— CDE Sync Technical —

Technical & Security

System Flow

  • The front-end application utilizes Microsoft Authentication Library (MSAL) for secure authentication, managing user logins and token acquisition for accessing the portal.

  • The portal backend is secured behind Azure API Management (APIM), which serves as a gateway. Incoming requests are validated by APIM to ensure authentication tokens are valid and that the user has appropriate access permissions.

  • All backend infrastructure, including databases, services, and function apps, resides within a private network. Strict network policies regulate inbound and outbound connections, ensuring only authorized access.

  • Through the portal backend, authenticated users can input client credentials, allowing the system to securely connect to their Common Data Environments (CDEs). These credentials are encrypted and stored in Azure Key Vault, which is itself isolated within the VNet.

  • Function apps leverage Managed Identities to securely retrieve credentials from Key Vault and execute synchronization jobs between CDEs based on user-defined rules. The sync process runs in real-time over HTTPS, ensuring data security without persistent storage of CDE model data.
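The gateway step above (APIM checking that the token is valid and that the user holds the required permission) is easy to get subtly wrong, so here is an added, self-contained illustration of the decision order a gateway applies: bearer scheme, signature, lifetime, issuer, audience, and only then the authorization check on roles. This is example code, not CDE Sync's or Microsoft's; it signs with HS256 and a constructed key so it runs offline, whereas real Entra ID tokens are RS256 and are verified against the tenant's published signing keys (which APIM's validate-jwt policy handles). The issuer, audience, role names and key are constructed placeholders.

```python
"""Gateway-style bearer-token checks (added example, not product code)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for the demonstration only.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://login.example.invalid/demo-tenant/v2.0"
EXPECTED_AUDIENCE = "api://cde-sync-portal-demo"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT for the constructed scenario."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_request(authorization_header, required_role, key=DEMO_KEY, now=None):
    """Return (allowed, reason), in the order a gateway checks them."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "missing bearer token"
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm; never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    if claims.get("nbf", 0) > now:
        return False, "token not yet valid"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if required_role not in claims.get("roles", []):
        return False, "insufficient permissions"
    return True, "ok"


def demo() -> dict:
    """Exercise the checks with constructed tokens; returns the decision per case."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    good = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 600, "roles": ["Sync.Admin"]}
    good_token = mint_demo_token(good)
    # Payload altered after signing: the original signature no longer matches.
    hdr, _, sig = good_token.split(".")
    tampered_token = f"{hdr}.{_encode_json({**good, 'roles': ['Sync.Admin', 'Sync.Owner']})}.{sig}"
    cases = {
        "valid": "Bearer " + good_token,
        "expired": "Bearer " + mint_demo_token({**good, "exp": now - 1}),
        "wrong_audience": "Bearer " + mint_demo_token({**good, "aud": "api://other-app"}),
        "no_role": "Bearer " + mint_demo_token({**good, "roles": ["Sync.Reader"]}),
        "tampered": "Bearer " + tampered_token,
        "other_key": "Bearer " + mint_demo_token(good, key=b"not-the-tenant-key"),
    }
    return {name: validate_request(hdr, "Sync.Admin", now=now) for name, hdr in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The order matters: signature is checked before any claim is read, the algorithm is pinned rather than taken from the header, and the role check comes last so an unauthenticated caller learns nothing about which roles exist. Only the "valid" case is forwarded to the backend; every other case is rejected at the gateway with the reason shown.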

Security Components

  • Azure tenancy: All infrastructure is deployed on our Azure tenancy.

  • Microsoft Authentication Library (MSAL): Manages authentication, token handling, and secure user sign-ins.

  • Azure API Management (APIM): Acts as a secure gateway, handling token validation and access control.

  • Private virtual network (VNet): Isolates backend resources, including function apps, ensuring restricted access.

  • Network policies: Enforce strict inbound and outbound connection controls for enhanced security.

  • Azure Key Vault: Provides encrypted storage for CDE credentials and secrets.

  • Managed Identities: Enable secure, password-less authentication for function apps and services.

Azure Infrastructure

  • Built-in SQL database backups provide data preservation and recovery.

  • Data is transferred between CDEs via function apps.

  • No CDE model data is stored at any point in the sync process, maintaining strict data privacy.

  • Files/folder IDs are stored securely in an SQL database for audit and traceability.

Virtual Network Segmentation

  • The VNet is structured into dedicated subnets, each serving a specific role, with internal DNS resolution for optimized communication:

    a.      API gateway subnet: Hosts Azure API Management (APIM) for secure API access.

    b.      Portal backend subnet: Houses the portal backend, managing user interactions and data requests.

    c.      Sync function subnet: Runs sync functions, executing real-time data synchronization jobs.

    d.      Database subnet: Contains the SQL database, securely storing metadata logs.

    e.      Key Vault subnet: Isolates Azure Key Vault, ensuring secure credential storage.

GDPR Compliance

  • The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union to safeguard personal data and ensure transparency in its processing. It applies to any organization handling the personal data of EU residents. Compliance with GDPR not only protects customer data but also ensures trust and accountability.

  • CDE Sync is designed with privacy and security in mind and incorporates multiple features and practices to meet GDPR requirements with built-in data protection:

    a.      Role-Based Access Control: Restricts sensitive data access to authorized users only.

    b.      Data Encryption: Secures data during transfers and while stored.

    c.      Metadata Validation: Ensures data accuracy and consistency across synchronized platforms.

  • CDE Sync supports compliance by helping organizations uphold user rights, including:

    a.      Access to Personal Data: Users can view their data upon request.

    b.      Data Correction: Organizations can easily update inaccurate information.

    c.      Erasure Requests: CDE Sync accommodates the "right to be forgotten" by facilitating data deletion.

    d.      Data Portability: Supports the seamless transfer of user data to other platforms.

  • CDE Sync safeguards personal data through:

    a.      Encryption to protect data integrity.

    b.      Regular security audits to identify and resolve vulnerabilities.

    c.      An incident management system to handle any data breaches swiftly and effectively.

  • CDE Sync provides GDPR-compliant options for data residency, allowing organizations to request where data is stored and processed, both locally and internationally.

  • Detailed activity logs are maintained for all synchronization processes, ensuring transparency and traceability. These logs support audits and demonstrate compliance.

  • Benefits of compliance:

    a.      Data Protection: Ensures the safety and privacy of personal data.

    b.      Risk Mitigation: Reduces the likelihood of penalties associated with non-compliance.

    c.      Enhanced Trust: Builds confidence with clients and stakeholders through demonstrated accountability.

  • Features supporting GDPR in CDE Sync:

    a.      Customizable Synchronization: Schedule updates to fit project workflows while maintaining data integrity.

    b.      Error Logs and Notifications: Resolve synchronization issues promptly with detailed logs.

    c.      Feedback Integration: Incorporate user feedback to continually improve compliance features.