Data Security & Management
This guide explains how Elqano handles data security and management. It covers where the application runs, authentication methods, data sources, and storage locations to help you understand how your organization’s data is protected.
Data Security
Where is Elqano bot/application running?
On premise: Elqano application servers run in the client’s Azure tenant.
Saas: Elqano application servers run in elqano’s Azure tenant.
A small package is also added into Teams to integrate the ChatBot with the server application and doesn’t require any interaction with documents.
Nothing is installed on user’s computers.
How is handled authentication in Elqano?
Web without SharePoint: SSO Authentication is handled via the SAMLv2 protocol using a Microsoft enterprise SSO application hosted on the Elqano tenant as an authentication server. The client must then provide us with the list of users who will have access to the solution.
Teams / Web with Sharepoint: double authentication:
- SSO Authentication is handled via the SAMLv2 protocol using a Microsoft enterprise SSO application hosted on the Elqano tenant as an authentication server (to access Playground)
- SSO Authentication is handled via the SAMLv2 protocol using the Azure Active Directory of the client as an authentication server. (To connect to SharePoint)
Only users assigned to the SSO application will be allowed to connect to the app.
Note
An Elqano SSO app is present in Azure AD app gallery**
Where does Elqano data come from?
Elqano retrieves information from three distinct sources:
- Microsoft SSO Login (Via SAMLv2 SSO authentication)
- Microsoft Graph API if the client grants the connection to SharePoint. Otherwise, the client can directly send to Elqano the documents to be indexed.
- Microsoft Teams (via API and HTTP callbacks), for apps available in Teams (Connect and Playground)
Where is stored the application data?
The application data is stored into 3 datastores:
- PostgreSQL for the questions, answers, user activities and all app related data
- AzureSearch for the indexed document content
- Azure blob storage as temporary document store
On-premises: These systems are managed by the client Azure tenant.
SaaS: These systems are managed in Elqano Azure tenant.
The access to these datastores is secured and limited to the application servers only.
Where do users’ documents come from?
User’s documents are retrieved from Microsoft SharePoint Online via the Graph API or directly from the sending of the documents by the client.
Important
If the connection to Sharepoint is granted, the application does not scan user’s private documents stored on local computers or OneDrive or in emails and private Teams conversations.
If the options are configured in the application, users might also be able to attach documents from their local computers to the answers posted in the bot or in the web interface. These documents will then be stored on the document storage of the application in the Azure tenant of the client (On-premises) or in the Azure tenant of Elqano (Saas).
They will be accessible only via the application.
Where are the indexed documents stored?
During the indexing phase, documents are stored temporarily into the document store of the application (Azure Blob Storage) only for a short time.
Once indexed the documents are removed from the storage.
The document content is indexed into the application vector store (Azure Search) running in the Azure tenant of the client (On-Premises) or azure tenant of Elqano (Saas).
How are exposed SharePoint documents?
Elqano will never proactively expose SharePoint documents.
SharePoint documents shared via the bot will remain on SharePoint and only a link pointing to the document will be published in Teams messages. The permissions on documents defined in SharePoint will be applied.
Elqano is also able to ignore documents with sensitivity labels enabled.
Elqano’s SaaS architecture is built on a multi-tenant application design with tenant isolation ensured through authentication mechanisms. This approach guarantees secure and isolated access to data, maintaining strict separation and integrity for each tenant while upholding the highest security standards.
Source: Microsoft, Multi-tenant SaaS database tenancy patterns.
Is Elqano exposing private data over the internet?
No public data is exposed in Teams and/or in the web interface without secured authentication.
Is Elqano secure?
Elqano is using state of the art security mechanism:
- Full HTTPS
- Delegated SSO authentication via SAML
- XSS/SQL injection enforced protection
- Teams HTTP callbacks signature checks
- Authenticated and filtered database access
- Encrypted sensitive data into application database
Note
Security audits of the app as well as of the installation process and running instances are performed on regular basis (Next planned for beginning 2025).
Data Management Policy
Elqano needs to gather and use certain information about individuals. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.
This data management Policy ensures Elqano:
- Complies with data protection law and follows good practice
- Protects the rights of customers, staff and partners
- Is transparent about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Important
On-premises: Elqano database and application are installed on customer servers and rely on the customer servers’ security. All customers data (user data, documents, questions, answers…) stays on customer servers.
Once Elqano is installed on the customers server, it crawls platforms identified and selected with the client.
Data Accessibility
To continue to improve Elqano algorithm and keep improving user experience, a part of Elqano team, the support team, will have access to a selected part of customer data.
Those selected members, including customer success managers will have one personal access to customer’s admin Elqano account. They are not allowed to copy, share, or amend any customer data. Each customer success manager will sign an NDA with the customers he/she is in charge of.
Data Protection Officer
Gabriele Barbieri, dpo@elqano.com
Data disposability
Customer can request at any moment the deletion or transfer of data. The deletion or transfer must be done within 2 weeks after request. Users can request at any moment the deletion or transfer of their personal data. The deletion or transfer must be done within 1 week after request.
Robustness
Azure Health Checks
To ensure the reliability and performance of the Elqano application, we utilize Azure Health Checks. These checks continuously monitor the health of our application services, allowing us to proactively address any issues and maintain optimal uptime. This integration ensures that our infrastructure remains robust and responsive to user needs.
Monitoring User Indexation
Elqano implements a system to monitor user indexation to prevent excessive resource usage. By tracking the indexation process, we ensure that the system operates efficiently and that resources are allocated appropriately. This monitoring helps maintain the performance and scalability of the application.
Serverless Dynamic Task Orchestration
To optimize task scheduling and execution, Elqano employs Prefect push work pools. This approach allows us to schedule work on serverless infrastructure without the need to run a dedicated worker. By leveraging serverless capabilities, we enhance the flexibility and scalability of our operations, ensuring that tasks are executed efficiently and cost-effectively.
FAQ
Which types of documents can be analyzed?
How to manage documents with access rights?
Are conversations between 2 persons or emails analyzed?
Does the data leave our environment?
On-premise: the application and the vectorial index are stored and managed from the client environment. All the data remains internal. Regarding the LLM, using an Azure OpenAI subscription, the client can choose which GPT model to use from the required and recommended models, and where the model should be hosted (which country, Europe).
Saas: the application and the vectorial index are stored on Elqano’s tenant. Each client has its own database. Through Elqano’s Azure Open AI subscription, clients benefit from GPT-4o, text-embedding-ada-002, GPT-4o-mini, GPT-4.1, o1, and o3-mini models, all hosted in Sweden, EU.