Data Security at Assima

Security Features of the Assima Platform

The Assima platform is a cloud-enabled solution, composed of both proprietary and third-party components, which can integrate within a client infrastructure.

Identity Management

Integrated Identity Management

Integrated Identity Management

Assima's integrated identity management solution (via the Assima Security Token Service (STS)) includes : 

  • Email authentication
  • Unique ID authentication

Chained Identity Management

Chained Identity Management

Assima's STS may rely on third-party systems to validate user credentials.

Third party providers include:

  • Active Directory (AD)
  • Active Directory Forms

Claims-based authentication systems (using WS-Federation or SAML 2.0)

Authentication Tokens and Cookies

Authentication Tokens and Cookies

The lifetime of Assima's STS authentication tokens is configurable.

Assima's STS tokens are provided to Assima client applications (website or others) which in turn create their own Cookie including a reference to the STS token.

End User Password Management

End-User Password Management

End-user passwords are only stored (hashed, in the database) when using Email and Unique ID authentication. 

In this case a valid SMTP is required for password management.


Licenses define the product capabilities available to a user account. 

Each end-user is assigned a content consumption license from the pool of available licenses. With this they can log into the site, access a dashboard of content, search content and consume content.

Licenses can also control additional features such as who is able to create/upload/edit/publish content, access or create content in-application (Assima Assist), access usage statistics (including platform usage, content access, and user activity).

Administration licenses are used for platform maintenance, and Super Administration privileges for site setup and configuration.

User Data within the Assima Platform

The platform stores three categories of user data in the system:

  • Personally Identifiable Information (PII)
  • End-user activity tracking
  • End-user reviews (optional)

All Personally Identifiable Information (PII) such as the user’s name, surname, email, unique ID, windows logon is encrypted in the Assima database.


The Assima platform is only delivered over a Strict Hypertext Transfer Protocol Secure (HTTPS) protocol.

Encryption in Transit

Encryption in Transit

Assima uses industry standard Transport Layer Security (“TLS”) to create a secure connection using 128­bit Advanced Encryption Standard (“AES”) encryption.

This includes all data sent between the web, iOS, and Android apps and the Assima servers.

Encryption at Rest

Encryption at Rest

When hosted on an Assima Cloud, data drives on servers holding user data use full disk, industry-standard AES encryption with a unique encryption key for each server.

Mobile Devices

Mobile Devices

As part of the ability to download content for offline preview, downloaded content data may be stored in an unencrypted form on the phones of users who are using the Assima iOS and Android apps. 

Assima Security

Assima follows industry standard best practices such as OWSAP and CWE/SANS regarding security. 

Vulnerability Detection and Penetration Tests

Assima conducts deep automated and manual Penetration Tests with market-leading test solutions at each major release.

All changes are peer reviewed and vulnerability and security lists are actively monitored with appropriate actions taken. We follow OWSAP recommendations and our practices are reviewed twice yearly.

Data Centres

Assima production services are generally hosted on IBM SoftLayer. However, Assima works closely with clients in certain industries such as Banking and Healthcare, to enable them to host their own instance of the Assima platform on their infrastructure. 

Access Control

Client Access

All customer data is considered highly sensitive and is therefore protected using the combination of permissions and licensing.

Support Access

Only authorised and trained members of the Assima team have direct access to production systems and user data. Those who do have direct access to data are only permitted to view it for troubleshooting purposes where consent has been expressly provided ahead of time. 

Trained members of the Assima customer support team have limited access to user data through restricted-access customer support tools. Customer support team members cannot review user-generated content unless consent has been expressly provided ahead of time. 

Dealing with Incidents

Assima follows standards and recommendations issued by National Institute of Standards and Technology (NIST) 800-53.

Support Center

Assima’s Support Center handles client issues and queries and is available online 24x7 throughout the year (subject to scheduled downtime for maintenance).

Need more information?

The information on this page is subject to change from time to time, and Assima reserves the right to update it at short notice, to keep it aligned with more recent product architecture updates, performance improvements, or other process changes.