Security is the cornerstone of our online services. Here we want to stand out some of the main security features of the service and its permit system.
All data and files on the server are encrypted, so that they can only be viewed and managed by authorized users once their ID has been successfully verified.
Communications between server and user's browser are encrypted under SSL protocols (Security Socket Layer).
Users are identified by their "Usernames" and "Passwords". "Username" identifies the user, the "password" verifies that there is no impersonation.
"Username" is unique, it can't be repeated, because it determines the boundaries of what each user can view and manage on the server. The user can change his "username" and "Password" at any moment using the old ones which will be then cancelled.
If the user don't remember his "password", he can request a new one at the server, which will be sent to his currently registered email address. This procedure may be the security's weakest point of the system, especially if email address is wrong, but we have decided that the advantages overcome disadvantages. In any case, as email isn't safe by itself, user must change his "password" immediately after reception of this provisional one.
The user who registers himself as "carrier" chooses his own "username" and "password". This is the one for the administrator, who can create other "usernames" and "passwords" for employees. These other users can also manage the whole data and files of the "carrier". Though many users can use the same "username" and "password" simultaneously, it's recommendable that each employee has and uses his own ones, so server's log can record his activity as user.
The user who registers himself as "agent", besides the foregoing, can register "carriers" and assign "usernames" and passwords" to them. The "carrier" afterwards can change the "username and must change the "password" for security reasons. Both, the "carrier" and "agent" can view and manage the whole data and files of the "carrier" on the server. The "agent "can also reassign new "password" to the "carrier".
The "passwords" aren't sent to server anytime, but only the result of applying a "hash" function with a SALT on them which is performed at user's browser (the reverse "hash" operation unfeasable). So nobody can ascertain which is the true "password" of any of the actor. Therefore, security lies in maintaining "password" secret.
Finally we must point out that the service complies with Directive 95/46/EC about protection of individual data. In accordance with it, the existence of the files on the server has been declared to compentent Authorities, mentioning who are accountable on them. The "Customers" at any time can access, rectify, and cancel their data and documents.