{"id":2720,"date":"2023-04-12T01:27:20","date_gmt":"2023-04-12T01:27:20","guid":{"rendered":"https:\/\/www.vuepilot.com\/support\/?post_type=article&p=2720"},"modified":"2024-11-05T09:50:10","modified_gmt":"2024-11-04T23:50:10","slug":"security","status":"publish","type":"article","link":"https:\/\/www.vuepilot.com\/support\/article\/security\/","title":{"rendered":"VuePilot Security Information"},"content":{"rendered":"

VuePilot provides a number of security mechanisms to help keep your data and machines secure.
\nThis article will outline some of the security controls implemented across the VuePilot platform and aims to clear up some confusion about how parts of the service work from a security perspective.<\/p>\n

Encrypted Communications<\/h2>\n

All communications between the client and our servers performed over TLS \/ SSL encrypted communications.\u00a0 This includes the VuePilot software and communications with our APIs.
\nAll communications between our internal services and our databases are also performed over encrypted connections.<\/p>\n

Data Security<\/h2>\n

Encryption At Rest<\/h3>\n

Our databases are “encrypted at rest<\/em><\/strong>” by default using LUKS\u00a0 disk encryption.<\/p>\n

Password Encryption<\/h3>\n

User passwords are never stored in the database.\u00a0 Passwords are hashed using a strong one way hashing algorithm and stored in an irreversible format. Authentication is performed by re-hashing new passwords and comparing to the stored hash.<\/p>\n

<\/h2>\n

Application Security<\/h2>\n

Two Factor Authentication By Default<\/h3>\n

Two factor authentication is enabled by default for all users unless specifically disabled.\u00a0 If we detect that a different device is attempting to access your account you will be emailed a security code which must be inputted into a form before you can continue to access the dashboard.<\/p>\n

Rotations, Pages & Apps<\/h3>\n

The VuePilot software displays “Rotations” on the screens in your business, a rotation consists of “Pages”, a page can be either a regular website URL or an “App” which is a collection of configuration items with instructions on how to display the content such as positioning, sizing, layouts etc.
\nA rotation is essentially like a playlist, it will contain an ordering of pages and the timing for each.<\/p>\n

The VuePilot player requests the “Rotation” from the API at regular intervals and uses this information to drive what is displayed on screen.\u00a0 The VuePilot player software will simply display what is configured to display within the rotation.
\nThe only information passed back and forwards between the client and server is JSON configuration data over secured HTTPS connections.\u00a0 Apps such as Power BI are only ever loaded locally by the VuePilot player.<\/p>\n

Logging Into Websites & Dashboards<\/h3>\n

When using private dashboards, websites or services like Power BI in your rotation is it neccessary to login to the website by using a method such as the “Rotations > Preview > Login<\/em>” method outlined here Logging Into Websites That Require Authentication<\/strong><\/em><\/a><\/p>\n

It is important to note that this happens on the device connected to your screens running the VuePilot software and that the VuePilot software is running it’s own version of Chromium, hence you are logging into the website just like a normal browser.
\nThe authentication information is stored locally, on that machine and it does not leave that machine.\u00a0 The VuePilot service will never see this authentication information nor is it able to outside of your local machine.<\/p>\n

VuePilot Media Manager \/ Asset Storage<\/h3>\n

All assets stored in the VuePilot media manager are available\u00a0publicly.\u00a0\u00a0<\/strong>All VuePilot media manager assets will have a unique public URL, specific to your account that makes it unlikely to be discovered (ie https:\/\/assets.vuepilot.com\/uploads\/3839\/e8d-myimage.jpg)<\/em> however you should never store any private or highly sensitive information within the media manager as it can be viewed by anyone with the direct link.<\/p>\n

Customers may use their own internal company file storage solutions for sensitive information such as sales figures, internal processes, product data, charts etc.\u00a0 When using internal URLs to sensitive content only the URL is ever sent to our servers in order to sychonize what content is to be displayed across your devices. The actual content will never leave your internal network.<\/p>\n

The VuePilot media manager is intended for usage with standard public web assets, promotional material, images, video, photos etc.<\/p>\n

“Remote Management” Security<\/h3>\n

Customers often mistake this feature for a “Remote Desktop” product like VNC or Windows Remote Desktop. VuePilot does not<\/strong> provide remote desktop functionality or any type of functionality that would allow any individual to control the player machines operating system from a remote location.
\nVuePilot will periodically send requests to the VuePilot API which listens for specific instructions from the API sent by users from the dashboard.\u00a0 These instructions are sent back and forwards to the API over standard HTTPS connections and only include JSON data, not visual information.<\/p>\n

VuePilot cannot see your desktop, nor can it provide functions such as mouse control or any form of manipulation of the operating system outside of the standard VuePilot uses.\u00a0 The “Remote Management” features are merely JSON requests being passed back and forwards between client and server with minimal information, such as “display URL: https:\/\/cnn.com<\/em>“<\/p>\n

Only a small set of remote management instructions can be sent between the client and server, these are to perform basic operation such as<\/p>\n