WOZTELL makes sure the right people get the right access to different functions and information. We start with a strong security foundation at user account creation, using 2FA and strong passwords, and extend it to assigning roles and permissions to address identity security challenges.
WOZTELL's backend encrypts data-at-rest using AES-256 and data-in-transit using TLS v1.2. Apart from that, there are a variety of tools to provide further control on data protection.
Each company governs its data differently. WOZTELL offers enterprises the flexibility to devise their own governance and risk management strategy, without compromising the bot building experience.
The WOZTELL webhook receiver requires a valid HTTPS/TLS certificate.
For webhook validation, every webhook event comes with a signature in the "X-Woztell-Signature" header. Each webhook event can be validated using the following method.
Using the HMAC-SHA256 algorithm with the channel secret as the secret key, compute the digest for the request body.
Confirm that the Base64-encoded digest matches the signature in the X-Woztell-Signature request header.
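One way a receiver could implement the two validation steps above, as an added Python example (not WOZTELL's own code). It assumes the channel secret is used as its UTF-8 bytes and that the digest is computed over the raw request body exactly as received; the secret and payload are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json


def verify_woztell_signature(channel_secret: str, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value is the Base64 HMAC-SHA256 of raw_body."""
    if not header_value:
        return False  # missing header: reject rather than skip validation
    try:
        # validate=True rejects characters outside the Base64 alphabet
        received = base64.b64decode(header_value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    # Assumption: the channel secret is keyed as its UTF-8 bytes.
    expected = hmac.new(channel_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, received)


def sign(channel_secret: str, raw_body: bytes) -> str:
    """Sender-side computation, used here only to build the constructed sample."""
    digest = hmac.new(channel_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample values (not real WOZTELL data).
SECRET = "example-channel-secret"
RAW_BODY = b'{"type":"TEXT","data":{"text":"hello"}}'
SIGNATURE = sign(SECRET, RAW_BODY)

if __name__ == "__main__":
    # Genuine event: raw bytes and header as delivered.
    print(verify_woztell_signature(SECRET, RAW_BODY, SIGNATURE))
    # Re-serialising parsed JSON changes the bytes (spacing), so validation fails.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    print(verify_woztell_signature(SECRET, reserialised, SIGNATURE))
    # Header absent or malformed: both are rejected.
    print(verify_woztell_signature(SECRET, RAW_BODY, None))
    print(verify_woztell_signature(SECRET, RAW_BODY, "not base64!"))
```

Run the check on the body bytes before any JSON parsing or framework re-encoding, and reject the request when the header is missing rather than treating validation as optional.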
To use WOZTELL's Open API, a scoped access token is required. The obtained token cannot gain access to the data of another app.
Please refer to access token for the procedures.
A valid HTTPS/TLS certificate is provided for calling WOZTELL's Bot API.