Secure Temporary Files
Many of our API endpoints (such as export and import) provide you with ways to interact with Orgvue in an asynchronous manner through Secure Temporary Files, which is where your data will arrive once the request is processed.
Data within the Temporary File Service is encrypted and cannot be accessed without the use of the presigned URLs.
Secure Temporary Files generated by the API are created via bearer tokens, secured with a secret URL, and removed automatically after 15 minutes.
Temporary files are created within Orgvue's architecture, and access to them is limited by the following:
- Users generating presigned URLs must be authorized and satisfy any IP restrictions on the tenant or Bearer Token.
- Only the person running the API request will have access to the secret presigned URL.
- File creation itself is gated by tenant and bearer token IP restrictions.
Export data location
For security reasons:
- The presigned url is the only means of accessing your jobTicket and subsequent export data.
- You must keep track of the presigned url until you are done polling for your result.
- The presigned url expires after a short period of time (start date and duration are visible in the query parameters).
- The temporary data object itself has a short expiry as well, and is deleted from our infrastructure entirely.
- If you lose track of the presigned url, Orgvue does not have the capability to reproduce it: you must repeat your request.
- Orgvue does not have the capability to access your temporary results in the object location.
- If the above is not acceptable to you, provide your own presigned url location by means of the $.exportLocation attribute in the request payload.
Providing your own presigned URL for dataset export
- Generate a presigned url in your infrastructure.
  The presigned URL must be HTTPS, using a unique, single-use encryption key.
- Ensure our API can perform an http PUT operation to the location provided.
- Ensure that the presigned url you generated does not specify a port.
- Provide the presigned url to our API when you make your request.
- When the jobStatus is "completed", your results have arrived in the infrastructure location you provided us with.
- The body of our jobTicket will not contain a $._links.result section, as we have no way to GET data from your exportLocation.
Failing to provide us with a presigned url we can use to export data to will result in a "failed" job. The "errors" array in the jobTicket will contain all the information we have available on what went wrong when we tried to use the presigned url.
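A pre-flight check for the requirements listed above, as an added example that is not part of Orgvue's documentation or code: it confirms that a presigned URL uses HTTPS, names no port, and is not about to expire before it is sent as $.exportLocation. It assumes AWS SigV4-style query parameters (X-Amz-Date, X-Amz-Expires) carry the start date and duration, which the page does not specify; the function name, the 5-minute margin and the sample URLs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit


def check_export_location(url, now=None, min_remaining=timedelta(minutes=5)):
    """Return the problems found in a presigned URL; an empty list means it passed."""
    now = now or datetime.now(timezone.utc)
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError when the port is malformed
    except ValueError:
        return ["URL cannot be parsed"]
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("URL has no host")
    if port is not None or parts.netloc.endswith(":"):
        problems.append("URL must not specify a port")
    # Assumption: SigV4-style parameters carry the start date and duration.
    query = parse_qs(parts.query)
    start = query.get("X-Amz-Date", [None])[0]
    duration = query.get("X-Amz-Expires", [None])[0]
    if start is None or duration is None:
        problems.append("start date or duration missing from query parameters")
        return problems
    try:
        begins = datetime.strptime(start, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = begins + timedelta(seconds=int(duration))
    except ValueError:
        problems.append("start date or duration is malformed")
        return problems
    if expires - now < min_remaining:
        problems.append("URL expires too soon for the export to complete")
    return problems


# Constructed sample values; the host, path and signature are placeholders.
QUERY = "X-Amz-Date=20240501T120000Z&X-Amz-Expires=900&X-Amz-Signature=constructed"
GOOD = "https://exports.example.com/orgvue/dataset.json?" + QUERY
BAD = "http://exports.example.com:8443/orgvue/dataset.json?" + QUERY
NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, url in (("good", GOOD), ("bad", BAD)):
        print(label, check_export_location(url, now=NOW))
```

Running the check just before submitting the request catches a URL that would produce a "failed" job for a reason visible on the client side.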
Generating secure temporary files using the Orgvue API
To facilitate your interaction with our APIs, we provide you with the capability to produce temporary file locations where you can upload data to be ingested by the API or where your data will be exported by the API.
The temporary file can only be accessed by means of two links (secure urls), one for upload purposes and one for download purposes, both generated when the temporary file is created.
Each secure link is only available once, via the original "Create a secure file" request, and cannot be regenerated afterwards.
Note that the temporary file itself has a separate lifecycle to the access urls, and is deleted when it is no longer needed (shortly after the access urls expire).
Data in the temporary file is encrypted at rest.
The "Create a secure file" endpoint schema can be seen in our OpenAPI documentation, along with information on how to use the endpoint to:
- generate a secure file for asynchronously exporting a dataset to it
- generate a secure file to upload your data to, so it can be ingested by Orgvue