Security

Ensuring your information is secure is a core tenet of Therefore™ software.

Security is an essential component of any information management system as it ensures that confidential and sensitive information is protected from unauthorized access, modification, or theft. Your organization is responsible for vast amounts of data that can include personal, financial, and proprietary information, making it a valuable target for cyber-attacks. A breach in security can have severe consequences, including legal liabilities, reputational damage, and financial losses. Implementing robust security measures such as access controls, encryption, and regular security audits is critical to ensure the protection of sensitive information. The importance of information security cannot be overstated, and companies must prioritize security to maintain the trust of their customers and stakeholders.

There are many important security measures for safeguarding data, but some of the most crucial ones include:

  • Access Controls

    Access controls limit access to sensitive information to authorized users only. This can include password protection, multi-factor authentication, and role-based access control.

  • Backup and Disaster Recovery

    Backup and disaster recovery processes are essential to protect data from loss or corruption due to hardware failures, natural disasters, or cyber-attacks. Organizations must have a robust backup and disaster recovery plan in place to minimize the impact of any data loss or disruption.

  • Logging and Audit Trail

    Logs and audit trails are essential for maintaining the integrity and security of an information management system as they provide a detailed record of system activity, enabling organizations to detect and investigate potential security breaches or other issues.

  • Regular Security Checkups

    Regular security checkups are essential to ensure that security controls are effective and up-to-date. These audits can identify vulnerabilities and potential threats and enable organizations to take action to address them.

Information security is of paramount importance for our solutions. The principal tools Therefore™ employs to ensure high security include:

  • Role-based access controls
  • Secure authorization frameworks
  • Backup and Recovery
  • Audit Trail and Logging
  • Encryption
  • Anti-tamper controls
  • Retention Policies
  • Version history
  • Virus scanning

Role-based access controls

Role-based access controls are a type of access control system that restricts access to information based on a user’s role within an organization, limiting users to only the information they need to perform their job. Role-based access controls are beneficial as they reduce the risk of data breaches and help to ensure that sensitive information is only accessed by authorized personnel.

With Role-Based Access Control, permissions are set under role-based attributes, which can be refined further by setting conditions on specific roles. A Role can be defined as a group (set) of permissions that are logically put together with a given name and description (e.g. Administrator, Operator, Reader, etc.). Users are then assigned to a role, so there’s no need to configure permissions on an individual level. This allows for granular permission control and ease of management in complex security environments.

Secure authorization framework

Authentication is the process of verifying the identity of a user or device attempting to access an information management system, typically through the use of passwords or multiple factors. A robust authorization framework is important because it helps prevent unauthorized access to sensitive information, ensuring the security and integrity of the system.

Access to Therefore™ can be configured using many different authentication methods. These include:

  • Internal users and groups
  • Active Directory, Windows Local Users, LDAP/SAMBA
  • Active Directory Federation Services
  • OAuth Clients
  • Custom JWT Tokens
  • External user directories such as Azure Active Directory, Okta, OneLogin, and Generic OIDC authentication.

Backup and recovery

Having secure backups of critical information and a disaster recovery strategy in place is an essential risk-planning activity for any organization. This ensures that in the event of a hardware failure, natural disaster, or cyber-attack, they can quickly and efficiently restore data and systems, minimize downtime, and maintain business continuity, reducing the risk of reputational damage and financial losses.

Therefore™ provides native, out-of-the-box capabilities for backing up the information in the system. All Therefore™ systems, regardless of version or deployment method, support primary and backup storage options. Once configured, the system takes care of moving documents from primary to backup storage locations. Documents are never kept in the database, but rather on separately defined storage. While this is all done automatically for Therefore™ Online users, customers with on-premises deployments can configure storage devices easily, and highly customizable storage policies allow administrators to decide exactly which information is stored where.

Therefore™ also integrates with the cloud storage providers OneDrive, Dropbox, Box, and Google Drive. Documents can be uploaded to, or imported from, this cloud storage.

Always the latest security.

Therefore™ undergoes regular security audits and penetration tests performed by third-party auditors. Our software development is aligned with industry-accepted security standards such as OWASP, NIST and OSSTMM, so our customers can rest assured that our security measures can stand the test of time.

Audit trail and logging

Logs and audit trails are essential for maintaining the integrity and security of an information management system as they provide a detailed record of system activity, enabling organizations to detect and investigate potential security breaches or other issues. The robust audit trail in Therefore™ records all key events including the date of document creation, modifications, and deletion. Therefore™ also logs information about over 30 different types of events, such as who performed an action, and when it was performed. This ensures all information is easily accessible in the event of an audit, and all actions are transparent and traceable.

Encryption

Encryption is the process of converting information into a code to prevent unauthorized access. This is important as it provides a critical layer of protection to sensitive information by making it unreadable without the appropriate decryption key, ensuring confidentiality and data privacy even in the event of theft.

All data transferred between the Therefore™ Online system and a user is protected. System data is fully encrypted. Azure SSE (Storage Service Encryption) is used to encrypt data at rest using 256-bit AES encryption, one of the strongest ciphers available. In transit, data is encrypted using HTTPS and SMB 3.0.

Therefore™ customers with an on-premises deployment can rest assured that Therefore™ supports encryption methods commonly used on storage media to secure the integrity of their data, such as EFS.

Anti-tamper controls

Anti-tamper measures in Therefore™ ensure that information is not modified beyond the allowable parameters.

Therefore™ electronically signs every document immediately after receiving it. When a user retrieves a document, the signature is verified by Therefore™ to guarantee that it is the original. Even the system administrator cannot sign a changed document.

The signature is composed of numerous data points to guarantee the authenticity and security of the information. The signature is stored within the .thex document and is created using a standard signing algorithm, which computes the SHA-256 hash and then encrypts this hash value with the RSA algorithm.
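The sign-on-receipt, verify-on-retrieval flow described above can be reproduced with the OpenSSL command line. This is an added illustration, not Therefore™ code and not the .thex format: the key pair, file names and document text are constructed, and the signature is kept in a separate `.sig` file rather than inside the document.

```bash
#!/usr/bin/env bash
# Added illustration: SHA-256 + RSA signing at ingest, verification at retrieval.
# Key, paths and document content are constructed for this example.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed 2048-bit RSA key pair. In a real deployment the private key
# stays with the signing service; only the public key is needed to verify.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/sign.key" 2>/dev/null
openssl pkey -in "$WORK/sign.key" -pubout -out "$WORK/sign.pub" 2>/dev/null

# sign_doc FILE: hash FILE with SHA-256 and sign the digest with the RSA key.
sign_doc() {
  openssl dgst -sha256 -sign "$WORK/sign.key" -out "$1.sig" "$1"
}

# verify_doc FILE: exit status 0 only if FILE still matches its ingest signature.
verify_doc() {
  openssl dgst -sha256 -verify "$WORK/sign.pub" \
    -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Ingest: store the document and sign it immediately.
printf 'Invoice 1001: total 250.00 EUR\n' > "$WORK/invoice.txt"
sign_doc "$WORK/invoice.txt"
verify_doc "$WORK/invoice.txt" && echo "original: signature valid"

# Any later change to the stored bytes makes retrieval-time verification fail.
printf 'Invoice 1001: total 950.00 EUR\n' > "$WORK/invoice.txt"
verify_doc "$WORK/invoice.txt" || echo "modified: signature check failed"
```

Because re-signing requires the private key, whoever can read that key can produce a valid signature for altered content, so access to the key is what the guarantee rests on.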

Retention policies

A retention policy is a set of guidelines that dictate how long different types of data should be retained and when it should be deleted or archived, helping organizations to manage their information in a systematic and compliant way. A well-defined retention policy is important as it helps organizations to ensure regulatory compliance, reduce the risk of litigation, and efficiently manage storage resources, while also promoting good information governance practices.

Setting up retention policies in Therefore™ is easy. Data can be marked for deletion after a predetermined amount of time. Regular users cannot permanently delete documents; only an administrator can do this for security reasons. Therefore’s powerful retention policies help improve your overall information governance.

Version history

Versioning is a feature that allows different versions of the same document to be tracked and managed, enabling users to access and restore earlier versions, view changes, and collaborate effectively. It is important as it ensures that the most up-to-date version of a document is being used, and helps to avoid confusion or errors that may arise from multiple versions of the same document being in circulation. Versioning can help increase security by allowing organizations to track changes made to a document over time, providing a complete audit trail of all actions taken by users, and ensuring that only authorized users have access to specific versions of a document.

In Therefore™, you can keep track of document and case histories. The version history shows: version number, who edited it, when it was edited and any comments that the person made. All versions of older documents are saved. Users with permissions can still view older versions of documents. This ensures that changes can be tracked, and older versions of a document can be accessed. Users can be required to leave check-in comments to ensure others can quickly see what changes were made.

Award-winning security

“Leader” in the SoftwareReviews ECM Data Quadrant. Info-Tech Research Group | 2022

SoftwareReviews, a division of Info-Tech Research Group, looked at over 14 different ECM systems on the market today and rigorously collected qualitative and quantitative data points from real end users, business, and IT professionals. SoftwareReviews’ “comprehensive reviews are the most in-depth source of buyer data and insights for the enterprise software market.”

“ASTORS Homeland Security” Award for Best Data Storage Security Solution. American Security Today | 2018, 2019

The ‘ASTORS’ program is specifically designed to honor distinguished government and vendor solutions that deliver enhanced value, benefit and intelligence to end users in a variety of government, homeland security, enterprise and public safety vertical markets.

“Pick Award” for Outstanding Information Governance Solution. Keypoint Intelligence | 2018, 2019, 2021

Therefore™ is a four-time recipient of a Buyers Laboratory (BLI) Award, honoring the most impressive solutions evaluated by BLI over a 12-month test cycle.

Successful GDPR Data Protection Audit. Ebner Stolz | 2018

Therefore™ software has passed a rigorous data protection audit by the German consulting firm Ebner Stolz. Therefore™ software solutions have been verified and certified to enable effective management of data in accordance with GDPR regulations.
