Here at Fuse, safeguarding customer data is our highest priority. Our approach to security is based around people, process and product (technology). This paper outlines the ways we protect your data and the security aspects of the Fuse service.
Fuse is a SaaS based multi-tenanted service running on a public cloud infrastructure to ensure access from anywhere, via web or our native Fuse IOS and Android apps.
Each customer will have their own branded and secured Fuse tenant. Each tenant is functionally separate and independent, with no cross-tenant access, user accounts or content sharing.
Fuse is provided as a managed service where customers manage and control their users, access, content and learning and we manage the underlying infrastructure and service. Customers maintain full intellectual property rights to all their content and user data on the platform.
Fuse is committed to the protection of customer data and is fully compliant with EU General Data Protection Regulation (GDPR), UK General Data Protection Regulation (UK GDPR), UK Data Protection Act 2018 and the California Consumer Privacy Act of 2018 (“CCPA”).
In the context of data protection, Fuse operates as the Data Processor and the customer is the Data Controller. Please see our Data Processing Agreement (DPA) for full details of what data is collected, how it is processed, our sub-processors and obligations as a Data Processor.
Fuse is ISO27001 accredited (with additional ISO27017/18 controls). Our ISMS policies are based on ISO27002 best practice and we are audited annually by an external auditing company against these.
Being hosted on AWS, our infrastructure also benefits from the stringent security controls expected of the world’s leading cloud provider. Amazon AWS is SOC2 certified as well as holding numerous other security and compliance certifications including:
(See link for more details: https://aws.amazon.com/compliance/programs/)
Inline with our Access Control policy, all access to Fuse backend systems and infrastructure is strictly controlled on an ‘as needed’ and least privilege basis. Access to infrastructure is via VPN and SSO/MFA.
There is no default requirement for Fuse staff to have direct access to customer instances. However, we ask that we have a named account and login for a Support person in order to triage customer support requests. This account can obviously be managed in line with the customer’s internal policies.
All Fuse staff receive security and privacy training as part of their onboarding and mandatory annual training. All Fuse staff are vetted and sign an NDA on joining as part of their employment agreement. Our leaver process ensures that staff lose all system access and all assets are returned when they leave. Our Access Control policy and other ISMS documentation are available under NDA.
The Fuse service is available in three regions - EU, USA or Australia. Customers can select one of these regions to host their Fuse service in line with their data residency requirements. Each region is completely independent and customer data and content remains within that region.
Fuse provides all the necessary functionality for customers to manage their data and content in line with their own internal data retention policies (as Data Controller). The data retention period for Fuse is the term of the service agreement.
Once notice is given and a termination date has been agreed, Fuse will destroy all customer data, content and instances within 6 weeks of the termination date. This data will not be recoverable once destroyed. Customers have the ability to archive their data from Fuse before the termination date and Fuse can provide an archive of their content.
All customer data is backed up daily with each backup copy being kept for a minimum of 4 weeks before being cycled. Our disaster recovery process is based on several incident scenarios which we test and update annually to ensure the effectiveness of the processes. The current Recovery Point Objective time is 24 hours and Recovery Time Objective is 12 hours
We proactively monitor Fuse via several Application Performance Monitoring (APM) tools and are alerted if any of our key performance metrics exceed thresholds. All Fuse user activity is centrally logged as well as logging every error that a user receives. This allows us to quickly triage issues and forensically investigate events. Please see the Fuse SLA for more information.
Fuse is effectively stateless so users typically see no disruption of service even during product releases and deployments. Product release cycles will vary but are typically every 8 weeks. Customers are notified at least 3 weeks prior to a product release and receive corresponding release notes so they can manage user communications. All new product functionality is disabled by default so customers will not see any changes to their instance.
We typically deploy maintenance updates every other week to ensure we meet our support SLA.
Fuse Universal runs regular security testing (penetration tests). Security tests include Black Box and White Box testing scenarios incorporating application re-engineering, authentication assessment, session management, SQL injection, input manipulation, output manipulation and information leakage tests. Typically, these tests are run before major functionality deployments. We can provide copies of current vulnerability test reports on request (under NDA). We also work with customers who want to run their own vulnerability tests against Fuse and have a procedure in place to support this.
All users must authenticate to Fuse via a named user account. Users can login via a unique username or email address with a password.
User passwords are stored using a one-way hash and salted algorithm (SHA-256) and are never transmitted unencrypted. Admins can only reset passwords and cannot view existing passwords.
Password security can be configured with the following minimum password controls:
Fuse supports all SAML Single Login (SSO) and Single Logout (SLO) flows (IDP-Initiated and SP-Initiated). SSO authentication is supported across both Fuse web and mobile apps. Customers can force SSO authentication for their Fuse instance so that authentication is managed by their Identity Provided (IDP). Fuse supports all SAML 2.0 compatible Identity Providers such as Microsoft Azure, Microsoft ADFS, Okta, Ping, OneLogin etc.
Fuse can support a dual login option for customers who have a mix of SSO and non-SSO users. In this scenario all users land on the Fuse login screen and select the appropriate login option.
All communication to Fuse is forced over HTTPS (TLS1.2) so all data is encrypted in motion. Likewise, all data and content is encrypted at rest (AES256) by default.
Admin User – will have full rights to all communities, content and admin tools on the customer instance. Admins will manage user accounts, create communities, build topics and learning plans as required. They will not have automatic access to all communities but will have the permissions to assign themselves as members.
Community Admin – Each community will have a Community Admin user. These users are effectively moderators of that community and have the ability to delete comments in discussions, delete or update content and assign others as members.
Admin Groups – Customers can create custom admin groups with permissions to perform specific administration tasks such as create/manage users, manage content, create/manage Learning Plans, run reports etc. Most of Fuse’s admin level tasks can be assigned to custom groups which enable customers to delegate admin tasks to specific users.
User - normal users will have minimal permissions and only have access to Open communities by default. They will need to be assigned to other communities.
Fuse content security is based on community membership. All content on Fuse must be assigned to at least one or more Communities. Communities are typically created based around organisational roles, departments, business areas, topics of interest, projects etc. Users can only access content that they have permission to view based on their membership to these communities.
By default there are 3 types of community which define how they can be accessed:
Customers should define guidance around how communities are created and used inline with their internal policies and use case.
Fuse is hosted on Amazon Web Services (AWS) and much of the Fuse service is based on the core AWS services. Fuse runs fully operational ‘stacks’ out of the following AWS regions:
Fuse is architected to leverage the inherent availability of AWS region-based services which operate transparently across multiple Availability Zones (datacentres) within that AWS Region.
Fuse utilises many of the core AWS services such as EC2 (Application Server), S3 (Content Store), RDS Aurora (Database), ELB (Load-balancing), Route53 (DNS).
In addition, Fuse uses several third-party services to provide additional functionality. Please see our Data Processing Agreement (DPA) for the current list of sub-processors and processing details.
Fuse software delivery is based across several environments - Development, Beta, Staging and Production. Each is completely separate and independent of each other with no shared service components or data. Customer data is never used or copied outside of the Production environment. All environments operate within separate VPN and Security Groups. Service components are implemented and hardened based on AWS secure best practice.
As you would expect, AWS data centres offer class leading physical and environmental security. All access is virtualised via API so we do not have physical access to the AWS hosting environment. For more information on AWS controls please see:
Most customers automatically provision and manage users on their Fuse instance via either an integration or daily CSV feed from their HR system. For performance and scalability we would always recommend that customers leverage our REST APIs wherever possible.
Fuse provides a range of REST API endpoints (JSON) around user, content and learning management that enable customers to integrate systems with Fuse. Fuse APIs are free to use for customers. Our API uses the standard HTTP Request methods/operations:
Each instance of Fuse has an interactive API Wiki (Swagger) available to Admin users. The Wiki will list all the user profile options for that instance:
In addition to the typical profile fields such as Username, Email, First Name, Last Name, Fuse supports customer-defined profile fields. Customers can build out their user profiles to support their reporting, analytics and integration requirements.
Customers are reminded that they are the Data Controller for their instance and are responsible for managing their user data within Fuse in line with their own privacy policies.
The Fuse Manage Users API Endpoint supports all the usual HRIS user lifecycle flows that you would expect: Create user/s, Update user/s, Deactivate user/s, Reactivate user/s, Wipe user personal data.
Integration projects with customer HR systems should always start by defining what HR data is available and what data needs to be pushed to Fuse to populate the user profile fields. Our Support Team will be available to provide guidance and support for customer integrations as part of their Fuse implementation and in life.