Authentication Security

Fenlora strictly enforces a set of password requirements to ensure security standards are met:

• Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
• Multiple logins with the wrong username or password will result in a security notification. Temporary password reset link will be sent to the user’s pre-registered email address if the user clicks the forgot password link. If need be, your account is disabled manually.
• End-user account passwords stored on Fenlora servers are hashed with a random salt.

Two-factor authentication (2FA)

You can activate 2-factor authentication (2FA) for your account to secure it further. Please contact your account manager to activate 2FA. Once you enable SFA, no one will be able to access your account without verifying the action through SMS, Google Authenticator or the Authy app, even if they have your password.

Secure Credential Storage

Credentials are stored in encrypted form and are not in human-readable format. They are one-way-hashed.

API Security & Authentication

By default, Fenlora’s services are served over SSL. Highly sensitive services which require an authentication are only served over HTTPS. As this is a forced action you will not be allowed to use HTTP for these types of services.

Sessions are set to expire upon 30 minutes of inactivity, continuous sessions will timeout after 1 day.

Sign Out

When sign out occurs, all session cookies from the client are deleted and the session identifier is invalidated.

Fenlora provides granular access rights which can be configured to set permission levels for different users such as manage users, collaborate, edit and read.

IP Restrictions

Fenlora can be configured to restrict IP addresses to prevent or limit access to specific users or agents.

IP restrictions are only available for Enterprise Support accounts. Please contact your account manager to enable this feature.

Fenlora utilizes industry-standard communication encryption technologies to ensure all communications are secured. Therefore, all end-user communications with Fenlora are secured with encryption. Fenlora uses Transport Layer Security (TLS) for regular updates and configurations.

Fenlora updates its network architecture continuously. Redundant firewalls, secure HTTPS transport over public networks and the latest router technologies are in place to ensure maximum protection. Fenlora runs in-depth audits on an ongoing basis internally and via 3rd party security consultancies.

Architecture

DMZ is used to add an additional layer of security to the architecture of our local area network. With DMZ, services have different subnets (databases, cache layer or application servers) according to their sensitivity levels. Each zone has specific monitoring and access controls.

DDoS Mitigation

Fenlora partners with Distributed Denial of Service (DDoS) scrubbing providers to mitigate DDoS attacks. Fenlora works with 3rd party security consultancies to simulate DDoS attacks. We also use Cloudflare to prevent DDoS and other security attacks.

Access Logs

Fenlora has comprehensive activity monitoring system that stores logs at all account levels for sign-in/sign-out to user accounts, creating users, setting user permissions and password changes, and creating, deleting, updating, starting and/or pausing scenarios/personalizations.

You can get in touch with your account manager to access your detailed Fenlora log history to view all content changes on your scenarios/personalizations.

Your visitor and account data stored on Fenlora’s servers cannot be accessed by employees or contractors unless they need this information to perform a specific job function, i.e. providing customer support. If need be, employees need to use very strong passwords or two-factor authentication to access Fenlora’s servers.

Job Controls

On top of having strict rules and regulations for accessing data on our servers, Fenlora employees are required to sign confidentiality agreements before they are allowed to access our servers. Once a year, all of our engineers are required to participate in secure code trainings covering OWASP top 10 security flaws, common attack cases and Fenlora’s security controls.

Fenlora has a comprehensive set of security policies which are made available to employees and contractors.

Training

Upon onboarding, all Fenlora employees have to complete a Security Awareness Training. The training is repeated once a year. Engineers also receive a secure coding training once a year.
Besides in-depth security tests run by third-party consultancies we partner with, our engineers who are responsible for our security measures regularly test our code base. The team is trained to detect potential security vulnerabilities that may occur.

Under our zero-trust policy, your visitor and account data stored on Fenlora’s servers cannot be accessed by employees or contractors unless they need this information to perform a specific job function, i.e. providing customer support. All employee access to our servers is logged and audited. In case of an abuse, Fenlora employees are subject to disciplinary action, including but not limited to termination. Since April 2012, Fenlora employees are required to complete a background check prior to employments.

Confidentiality Agreements

All new employees go through security screening during our hiring process and they are required to sign confidentiality and non-disclosure agreements.

We run in-depth 3rd party security vulnerability assessments using end-to-end, unit and integration tests and have deployment controls in place (i.e. blue-green deployment, change management etc).

Code Assessments

We build in top-notch security features and run in-depth audits on an ongoing basis to ensure all data and interactions of our customers are fully secure. Building data security is a continuous process that shapes the foundation of our development processes and outstanding performance of our industry-leading technologies. Our engineers conduct peer coding and reviews to ensure the highest quality. Our automated code tests are designed to detect and fix common vulnerabilities. We conduct manual tests on sensitive areas of our code base and run periodic security scans semiannually.

Fenlora was built with disaster recovery in mind. We use Amazon Web Services (AWS), a well-known cloud service provider. To mitigate service interruption risks in case of a disaster, we replicate sensitive data and keep them in multiple data centers. Our infrastructure and data are stored across 3 AWS availability zones. In case of a disaster or fail, services will not be interrupted.

We perform, daily, weekly and monthly backups of data. For highly sensitive data we run hourly backups. Headquartered in Singapore, we have 16 offices around the world, providing localized services and support in case of a disaster to ensure business continuity.

Incident Response

Fenlora has an Incident Response team to quickly and systematically respond in case of a security incident. You can write to us at security@fenlora.com.

Each customer account has a unique code snippet (javascript client) for Fenlora. This way your data is logically separated from other customers. If you have multiple domains, by enabling the multi-domain feature, you can use the same JS to provide services. However, you cannot use the same JS on other domains if you do not activate the multi-domain feature and integrate all domains with Fenlora.

Every customer’s data is solely used for that customer and only accessed to provide support to that customer. We never share or sell customer data to 3rd parties. Our policy around data protection is clearly outlined in the Service Agreement and Data Protection Agreement (DPA).

User Roles

Fenlora provides user permission levels for specified roles to help you manage users easily. User roles include managing users, collaborate, edit and read. If you invite multiple people to work on the same scenario/personalization, Fenlora gives you the flexibility to grant different levels of permission to each user.

Fenlora services and data are hosted in Amazon Web Services (AWS) facilities (eu-west 1) in Ireland.

Access to data centers is strictly limited to authorized personnel with verified biometric identity. AWS data centers are physically protected by security guards, video monitoring and other on-premise security measures.

All Fenlora servers are within our virtual private cloud (VPC). We have network access control lists (ACLs) in place to prevent unauthorized requests.

We keep testing and staging environments physically separate from the production environment. Service Data is not used in the development or test environments.

If you have any questions regarding Fenlora’s security measures, please write to us at security@useFenlora.com or contact your account manager. Our security measures are subject to change, as building data security is a continuous process that shapes the foundation of our development processes and outstanding performance of our industry-leading technologies. We may update this page from time to time to reflect changes. Therefore, please check this page often. The use of Fenlora services is subject to the terms, conditions, and disclaimers in our Terms of Service.