
Security Guide for redOrange.ai

Updated over 2 months ago

1. Introduction

Security is a top priority at redOrange.ai. This guide outlines the security measures implemented within the application, along with best practices that administrators and users should follow to protect sensitive data and maintain a secure environment.


2. User Authentication and Access Control

Strong Authentication

  • redOrange.ai requires users to log in with a unique email and password.

  • Passwords are stored securely using industry-standard hashing algorithms.

Multi-Factor Authentication (MFA)

  • MFA can be enabled at the organizational level to add an extra layer of security.

  • Users are encouraged to set up MFA in their profile settings to protect accounts from unauthorized access.

Single Sign-On (SSO) Integration

  • redOrange.ai supports Single Sign-On using SAML 2.0 with major identity providers, including Google Workspace and Azure Active Directory (Azure AD).

  • The SAML-based SSO implementation secures communication in both directions between redOrange.ai and the identity provider, using encrypted assertions and a mutual trust relationship between the two parties.

  • We have implemented automated user provisioning for Azure AD: user accounts are synchronized directly from Azure AD to redOrange.ai, so onboarding and offboarding happen promptly and access is granted and revoked in step with the directory.

  • Administrators can configure SSO under Settings > Security > Identity Providers for centralized identity management and enhanced security.

Role-Based Access Control (RBAC)

  • Access to features and data is governed by predefined or custom roles with specific permissions.

  • Roles enforce the principle of least privilege, ensuring users have only the access necessary for their responsibilities.
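The two RBAC bullets above describe a deny-by-default model with predefined and custom roles. The following is an added example, not redOrange.ai's code, of how such a model can be enforced: a user holds only the permissions their roles grant, a custom role may only contain permissions the person creating it already holds, and role assignment itself requires a permission. The permission and role names (`reports.read`, `users.manage`, `analyst`, and so on) are constructed for the example and are not the product's real ones.

```python
from typing import Dict, FrozenSet, Iterable, Set

# Constructed permission and role names; the guide does not list redOrange.ai's real ones.
PERMISSIONS: FrozenSet[str] = frozenset({
    "reports.read", "reports.write",
    "users.read", "users.manage",
    "roles.manage", "billing.read",
})

PREDEFINED_ROLES: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"reports.read"}),
    "analyst": frozenset({"reports.read", "reports.write"}),
    "admin": PERMISSIONS,
}


class AccessControl:
    """Deny-by-default RBAC: a user has a permission only if one of their roles grants it."""

    def __init__(self) -> None:
        self._roles: Dict[str, FrozenSet[str]] = dict(PREDEFINED_ROLES)
        self._user_roles: Dict[str, Set[str]] = {}

    def bootstrap_admin(self, user: str) -> None:
        # Initial setup only: the first admin is created outside the actor checks below.
        self._user_roles.setdefault(user, set()).add("admin")

    def permissions_of(self, user: str) -> FrozenSet[str]:
        """Effective permissions are the union of the user's roles; unknown users get nothing."""
        return frozenset().union(*(self._roles[r] for r in self._user_roles.get(user, set())))

    def has(self, user: str, permission: str) -> bool:
        return permission in self.permissions_of(user)

    def require(self, user: str, permission: str) -> None:
        if not self.has(user, permission):
            raise PermissionError(f"{user} lacks {permission}")

    def define_role(self, actor: str, name: str, perms: Iterable[str]) -> None:
        """Create a custom role with two least-privilege guards: every permission name must
        be a known one (a typo must not silently create an empty or oversized role), and the
        actor may only delegate permissions they themselves hold."""
        wanted = frozenset(perms)
        unknown = wanted - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.require(actor, "roles.manage")
        missing = wanted - self.permissions_of(actor)
        if missing:
            raise PermissionError(f"{actor} cannot grant {sorted(missing)}")
        self._roles[name] = wanted

    def assign(self, actor: str, user: str, role: str) -> None:
        """Give a user a role; requires users.manage and an existing role."""
        self.require(actor, "users.manage")
        if role not in self._roles:
            raise KeyError(f"no such role: {role}")
        self._user_roles.setdefault(user, set()).add(role)


if __name__ == "__main__":
    ac = AccessControl()
    ac.bootstrap_admin("root")
    ac.assign("root", "alice", "analyst")
    print(sorted(ac.permissions_of("alice")))   # reports.read, reports.write only
```

The delegation check in `define_role` is the part worth copying: without it, anyone allowed to manage roles can create a role broader than their own and assign it to themselves, which defeats the least-privilege intent of the roles.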


3. Data Protection

Encryption

  • Data transmitted between users and redOrange.ai is encrypted using TLS (HTTPS).

  • Sensitive data stored in the backend (e.g., passwords, personal info) is encrypted at rest.

Secure API Access

  • APIs used internally and externally are secured with authentication tokens and scoped permissions.

  • API access is logged and monitored to detect suspicious activity.


4. Session Management

  • User sessions expire after a defined period of inactivity to reduce risk from unattended devices.

  • Session tokens are securely generated and stored with appropriate protections against theft or reuse.
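The two session-management bullets describe an inactivity timeout plus tokens generated and stored with protection against theft or reuse. As an added illustration (not redOrange.ai's implementation, whose timeouts and storage are not stated in the guide), the session store below draws tokens from the operating system's CSPRNG, keeps only a hash of each token server-side so a copied store cannot be replayed, enforces a sliding inactivity window and an absolute lifetime, and evicts expired sessions rather than leaving them reusable. The 15-minute and 8-hour values are constructed placeholders.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values; the guide does not state redOrange.ai's actual timeouts.
IDLE_TIMEOUT_SECONDS = 15 * 60
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60


@dataclass
class SessionRecord:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session store keyed by the SHA-256 of the token.

    Only the hash is kept server-side, so a leaked copy of the store cannot be
    replayed as live sessions; the client holds the only copy of the raw token.
    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, SessionRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, not sequential or time-derived.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = SessionRecord(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None if unknown or expired.

        An expired session is deleted on the spot, so a stolen token that was
        not used within the idle window is worthless afterwards.
        """
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._clock()
        idle_expired = now - rec.last_seen > IDLE_TIMEOUT_SECONDS
        lifetime_expired = now - rec.created_at > ABSOLUTE_LIFETIME_SECONDS
        if idle_expired or lifetime_expired:
            del self._sessions[key]
            return None
        rec.last_seen = now          # sliding inactivity window
        return rec.user_id

    def revoke(self, token: str) -> bool:
        """Explicit logout: invalidate immediately so the token cannot be reused."""
        return self._sessions.pop(self._key(token), None) is not None


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(store.validate(tok))   # alice
    store.revoke(tok)
    print(store.validate(tok))   # None
```

The absolute lifetime matters alongside the idle timeout: a session that is touched every few minutes by a script would otherwise never expire, so a token captured early in the day would stay valid indefinitely.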


5. Audit Logging and Monitoring

  • All critical user actions, such as login attempts, role changes, and data modifications, are logged.

  • Logs are retained according to compliance and organizational policies.
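Section 3 says API access is logged and monitored to detect suspicious activity, and this section says login attempts are logged. The guide does not show what that monitoring looks like, so the following is an added example, not redOrange.ai's detection logic or log format, of two simple detections run over constructed audit lines: repeated failures against one account within a ten-minute window, and one source address failing against several different accounts in that window. The line format, field names, thresholds and sample addresses are all constructed; lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log format and thresholds for this example. redOrange.ai's real
# audit schema, retention and alerting rules are not described in the guide.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<event>\w+) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)
WINDOW = timedelta(minutes=10)
FAILURES_PER_USER = 5   # same account, repeated failures within the window
USERS_PER_IP = 3        # one source address, several distinct accounts

# Constructed sample audit log (documentation-range addresses, made-up users).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z login_failure user=eve ip=192.0.2.9
2024-05-01T09:00:30Z login_failure user=eve ip=192.0.2.9
2024-05-01T09:01:00Z login_failure user=eve ip=192.0.2.9
2024-05-01T10:00:01Z login_failure user=alice ip=203.0.113.5
2024-05-01T10:00:20Z login_failure user=alice ip=203.0.113.5
2024-05-01T10:00:45Z login_failure user=alice ip=203.0.113.5
2024-05-01T10:01:10Z login_success user=bob ip=198.51.100.7
2024-05-01T10:01:30Z login_failure user=alice ip=203.0.113.5
this line is malformed and must be skipped, not crashed on
2024-05-01T10:02:05Z login_failure user=alice ip=203.0.113.5
2024-05-01T10:05:00Z login_failure user=bob ip=198.51.100.7
2024-05-01T10:05:05Z login_failure user=carol ip=198.51.100.7
2024-05-01T10:05:10Z login_failure user=dave ip=198.51.100.7
2024-05-01T11:00:00Z login_failure user=eve ip=192.0.2.9
2024-05-01T11:00:30Z login_failure user=eve ip=192.0.2.9
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]}


def detect(lines) -> List[Tuple]:
    """Return one alert per user and per source address the first time a threshold is crossed."""
    alerts: List[Tuple] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)    # user -> failure times
    targets: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # ip -> {user: last failure}
    flagged_users, flagged_ips = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "login_failure":
            continue
        ts, user, ip = ev["ts"], ev["user"], ev["ip"]

        # Per-account sliding window: drop failures older than WINDOW, then count.
        q = failures[user]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= FAILURES_PER_USER and user not in flagged_users:
            flagged_users.add(user)
            alerts.append(("repeated_failures", user, ip, len(q)))

        # Per-source window: how many distinct accounts has this address failed against recently?
        seen = targets[ip]
        seen[user] = ts
        for stale in [u for u, t in seen.items() if ts - t > WINDOW]:
            del seen[stale]
        if len(seen) >= USERS_PER_IP and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("many_accounts_one_source", ip, sorted(seen)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log the user `eve` is not flagged: her three failures at 09:00 have aged out of the window by the time two more arrive at 11:00, which is the point of bounding the window rather than counting failures over the whole retention period.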


6. Secure Development Practices

  • redOrange.ai follows secure coding standards to minimize vulnerabilities.

  • Regular security testing, including penetration testing and code reviews, is performed.

  • Dependencies and libraries are regularly updated to patch known security issues.


7. Security Best Practices for Users and Admins

  • Use strong, unique passwords and change them regularly.

  • Enable Multi-Factor Authentication (MFA) wherever possible.

  • Assign roles thoughtfully, applying the principle of least privilege.

  • Review user access periodically and remove inactive accounts promptly.

  • Avoid sharing login credentials or session tokens.


8. Incident Response

  • In case of suspected security incidents (e.g., unauthorized access), contact the redOrange.ai support team immediately at support@redorange.ai.

  • The security team will investigate and assist with containment and recovery.


9. Compliance

  • redOrange.ai complies with applicable data protection regulations and standards.

  • Data handling and security practices are regularly reviewed to maintain compliance.


10. Contact Security Team

For any security-related questions or concerns, please reach out to:
