Security Statement
1. Statement Purpose
Yesflow understands that in today’s environment customers are concerned about how their data is accessed, processed and secured. Customers must be able to trust that their data is safe and that it will only be used in a way that is consistent with their expectations.
This statement has been created to provide an overview of connectivity, security and data usage related topics pertaining to the Yesflow solution.
2. Solution Overview
2.1 Functionality
The Yesflow Digital Assistant is designed to deliver information proactively to your mobile device on adaptive cards that summarize key information for team members. Based on individual responsibilities and preferences, Yesflow algorithms deliver cards exactly when they are needed, so no one has to hunt for information across the enterprise. Cards can be delivered across multiple channels where people happen to be working – email, text, in a mobile app or Teams. Users can easily request new cards within the same channels using voice or text. The solution consists of 3 primary components:
Adaptive Cards – high quality targeted information delivered to your teams, so they do not have to go looking for it. The information on each card can come from multiple systems and include the details you deem the most important.
Dialogues – The Yesflow Digital Assistant is always on hand to answer your questions and help you find the information you need. The Assistant expertly guides you through your most important processes so that best practice becomes common practice.
Connectors – Yesflow connects to all your most important enterprise systems, everything from CRM, BI, ERP and other back-office systems to collaborative work tools and mission-critical information management systems like policy admin, claims management and others.
2.2 Connectivity
In order to leverage the Yesflow Digital Assistant, the Yesflow platform must be able to communicate with your enterprise systems (CRM, ERP, BI, policy admin, etc.).
The Yesflow Digital Assistant will be provisioned in Yesflow’s Azure environment. Security and privacy are embedded into the development of Azure. Microsoft makes security and privacy a priority at every step, from code development through incident response.
Please refer to the Microsoft Azure Trust Center for more in-depth security details related to Azure.
Yesflow requires connectivity from Yesflow’s API endpoint to the Client’s systems. If the Client’s system is on premise Yesflow can leverage a VPN connection to the appropriate endpoint. All connections to the Client’s systems are SSL leveraging TLS 1.2 or greater. Yesflow is built on a Service Oriented Architecture primarily utilizing Web API, REST, OData and Oauth2 as part of the solution.
Client connectivity requires users to authenticate through Active Directory or other SAML compatible OAuth token providers. Yesflow leverages Oauth2 appflow to facilitate client logins. The Yesflow client application communication is through the secure MS bot channel endpoint (diagram below).
2.3 Security and Device Management
Yesflow connectivity to any data source is based on a user’s security role and ID. Any data that is returned is on behalf of the user based their security credentials (Reference on MSFT Server to Server authentication). For CRM connectivity, Yesflow requires a service-based account that allows for impersonation. App registration is required for Azure Active Directory and Server to Server authentication. Role based security in CRM is used to secure the service based account.
Yesflow client access will support Multi-factor authentication and will support device management solutions like Microsoft Intune. The Yesflow Digital Assistant can be deployed through the App Store or an Enterprise App Store. Policies like remote wiping can be handled via MDM. App updates are handled on a defined schedule and pushed out through the App store and in App updates.
Apple and Android notification services are used for sending notification to devices. Azure notification hub is used to send notifications to devices.
2.4 Data Management
Each client deployment will have their own Natural Language Understanding (NLU) for resolving entities. All data is secured within Azure (Microsoft Azure Trust Center) and encrypted with LUIS AI (LUIS Authoring and Runtime Keys and LUIS Reference). All data in transit is encrypted and all keys and sensitive data is stored in an Azure key vault.