Difference between revisions of "Whistleblower"

From TempusServa wiki
Jump to navigation Jump to search
Line 36: Line 36:
* '''Storage encryption (AWS + LUKS)''' Storage is encrypted with LUKS (Linux Unified Key Setup – 256-bit AES disk encryption). Thus, persons with physical access to hardware cannot access stored data.
* '''Storage encryption (AWS + LUKS)''' Storage is encrypted with LUKS (Linux Unified Key Setup – 256-bit AES disk encryption). Thus, persons with physical access to hardware cannot access stored data.
* '''Encryption During Transmission''' Communication is protected with SSL certificates and HTTPS (TLS). Numeric suites for HTTPS are continuously updated.
* '''Encryption During Transmission''' Communication is protected with SSL certificates and HTTPS (TLS). Numeric suites for HTTPS are continuously updated.
* Activity and data logging
* '''Activity and data logging''' Activity and Data Logging is enabled. IP logging on server requests is disabled in order to ensure anonymity of the user.
* Versioning
* Versioning
* '''GDPR Deletion Policies''' In accordance with applicable data protection rules, archived data is automatically anonymized after 60 days. In order to ensure an independent fourth party, a written agreement has been entered into that the sub-data processor may not give LES users access to the server and backend.
* '''GDPR Deletion Policies''' In accordance with applicable data protection rules, archived data is automatically anonymized after 60 days. In order to ensure an independent fourth party, a written agreement has been entered into that the sub-data processor may not give LES users access to the server and backend.
Line 43: Line 43:




Note that IP logging on server requests is disabled, in order to secure anonomity of the users.
 


See [[Security_setup|Security setup]] for additional information on security and compliance features available on TS No-code Platform.
See [[Security_setup|Security setup]] for additional information on security and compliance features available on TS No-code Platform.

Revision as of 15:52, 16 November 2021

Application

The LES Whistlebloaer Portal is fully managed by Tempus Serva Aps.

The system supports the following roles and usecases

  • Lawyer: Handles whistleblower cases
  • Tenant user: Handles whistleblower cases
  • Whistleblower: Anonoumous users that creates new cases

Whistleblower have the option to return to their case using a randomized code.

Hosting Setup

The LES Whistleblower Portal is hosted by Amazon Webservices EC2 in the data center in Stockholm, which complies with the following standards PCI DSS 3.2 Level 1 Service Provider, FIPS 140-2, ISO 27001. The server is protected by 2 layers of firewalls and utilizes the following supported services:

  • SSL certificates are automatically updated monthly from LetEncrypt
  • UptimeRobot polls the server each minute checking
    • Access to database
    • Sufficient storage and RAM
  • Database is dumped nightly
    • Replicated to encrypted storage in EU
    • Rentention daily 60 days, monthly 2 years
  • Office365 SMTP service for sending emails

Technology Stack

The technological stack consists of:

  • LES Whistleblower Portal
  • TS No-code Platform
  • Apache Tomcat
  • MySQL
  • Amazon Linux 2

Security Setup

The following security and compliance features are enabled and active:

  • Password policy The enabled policy forces users to create passwords based on the following minimum criteria: Minimum 8 characters, Must contain uppercase and lowercase letters, Must contain numbers, Must contain special character(s).
  • Multi-factor authentication Access to case management for attorney/lawyer at LES (ombudsman) and contact persons in the company, respectively, is protected with a username and password, followed by a randomized, session-specific OTP (One-Time-Password) sent to the users mobile phone as either a regular or Flash SMS, to verify the user’s identity.
  • Storage encryption (AWS + LUKS) Storage is encrypted with LUKS (Linux Unified Key Setup – 256-bit AES disk encryption). Thus, persons with physical access to hardware cannot access stored data.
  • Encryption During Transmission Communication is protected with SSL certificates and HTTPS (TLS). Numeric suites for HTTPS are continuously updated.
  • Activity and data logging Activity and Data Logging is enabled. IP logging on server requests is disabled in order to ensure anonymity of the user.
  • Versioning
  • GDPR Deletion Policies In accordance with applicable data protection rules, archived data is automatically anonymized after 60 days. In order to ensure an independent fourth party, a written agreement has been entered into that the sub-data processor may not give LES users access to the server and backend.
  • Event and system logging Is enabled to automatically log unsuccessful login attempts, system events, user errors, etc.
  • Scrubbing of files All files uploaded via the portal are cleaned of personally identifiable meta-data such as name, initials, geotags, etc. LES Whistleblower Portal supports all common file formats, including: MS O ce files, PDF, image formats like PNG, JPG, BMP etc., as well as media files MP3 and MP4.



See Security setup for additional information on security and compliance features available on TS No-code Platform.