General Security
Is https used for all web connections?
Yes. HTTPS is enforced for all connections to *.ento.com URLs. Any time data leaves our trusted network (AWS), it travels over secure protocols (HTTPS, SMTP, SFTP, etc.).
What level of password security is used?
Stored passwords are hashed via SHA256 using both a static salt and a rolling dynamic salt. Passwords are transmitted over SSL/TLS (TLS 1.2).
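To make the scheme described above concrete, here is an added illustration that is not Ento's code: a static server-side salt combined with a random per-user salt that is re-issued on each successful login. It assumes that the "rolling dynamic salt" means a per-user salt rotated at login, and it uses PBKDF2-HMAC-SHA256 because the answer names SHA256 but not an iteration scheme.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Static salt (pepper): a server-side secret that is NOT stored in the
# database, so a leaked table of hashes alone is not enough to attack offline.
# Constructed sample value; in practice load it from a secrets manager.
STATIC_SALT = b"constructed-static-salt-for-demo-only"

# Assumption: PBKDF2 round count. The page says SHA256 but gives no count.
ITERATIONS = 600_000


def _derive(password: str, dynamic_salt: bytes, iterations: int) -> bytes:
    """Stretch the password with the static salt and the per-user dynamic salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), STATIC_SALT + dynamic_salt, iterations
    )


def hash_password(password: str, dynamic_salt: Optional[bytes] = None) -> dict:
    """Create a storable record: per-user salt, hash and round count (no pepper)."""
    if dynamic_salt is None:
        dynamic_salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = _derive(password, dynamic_salt, ITERATIONS)
    return {"salt": dynamic_salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = _derive(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def roll_salt(password: str, record: dict) -> dict:
    """On a successful login, re-issue the dynamic salt so the stored hash changes
    even though the password did not. Returns the old record if verification fails."""
    if not verify_password(password, record):
        return record
    return hash_password(password)  # new random salt, new hash
```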
Does Ento undergo security testing/auditing via an independent third party?
Ento regularly undertakes independent penetration testing via Pure Hacking Pty Ltd. Detailed results are available upon request under non-disclosure agreement. Ento is also a registered Digital Service Provider with the ATO. The requirements for this include aligning ourselves with the standards under OWASP ASVS Level 2 and the Australian Cyber Security Centre Government Information Security Manual.
What are Ento’s security compliance details?
The AWS infrastructure Ento runs on is ISO 27001 and PCI DSS Level 1 compliant. To learn more about security compliance on the AWS platform, refer to AWS's compliance documentation.
What measures does Ento take to avoid system exploits?
Ento runs on AWS' Virtual Private Cloud (VPC) EC2 platform, and all Ento applications are built on security-focused frameworks to prevent common web exploits such as SQL injection and XSS.
How are Ento users authenticated and is there a single sign on option?
By default, users are able to log in with a username (email address, employee ID, mobile number or other identification token) and/or password. Alternatively, we support an SSO integration using the SAML2 protocol (configuration required, at additional cost).
What is Ento’s process for reporting security breaches / incidents to customers?
Any security events are immediately escalated to our Head of Engineering on detection. Key personnel are on-call at all times, and relevant teams are rapidly notified and assembled to address the event. Once investigated and resolved, a detailed written retrospective review and root-cause analysis is completed. This is reviewed at an executive level, and any preventative action items/next steps are distributed company-wide. In the case of a security breach where customer data is exposed, Ento will promptly notify all affected clients & users.
Can I request more information?
Complete transparency around our disaster recovery and security processes would in itself represent a security risk. Additional information may be provided on a case-by-case basis, with a strict non-disclosure agreement in place.
Disaster Recovery & Backups
What disaster recovery procedures are in place?
Customer data is stored redundantly at multiple locations in our hosting provider's data centres to ensure availability. We have well-tested backup and restoration procedures, which would enable recovery from a major disaster. Customer data and Ento's source code are automatically backed up nightly should live redundancy fail. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.
What is Ento’s Recovery Time Objective (RTO) in a DR event?
Ento’s RTO is 4 hours. A disaster-recovery event can only be initiated by Ento’s Head of Engineering, or an authorised representative.
Data access groups and permissioning
What are Ento access groups, and how do they work?
Ento's unique configurable access groups define the data a user can access within the system. This is used to facilitate access in line with not only typical corporate structures (e.g. national, state, region, store, cost centre) but also non-hierarchical groups such as multi-site franchisees, and divisions that span multiple geographic locations. Using a complex franchise business as an example, Ento can be configured so that a state franchise performance manager can access the relevant state, a franchisee with 3 locations can access all 3 relevant locations (regardless of ABN split), while a store manager's access is limited to only their store. Ento is the only WFM platform with the ability to group a multi-structured tenancy environment in a single client platform. Access groups are effectively unlimited in flexibility and automatically cascade into live reporting, analytics, dashboards and reports.
What are Ento permissions, and how do they work?
Permissions for Managers and Staff in Ento are our way of defining what each user group can do within the Ento platform. Permission profiles are UI-configurable, and allow granular control (at a per-person level, if so desired!) of everything from manager cost visibility and timesheet approval chains, to staff clock-in rounding rules and leave-request limits. This allows flexibility while maintaining core compliance controls.