no system access is provided to the audited information.