Technical FAQ
We are so glad you're here. Chances are you've read over the services agreement and your IT department might have some final outstanding questions before we get started. We're here to answer them!
Is there a legal agreement to accept prior to signing up?
The legal Master Services Agreement (MSA) is covered by your signature on the Statement of Work we provide you. The MSA and can be found here. Issues of liability between Switchboard and the subscriber are covered therein. Issues of liability from the user standpoint are covered in the terms of service and privacy policy they agree to on signup.
How do you protect user data?
Sensitive user data (e.g. passwords) are encrypted. All data exchanged with Switchboard is always transmitted over SSL (which is why you always get redirected to HTTPS, for instance). We protect user login from brute force attacks with rate limiting. All passwords are filtered from all our logs and are one-way encrypted in the database using bcrypt. Login information is always sent over SSL. Private messages are never stored in plain text. Messages are encrypted using aes-256-gcm.
Are they encrypted in database?
Yes.
Are all web transactions under SSL?
Yes.
Do you have an API? How can we get data?
An API is on our product roadmap. You can download user data as a CSV in the "User Export" section of the administrator dashboard.
How does the verification process work?
All users are entered into the "User Directory" accessible under the administrator dashboard. Customers have a variety of choices when it comes to verifying users, ranging from providing a CSV of pre-approved email addresses, to authorizing only addresses with their domain name and approving other users, to retroactively approving users after sign up. We will work with you to customize your settings.
Any defense against DDoS attack?
Switchboard is hosted across a number of Amazon EC2 instances. This allows us to easily scale horizontally in the case of an attack by spinning up more instances as needed.
What is your failover / disaster recovery plan?
Our EC2 instances are spread across multiple data centers allowing for a robust system in case of any individual node failure. Similarly our primary datastore (postgres running on AWS RDS) is replicated across regions and backed up daily. Those backups are encrypted. We'd be glad to provide you with a copy of our disaster recovery plan document.
Is there any monitoring service for your application?
We don't currently offer public access to our monitoring services, but we can change that if it is something you'd like access to.
Are you aware of the Heartbleed bug?
Yes. We keep OpenSSL up to date.
Is it possible for you to authenticate our users through our authentication service or single sign on?
It is possible but requires a custom build at additional cost. Our customers recognize that a lower barrier to entry using social sign-on or account creation will provide a better user experience, and they value the new and updated email addresses that can be exported into the donor database. Two thirds of user email addresses are new and more current than what customers currently have on file.