Privacy & Security
    • 16 Jan 2025


    Overview

    The Privacy & Security module is responsible for establishing secure system connections, including the implementation of an OTP-based authentication system. It supports both direct access and API interactions with the platform. Key features include password management, ticket-based authentication mechanisms, and the specification of permissible media file types for use by both customers and agents.


    Note: 

    • The security settings defined for the channel take precedence over those configured in the Privacy & Security module.
    • OTP is valid for 10 minutes and allows up to 5 attempts. Upon successful verification, the editing window remains active for one hour.
    • Editing of sensitive information is only granted to verified admins and agents with the required permissions.
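The OTP limits in the note above, modelled as a small state machine. This is an added example, not CommBox's implementation; the class and function names, the single-use rule after a successful verification, and the constructed sample code value are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

OTP_VALIDITY = timedelta(minutes=10)  # "OTP is valid for 10 minutes"
MAX_ATTEMPTS = 5                      # "allows up to 5 attempts"
EDIT_WINDOW = timedelta(hours=1)      # editing window after success

@dataclass
class OtpChallenge:
    code: str                         # the OTP that was sent to the user
    issued_at: datetime
    attempts: int = 0
    verified_at: Optional[datetime] = None

    def verify(self, submitted: str, now: datetime) -> str:
        """Return 'ok', 'wrong', 'expired', 'locked' or 'used'."""
        if self.verified_at is not None:
            return "used"             # assumption: a verified OTP is single-use
        if now - self.issued_at > OTP_VALIDITY:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1            # count the attempt before comparing
        # Constant-time comparison: no timing hint about matching prefixes.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.verified_at = now
            return "ok"
        return "wrong"

    def can_edit(self, now: datetime) -> bool:
        """True while the one-hour editing window is open."""
        if self.verified_at is None:
            return False
        return timedelta(0) <= now - self.verified_at <= EDIT_WINDOW

def replay(code, issued_at, submissions):
    """Run (minutes_after_issue, submitted_code) pairs through one challenge."""
    ch = OtpChallenge(code, issued_at)
    results = [ch.verify(s, issued_at + timedelta(minutes=m)) for m, s in submissions]
    return ch, results

if __name__ == "__main__":
    t0 = datetime(2025, 1, 16, 9, 0)  # constructed timestamp
    print(replay("482913", t0, [(1, "000000")] * 5 + [(2, "482913")])[1])
```

Because the attempt counter is checked before the comparison, the correct code submitted as a sixth attempt is still refused.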

     

    Module Settings



    General  

     

    IP whitelist for management: This list specifies the IP addresses authorized to connect to the system. If no IP addresses are defined, the system will allow connections from any IP address.

    When one or more IP addresses are specified (separated by commas), only those addresses will be permitted to connect. Exceptions to this rule may apply if overridden by settings in the 2FA module.

    IP whitelist for API access: This setting defines the IP addresses permitted to send API requests to the system. If one or more IP addresses are listed, all other addresses will be blocked and will receive errors when attempting to make requests.

    If no IP addresses are specified, all addresses will be authorized to send API requests to the system.
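The rule that both whitelist fields follow (an empty list allows any address, otherwise only listed addresses connect), as an added example that is not CommBox code. Function names and sample addresses are constructed; treating entries as exact addresses and rejecting malformed entries instead of dropping them are assumptions, and the 2FA-module exceptions are not modelled.

```python
import ipaddress

def parse_whitelist(value: str) -> list:
    """Parse the comma-separated field; raise ValueError on a malformed entry.

    Rejecting bad entries matters here: silently dropping them could leave
    an empty list, which under the documented rule means "allow any IP".
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing commas and blank fields
        entries.append(ipaddress.ip_address(item))
    return entries

def is_allowed(whitelist_value: str, client_ip: str) -> bool:
    """Apply the documented rule: empty list allows all, else exact match."""
    allowed = parse_whitelist(whitelist_value)
    if not allowed:
        return True  # documented default: no addresses defined, any IP connects
    return ipaddress.ip_address(client_ip) in allowed

def audit(name: str, whitelist_value: str) -> list:
    """Return the findings a reviewer would raise for one whitelist field."""
    try:
        allowed = parse_whitelist(whitelist_value)
    except ValueError as exc:
        return [f"{name}: malformed entry ({exc})"]
    findings = []
    if not allowed:
        findings.append(f"{name}: empty, connections accepted from any IP")
    if len(set(allowed)) != len(allowed):
        findings.append(f"{name}: duplicate addresses")
    return findings

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    for field, value in [("management", "203.0.113.10, 203.0.113.11"),
                         ("API access", " , ")]:
        print(field, audit(field, value) or "ok")
```

A field that contains only commas or spaces parses to an empty list, so the audit reports it as open to any IP rather than as configured.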

    API Authentication mode: This setting determines how you receive the Access Token in API conversations.

    The API key is available in the API Key Module on the Settings page. 

    Add customer details to mail notifications and when forwarding to a third party: When activated, the customer's details will be included in email notifications and can be redirected to an external third party by clicking the three-dot icon next to the conversation ID.

    Block email Addresses (comma separated): Add the email addresses of the “do-not-reply” messages.

    Allow the agent workspace to be embedded within an iFrame: Enables agents to work within the CRM with the CommBox system embedded in the screen.

    Forward Email Addresses (comma separated): Addresses listed in this field define the external third parties authorized to receive data. If no addresses are specified, data can be transferred to any external party.

    Allow simultaneous connection:

    This setting controls user access to the platform:

    • Do Not Limit:  Users can open multiple web tabs and connect via the mobile app simultaneously. 
    • Web Only: Limits access to the web, blocking mobile connections. 
    • Web and Mobile Application: Permits one web tab and one mobile app connection per user. 


    Inactive agent interval (days): Specifies the number of days of inactivity after which an agent who hasn’t logged in will be marked as 'Inactive'.




    Password management


    Allow Password Renewal Without OTP: Enables password reset without requiring SMS verification.

    Minimum Password Age (in days): Specifies the minimum period before a password can be reset. For example, if set to 5 days, the password can only be reset after 5 days from the date it was last changed.

    Maximum Password Age (in days): Defines the maximum duration a password can remain unchanged. For instance, if set to 30 days, the system will require a password change every 30 days at the latest.

    Number of Passwords in Password History: Determines the number of previously used passwords saved by the system that cannot be reused. For example, if set to 2, users cannot reuse any of their last three passwords when resetting a password.

    Session management

    Idle Session Timeout (in minutes): Specifies the duration of user inactivity after which the system automatically logs the user out. To continue using the system, the user must log back in.

    Ticket Authentication Expiration Time (in seconds): Relevant for chat-based channels only. This defines the time limit during which end customers can contact you via one of the enabled apps without logging in. This setting is particularly useful for organizations with customer-facing personal account pages, such as a "My Account" section on their website.

     Enforce One-Time Use Ticket Authentication: When enabled, the system overrides API requests for Ticket Authentication tokens and issues tokens for single use only. This setting is off by default.

    Click here to learn more about Ticket Authentication.

    Use User Login Token Store: A CSRF (Cross-Site Request Forgery) protection mechanism that is enabled by default and should always remain enabled.

    User Token Expiry Extension Duration (in hours): Specifies the validity period for login tokens. Token expiry extensions are managed automatically by the system.

    Media


    Allow Customer to Upload Files: Enables customers to send files to the system.

    File Type Options for the Customer: Defines the types of files that customers are permitted to upload to the system.

    Allow File Upload (Agent): Enables agents to send files to the system.

    File Type Options for the Agent: Specifies the file types that agents are permitted to upload to the system.

    Maximum File Size: Sets a limit on the file size for uploads, with a maximum of 20 MB.

    Enforcing Media Access: Media items in the system can be accessed via a link. When enforcement of media access is enabled, the link can only be opened from a device that is connected to the system.


    Audit Trail Logs

    Audit Trail Logs provide a detailed chronological record of the activities within the organization, which plays a critical role in security and compliance events.

    Click here for the user guide. 





