All plans support SSO via Google and GitHub. On the enterprise plan Favro offers full support for SAML based authentication. We also support third party authentication services OneLogin and Okta via SAML. Favro automatically provisions and disables SAML accounts through the SCIM protocol. Two factor authentication is available for all Favro password accounts.
Your data is safe. We encrypt all data it in transit with TLS 1.2 or later and we carefully enable only ciphers with the highest security. The database is encrypted at rest on the servers in the cloud.
Many organizations want to gain full control over where their data is physically stored. Sometimes, this is even required under mandatory laws and regulations, where non-compliance might lead to penalties and liability for damages. For this reason, we let all our customers know where their data is stored.
EU was chosen as the lowest common denominator policy for corporations and governments approval globally. Amazon AWS and CityCloud host the cloud servers and are our trusted partners. They are certified for ISO 9001, 14001, 22301, 27001, 27018 and harbour companies like Favro as well as financial institutions. Your data is stored in MongoDB and encrypted at rest. Encrypted backups are performed continuously to at least three locations in the EU with point in time recovery.
In the upcoming Enterprise Plus plan our customers can even select in which part of the world they would like their data to be stored.
Only a limited number of certified staff within Favro have access to the application cloud where Favro is stored. Administration for the application cloud is done on a segmented network with separate physical network equipment and separate management computers used only for secure management.
Favro continuously monitors the health, security and performance of the cloud.
Physical security is one thing, but as a customer you also need to make sure your cloud provider has adopted internal policies and procedures to protect your data. Without such organizational governance in place, physical safeguards can only take you so far. At Favro, we consider it a top priority to maintain the highest level of security for our customers’ data. Our internal security measures include inter alia:
In addition, we are PCI DSS (SAQ A 3.2.1) compliant to ensure the highest standards for all our transactions.
Until we have implemented customer choice for data locality we have committed to keep the customer data within the EU.
All Favro data except uploaded attachments is stored in MongoDB. Uploads are stored in AWS S3 buckets.
Some data such as credit card data is stored by our subcontracts for PCI compliance.
Buckets have no public access. Access is only granted for upload and download with pre-signed URLs.
The users web browser uploads and downloads directly to/from the bucket with pre-signed URLs.
Read access is granted based on the cards a user has access to. If the user has access to the card, it also has access to the attachments on the card. The browser gets access to the pre-signed URLs only if the user has permission to access the card that the attachment is uploaded to.
The pre-signing URLs that grant read access expire after 24 hours.
Point in time backups are stored for at least 1 month back, and monthly backups are stored for at least 6 months
We currently don't support IP whitelisting, but on the Enterprise plan you can enable SAML and use the IP whitelisting support of your SAML identity provider.