Difference between revisions of "Whistleblower"

From TempusServa wiki
Line 36: Line 36:
* '''Storage encryption (AWS + LUKS)''' Storage is encrypted with LUKS (Linux Unified Key Setup – 256-bit AES disk encryption). Thus, persons with physical access to hardware cannot access stored data.
* '''Storage encryption (AWS + LUKS)''' Storage is encrypted with LUKS (Linux Unified Key Setup – 256-bit AES disk encryption). Thus, persons with physical access to hardware cannot access stored data.
* '''Encryption During Transmission''' Communication is protected with SSL certificates and HTTPS (TLS). Numeric suites for HTTPS are continuously updated.
* '''Encryption During Transmission''' Communication is protected with SSL certificates and HTTPS (TLS). Numeric suites for HTTPS are continuously updated.
* '''Activity and data logging''' Activity and Data Logging is enabled. IP logging on server requests is disabled in order to ensure anonymity of the user.
* '''Activity and data logging''' Activity and Data Logging is enabled. However, IP logging on server requests is deliberately disabled to ensure the anonymity of external users.
* Versioning
* Versioning
* '''GDPR Deletion Policies''' In accordance with applicable data protection rules, archived data is automatically anonymized after 60 days. In order to ensure an independent fourth party, a written agreement has been entered into that the sub-data processor may not give LES users access to the server and backend.
* '''GDPR Deletion Policies''' In accordance with applicable data protection rules, archived data is automatically anonymized after 60 days. In order to ensure an independent fourth party, a written agreement has been entered into that the sub-data processor may not give LES users access to the server and backend.
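Review bot: In the changed "Activity and data logging" line, the new term "external users" replaces "the user" but is not defined anywhere in this list, so a reader cannot tell whether the no-IP-logging guarantee covers only whistleblowers or every visitor. Suggest naming the role the guarantee covers and saying whether IP addresses are also kept out of the activity log that the same bullet says is enabled.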

Revision as of 16:54, 16 November 2021

Application

The LES Whistleblower Portal is fully managed by Tempus Serva Aps.

The system supports the following roles and use cases:

  • Lawyer: Handles whistleblower cases
  • Tenant user: Handles whistleblower cases
  • Whistleblower: Anonymous users who create new cases

Whistleblowers have the option to return to their case using a randomized code.

Hosting Setup

The LES Whistleblower Portal is hosted on Amazon Web Services EC2 in the data center in Stockholm, which complies with the following standards: PCI DSS 3.2 Level 1 Service Provider, FIPS 140-2, ISO 27001. The server is protected by 2 layers of firewalls and uses the following supporting services:

  • SSL certificates are automatically updated monthly from Let's Encrypt
  • UptimeRobot polls the server every minute, checking:
    • Access to database
    • Sufficient storage and RAM
  • Database is dumped nightly
    • Replicated to encrypted storage in EU
    • Retention: daily 60 days, monthly 2 years
  • Office365 SMTP service for sending emails

Technology Stack

The technological stack consists of:

  • LES Whistleblower Portal
  • TS No-code Platform
  • Apache Tomcat
  • MySQL
  • Amazon Linux 2

Security Setup

The following security and compliance features are enabled and active:

  • Password policy: The enabled policy forces users to create passwords based on the following minimum criteria: Minimum 8 characters, Must contain uppercase and lowercase letters, Must contain numbers, Must contain special character(s).
  • Multi-factor authentication: Access to case management for the attorney/lawyer at LES (ombudsman) and contact persons in the company, respectively, is protected with a username and password, followed by a randomized, session-specific OTP (One-Time Password) sent to the user's mobile phone as either a regular or Flash SMS, to verify the user's identity.
  • Storage encryption (AWS + LUKS): Storage is encrypted with LUKS (Linux Unified Key Setup – 256-bit AES disk encryption). Thus, persons with physical access to hardware cannot access stored data.
  • Encryption during transmission: Communication is protected with SSL certificates and HTTPS (TLS). Cipher suites for HTTPS are continuously updated.
  • Activity and data logging: Activity and data logging is enabled. However, IP logging on server requests is deliberately disabled to ensure the anonymity of external users.
  • Versioning
  • GDPR deletion policies: In accordance with applicable data protection rules, archived data is automatically anonymized after 60 days. In order to ensure an independent fourth party, a written agreement has been entered into that the sub-data processor may not give LES users access to the server and backend.
  • Event and system logging: Enabled to automatically log unsuccessful login attempts, system events, user errors, etc.
  • Scrubbing of files: All files uploaded via the portal are cleaned of personally identifiable metadata such as name, initials, geotags, etc. LES Whistleblower Portal supports all common file formats, including MS Office files, PDF, image formats like PNG, JPG, BMP etc., as well as media files MP3 and MP4.
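
The file scrubbing described in the last bullet, shown for the JPEG case only, as an added example (not Tempus Serva's code; the page does not say how the portal implements it). The names `scrub_jpeg` and `build_segment`, the choice of segments to strip and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Segments that carry metadata rather than image data (assumed scrub list):
# APP1 = EXIF incl. GPS tags and XMP, APP13 = Photoshop/IPTC, COM = comment.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
SOS = 0xDA  # start of scan: compressed image data follows


def scrub_jpeg(data: bytes) -> bytes:
    """Return a copy of a JPEG without metadata segments or trailing bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(data[:2])
    pos = 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            # Keep the scan up to the last EOI; drop anything appended after it.
            end = data.rfind(b"\xff\xd9")
            if end < pos:
                raise ValueError("missing EOI marker")
            out += data[pos:end + 2]
            return bytes(out)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        seg_end = pos + 2 + length
        if length < 2 or seg_end > len(data):
            raise ValueError("segment length out of bounds")
        if marker not in METADATA_MARKERS:
            out += data[pos:seg_end]  # image-related segment: copy unchanged
        pos = seg_end


def build_segment(marker: int, payload: bytes) -> bytes:
    """Helper for the constructed sample: marker + big-endian length + payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid segments, not a decodable picture.
SAMPLE = (
    b"\xff\xd8"
    + build_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + build_segment(0xE1, b"Exif\x00\x00constructed GPS 59.33N 18.06E")
    + build_segment(0xFE, b"author: J. Doe")
    + build_segment(0xDB, b"\x00" + bytes(64))
    + build_segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
    + b"\xff\xd9" + b"appended after EOI"
)
```

The function raises on anything it cannot parse instead of passing the file through, so an upload in an unexpected shape is rejected rather than stored with its metadata intact.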



See Security setup for additional information on security and compliance features available on TS No-code Platform.