An intranet you can trust

Sensitive data is only accessible to the right people within your organization. You can set “view” and “edit” permissions at the section, page, and file levels. Pages that users don’t have access to are completely hidden while browsing and searching.

ThoughtFarmer was designed with role-based access controls with prescribed privilege levels for users. These rules ensure that only explicitly assigned users have access to specific pages/data. Any actions within ThoughtFarmer are automatically checked against existing access controls which defend the data assets; if the user does not have access privileges, the data is unavailable until the user is granted such privileges by the customer.

Control outside-the-office security privileges with IP Filtering. Allow employees to access the intranet from home, while restricting access to secure content for users accessing via on-premise IP ranges.

Following coding and quality assurance best practices, as well as the utilization of SAST DAST tools, ThoughtFarmer is security hardened against a wide variety of common web application vulnerabilities, including the top 10 defined by OWASP.

ThoughtFarmer’s development staff are trained in a secure software development lifecycle. Automated testing is used to ensure regressions do not appear, and static code analysis is performed to ensure the software is as secure as possible. ThoughtFarmer also participates in a peer view process, a critical review of code to ensure it is understandable, well-documented and efficiently written.

Only the members of the ThoughtFarmer development team have permission to retrieve and submit changes to the source code. All access to the source control system is encrypted, access-controlled, and subject to regular internal audit.

ThoughtFarmer is configured by default to keep the user’s sessions private and secure. Once a user successfully authenticates to the ThoughtFarmer application, a session is established on the server. Sessions are invalidated when a user closes their web browser, or if they explicitly log out of the application.

Our software runs fully in the browser and no plugins are required. If you’d like to use our optional direct document editing feature, users will need to install the ThoughtFarmer Desktop Connector, a helper utility that runs on Windows and MacOS computers.

ThoughtFarmer works best with modern, evergreen browsers like Chrome, Firefox, Safari and Microsoft Edge.

Having an intranet emergency? We provide round-the-clock telephone support for critical tickets. Learn more about our support.

Leverage your investment in your existing cloud-based authentication service with ThoughtFarmer. We integrate with every major SAML provider, including Azure AD, G Suite, OneLogin, OKTA and Ping Identity. We support native multi-factor authentication and third party providers. ThoughtFarmer can be configured to use more than one provider for complex deployments. Are you working with a different authentication provider? If it’s SAML based, chances are good that it will work with ThoughtFarmer.

ThoughtFarmer can integrate with your on-premises Active Directory via our Employee Directory Connector (EDC). It supports multiple AD domains, and can be configured to use Windows Integrated Authentication for automatic login.

ThoughtFarmer’s bi-directional directory synchronization keeps groups, profile pictures, security profiles, and employee contact information up to date across systems. Simplify user provisioning and deprovisioning with on-demand and scheduled sync that includes user profile fields as well as group and security membership.

If you use password expiry policies with Active Directory, your users can change their password directly from the intranet – perfect for Mac and remote users. We also support ThoughtFarmer only accounts. For account credentials stored in ThoughtFarmer, ThoughtFarmer requires strong passwords by enforcing a secure password policy. Passwords are stored using a secure one-way hash algorithm and stored in the database.

ThoughtFarmer Cloud is protected by a web application firewall that monitors and blocks malicious requests based on heuristics. The only inbound ports open to the Internet are TCP 80 and 443 for http and https communication with the web server, respectively. All requests to TCP 80 are redirected programmatically to TCP 443; unencrypted sessions are never allowed. The firewall and WAF rules are reviewed regularly and updated as threats and risks evolve.

ThoughtFarmer is committed to ensuring privacy, and security through the managed use of encryption technologies for data in transport and at rest. Weak cipher suites and ciphers with known cryptographic vulnerabilities are prohibited, with all key sizes enforced at a minimum of 2048 bits. Signature algorithms must be SHA256 or stronger (or equivalent strength hashing algorithm).

All data transferred between a user’s machine and application servers uses an encrypted connection. ThoughtFarmer network encryption is based on a 2048-bit SSL certificate and 256-bit encryption with TLSv1.2 & TLSv1.3 protocols allowed with the “MEDIUM” and “HIGH” class of cipher suites. If a user tries to visit a non-encrypted (“http://”) URL, they are redirected to the “https://” equivalent to force the encrypted connection at all times.

All data stored is encrypted and protected by secure 256 bit AES, in-line encryption. Database backups and volume snapshots are also encrypted at rest while in transit.

ThoughtFarmer deploys a Web Application Firewall in front of the ThoughtFarmer application which protects the ThoughtFarmer Cloud instances from common web exploits that could affect application availability, compromise security, or consume excessive resources. Multiple rules are in place to prevent common web exploits such as OWASP top 10 , SQL code injection attacks, known bad inputs such as Log4J, and IP reputation list to block bots and other known malicious sources.

The production web application server and database server application processes run under low-privilege user accounts rather than the administrator account. Authentication into the production environment requires a VPN with two factor authentication and is limited to the technical support and systems administration teams.

ThoughtFarmer deploys and manages a log aggregation and analysis platform to monitor the production environment for deviations from baseline behaviour and detect security risks before they can activate and propagate. “High” and “Critical” alerts are reviewed and actioned immediately, while “Medium” alerts are reviewed through regular review meetings.

ThoughtFarmer uses a standard hardened server image in the hosting environment. The image includes a strong security configuration by default. In addition, standard industry best practices are employed to harden this server image, including, but not limited to, the following:

• Only the minimum required software packages are installed.
• Web server and database server processes run under non-root, low-privilege accounts.
• File permissions are restricted for files/folders containing database data files, log files, and any other files with sensitive data.

Additionally, Defense Information Systems Agency (DISA) has a set of security regulations to provide a baseline standard for Department of Defense (DoD) networks, systems, and applications. We follow the DISA STIGs where possible. These STIGs (Security Technical Implementation Guides) help guide our network management, configuration, and monitoring strategies across access control, operating systems, applications, network devices, and physical security.

ThoughtFarmer updates its server images to apply the latest security and hotfixes for the operating system and application software. Patching is scheduled by issue criticality, with “Critical”, “High”, and “Medium” patches seeing fixes within industry-standard mitigation times. Occasionally a reboot is required, which is done during the scheduled maintenance window.

ThoughtFarmer Cloud operates in AWS data centers located in Canada, USA, and Ireland based AWS regions. AWS regions are composed of three or more availability zones which allow for higher reliability and resilience in case of datacenter failure. AWS data centers are built with the highest standards for security and reliability, more information about their data center controls is available on their compliance site.
When a customer organization is first set up in ThoughtFarmer, we assign them to the region of their choice. Once selected, all processing including backup storage for that organization will occur within that region.

ThoughtFarmer uses both internal and external monitoring solutions to check the health of its systems. When monitoring agents identify a suspicious event, appropriate security team members are notified in real-time via email, secure chat, or text notifications.

ThoughtFarmer business resiliency program covers security incident response, operational incident response, disaster recovery, and business continuity. These plans are tested semi-annually, with full review and update cycles occurring annually.

ThoughtFarmer performs nightly backups and hourly snapshots of client databases. These are stored for hot-retention for two weeks, allowing us to recover to any hour in the last 24 hours, any day in the last 14 days and any week in the last 12 weeks within 4 hours. For long term restore, we keep 3 months of backups and can restore to any day within 8 hours.

ThoughtFarmer has a robust and configurable error logging system that logs both internally to the application, database, file and external network logger on the server.

ThoughtFarmer fully complies with all relevant data privacy requirements under EU General Data Protection Regulation (GDPR) regulations.

ThoughtFarmer fully complies with all relevant data privacy requirements under California Consumer Privacy Act (CCPA) regulations.