Data security
- Where is Elqano bot/application running?
- How is authentication handled in Elqano?
- Where does Elqano data come from?
- Where is the application data stored?
- Where are indexed documents stored?
- How are SharePoint documents exposed?
- Is Elqano exposing private data over the internet?
- Is Elqano secure?
Where is Elqano bot/application running?
Elqano application servers run in the client’s Azure tenant.
A small package is also added to Teams to integrate the chatbot with the server application.
Nothing is installed on users’ computers.
How is authentication handled in Elqano?
SSO Authentication is handled via the SAMLv2 protocol using the Azure Active Directory of the client as an authentication server.
Only users assigned to the SSO application will be allowed to connect to the app.
Note: an Elqano SSO app is present in the Azure AD app gallery.
On the Microsoft Teams side, authentication is managed by Teams, and only users with permissions to add and interact with the Bot app will be allowed to use it.
Where does Elqano data come from?
Elqano retrieves information from three distinct sources:
- Azure Active Directory (Via SAMLv2 SSO authentication)
- Microsoft Graph API
- Microsoft Teams (Via API and HTTP callbacks)
Where is the application data stored?
The application data is stored in 3 datastores:
- PostgreSQL for the questions, answers, user activities and all app-related data
- Elasticsearch for the indexed document content
- Azure Blob Storage as a temporary document store
These systems are managed in the client’s Azure tenant.
Access to these datastores is secured and limited to the application servers only.
Where do users’ documents come from?
Users’ documents are retrieved from Microsoft SharePoint Online via the Graph API.
The application does not scan users’ private documents stored on local computers.
If the option is configured in the application, users might also be able to attach documents from their local computers to the answers posted in the bot or in the web interface. These documents will then be stored in the document storage of the application in the Azure tenant of the client. They will be accessible only via the application.
Where are indexed documents stored?
During the indexing phase, documents are stored temporarily in the document store of the application (Azure Blob Storage), only for a short period of time.
Once indexed, the documents are removed from the storage.
The document content is indexed into the application databases (Postgres and Elasticsearch) running in the Azure tenant of the client.
How are SharePoint documents exposed?
Elqano will never proactively expose SharePoint documents.
Users will choose for themselves whether or not to attach documents identified as pertinent by the bot to an answer.
SharePoint documents shared via the bot will remain on SharePoint and only a link pointing to the document will be published in Teams messages. The permissions on documents defined in SharePoint will be applied.
Elqano is also able to ignore documents with sensitivity labels enabled.
Is Elqano exposing private data over the internet?
No public data is exposed in Teams and/or in the web interface without secured authentication.
Is Elqano secure?
Elqano uses state-of-the-art security mechanisms:
- Full HTTPS
- Delegated SSO authentication via SAML
- Enforced protection against XSS and SQL injection
- Teams HTTP callbacks signature checks
- Authenticated and filtered database access
- Sensitive data encrypted in the application database
Security audits of the app, as well as of the installation process and running instances, are performed on a regular basis (next planned for fall 2023).