Overview
ExorLive is a Software as a Service (SaaS) solution for planning workouts and for related administrative tasks. The solution consists of a load-balanced web application driven by AJAX and web services, and a separate set of SOAP-enabled web services for external integration.
ExorLive runs on a set of servers in the EU (Dublin, Ireland). ExorLive has enabled the "Customer Lockbox for Microsoft Azure" feature, which secures customer data by locking it for ExorLive access only. For further information see link.
Data is stored in an SQL database. The servers are administered by ExorLive headquarters in Oslo. Only authorized internal technical personnel in ExorLive, located at ExorLive's office in Oslo, have access to personal data.
Security
Security in ExorLive is enforced by a strict security policy that does not permit entities to be accessed or manipulated across organizations. Security is role-based within the organization, and users can be given administrative roles on a per unit/department level. The application is always accessed over SSL, safeguarding the information exchanged between the client and the server from eavesdropping. ExorLive stores only a hash of the user’s password, and when authenticating through ExorLive’s regular interface, salt, hashing, and a short-lived challenge are used to ensure that message replay cannot be used to wrongfully gain access. All data is encrypted. External services are required to use the SSL-enabled endpoints to ensure transport security.
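The salted-hash, short-lived-challenge login described above can be sketched as follows. This is an added example, not ExorLive's code or wire protocol; the class and function names, PBKDF2 as the hash, HMAC as the response function and the 30-second lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000     # assumed work factor for the sketch
CHALLENGE_TTL = 30.0     # assumed lifetime of a challenge, in seconds


def derive(password: str, salt: bytes) -> bytes:
    """Salted, stretched password hash; the only secret the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AuthServer:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}      # username -> (salt, stored hash)
        self.pending = {}    # username -> (nonce, expiry time)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive(password, salt))

    def challenge(self, user: str):
        """Step 1: hand out the salt and a fresh random nonce."""
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(32)
        self.pending[user] = (nonce, self.clock() + CHALLENGE_TTL)
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Step 2: accept a response once, and only before the nonce expires."""
        issued = self.pending.pop(user, None)    # consume: single use
        if issued is None:
            return False                         # no challenge, or already used
        nonce, expires = issued
        if self.clock() > expires:
            return False                         # challenge too old
        expected = hmac.new(self.users[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(derive(password, salt), nonce, hashlib.sha256).digest()
```

In this sketch the stored hash is itself the HMAC key, so it must be protected like a password; SCRAM (RFC 5802) is a standardized design that avoids that property.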
The system provides integrity by ensuring that users are not able to insert or edit entities they are not authorized for. Actions are logged. All data is replicated on multiple servers in real time, and backups are stored on Microsoft Azure servers in the EU (Dublin, Ireland). ExorLive is processing and storing data in accordance with Norwegian, Swedish and Danish laws, as well as current EU directives.
ExorLive and storage encryption of data at-rest:
The ExorLive Azure Database for MySQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
For more info: https://docs.microsoft.com/en-us/azure/mysql/concepts-security
Security measures and procedures against external attacks: We are partners with Microsoft and keep our technical staff updated on current system and security solutions. Through Microsoft Azure, we ensure together with Microsoft that our services are always up to date on security and the latest security patches, i.e. always running the latest version of important software, logging all login attempts, and performing manual vulnerability tests.
System structure drawing
Illustration 1:
Illustration 2:
Illustration 3:
System Requirements ExorLive
System requirements:
- Internet access
Supported browsers:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge (Old Edge ceases to be supported 09.03.2021, and new Edge is used, link)
- Apple Safari (for Mac or iPad)
No support is given from 1.12.2020:
- Internet Explorer 11 (ceases to be supported by MS from 30.11.2020 link)
Information about the ports, domains and IP addresses that must be allowed through the firewall will be provided upon request. The ExorLive system uses HTTPS with an HTTPS certificate.
Roles and rights
ExorLive has a flexible system that is role-based and unit-based. The roles and privilege levels are as follows:
Instructor (practitioner, e.g. physiotherapist)
Rights: Can create and open patient (contact), save and sign training program on the basis of existing or new program, as well as create custom templates that can be seen/edited by the specified users. Can monitor patient (contact) activity. Able to create and save program templates that can be saved and made available only to specific users.
Unit Administrator
Rights: Can create new users and deactivate/activate users in their unit/department and the units/departments.
Organizational Administrator
Rights: Manages the entire organization, including licensing, organizational structure and appearance. Can add new users, assign device administrators, and activate/deactivate users. Able to delete current training programs.
System administrator in ExorLive
Rights: Can provide relevant rights and settings at the organization and system level.
Contact with login (Client/Patient with account)
Rights: This role entitles the user to see their own training program with video, log their training and see progress through their mobile/tablet/PC. The user only has access to their own information. The user has access to program proposals if this is provided by the administrator/instructor in the organization.
A contact in ExorLive without account. (A Client/Patient)
No rights.
Units
Organized hierarchically. Ex:
AD Integrations and SSO
ExorLive can be integrated with the customer’s AD (Active Directory). This means that access is managed in the AD and users log in with their AD user to access ExorLive. An IDP (identity provider) other than Microsoft AD is also supported, as long as the IDP supports either of the following protocols:
- SAML 2.0
- OIDC
API for integration / link with ExorLive
There are different ways a partner application may communicate with ExorLive.
This is described on our developer site: developer.exorlive.com/api/
Personal information:
All personal information is being processed by ExorLive as Personal Data as defined in the Data Protection Legislation, including the European general data protection regulation (GDPR). Security in ExorLive is enforced by a strict security policy (see paragraph “Security”).
An organization determines their own Personal Data policy. Personal data entry is optional, and is not a requirement for ExorLive to work. However, it is common to enter Personal Data in ExorLive, because it is safe and provides the opportunity for following up the client / patient in a better way.
ExorLive can also deliver a solution where person-objects can be saved in ExorLive without personal information, but with a generic unique ID that cannot be traced back to the person. The relationship between the anonymous unique ID and the real person does not exist in the ExorLive database, but on a local server in the customer's IT environment. In this way, ExorLive adapts so that the ExorLive server only handles impersonal data, while personal information is only stored on the local server in the customer's IT environment. Further information on this solution, Personal Data Security module (PDS module), can be obtained upon request.
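The split described above, where a random ID goes to the server and the ID-to-person link stays on the customer's local server, can be sketched as follows. This is an added example, not the PDS module's code; the class name, the field names and `contact_id` are hypothetical, and the sample record is constructed.

```python
import secrets

# Assumed field names for the sketch: only these ever leave the customer network.
OUTBOUND_FIELDS = {"program", "sessions_per_week"}


class LocalPseudonymVault:
    """Runs in the customer's environment and holds the only ID-to-person link."""

    def __init__(self):
        self._id_by_key = {}       # local record key -> pseudonymous ID
        self._person_by_id = {}    # pseudonymous ID -> fields kept locally

    def outbound(self, local_key: str, record: dict) -> dict:
        """Split a record: allowlisted fields plus a random ID go out, the rest stays."""
        pid = self._id_by_key.get(local_key)
        if pid is None:
            # Random, not a hash of a name or national ID, so it cannot be
            # recomputed from personal data.
            pid = secrets.token_hex(16)
            self._id_by_key[local_key] = pid
        # Allowlist rather than denylist: an unexpected field stays local by default.
        self._person_by_id[pid] = {
            k: v for k, v in record.items() if k not in OUTBOUND_FIELDS
        }
        payload = {k: v for k, v in record.items() if k in OUTBOUND_FIELDS}
        payload["contact_id"] = pid    # hypothetical field name
        return payload

    def reidentify(self, payload: dict) -> dict:
        """Rejoin data from the server with the locally stored personal fields."""
        return {**self._person_by_id[payload["contact_id"]], **payload}


def sample_record() -> dict:
    # Constructed sample data, not a real person.
    return {"name": "Kari Nordmann", "phone": "+47 000 00 000",
            "program": "Knee rehab A", "sessions_per_week": 3}
```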
Version date: 31.08.2022