Openprise servers run on Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory.

Openprise services are accessible only over HTTPS secured connections. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Openprise uses strong encryption algorithms with a minimum key length of 256 bits.

All network access, both within the data center and between the data center and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.

Openprise servers deny access to all unauthorized ports, except that SSH access (protected by encryption and private key authentication) is enabled for administration. Administrative access is granted only to select Openprise administrators and IP addresses. Openprise administrators do not access customer data without explicit permission from the customer. Permission is requested only for the purpose of assisting the customer with configuration and debugging.

Customer data in Openprise is encrypted both in transit and at rest.

Openprise uses a three-tier data security model to help you control data access for your users, to ensure users are only allowed to access the data they are entitled to see and edit.

By default, all services and all data are available to all users within your company account. The data security policies are subtractive policies. Each policy layer acts as a filter to restrict users’ access to data. You can enable any of these 3 security layers independently.

• Access policy – The first level of security is controlling users’ access to the services. You can choose to restrict access by organization.
• Data ownership policy – Once a user has access to a service, the second level of security controls what subset of data each user is allowed to see. You can set policies to filter data for users from each organization.
• Data redaction policy – Once a user can see data, the third level of security controls how each attribute is presented to users. For example, you can mask social security numbers or scramble employee IDs.

By default, users within your account are allowed to see each other, including each other’s objects. However, you can restrict users’ access and edit privilege to the objects.

Openprise users log in to the system using email address and password. Openprise requires the use of reasonably strong passwords. Passwords are not stored in clear text, but as a secure hash. The hash is used because it is a good counter against common password guessing attacks and attempts to reverse engineer passwords from the hash.

Resetting a password requires access to a user’s registered email and the reset action is time limited.

Excessive failed login attempts will result in an account being automatically locked out.

If a session becomes inactive for a period of time, the user is automatically logged out and is required to authenticate again.

When Openprise connects to a data source like Google Drive using user-supplied credentials, where possible this is done using OAuth 2.0. The advantage of using OAuth is that Openprise does not need to store users’ credentials. Openprise simply stores an OAuth token that grants Openprise limited access to users’ data. Users can easily revoke this token at any time. If the data source does not support OAuth and Openprise is required to store users’ credentials, they are encrypted using a 256-bit key. Connections to data sources are via secure HTTPS connections if supported by the data source. Openprise also supports SAML 2.0 based single sign-on with providers such as Okta and OneLogin.

Openprise engineers have been trained in secure coding practices. Openprise application architecture includes mitigation measures for common security flaws such as those in the OWASP Top 10. The Openprise software uses industry standard, high-strength algorithms such as AES. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.