This article covers our tool's technical information.
General Architecture, Hosting, & Development
RollKall is a Multi-Tenant Cloud based SaaS platform for off-duty jobs.
Where are your servers hosted?
RollKall is a Cloud first application with no physical servers of our own, instead we host all our infrastructure on Microsoft’s Azure platform.
RollKall’s infrastructure is mostly hosted in multiple geo-locations in the continental U.S. Our primary hosting location is in the North Central US service region, located in Illinois.
Which Data Center vendor is hosting our data any any given time?
Is this solution true cloud (SaaS), infrastructure as a service (IaaS) or managed service (PaaS)?
Yes, it is a true SaaS.
What is the largest client implementation you currently support?
City of Detroit
Is there a Software Development Life Cycle policy (SDLC)?
Yes, RollKall follows the Agile Scrum software development process, with a monthly release schedule. This allows for continuous product improvement and flexibility in meeting our users needs.
Authentication, Login, & Passwords
Is your solution compatible with Okta SAML 2.0 or higher for Single Sign on?
What user account controls are enforced by the application?
The application enforces password complexity. At account creation we ensure that the user’s password is not composed of common phrases or password that can be easily guessed by an attacker.
Shortly, we will be implementing two-factor authentication (2FA).
Can application users change their individual password at any time?
Yes, an application user can request a password reset OR change their current password while logged in.
Can the frequency that users are forced to change their password be modified?
Will the user’s account lock after multiple invalid attempts to login?
The application will throttle login attempts and temporarily lock a user account if too many failed attempts are detected.
What happens when a user’s account locks out?
Account lockouts are temporary. After a period of time the user will be able to attempt to login again.
Can an alert be sent if a user account locks out multiple times over a given period?
Can we restrict access from geographical regions, ie, only from the Orlando, Florida area?
Data Security & Storage
What is the process for an emergency termination of a City user’s access to the site?
Both the agency and our customer service team can de-activate a user’s account if needed
What steps are taken to protect the City's data when there are vendor staff terminations?
AD and VPN Access is Revoked. Company equipment is returned and wiped of any sensitive data.
Are file uploads allowed to the site and for format?
File uploads are limited to images for user profiles or PDFs or Images for officer employment verification or invoice attachments
What error checking or security screening is done on any allowed attachments that are uploaded?
The application backend checks for valid file formats during the upload process
How is the City’s environment / data segregated from your other client’s data?
As RollKall is a multi-tenant environment, off-duty shifts and user accounts are in a shared database environment. Client’s data is segregated through the proper implementation of user permissions and roles for each organization.
What access will the City have to audit / review security events on the hosted environment?
RollKall will inform the City if there are security events, but the City will not have direct access to our environment security events or logs.
What data format does the information reside in on the site (SQL, Text, proprietary etc.)?
Azure SQL Server
Does this solution collect and maintain any PII?
We collect minimal PII required to verify that a user is an active law enforcement employee and allowed to use the application.
We also collect payment data but it is not maintained or stored by the RollKall system in order to be PCI compliant. All payment data is stored by our 3rd party payment processor system.
Who owns the data that would be stored on your platform?
Since the data is stored in RollKall’s infrastructure, it is owned by RollKall. Off-Duty data, however, can be exported in CSV format by the users at any moment and for any given date range through RollKall’s reporting system
What formats can the data be exported and delivered to the City at the end of the contract and is it usable?
Off-Duty data can be exported in CSV format by the City at any moment and for any given date range through RollKall’s reporting system.
Can customer data be exported to SQL or Oracle from your system upon termination of the contract?
Off-Duty data can be exported in CSV format by the City at any moment and for any given date range through RollKall’s reporting system. CSV data can then be used to import into any other system as needed.
Will the exported delivered data maintain relational integrity?
Exported Off-Duty data is de-normalized during the exporting process
What Data Loss Prevention (DLP) processes are in place to prevent unauthorized export of data?
Reporting access is limited to admin staff within the application and access monitoring is in place in the production environment databases. Internal DLP policies also govern RollKall’s personnel access to data.
Who besides the Agency will have access to our data?
RollKall L2 Support & L1 Engineering Staff will have access to the production data in order to assist with any support issues.
Does the system comply with the ANSI 1989 standards for SQL? Does it support transaction logging with commit, rollback, and roll forward facilities for restores, referential integrity and table-driven coding structures?
Yes. Microsoft SQL Server complies with ANSI 1989 standards.
Is the data encrypted at rest?
All our databases have data encryption enabled by default.
Is the data encrypted in transit?
Yes. Every single interaction point, included internally is encrypted via SSL.
What is the secure login URL for the solution?
What is the level of encryption on the data?
During transit the data is encrypted using TLS 1.2, the SQL Databases are encrypted using Transparent Data Encryption using an AES algorithm.
Can TLS 1.0 and 1.1 be removed from the system?
Yes, TLS 1.0 and 1.1 are currently disabled. Only TLS 1.2 is enabled.
How are payments processed? Are they processed within RollKall or by a third party?
Payments are processed through Stripe, a third-party certified PCI Service Provider Level 1. Follow this link for more information on Stripe: https://stripe.com/docs/security/stripe
Which security tests / audits have been performed recently for RollKall?
RollKall is PCI-DSS compliant. We perform security audits quarterly to ensure we maintain compliance.
Which compliance standards are you certified for, ie, CJIS, SOC, SSAE?
Is there any PCI documentation?
Yes, RollKall performs quarterly PCI compliance audits, and we can provide our latest certificate of compliance.
Are there audit reports of user’s activity in the application available?
Yes. The application logs user activity like login, logout, as well as all related off-duty activity such as job applications, assignments, clock-in, clock-out as well as modifications to the shifts.
Which browsers versions are NOT supported for connecting to the application?
Internet Explorer 10 or less, Safari 12 or less.