Skip to main content
Sign in

RollKall Technical Information & FAQs

Linda Laggos
  • Updated

 

Click a link below to jump to a specific section.

 

General Architecture & Hosting & Development

Authentication, Login & Passwords

Data Security & Storage

Encryption

Payments

Compliance

Supported Browsers

 

 

 

General Architecture, Hosting, & Development

RollKall is a Multi-Tenant Cloud based SaaS platform for off-duty jobs. 

 

Where are your servers hosted?

RollKall is a Cloud first application with no physical servers of our own, instead we host all our infrastructure on Microsoft’s Azure platform.

RollKall’s infrastructure is mostly hosted in multiple geo-locations in the continental U.S. Our primary hosting location is in the North Central US service region, located in Illinois.

 

Which Data Center vendor is hosting our data any any given time?

Microsoft Azure.

 

Is this solution true cloud (SaaS), infrastructure as a service (IaaS) or managed service (PaaS)?

Yes, it is a true SaaS.

 

What is the largest client implementation you currently support?

City of Detroit

 

Is there a Software Development Life Cycle policy (SDLC)?

Yes, RollKall follows the Agile Scrum software development process, with a monthly release schedule. This allows for continuous product improvement and flexibility in meeting our users needs.

 

Authentication, Login, & Passwords

Is your solution compatible with Okta SAML 2.0 or higher for Single Sign on?

No.

What user account controls are enforced by the application?
The application enforces password complexity. At account creation we ensure that the user’s password is not composed of common phrases or password that can be easily guessed by an attacker.

Can application users change their individual password at any time?

Yes, an application user can request a password reset OR change their current password while logged in.

Can the frequency that users are forced to change their password be modified?

No.

Will the user’s account lock after multiple invalid attempts to login?

The application will throttle login attempts and temporarily lock a user account if too many failed attempts are detected.

What happens when a user’s account locks out?

Account lockouts are temporary. After a period of time the user will be able to attempt to login again.

Can an alert be sent if a user account locks out multiple times over a given period?

Not currently.

Can we restrict access from geographical regions, ie, only from the Orlando, Florida area?

No.

 

 

Data Security & Storage

What is the process for an emergency termination of a City user’s access to the site?

Both the agency and our customer service team can de-activate a user’s account if needed

 

What steps are taken to protect the City's data when there are vendor staff terminations?

AD and VPN Access is Revoked. Company equipment is returned and wiped of any sensitive data. 

 

Are file uploads allowed to the site and for format?

File uploads are limited to images for user profiles or PDFs or Images for officer employment verification or invoice attachments

 

What error checking or security screening is done on any allowed attachments that are uploaded?

The application backend checks for valid file formats during the upload process

 

How is the City’s environment / data segregated from your other client’s data?

As RollKall is a multi-tenant environment, off-duty shifts and user accounts are in a shared database environment. Client’s data is segregated through the proper implementation of user permissions and roles for each organization.

 

What access will the City have to audit / review security events on the hosted environment?

RollKall will inform the City if there are security events, but the City will not have direct access to our environment security events or logs. 

 

What data format does the information reside in on the site (SQL, Text, proprietary etc.)?

Azure SQL Server

 

Does this solution collect and maintain any PII?

We collect minimal PII required to verify that a user is an active law enforcement employee and allowed to use the application.

We also collect payment data but it is not maintained or stored by the RollKall system in order to be PCI compliant. All payment data is stored by our 3rd party payment processor system. 

 

Who owns the data that would be stored on your platform?

Since the data is stored in RollKall’s infrastructure, it is owned by RollKall. Off-Duty data, however, can be exported in CSV format by the users at any moment and for any given date range through RollKall’s reporting system

 

What formats can the data be exported and delivered to the City at the end of the contract and is it usable?

Off-Duty data can be exported in CSV format by the City at any moment and for any given date range through RollKall’s reporting system.

 

Can customer data be exported to  SQL or Oracle from your system upon  termination of the contract?

Off-Duty data can be exported in CSV format by the City at any moment and for any given date range through RollKall’s reporting system. CSV data can then be used to import into any other system as needed. 

 

Will the exported delivered data maintain relational integrity?

Exported Off-Duty data is de-normalized during the exporting process

 

What Data Loss Prevention (DLP) processes are in place to prevent unauthorized export of data?

Reporting access is limited to admin staff within the application and access monitoring is in place in the production environment databases. Internal DLP policies also govern RollKall’s personnel access to data. 

 

Who besides the Agency will have access to our data?

RollKall L2 Support & L1 Engineering Staff will have access to the production data in order to assist with any support issues. 

 

Does the system comply with the  ANSI 1989 standards for SQL? Does it support transaction logging with  commit, rollback, and roll forward  facilities for restores, referential  integrity and table-driven coding  structures?

Yes. Microsoft SQL Server complies with ANSI 1989 standards.

 

 

Encryption

Is the data encrypted at rest?

All our databases have data encryption enabled by default.

 

Is the data encrypted in transit?

Yes. Every single interaction point, included internally is encrypted via SSL.

 

What is the secure login URL for the solution?

https://agency.rollkall.com/login

 

What is the level of encryption on the data?

During transit the data is encrypted using TLS 1.2, the SQL Databases are encrypted using Transparent Data Encryption using an AES algorithm.

 

Can TLS 1.0 and 1.1 be removed from the system?

Yes, TLS 1.0 and 1.1 are currently disabled. Only TLS 1.2 is enabled.

 

 

Payments

How are payments processed? Are they processed within RollKall or by a third party?

Payments are processed through Stripe, a third party certified PCI Service Provider Level 1. Follow this link for more information on Stripe: https://stripe.com/docs/security/stripe

 

 

Compliance

Which security tests / audits have been performed recently for RollKall?

RollKall is PCI-DSS compliant. We perform security audits quarterly to ensure we maintain compliance. 

 

Which compliance standards are you certified for, ie, CJIS, SOC, SSAE?

PCI-DSS.

 

Is there any PCI documentation?

Yes, RollKall performs quarterly PCI compliance audits, and we can provide our latest certificate of compliance.

 

Are there audit reports of user’s activity in the application available?

Yes. The application logs user activity like login, logout, as well as all related off-duty activity such as job applications, assignments, clock-in, clock-out as well as modifications to the shifts. 

 

 

Supported Browsers

Which browsers versions are NOT supported for connecting to the application?

Internet Explorer 10 or less, Safari 12 or less.

Related articles

Comments

0 comments

Please sign in to leave a comment.