Browsealoud Security Document

How does Browsealoud work technically when it comes to encryption and physical security?

 

On HTTP Sites

When a speech request is made on a non HTTPS site the text is sent unencrypted to texthelp servers and converted into audio.  The text is converted into MP3 and Data files containing numeric timing information.  This data is never stored or cached.  The resulting data files are streamed back to the client unencrypted.

 

On HTTPS Sites

When the toolbar is launched for the first time on a secure website we notify the user that their content is about to be sent, encrypted, to Texthelp servers to be converted into audio. If the user accepts this notification, the acceptance is stored in a cookie, and from that point:

  1. Any text to be converted to speech is encrypted and posted to the Texthelp speech servers using Texthelp’s RSA SHA(256)  SSL certificate.
  2. The servers convert the text to audio in a private texthelp cloud in Amazon located in North America.
  3. The text is converted into MP3 and Timecode data as before, and streamed encrypted back to the client using the same certificate.
  4. No data is cached or stored at any time.

 

Who can access the information from the web page?

No-one can access the information - it is not stored.

 

What end user information DOES Browsealoud actually store?

 

Browsealoud stores:

  • User preferences such as favourite highlight colours. (as a cookie)

User preferences data is not encrypted, and is stored in plain text.



What Customer (website owner) information DOES Browsealoud actually store?

 
In the Portal Database & CRM System

All customer data is stored in accordance with our Data Security Policy.

It is encrypted in transit and at rest.

  • The name and address of the company.
  • The name and email address of a number of staff members at the company who have access to the Browsealoud Portal.  An MD5 Hashed password is also stored for each user’s Portal Account.
  • Any historic technical support details related to the Customer.
  • For each URL that is licenced:
    • The URL e.g. www.mysite.com
    • The expiry date of the licence
    • The Customers preferred voice for the URL, and specific sub-folders on the website.
    • The Customers preferred pronunciation rules for the URL
    • Basic usage analytics for the site including the number of times the toolbar is used, and the OS/Device/Browser segmentation for the site.  This is stored securely in Google Analytics using an account  with 2 factor authentication.  Access to this information is covered by the company data security policy.  This information is used by the engineering team to help deliver uptime.

 

This data is visible to the Browsealoud Sales, Admin and Technical team to assist them in the delivery of our service.

 

Public Unencrypted Information

Some data is necessarily public in order for it to work on the customer’s public website.

This data is stored in plain unencrypted text based configuration files.  This data includes:

  • The Voice to be used on the URL
  • Site preferences (voice/language settings, pronunciations)

 

What is involved in the handling?

No website content is stored or cached at any time.

Any end user information stored for settings or preferences is not used for any other purposes.

 

Are other subcontractors used? If so, what contractual agreements do you have with them?

 

Subcontractors:

1. Amazon
Web hosting of:
Audio Generation Services
Data Storage and Retrieval

2. Google
Translation of text - text is sent to Google for translation into the end users target language.