Security Overview

Explo prioritizes the security of your data and privacy for your customers

Compliance Certifications

Overview

Database tables that are used for embedded reporting have many user groups' data in them. User groups should only ever be able to see their own data via logical separation. Robust logging of usage will also provide additional auditing to ensure this guarantee.

Term

Description

Customer

This is Explo's customer that is embedding our product into theirs

User

This is one of our customer's users that is using a report set up by the customer

User Group

This is a grouping of users that all see the same report when they go to an embedded Explo report. For example, a user group might be a customer's client company with 5 users that have an account.

Keeping Tokens in Sync

This solution keeps Explo's backend and the customer's backend in sync on tokens that are associated with user groups. We'll call these tokens, synced tokens.

How it works

For each user group, Explo's backend will generate a corresponding token that validates them. This token will need to be stored in the customer backend as well. We suggest adding it as a field to the user group (or team) table. Alternatively, there is a stateless solution explained below.

Figure 1: Communicating with the Explo backend when user groups are created or deleted

Whenever a user group is created in the customer backend, an API call will be made to the Explo backend to generate the synced token for the customer to then store on their end. Similarly, there will be endpoints for deleting tokens when a user group gets deleted and for refreshing tokens in case they get compromised.

Figure 2: Authenticating the request with the synced token

Whenever the customer frontend loads, in addition to the data that is currently pulled from the customer backend, this synced token will be pulled as well. This synced token associated with the logged-in user group will be passed into the embedded web component and authenticated in Explo's backend. Explo's backend will verify the token for the said user group, and send back the appropriate response.

Keeping track of synced tokens

There are two options to handle this — a stateful and a stateless option.

[Stateful] Adding Tokens to the User Group's Table

This requires a small migration on the user group (or team) table. The Explo team will help with the backfilling of tokens for existing user groups.

name

plan

token

Pied Piper

enterprise

ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

Hooli

trial

3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d

Raviga

trial

2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6

[Stateless] Querying for Tokens on Demand

Explo exposes APIs for creating, deleting, and refreshing tokens for user groups. The customer will need to integrate these corresponding APIs into their backend for when user groups are created and deleted or when tokens need to be refreshed.

A stateless way to query for tokens is to call the create user group endpoint, which can function as a "get or create" endpoint. The API will create the user group and return the corresponding token if the group doesn't exist or just return the token if it exists. This means the customer does not need to hold any state about each user group's token.