ExorLive is a Software as a Service (SaaS) solution for planning workouts and for related administrative tasks. The solution consists of a load-balanced web application driven by AJAX and web services, and a separate set of SOAP-enabled web services for external integration.
ExorLive runs on a set of Microsoft Azure servers. Data is stored in an SQL database. The servers are administered from ExorLive's headquarters in Oslo. Only authorized internal technical personnel located at ExorLive's office in Oslo have access to personal data.
Security in ExorLive is enforced by a strict security policy that does not permit entities to be accessed or manipulated across organizations. Within an organization, security is role-based, and users can be given administrative roles per unit/department. The application is always accessed over SSL, protecting the information exchanged between client and server from eavesdropping. ExorLive stores only a hash of the user's password; when authenticating through ExorLive's regular interface, a salt, hashing and a short-lived challenge are used so that message replay cannot be used to wrongfully gain access. All data is encrypted. External services are required to use the SSL-enabled endpoints to ensure transport security.
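The replay-resistant login described above (salted password hash on the server, a short-lived challenge, no password on the wire) can be illustrated with the exchange below. This is an added example written for this document, not ExorLive's own code; the user store, the 30-second challenge lifetime and the PBKDF2/HMAC choices are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store: per user only a random salt and a password hash
# are kept, never the password itself (assumption; stands in for a database table).
def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

USERS = {"alice": make_user("correct horse battery staple")}
CHALLENGES = {}          # nonce -> (username, expiry); one entry per issued challenge
CHALLENGE_TTL = 30.0     # seconds a challenge stays valid (assumed value)

def issue_challenge(username: str, now: float) -> tuple:
    """Server step 1: hand the client a fresh random nonce plus the user's salt."""
    nonce = secrets.token_hex(16)
    CHALLENGES[nonce] = (username, now + CHALLENGE_TTL)
    user = USERS.get(username)
    # Unknown users get a random salt so the reply does not reveal whether they exist.
    return nonce, (user["salt"] if user else os.urandom(16))

def client_response(password: str, salt: bytes, nonce: str) -> str:
    """Client step: derive the hash locally and bind it to this nonce with an HMAC."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(pw_hash, nonce.encode(), "sha256").hexdigest()

def verify(username: str, nonce: str, response: str, now: float) -> bool:
    """Server step 2: accept only a fresh, unexpired nonce and a matching HMAC."""
    entry = CHALLENGES.pop(nonce, None)   # consumed on first use: a replayed nonce fails
    if entry is None or entry[0] != username or now > entry[1]:
        return False
    user = USERS.get(username)
    if user is None:
        return False
    expected = hmac.new(user["hash"], nonce.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, response)   # constant-time comparison

if __name__ == "__main__":
    nonce, salt = issue_challenge("alice", time.time())
    print(verify("alice", nonce, client_response("correct horse battery staple", salt, nonce), time.time()))
```

Because the server verifies with the stored hash, that hash is password-equivalent for this exchange: the scheme defeats replay and eavesdropping, but the user store still needs the same protection as plaintext credentials would.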
The system provides integrity by ensuring that users are not able to insert or edit entities they are not authorized for. Actions are logged. All data is replicated to multiple servers in real time, and backups are stored on Microsoft Azure servers. ExorLive processes and stores data in accordance with Norwegian, Swedish and Danish law, as well as current EU directives.
ExorLive and storage encryption of data at-rest:
The ExorLive Azure Database for MySQL service uses a FIPS 140-2 validated cryptographic module for storage encryption of data at rest. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system-managed. Storage encryption is always on and cannot be disabled.
For more info: https://docs.microsoft.com/en-us/azure/mysql/concepts-security
Security measures and procedures against external attacks: We are Microsoft partners and keep our technical staff updated on current system and security solutions. Through Microsoft Azure we ensure, together with Microsoft, that our services are always up to date on security and the latest security patches, i.e. always running the latest version of important software, logging all login attempts and performing manual vulnerability tests.
System structure drawing (Illustration 2 and Illustration 3: images not reproduced in this text)
System Requirements ExorLive
- Internet Explorer 11 or later versions.
- Internet access
Information about the ports, domains and IP addresses that must be allowed in the firewall will be specified upon request. The ExorLive system uses HTTPS with an HTTPS certificate.
Roles and rights
ExorLive has a flexible system that is role-based and unit-based. The roles and privilege levels are as follows:
Instructor (practitioner, e.g. physiotherapist)
Rights: Can create and open a patient (contact), save and sign a training program based on an existing or new program, and create custom templates that can be seen/edited by specified users. Can monitor patient (contact) activity. Able to create and save program templates that are made available only to specific users.
Rights: Creates new users and deactivates/activates users in their unit/department and the units/departments.
Rights: Manages the entire organization, including licensing, organizational structure and appearance. Adds new users, assigns device administrators and activates/deactivates users. Able to delete current training programs.
System administrator in ExorLive: Can grant relevant rights and settings at the organization and system level.
Contact with login (Client/Patient with account)
Rights: This role entitles the user to see their own training program with video, log their training and see progress on their mobile/tablet/PC. The user only has access to their own information. The user has access to program proposals if these are provided by the administrator/instructor in the organization.
A contact in ExorLive without an account (a client/patient).
Organized hierarchically (example diagram not reproduced in this text).
AD, ADFS and SSO
ExorLive supports AD (Active Directory) through ADFS (Active Directory Federation Services): Microsoft ADFS 2016 (OpenID Connect) and ADFS 2012 (WS-Federation). ExorLive uses OAuth 2.0 and OpenID Connect for authentication and authorization. SSO is supported via ADFS and OAuth 2.0.
API for integration / link with ExorLive
There are different ways a partner application may communicate with ExorLive.
This is described on our developer site: developer.exorlive.com/api/
All personal information is processed by ExorLive as Personal Data as defined in the Data Protection Legislation, including the European General Data Protection Regulation (GDPR). Security in ExorLive is enforced by a strict security policy (see the paragraph "Security").
An organization determines its own Personal Data policy. Entering personal data is optional and is not required for ExorLive to work. However, it is common to enter Personal Data in ExorLive because it is safe and allows better follow-up of the client/patient.
ExorLive can also deliver a solution where person objects are saved in ExorLive without personal information, but with a generic unique ID that cannot be traced back to the person. The relationship between the anonymous unique ID and the real person does not exist in the ExorLive database, but only on a local server in the customer's IT environment. In this way the ExorLive server handles only non-personal data, while personal information is stored solely on the local server in the customer's IT environment. Further information on this solution, the Personal Data Security module (PDS module), can be obtained upon request.
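The split the PDS module describes, with the identity mapping held only on the customer's side and the SaaS receiving a pseudonym that cannot be traced back, is sketched below. This is an added example written for this document, not ExorLive's PDS module; the in-memory registry, the record layout and the pre-upload leak check are assumptions.

```python
import json
import secrets

# Constructed stand-in for the customer's local PDS mapping database (assumption):
# this is the only place where a pseudonym can be linked to a real person.
LOCAL_REGISTRY = {}

def register_person(name: str, birth_date: str, national_id: str) -> str:
    """Local side: mint a random pseudonym and keep the identity mapping on-premise."""
    # A random token, not a hash of the person's data: a deterministic hash of a
    # national ID or name could be matched by hashing candidate values, a random token cannot.
    pseudonym = secrets.token_urlsafe(16)
    LOCAL_REGISTRY[pseudonym] = {"name": name, "birth_date": birth_date, "national_id": national_id}
    return pseudonym

def leaks_identity(serialized: str, pseudonym: str) -> bool:
    """Guard run before upload: does the payload contain any value from the local mapping?"""
    person = LOCAL_REGISTRY.get(pseudonym, {})
    return any(value and value in serialized for value in person.values())

def build_saas_record(pseudonym: str, training_program: dict) -> str:
    """Record sent to the SaaS: the pseudonym plus training data, no identity fields."""
    record = {"person_id": pseudonym, "program": training_program}
    serialized = json.dumps(record)
    if leaks_identity(serialized, pseudonym):
        raise ValueError("refusing to send: record contains locally held personal data")
    return serialized

def resolve_locally(pseudonym: str):
    """Re-identification is only possible here, never on the SaaS side."""
    return LOCAL_REGISTRY.get(pseudonym)

if __name__ == "__main__":
    pid = register_person("Kari Nordmann", "1980-01-01", "01018012345")   # constructed sample
    print(build_saas_record(pid, {"exercise": "squat", "sets": 3}))
    print(resolve_locally(pid)["name"])
```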
Version date: 21.08.2020