Data Processing

Owned by Adam Voakes
Last updated: Aug 02, 2023
9 min read

To help our partners and customers a comprehensive insight into how we manage and process data across the Panintelligence products and services, we have created this page to act as a single reference point. This is done in strict adherence to industry best practice standards such as ISO 27001.

When we look at data management and processing we consider there to be four key areas where this can occur;

To help contextualise each of these areas further, the diagram below provides an overview of the solution we will explore in more detail.

 

piDashboard Software

Our origins stem from the heavily regulated, demanding requirements of financial services, with a key focus on data security and compliance. 

That’s why pi is aligned with your security model, and why pi never moves your data, ensuring full data integrity and governance. Unlike other solutions, pi uses an in-database analytics approach, which means that it connects directly to the data source and accesses the data in real-time, without having to move or extract the data. This approach offers several advantages, such as faster processing, reduced risk of data duplication or loss, and increased data security. 

Panintelligence only processes customer personal data on behalf of the customer as a Data Processor in the course of providing the Panintelligence offerings. 

Here are the typical steps involved in the data processing approach of Panintelligence: 

  1. Data Connection: Panintelligence connects directly to the data source, which can be a database or other data storage system. The software supports a wide range of data sources, including relational databases, flat files, and APIs.  https://panintelligence.com/data-connectors/  

  1. Data Connection Parameters: The "Chart Cache Minutes" setting controls the caching behaviour of chart data in piDashboard. By default, this value is set to 0, which means that chart data is not cached. However, if this value is set to a non-zero number, such as 60, then the results of a given SQL query will be cached for the specified amount of time, in this case, 59 minutes and 59 seconds. During this caching period, any user who views the same chart will see the cached results and the SQL query will not be executed again. After the specified caching period has elapsed, the SQL query will be re-executed, and the caching clock will reset for another cycle.  The cache is held in memory only, and not physically replicated on the server. 

  1. Data Querying: When a user interacts with the pi platform, the system generates an SQL query using metadata to retrieve data from the relevant database. The query includes various functions and data type casting to filter data based on specific criteria. Once executed by the database, the query results are converted into a JSON package and transmitted to the user's browser for rendering as charts, tables, or visualizations. For external visualizations such as maps, the browser renders the data as a layer rather than transmitting it to the external provider. It is important to note that the query result set is not saved or recorded. 

  1. Real-Time Analytics: The in-database analytics approach used by Panintelligence allows users to analyse data in real-time. This means that the data is always up-to-date, and users can access the latest information without having to wait for data to be extracted, transformed, and loaded into a separate data warehouse 

  1. Data Visualization: Panintelligence provides a range of data visualization tools, including charts, graphs, and dashboards. The software allows users to create custom dashboards that display real-time data in an easily digestible format. 

  1. Data Sharing: Panintelligence allows users to share insights and reports with others in the organization through dashboards, reports, and exports. The software also provides role-based access control to ensure that sensitive data is only accessible to authorized users. 

 

Credentials 

  1. Login Credentials: Access to Panintelligence (pi) is controlled by customers. Your pi administrator will provide you with the login details. These details should be kept confidential and not shared with anyone. 

  1. Database Connections: To connect pi to your database, your database administrator will provide a restricted read-only account for the database instance. These details should not be shared with any Panintelligence employee. When entering the database details through the pi interface, make sure to limit the account only to the required tables and columns. You may also choose to exclude any personally identifiable data. 

  1. Database Credentials: Your database credentials are stored and encrypted within the PI repository. Password fields are never decrypted within the pi frontend, ensuring maximum security. 

 

Solution Configuration & Access Control

Customers can configure Panintelligence at a role and user level using the role-based access controls (RBAC) feature. RBAC allows administrators to define different roles within the organization, and assign specific permissions to each role. Users are then assigned to one or more roles, and inherit the permissions associated with those roles. 

Here's how customers can configure Panintelligence at a role and user level: 

  1. Define Roles: First, administrators must define the roles within the organization that require access to the Panintelligence software. Examples of roles might include executives, managers, analysts, or salespeople. 

  1. Assign Permissions: Next, administrators must define the specific permissions that each role requires. For example, executives may require access to high-level dashboards and reports, while analysts may require access to more detailed data and advanced analytics capabilities. 

  1. Assign Users to Roles: Once the roles and permissions have been defined, administrators can assign users to the appropriate roles. This can be done manually, by adding users to each role individually, or automatically, using rules or criteria that determine which users should be assigned to which roles. 

  1. Review and Adjust: After roles and permissions have been defined and users have been assigned to roles, administrators should review and adjust the configuration as necessary. This may include adding or removing roles, adjusting permissions, or re-assigning users to different roles. 

Configuring Panintelligence at a role and user level involves defining roles and permissions, assigning users to roles, and reviewing and adjusting the configuration as necessary. With role-based access controls, customers can ensure that users have the appropriate level of access to the Panintelligence software, based on their role and responsibilities within the organization. 

 

 

piSaaS Hosted Solution

Panintelligence offers a secure Software as a Service (SaaS) solution that ensures the safety of customer data. Here are the key security features that ensure the safety of customer data: 

  1. Data Privacy: The Panintelligence SaaS solution ensures that data is not moved or extracted from its source, which means that data stays secure within the customer's environment. This reduces the risk of data loss or theft during transit. 

  1. Secure Access: Access to pi software is only provisioned by a System Administrator, who is a customer employee. This ensures that only authorized individuals have access to the software. 

  1. Restricted Access for Panintelligence Staff: Panintelligence staff that administer the cloud service do not have access to the customer data or the software. This ensures that data is only accessed by authorized customer personnel, and that Panintelligence staff only access the cloud infrastructure, and their access is strictly monitored and audited.  

  1. Report / Scheduler downloads.  To ensure the security of data, it may be essential for customers to restrict user access to data downloads within reports or scheduler jobs. In cases where downloading is permitted, we offer users an option in the scheduler to encrypt their attachments and reports. Additionally, to maintain security, a temporary file is created when the scheduler job starts, stored on the server, and promptly deleted upon completion of the job. 

 

PiSaaS Administrator Password Reset  

If you happen to forget your Admin account login details, you can regain access by submitting a service request to our support team at support@panintelligence.com. To reset the admin password, our cloud team will execute a script against the database, and the new password will be shared with the Administrator. However, for security reasons, it is important that the Administrator changes their password immediately upon logging in. 

The Panintelligence SaaS solution includes several security features that ensure the safety of customer data. With data privacy, secure access, role-based access controls, and restricted access for Panintelligence staff, customers can trust that their data is protected and only accessed by authorized individuals. 

 

Data Held In The Pi Repository

The pi repository holds various types of data, including information about users, categories, charts/reports, data connections, backups, and logs.  

  1. The user data includes a user code (which may or may not be a business email address), optional forename/surname/email, and variables (text values that can be encrypted and are used to default users' filter criteria, such as department name).  

  1. User restrictions are also stored as text values and are applied to limit the data returned for users' queries (e.g., UUIDs of user accounts in the snowflake instance). 

  1. Categories in the repository contain default values for text-based category objects, which are used to default users' filter criteria (e.g., department name).  

  1. The charts/reports section includes filter values that are also used to default users' filter criteria. These may contain user-sensitive data, such as name and gender, depending on the data accessed by the dashboard. 

  1. Metadata on data connections is also stored in the pi repository, including lists of tables/columns and calculations used to generate queries.  

  1. Daily backups of the repository are held in a secure S3 container, accessible only by the pi cloud team. Support and professional services may also access the backups as instructed by the customer. 

  1. Finally, logs are created and maintained by the application. Access to these logs is limited to Cloud, Support, and Professional Services teams to maintain confidentiality.   

 

Automated Licence Manager

Panintelligence provisions licenses and aggregates customer usage data through its Automated License Manager (ALM) system. When a customer purchases a license, they receive a license key that is used to activate the software. With the ALM system in place, the license key is automatically provisioned to the customer's account and is managed remotely. 

The ALM system also provides aggregated usage data from all customers who have opted in to share their usage data. When enabled, the ALM collects usage data from the customer's installation of the Panintelligence dashboard, including: 

  • The licence currently in use 

  • Software version 

  • The OS the dashboard is running on, e.g. Windows, Linux or Docker 

  • The number of enabled users in the dashboard 

  • The number of categories in the dashboard 

  • The number of data connections in the dashboard 

  • The number of charts in the dashboard 

  • The number of reports in the dashboard 

  • The IP address of the server that sent the request 

This data is anonymized and aggregated to provide insight into how customers are using the software, which can be used to improve the product and deliver better customer service. 

Access to the usage logs is limited to the Support Services and Customer Success teams to ensure confidentiality. 

 

Controlling access to the Pi software is crucial to maintaining security and preventing unauthorized access to the software or customer data. However, there may be instances where customers need to provide access to Panintelligence in order to receive support services. In such cases, it's important for customers to consider additional security measures to protect their data. 

Customers should ensure that they meet their own data processing and security standards, which may go beyond the following recommendations. Some of the additional security considerations include: 

  1. Test environments: Where possible, Panintelligence staff should work in test environments using test data. This ensures that customer data is not exposed during the support activity. 

  1. Temporary access: Customers should only grant access to Panintelligence for the duration of the support activity. Once the activity is complete, access should be revoked.  Time sensitive logins can be used for this purpose. 

  1. Role-based access control: Customers should ensure that Panintelligence is only granted the minimum level of access required to complete the support activity. This can be achieved by using role-based access controls to restrict the scope of access. 

  1. Access logs: Customers may wish to keep a log of all access granted to Panintelligence staff. This log should include the date, time, and duration of the access, as well as the specific actions taken during the support activity. 

  1. Data processing: Panintelligence will only process data under customer instruction. This ensures that customer data is only processed for the specific purpose of the support activity. 

  1. Data access: Customers should limit data access by Panintelligence staff to only the data necessary for the support activity. This can be achieved by using role-based access controls or other data access controls. 

  1. Data deletion: After the support activity is complete, customers should ensure that any data accessed by Panintelligence staff is deleted or returned to the customer. This ensures that customer data is not retained by Panintelligence beyond the support activity. 

  1. Security protocols: Customers should ensure that Panintelligence staff are informed of and then follow appropriate security protocols while accessing the software. This may include requirements for encryption, multi-factor authentication, or other security measures. 

 

By following these security considerations, customers can ensure that the security of their data is not compromised during the support activity. Limiting data access, using test environments and test data, and ensuring data is deleted or returned after the support activity are all important measures to protect the confidentiality and integrity of customer data.