Documents vs Credentials Security Model

Juice HR Documents and Credentials provide a way of sharing documents, files, or text-based information with your employees. However, how we manage this information from a security perspective is different.

Documents are stored on Juice HR's private network via a unique, non-traversable URL, but do not add per-object encryption.  We do this to ensure files can be quickly downloaded, or streamed, by the end-user, as this is particularly efficient for large files such as presentations and video.  Whilst the underlying storage the document is stored on is encrypted, we do not encrypt each individual object in the same way as we do with a credential. The download URL still requires authentication via the unique login URL every time the document is downloaded or viewed on Juice HR.

Credentials are again stored on Juice HR's private network via a unique, non-traversable URL but DO use per-object encryption. The only way to download the credential is via the dashboard using the unique login URL supplied to the employee.  Object-level encryption means each item is encrypted with its own unique encryption key and must be decrypted on every request. This makes the storage of items such as passwords extremely secure, but due to the extra resources required for this extra level of security, credentials currently have a much smaller file size restriction. 

                                                    Credential    Document

Employee must be logged in?      Yes                    Yes

Distributed over a CDN?               No                     No

File size limit                                 2Mb                100Mb

Encryption at storage level?         Yes                    Yes

Encryption at object level?           Yes                     No