Security

Trusted Partners

Public House integrates with the leading CRM (Salesforce) and cloud storage (Google Drive for Teams, Dropbox, AWS) tools that are recognized for their data security. Public House does not store any applicant data. Application data goes directly into Salesforce and all uploaded documents go directly to cloud storage.

Integration security practices are viewable at the following links. 

• Salesforce Security
• Heroku Security
• Google G Suite Security
• Dropbox Security

Annual Penetration Testing

Public House utilizes ProStructure Consulting to perform annual Penetration Tests against our website and applications. These penetration tests also include a Vulnerability Analysis of our websites and applications. Public House reviews the penetration tests and immediately rectifies any issues that allow unauthorized access or entry. Prostructure assists in prioritizing tasks to address any critical, high, or medium vulnerabilities.

Integrated Services

All integration services are widely regarded as global leaders in security. Their security practices are viewable at the following links. 

• Salesforce Security
• Heroku Security
• Google G Suite Security
• Dropbox Security

Email & SMS Authentication

Public House requires Applicants to authenticate both their email and & SMS to access their applications. All authentication links are single-use and expire after one hour.

If the applicant loses access to either of these, they can use their security questions to access the system via access recovery tools and update the new email or phone number. All email addresses and phone numbers are verified before saving.

Communications with your Salesforce Instance

Authorization

Organizations authorize Public House’s communications with Salesforce and cloud storage through PH setup tools inside Salesforce. After details are configured, these tools initiate the Oauth2 authorization process.

The session tokens for PH communication are encrypted and stored in PH’s Salesforce.

Cloud storage providers require additional procedures for creating developer apps and cloud storage access credentials (documented in our support site). The session tokens for communicating with cloud storage are stored in the organization’s Salesforce.

Unique Salesforce Rest API

Each organization has a unique Rest API endpoint. The organization’s Salesforce instance only responds to API requests that: 

• Made over HTTPS (prevents Spoofing)
• To the custom REST API endpoint address created in the organization’s Salesforce instance 
• Originating from the organization’s application portal sub-domain (Whitelisted Cross-Origin Resource Sharing prevents impersonation) 
• Including the correct encrypted session token and organization ID
• In the correct custom JSON format  

Cloud Storage API (Google Team Drive, Dropbox, AWS)

After the applicant has authenticated their identity to access their application, the Application Portal requests the cloud storage credentials via the Unique Rest API. The cloud storage credentials are then used in accordance with the cloud storage provider’s API to store the applicant’s uploaded documents directly and solely to the client’s cloud storage.

Google Drive and Dropbox have tokens that expire hourly. Public House updates the periodic request for refreshed access tokens.

Application Processing Fees

Public House integrates with Stripe (PCI-DSS compliant) for application fee processing. Organizations configure their secret keys in PH Setup. PH facilitates the secure credit card transaction between the applicant and Stripe. Stripe transfers the money directly to the organization’s account. Opportunity records are created in Salesforce. No cardholder details are stored. Go to Application Fee Processing for additional details.