Application Security

Access control and authentication
Benify administrators have individual admin accounts. Multi-factor authentication is enabled for all admins and access is only granted when authenticated with at least two factors.

End-users have individual user accounts and must be authenticated with at least password. Password policy can be customized to fit specific customer requirements. 2-step verification for end-users can be enabled via Google Authenticator. For Swedish clients, it’s possible to use multi-factor authentication through BankID.

Access can also be managed through single sign on (SSO) using SAML 2.

All users are automatically logged off after 30 minutes of inactivity.

Separation of customer data
All customer data is logically separated for each customer to ensure confidentiality and integrity between customers. Every customer has a unique company key which is used to separates data.

Sensitive data
All customer’s personal data is according to Benify’s information classification policy classified as Strictly confidential. In addition to this, information such as salary, bonuses etc. are classified as sensitive in the Benify application.

Access to sensitive information is only allocated according to the principle of least privilege.

Sensitive information is by default masked for all Benify administrators. Permissions to view masked information is controlled by the role permissions.

Access to sensitive information is a part of annual role permission review.

Event logs
All activities in the application are logged. Our logs include information about the user, time and dates, user activity and critical security events (such as authentication attempts to violate the rules of authentication).

To protected our logs against tampering the logs are protected by an integrity check mechanism and access rights are strictly limited.

Application time is synchronized using Network Time Protocol (NTP).

Encryption – Data in transit
Communications between end-user computer clients and Benify’s servers are encrypted via industry best-practices HTTPS and Transport Layer Security (TLS) over public networks.

Encryption – Data at rest
Production- and backup-data are encrypted at rest using AES 256-bit encryption.

Encryption – Integrations
Benify strongly recommends that all customer integrations and file transfers are protected using SFTP/HTTPS and file encryption such as PGP.

Protection of authentication information
All stored passwords are hashed using SHA512 and a salt.

Web application vulnerability scans
Automated web application vulnerability scans (including OWASP top 10) are conducted against the Benify application each week.

All vulnerabilities are classified and mitigated according to internal policies and procedures.

Third party library vulnerability scans
To identify project dependencies and check for any known, publicly disclosed vulnerabilities in third party libraries, Benify regularly performs OWASP Dependency-Checks.

Penetration testing
Benify uses an independent security company to perform full application penetration tests every quarter. I addition to this all application releases are tested continuously. Penetration tests are performed using automated and manual testing and includes testing towards international benchmarking projects and standards such as OWASP Top Ten and WASC.