Data Security

iBE.net ensures that client data stored in our Database is secure and protected, and will not be shared outside of authorized users in the same client’s organization. Specifically:

• Each client of iBE.net gets its own transactional database in mongoDB (our underlying database technology). Transactional client data is not stored in a common database like many other cloud systems. Database access is used/password controlled in our servers.
• Our database and back-end servers are not open to the Internet, only our web-servers (nginx) are open to the internet. This three layer multi-tiered architecture (web server, Java server, database server) increases the number of servers required but ensures the highest possible security and integrity as well as boosting performance
• Access to iBE.net’s databases uses Verisign certified Secure Sockets Layer (SSL) encryption of all communications between browser and server. Client users must use an SSL-enabled browser to access iBE.net and an https URL
• Communications to our APIs* from user browsers using a secure encrypted token key passed with API calls to unlock access to our client’s data for authorized users. This token contains not only the client ID (= database) but also the userID to control authorization access and is only provided after user/password authentication. Authorization controls are checked in both the browser and server to prevent unauthorized access
• All user access to iBE.net is user/password protected. Clients can set their own rules for password strength, password expiry, session activity (due to inactivity) and options to access iBE.net using OpenID via GMAIL, LinkedIn or Quickbooks user accounts. iBE.net’s login screen supports most single-sign on (password wallet) applications
• We host our servers in Amazon data-centers in Northern Virginia and West Oregon. AWS provides robust firewalls to protect against denial of service attacks, in-transit encryption, and private connection options (which iBE.net uses for back-end servers). AWS is ISO 27018, ISO 27001 and SOC1, 2 & 3 compliant and certified, as well as being AICPA (formerly SAS70) certified
• Authorizations to apps/menus as well as specific tabs and fields can be controlled by user or user group via the job-role in iBE.net. In this way, for example, access to compensation data can be restricted from screens, lists and reports for unauthorized users. This also applied to IT admin and even iBE support users
• iBE.net employees only get access to client data on a “need to know” basis and access by iBE to client’s data uses the same user/password mechanism as client users. Clients can revoke iBE support user access at any time. Database level access is controlled within iBE.net’s support team
• Any changes to database fields are logged in a timeline database reporting on which is easy by clicking on the “history” tab available in the majority of iBE.net’s apps.

Data Integrity

iBE.net ensures that client data stored in our database is always available and cannot get easily lost or destroyed. We have not in our company history had any incidents of losing client data. Specifically:

• Client transactional data is stored and automatically replicated to the separate databases on three servers, two in Northern Virginia and one server in West Oregon to ensure physical separation. API requests are automatically routed to the most available server so there is no need to fail-over or switch over in case one of our three database servers goes down or becomes inaccessible
• West Oregon also acts as a disaster-recovery stack and is capable of being switched to the primary server stack in minutes if required. Fail-over is automatic as mentioned in the first point
• Dashboards and reports are running off a separate database with two database servers using monetDB to ensure that heavy reporting loads do not slow down access to our transactional data
• Clients can take a copy of their data at any time either by running and download reports to excel, by running export queries to xls, csv, xml or tab delimited files, or by invokes a utility to download the entire databas in raw (json) format
• We take great care to ensure our clients’ data and respect the fact that ownership of client data is with the client. We do not give or sell our client’s data to third parties.

More Information

Intro to AWS Security | Privacy Policy

Note * a small number of APIs such as sign up, login and console accesses are special custom APIs which are not using an encrypted token only accessible after successfully logging in.