Security

What is the session time of session keys through HTTPS communication via TLS?

We do not control the session time of the session keys, these are controlled by Mic


How are the session keys that are exchanged through HTTPS communication via TLS managed?

Platforms are hosted on Windows, so HTTPS session keys are handled by Microsoft's SChannel. For details, see TLS/SSL overview (Schannel SSP) on Microsoft Learn.


Updates and Releases

Describe your release schedule, including: any upcoming product release, frequency and nature of regular product releases (e.g. major / minor / patch) and any requirement for downtime / how you determine downtime is required.


Avantus do not adhere to a pre-determined release cycle. Changes are batched into manageable releases and described in release notes, which are available to the administrator. Each release is initially tested before publishing to a QA environment for each platform. Platform owners are notified and advised to test where appropriate.


See Operational processes and procedures and Release Notes: 2021-2024


Does your product have multiple software components with separate release cadence? Please provide details at component level.

Each new release of MyWorkPal potentially comprises a package of updates (bug fixes, optimisations, new features, feature enhancements etc.). Patches can be "hot fixed" where deemed appropriate, essential and non-disruptive.


What are your lead times for notification of release?

Platform owners are notified when a release is available in QA. Release to live is agreed by the platform owner once they have reviewed the release, and is performed outside business hours. We generally see downtime of no more than five minutes on a new update.


Is there any option to defer taking a Release?

Release to live can be deferred but will be required if the delay impacts future releases or where an urgent fix is required. NOTE: each release is platform wide and cannot be limited to one tenant.


Can a Web Application Firewall be configured to ensure that the platform has protection in place for cyber attack?

We do not recommend a WAF, as it can be problematic with false positives, automatic updates causing outages, and other issues.

Our development process follows OWASP principles. OWASP refer to WAF as follows: "Web Application Firewalls - These look for known attack strings and block them. WAF’s are unreliable and new bypass techniques are being discovered regularly. WAFs also don’t address the root cause of an XSS vulnerability. In addition, WAFs also miss a class of XSS vulnerabilities that operate exclusively client-side. WAFs are not recommended for preventing XSS, especially DOM-Based XSS. "

We use Microsoft Azure Defender tools for security against cyber attacks. As the platform uses Entity Framework, it is protected from SQL Injection.

We currently use HTML encoding and Content Security Policies to mitigate XSS attacks. Please note that the nature of the application could allow XSS attacks (for example, an administrator could put malicious script into a page template, which could then load for an employee).

However, if a WAF is mandatory for your client, they can set up their own using tools such as Cloudflare (https://www.cloudflare.com/) and then point the traffic to your platform. This would be the responsibility of the platform owner.
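
The HTML-encoding and Content Security Policy mitigations described in this answer can be checked as follows. This is an added example, not MyWorkPal or Avantus code: the renderer, the `{{name}}` placeholder and the sample policies are assumptions. It shows that encoding only covers values inserted into a template, so script in the template itself is stopped only when the CSP blocks unapproved inline script.

```javascript
// Added example: renderer, placeholder and policies are constructed assumptions.
// HTML-encode untrusted text for element content or a quoted attribute value.
function encodeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical renderer: the admin-authored template is inserted as trusted
// markup; only the employee-supplied value is encoded.
function renderPage(adminTemplate, employeeName) {
  return adminTemplate.replace('{{name}}', () => encodeHtml(employeeName));
}

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // When a directive is repeated, browsers honour the first occurrence.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True when the policy stops inline <script> blocks that carry no approved
// nonce or hash. Simplification: script-src-elem/-attr are not considered.
function blocksUnapprovedInlineScript(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return false; // no governing directive: inline script runs
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  return !unsafeInline || hasNonceOrHash;
}

// Return the policies that would let inline script in a template execute.
function auditPolicies(headers) {
  return headers.filter((h) => !blocksUnapprovedInlineScript(h));
}

const samplePolicies = [ // constructed header values
  "default-src 'self'",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
  "img-src 'self'",
];
console.log(auditPolicies(samplePolicies));
```

The two policies it reports are the one that allows `'unsafe-inline'` without a nonce or hash and the one with no `script-src` or `default-src` at all.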



Capacity Planning


What metrics are available for the client to view?

An extensive reporting system is available to the administrator to extract user and system activity. Server- and network-based metrics are monitored by Avantus and are not shared with platform owners.


Does the solution have an API to enable capacity utilisation and performance data to be exported into the Client’s strategic toolset?

The MyWorkPal platform provides a RESTful API which can enable external applications to interface with the platform. A RESTful API is built on HTTP, providing methods such as GET, POST and DELETE to retrieve and/or manipulate data. Avantus provide support to platform owners for the API.


See API Reference


Describe how the solution will meet an acceptable performance throughput and latency tolerance along with SLAs you provide for end user response times. 

Avantus agree service levels with the platform owner as part of the initial contract. 


See Hosting and Production environment 


Please provide your latest performance benchmark report. 

Avantus do not provide performance benchmarks or reports. Capacity and throughput are monitored on an ongoing basis via Azure control panel metrics reports across the whole portfolio of Avantus clients. This includes monitoring of many tenants with many users and provides a view of capacity at a significant scale.

Please include production performance examples from other clients if not referenced in the benchmark report.

Client information is confidential and would not be shared with other clients. Avantus can support platform owners running their own performance and volume testing with sufficient notice. To date, performance and load tests commissioned by other clients have reported favourable results. 

Batch Processing

How do you schedule batch jobs?

There are certain system scheduled tasks that run at set times outside of working hours, usually between midnight and 4am, when there is least traffic on the platform. Where we have imports scheduled for clients, such as described above, these will run in the order in which they are scheduled. The platform is capable of running three scheduled tasks simultaneously, whilst other tasks waiting to run are queued.


See Scheduled Tasks for more details


How does your solution monitor batch processing, including from a performance perspective (e.g. Batch transaction per second processed successfully, CPU utilisation by batch, etc.)?

CPU utilisation monitoring is available to Avantus via the Azure portal. This is not shared with platform owners. Scheduled tasks run on each platform are tracked and monitored on the platform admin portal and are available in configuration > monitoring > scheduled tasks.


See Scheduled Tasks for more details


How does your solution handle batch failures, including individual record failures within a batch file?

Data transfer failures are reported back to the administrator on screen and via email. Each data transfer is associated with a scheduled task, recording the outcome and file notes where appropriate. Data transfer via SFTP allows the administrator to select users to notify.


See Data Transfer Templates and Automatic Upload / Downloads as an example 


How does your solution allow for prioritisation of batch processing?

Scheduled tasks are categorised and run in a fixed priority order. Tasks created by an administrator, such as recalculating benefits, scheduled reports etc., can be set to run at specific times and frequencies appropriate to their need, but fall within the categorisation priority order for the overall system.


See Do scheduled tasks run in order of priority?


How does your solution handle a partial batch re-run (potential duplication)?

Data transfer failures due to errant data types or duplication of unique fields are evaluated before the transfer takes place and halted / reported before they run. In this case the data transfer does not update partial records. 


See Why has my benefit data transfer upload failed?


How does your solution notify of failed batch/failed items?

See How does your solution handle batch failures, including individual record failures within a batch file? above