Security
- Introduction
- Secure Hosting
- Secure Transmission of Data
- Security Best Practices
- User Authentication
- Data Separation
- Workplace Membership
Introduction
OnePlace takes the matter of securing your data extremely seriously. It is our top priority to ensure your data is secure.
If you ever have any questions regarding the security of your data, we urge you to contact us immediately to speak to us about those concerns.
Secure Hosting
We partner with web-hosting provider Engine Yard to provide secure, reliable and fast access to OnePlace. Engine Yard specializes in providing fully-managed hosting services for web-applications that use the same technology stack as OnePlace. To learn more about what Engine Yard is doing to secure your data, please read their security white paper.
Security Best Practices
The team behind OnePlace stringently follows industry recognized best practices for securing applications that utilize the Internet to transmit data. This includes the following:
- Protecting against SQL Injection attacks.
- Protecting against Cross-Site Scripting attacks.
- Validating parameters of all requests to ensure that the user who is requesting data is authorized to access that data.
- We don't store any credit card information in our database. All credit card information is stored at the payment gateway provider we utilize for processing credit card transactions (Authorize.Net).
- We don't store any sensitive personal information in our server log files, such as user email addresses and passwords.
- Storing user passwords in the database using one-way encryption.
- Strictly limiting direct employee access to our production servers and database.
Secure Transmission of Data
OnePlace utilizes HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) as a way to securely encrypt the transmission of all information between your browser and our servers. All accounts (paid and free) receive this feature at no extra cost, and there is nothing special you need to do to benefit from it. To learn more about HTTPS, click here.
User Authentication
Each time your browser sends a request to OnePlace, your identity is verified. If you haven't yet provided your user credentials (email address and password), OnePlace will automatically send you to the Sign In page first. You can read more about OnePlace's sign in/out process here.
Each user is required to secure their identity with a password that must be at least 4 characters in length. All users passwords are stored in a encrypted format, in a way that cannot be decrypted. As such, if you ever forget your password, the best we can do is allow you to change it. We have no way to send you your password.
We recommend that you sign out of OnePlace each time you are done using it, or you are going to be away from your desk. Doing so minimizes the chances that someone can gain access to your data stored in OnePlace by using your computer without your knowledge.
Data Separation
OnePlace uses a single database to store the data created by its users, in a way that ensures each user sees only what he or she is authorized to see. Each time OnePlace retrieves data from the database, it uses the identity of the current user to determine what data to return. A user is only allowed to see data that belongs to workplaces that he or she is a member of. One account (team or personal) cannot access data in another account.
Workplace Membership
The way you grant someone access to data in OnePlace is by adding them to a workplace. When adding someone to a workplace, you have two decisions to make which will determine that person's rights/permissions within the workplace:
Workplace Admin
The first decision is whether or not to make the person being added to the workplace an administrator of the workplace. A workplace administrator has the following rights that non-administrators do not have:
- Ability to add and remove people from the workplace.
- Ability to edit the properties of the workplace, such as the workplace name, description or icon.
- Ability to archive, trash or delete the workplace.
Note that workplaces can have one or more members designated as administrators.
Access Level
When a user is added to a workplace, they are assigned a permission/access level which determines the information that they will be able to see in the workplace. Likewise, when something is added to a workplace (i.e. a project, task, file, etc.), it is assigned a permission/access level that workplace members are required to have in order to see it.
OnePlace supports the following permission/access levels:
| Permission Level | Description |
|---|---|
| Full Access | Members with full access are able to see all data within a workplace. This is the least restrictive level. |
| Limited Access | Members with limited access are able to see only data designated with limited or portal access. |
| Portal Access | Members with portal access are able to see only data designated with portal access. This is the most restrictive level. |
The Members Tab shows the access level that is assigned to each member of the workplace.
When something is designated with limited or portal access, it is decorated with a small "L" or "P" in front of its name/title. This allows you to quickly identify the things in a workplace that a particular permission/access level is able to see. If something has no permissions decoration, then full access is required to see that item. In the example below, members with portal access can only see the two tasks with portal access (P). Members with limited access can only see the two portal access tasks (P), and the one limited access task (L). Members with full access can see all six tasks.
