Under the Hood
We’re a bunch of badass Scala, Lift and Angular developers who create scalable, secure engines that power online frameworks.
Collaboration Engines are the software services that enable you to collaborate with others online—doing things like adding apples to a tree in a Prune the Product Tree forum or making bids in a Buy a Feature forum.
The Weave platform comprises the Idea Engine and the Decision Engine.
Idea Engine uses the power of visual metaphors and visual thinking (vizthink) to structure collaboration. If you’ve got an image that helps you solve a problem you can make it a framework in Idea Engine.
Decision Engine supports Participatory Budgeting, a process in which participants (employees, customers and other stakeholders) decide how to allocate budgets. The process supports feature prioritization, resource allocation, portfolio management and our philanthropic work at Every Voice Engaged Foundation.
Knowledge workers around the world constantly create new frameworks (see, for example, “Navigating the Dozens of Different Strategy Options” from Harvard Business Review).
When the existing Weave engines can’t support a framework we create a new engine. We offer these new engines as services to fine-tune their use. Then we integrate them into the Weave platform.
Here are two engines that Conteneo has created that support different kinds of problem solving frameworks. They are presently available through consulting engagements. Contact us if you’d like more information.
Alignment Engine (Knowsy®)
Alignment Engine helps teams identify and understand their individual priorities and find alignment—all through the power of collaboration.
Strategy Engine (Common Ground for Action)
Created in partnership with The Kettering Foundation, Strategy Engine enables teams to tackle complex, multi-faceted problems by asking them to consider the actions and drawbacks of potential courses of action and building an interactive visualization of where the team has a foundation for action.
While we’re proud that we’ve earned approvals from companies like Adobe, bwin.party, Cisco, RELX Group and Transamerica, we’re also humble and know that security practices are a moving target. Accordingly, we strive to be vigilant and update our systems to follow industry best practices in security.
Here is an FAQ of several of our most common questions / topic areas. Please contact us if you have any additional questions.
Hosting and Operations
|Risk Management Policies||Conteneo has formally defined HR and risk management policies designed to promote enterprise security practices. Enterprise customers may review these policies to ensure they comply with their guidelines.|
|Insurance||Conteneo maintains Commercial General Liability, Cyber-Liability and other forms of insurance.|
|Hosting||We host at secure facilities at Rackspace. Access to our servers is monitored and audited.|
|System Admins||Conteneo System Administrators manage the operations of the system (e.g., updating the software). System Administration access is tightly managed and controlled. Conteneo System Administrators also provision the domain names associated with Enterprise accounts.|
|Enterprise Admins||We define at least one Enterprise Administrator for every enterprise account. These people manage the public custom registration pages of each customer, enterprise frameworks (frameworks defined for the enterprise) and users. Additional roles are described below.|
Frameworks, Forums, Users and User Data
|Frameworks||A framework is a tool that enables knowledge workers to perform their jobs – e.g., Prune the Product Tree is a framework to help teams build roadmaps. Frameworks are the starting conditions of a forum. Public frameworks are visible to all users. Private frameworks are visible only to the Producer, Facilitators and Participants of the framework.|
|Forums||A forum is a specific instance or use of a framework by one or more people. Forums are initiated by a Producer who may facilitate the forum directly, specify another user to act as facilitator, or allow the participants to self-facilitate. Forum results are stored privately in the account of the Producer who determines who may access the results when the forum is complete.|
|Forum Data||Forum data includes the participants, data added by Participants during a forum and other meta-data we capture and analyze to improve the operations of our platform. Producers are responsible for providing guidance to participants on sharing data within a forum.|
|Facilitators and Participants||Our system defines the following high-level roles:
Facilitators manage the frameworks and forums that are used by Participants. Facilitators must have accounts in our system and are authenticated on every session. Facilitators define and manage the participants of their forums through a guest list. The guest list policy can include requiring the authentication of participants – see slide 37 of this Slideshare.
Participants join a forum using their email address and a name. Participants are not required to have an account but may be subjected to authentication based on how a facilitator has configured their forum.|
|Personally Identifiable Information (PII)||The only PII we capture and manage is the email addresses of Facilitators and Participants. The name (or “handle”) a Participant uses to join a forum is shared with all forum Participants.
Note: Participants in a forum may reveal Personally Identifiable Information within a forum. We do not control for this.|
System Architecture and Data Management
|OWASP Top 10 Vulnerabilities||As far as we know, Conteneo was the first enterprise application vendor to write all of its platforms in Scala/Lift, and indeed, we were and remain a major benefactor/supporter of David Pollak and the Lift team.
Lift is a “secure by design” user interface framework, with built-in safeguards to combat many of the OWASP Top 10 vulnerabilities. See: http://seventhings.liftweb.net/security.
For the remaining OWASP Top 10 vulnerabilities not explicitly managed by Lift:
A6: Conteneo has strict policies in place to prevent security misconfiguration, including maintaining currency on all aspects of our application stack.
A7: Passwords are stored using proper encryption. We do not store any credit card data but instead use Stripe.
A9: We use HTTPS and maintain proper certificates.
A10: We do not forward or redirect users to any page outside of our control. Facilitators can configure an “Exit URL” that takes participants to a specified URL after a forum is completed – but this Exit URL is under your control, not ours.|
|Multi-Tenant||Our present architecture is multi-tenant. We are exploring single-tenant architectures in which individual customers could establish their own data management policies. If you require single-tenant support contact us and we’ll explore how we can help you accomplish this goal.|
|Backups||Because our present architecture is multi-tenant, our data management and backup policies are designed to support a balance between (a) normal users who delete something and might want it recovered AND (b) users who want confidence that deletions are securely erased through the backup process.
At present, our operational system is backed up by automatic Rackspace processes every few hours. These backups are stored in a circular queue lasting 30 days. Thus, for a period of 30 days, (a) normal users who delete something and would like it recovered can be serviced. After 30 days, (b) users who want confidence that deletions are securely erased through the backup process can be confident that their data has been permanently erased.
This is a uniform data management policy which we believe is suitable for a multi-tenant architecture and has been deemed acceptable by our customers.
Note that we encourage customers to retain information in our system for as long as they deem valuable.|
Conteneo has created an API for Decision Engine. We intend to leverage our learnings and release an entirely redesigned REST API to Weave later this year. Contact us if you’d like to get involved in shaping this API.