When accessing Prescience either via the API or via the web and mobile clients, all users are required to authenticate using a username (typically an email address) and password.
To establish a high level of password strength, Prescience enforces the following minimum password requirements:
All passwords are stored in a hashed format and will never be sent via email. Upon account creation or for password recovery purposes Prescience will send an email to the email address associated with the user account. The email includes a link to allow the user to create a new password.
Account owners and administrators can create, edit, pause and delete users and manage the roles of individual users within the admin panel. Account owners can assign account ownership to other users, with the strict requirement that there must always be least one account owner. Similarly, administrators can assign and remove administrator rights to regular users. However, administrators cannot manage account ownership.
All access to account data and content (either via the API or using the web and mobile clients) passes through the API which enforces strict authentication and authorization. As a result, it is not possible to access any user data or content stored in Prescience directly, without first passing through the API.
In select cases, Prescience may share information with a third party service that acts as an agent on behalf of Prescience (e.g. passing a users email address on to our email delivery service). However, Prescience will only share the minimum required information with our agents, and never for any other purpose than delivering the Prescience service.
Actions that manipulate data are logged and stored in Prescience with reference to the account, user account, and timestamp. Some of the logging data is available for users within the application by browsing to the activities tab of objects that display logging. Note that log messages are irrevocably lost when objects are permanently deleted within the service.
All API calls to Prescience and outbound webhooks are logged and stored for a minimum of 30 days. In some cases, an overview of the in- and outbound traffic may be available from within the Prescience application. This data may be accessed by authorized members of the technical team as required by their role for troubleshooting and monitoring the overall performance and reliability of the service.
Analytical information about user operating system, browser version, geolocation based on IP, and timestamp along with generic and cleansed event information (e.g. entity created, cleansed of user content such as serial number, item number, etc.) is collected and used for analysis purposes. Such application logs are centrally collected, stored and analyzed using Microsoft Application Insights and Google Analytics.
Prescience production services are hosted by Microsoft Azure cloud services. The physical servers are located inside secure Microsoft Azure data centers.
Please refer to the official Microsoft Azure security documentation for more detailed information about data center security: Microsoft Azure security
All content is stored in Microsoft Azure’s secure data centers. Currently, Prescience is storing data in the following physical data centers:
|Hosting Provider||Region||Physical Location||Type|
|Microsoft Azure||West Europe||Amsterdam, NL||Read/Write|
Prescience does not offer customers to host services on a private server, on-premise or otherwise use Prescience on separate infrastructure.
Production data of customers is never to be copied from or stored outside of the production environment, save any backup files governed by the backup policy.
Upon account termination or upon customer request Prescience shall completely remove customer data and content from the production environment. The customer data and content will remain in an encrypted format in Prescience’s historical backups for the period specified in the backup policy.
Prescience uses industry-standard Secure Sockets Layer (“SSL”) to encrypt all data sent over the Internet using a very strong SHA-256 encryption. This includes any data that is exchanged between Prescience servers and the API, web, and mobile clients.
Prescience uses Always-On-SLL (“AOSSL”) to force encryption of all traffic and as a result, there is no non-SSL way to connect to and exchange data with Prescience servers.
Prescience uses a variety of Microsoft Azure storage technologies. As data security is a primary concern for Prescience all account data and content is encrypted at-rest using a 256-bit AES encryption.
For data stored in SQL databases, Prescience uses the standard built-in Transparent Data Encryption (TDE) to safely encrypt all SQL databases containing user data, including associated database backups and logs. Please visit the official Microsoft Azure documentation to read more about Transparent Data Encryption.
For data stored in document databases (CosmosDB) all account data and content is stored in encrypted databases as part of the regular CosmosDB database service that is managed by Microsoft. Please visit the official Microsoft Azure CosmosDB documentationto read more about at-rest encryption for document-based data.
Finally, for data stored in Microsoft Azure Storage Services (such as files, attachments, event data, and log entries) data is encrypted at-rest using Storage Service Encryption (SSE). For more information about SSE please visit Microsoft Azure’s official Storage Service Encryption documentation.
Cached or temporary user content may be stored in a non-encrypted form on the user’s device. Should the operating system of a device be compromised any attempt to encrypt data can be circumvented.
Revision: 1.0 (Updated 03-01-2018)
03-01-2018 – Document created.
Book a Free Demo