ovos play is a web-based hybrid app for the purpose of knowledge transfer. ovos play is offered as a SaaS solution. Once purchased, customers take over the creation, management and analysis of learning content via their own backend, the "Admin Dashboard".
ovos play is developed in an agile manner with a 3-week release cycle. Unscheduled patch and hotfix releases are possible.
The technical structure of ovos play can be represented as follows:
Security measures of ovos as a SaaS provider
ovos play is distributed by ovos media gmbh as a SaaS solution.
ovos media gmbh
Security organization measures
ovos provides contact details for its CISO. Employees receive training on the agreed security guidelines every two years.
ISO 27001 applies in the area of software service and development; an annual audit is conducted for certification.
Ensuring system security
ovos play, as a web and native app, can only be accessed over encrypted HTTPS, and responses carry an HTTP Strict-Transport-Security (HSTS) header with its expiry time (expireTime) set.
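The following is an added example, not ovos code, showing how the HSTS setting described above can be checked on a response. It parses the Strict-Transport-Security directives as defined in RFC 6797 and reports whether the expiry time (max-age) is present and at least as long as a chosen minimum; the one-year threshold and the sample headers are constructed assumptions, not ovos's configured values.

```python
"""Check a Strict-Transport-Security header the way a reviewer would.

Added example (not ovos code). Parses HSTS directives per RFC 6797 and
reports whether the expiry time (max-age) is set and long enough.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed threshold: one year in seconds. The page states only that the
# expiry time is set; this minimum is an assumption made for the check.
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int | None
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse ';'-separated directives. Names are case-insensitive; max-age takes
    a decimal number that may be quoted (RFC 6797 section 6.1.1). Unknown
    directives are ignored, as the RFC requires of user agents."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(headers: dict[str, str]) -> list[str]:
    """Return review findings for a response's headers (empty list means OK).
    Header names are matched case-insensitively, as HTTP requires."""
    value = None
    for name, header_value in headers.items():
        if name.lower() == "strict-transport-security":
            value = header_value
    if value is None:
        return ["HSTS header missing"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"HSTS header unparseable: {exc}"]

    findings: list[str] = []
    if policy.max_age is None:
        findings.append("max-age directive missing (header is invalid without it)")
    elif policy.max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy.max_age < MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age}s is below {MIN_MAX_AGE}s")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from ovos play.
    good = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    weak = {"strict-transport-security": "max-age=300"}
    for sample in (good, weak):
        print(sample, "->", hsts_findings(sample) or "OK")
```

The check treats a missing max-age as a defect rather than a default, because RFC 6797 makes the directive mandatory and user agents discard a header without it.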
Development follows the OWASP Top Ten recommendations. Measures against cross-site scripting are implemented and tested as part of ongoing development. All file uploads in the Admin Dashboard and in the app are restricted by file type.
To protect against brute-force attacks, rate limiting is applied after a certain number of failed login attempts. The user must then wait before a new login attempt, and the waiting time increases with each further failed attempt. The hosting provider also monitors network traffic and activates IP restrictions where necessary.
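The escalating wait described above, as an added example rather than ovos's implementation. The number of tolerated failures, the initial wait and the cap are constructed assumptions; keying the throttle by account name and resetting the counter on a successful login are design choices of this example, not statements about ovos play.

```python
"""Login throttle with an escalating lockout after repeated failures.

Added example (not ovos code). Thresholds below are assumptions chosen for
illustration, not ovos play's configured values.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

FREE_ATTEMPTS = 5        # assumption: failures tolerated before the first wait
BASE_WAIT_SECONDS = 30   # assumption: length of the first wait
MAX_WAIT_SECONDS = 3600  # assumption: cap so a single wait never exceeds an hour


def lockout_seconds(failures: int) -> int:
    """Wait imposed after `failures` consecutive failed logins: none up to the
    threshold, then doubling with every further failure, capped."""
    if failures <= FREE_ATTEMPTS:
        return 0
    return min(BASE_WAIT_SECONDS * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_WAIT_SECONDS)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class ManualClock:
    """Deterministic clock for demos and tests (constructed helper)."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def seconds_until_allowed(self, account: str) -> float:
        state = self._accounts.get(account)
        if state is None:
            return 0.0
        return max(0.0, state.locked_until - self._clock())

    def attempt(self, account: str, password_ok: bool) -> tuple[bool, float]:
        """Record one login attempt and return (accepted, retry_after_seconds).

        The password result is only consulted while the account is not locked,
        so a correct password submitted during a wait is still rejected and the
        caller learns only how long to wait. A successful login clears the
        failure history."""
        wait = self.seconds_until_allowed(account)
        if wait > 0:
            return False, wait
        if password_ok:
            self._accounts.pop(account, None)
            return True, 0.0
        state = self._accounts.setdefault(account, AccountState())
        state.failures += 1
        lock = lockout_seconds(state.failures)
        if lock:
            state.locked_until = self._clock() + lock
        return False, float(lock)


if __name__ == "__main__":
    # Constructed walk-through: repeated failures for one account.
    clock = ManualClock(1000.0)
    throttle = LoginThrottle(clock=clock)
    for n in range(1, 9):
        accepted, retry_after = throttle.attempt("demo-user", password_ok=False)
        print(f"failure {n}: accepted={accepted} retry_after={retry_after:.0f}s")
        clock.advance(retry_after)
```

Attempts made during a wait are not counted as further failures here; counting them instead would make the lockout grow even while the client is being rejected, which is a legitimate alternative but also lets a third party keep a victim's account locked for longer.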
ovos play authenticates users with a nickname or e-mail address and a password. The password policy of the internal authentication concept is fixed at a minimum of 4 characters. A different password policy can be enforced via a configured SSO connection.
SSO connections can be implemented on request. Among others, the following are supported:
Individual connections on request
Roles and permissions can be used to regulate access to the Admin Dashboard and, if required, access to the Admin Dashboard can be disabled altogether.
Security measures of Internex as hosting provider
The data center is operated by Interxion Austria at the following location:
Measures for the fail-safe operation of the data center
Gas-based fire extinguishing system
Early fire detection system (VESDA)
Fire protection walls (F90)
Temperature between 18°C and 23°C
Humidity between 40% and 60%
Redundant system (N+1)
Contactless key cards & biometric access system
Personal separation systems
24x7 security personnel on site
Only authorized personnel and customers have access to the data center
Server housing access available 24x7
CCTV camera surveillance and intrusion detection system
Power is supplied by two different power grids
Redundant generator backup (2N)
230V/400V AC and 48V DC available
UPS supported A+B feed
"Clean-Earth" and overvoltage protection
Organizational security measures
Automatic access control system
Biometric access barriers
Smart cards / transponder systems
Manual locking system
Protection of the building shafts
Bell system with camera
Video surveillance of the entrances
Technical security measures
Login with username + password
Login with biometric data
VPN for remote access
Locking of external interfaces (USB)
Physical deletion of data media
Logging of accesses
Use of authorization concepts
Firewall, anti-virus system, IDS and DDoS protection are in place. OS updates are carried out every 6 months as standard.
Data is stored in separate databases for each customer.
Data is transferred to and from the web service over HTTPS, i.e. encrypted with SSL/TLS.
ISO 27001, ISO 22301, SOC 2
IT Security Assessments
Internal systems undergo periodic system tests.
Customer systems can be tested at any time, at the customer's own expense, once a Permission to Attack has been signed.