
Sensitive Data Handling

Introduction
Single Sign-On (SSO) solutions manage a vast amount of user data, including potentially sensitive information. SSOJet prioritizes user privacy and information security by adhering to strict practices for handling sensitive data. This document provides a detailed overview of SSOJet's approach to sensitive data handling, ensuring its confidentiality, integrity, and minimal exposure.

Scope
This document covers the following aspects of sensitive data handling in SSOJet:
  • Identifying sensitive data
  • Data minimization practices
  • Secure storage and access controls
  • User data deletion procedures
  • Best practices for ongoing security

Identifying Sensitive Data
SSOJet recognizes various types of user data as sensitive and deserving of heightened protection:
  • Personally Identifiable Information (PII): Data that can be used to identify an individual, such as name, address, phone number, email address, and national identification numbers.
  • Authentication Credentials: Usernames, passwords, and other credentials used for authentication purposes.
  • Security Questions and Answers: Information used for account recovery, which can be exploited for social engineering attacks.
  • Financial Data: If applicable, any financial information collected or processed by SSOJet, such as credit card details.

Data Minimization Practices
SSOJet follows the principle of data minimization to limit the collection and storage of sensitive data:
  • Collect Only What's Necessary: SSOJet collects only the minimum amount of user data essential for SSO functionality.
  • Attribute-Based Access Control (ABAC): Granting access to user data on a need-to-know basis, based on user roles and attributes.
  • Data Anonymization: When possible, anonymize or pseudonymize sensitive data to reduce the risk of identification.

Secure Storage and Access Controls
SSOJet implements robust security measures to protect sensitive data at rest:
  • Encryption: Encrypting sensitive data at rest using strong encryption algorithms (refer to the document on Data Encryption at Rest and In Transit for SSOJet for details).
  • Access Controls: Implementing granular access controls to restrict access to sensitive data only to authorized personnel.
  • Regular Access Reviews: Periodically reviewing and auditing user access privileges to ensure they remain appropriate.

User Data Deletion Procedures
SSOJet offers mechanisms for users to control their data and provides clear procedures for data deletion:
  • User Self-Service Deletion: Enabling users to delete their accounts and associated data upon request, subject to regulatory limitations.
  • Data Retention Policies: Establishing data retention policies that comply with regulations and define timelines for deleting outdated user data.
  • Data Deletion Procedures: Providing well-defined procedures for secure deletion of user data to prevent unauthorized recovery.

Best Practices for Ongoing Security
SSOJet adheres to best practices to continuously improve its sensitive data handling practices:
  • Security Awareness Training: Regularly training employees on data security best practices to minimize human error.
  • Penetration Testing and Vulnerability Assessments: Conducting periodic penetration testing and vulnerability assessments to identify and address security weaknesses.
  • Security Incident and Breach Response: Having a documented plan for responding to security incidents and data breaches to minimize damage and ensure user notification.

Conclusion
SSOJet takes user privacy and data security seriously. By following strict guidelines for identifying sensitive data, minimizing data collection, implementing robust storage and access controls, and offering user data deletion options, SSOJet ensures the confidentiality, integrity, and responsible handling of user information. Ongoing security practices further strengthen SSOJet's commitment to protecting sensitive data entrusted to its platform.

For any security-related inquiries or to report a security incident, please contact our security team at:
Email: support@ssojet.com

This document provides a comprehensive overview of sensitive data handling for SSOJet. Organizations can further customize this document to include specific details about their data classification schemes, data retention policies, and user data deletion procedures.