Jive Apps Market Security

The Jive Apps Market is a secure marketplace for purchasing third-party enterprise apps, or apps you develop, within the Jive platform.

Jive Software partners with third-party apps developers to provide enterprise apps to users. The Jive Apps Market makes it simple for you and your users to find, install, and launch apps. As a Jive administrator, you can:

Buy apps for individual community users or make them available for every community user.
Develop your own apps for your specific business needs and deploy them in the Apps Market.
Promote the apps you want your users to use.
Disable the App Market for all users.
Disable or enable any specific app in your community.

CAUTION:

The security of an individual App is ultimately the responsibility of the App provider. Apps are offered as-is by Jive Software.

Because third-party Apps are cloud-delivered, users are always accessing the latest version of a given App. Partners can use only our published APIs.

Here's how it works:

App Market Architecture

Jive Software relies on its own Apps-approval and QA process to approve or deny candidate Apps submitted by Apps partners and developers. Third-party apps available from the Jive Apps Market undergo high-level functional validation.

The security of an individual App is ultimately the responsibility of the App provider. Apps are offered as-is by Jive Software.

Apps Communication and Authentication

All communication between the Jive instance and the Apps Market is authenticated with OAuth. The Apps Market uses a secure gateway proxy service to get information into and out of individual apps without transmitting or storing proprietary data. All credit card information is stored separately from the Apps Market by a PCI-compliant vendor.

Communication from a Jive App to the Jive instance is typically done via HTTPS. Jive Software does not guarantee or require that communication from an app to its home server be over HTTPS. Nor do we mandate or guarantee that the request is signed via OAuth.

An app running inside of Jive can create content and communicate directly with Jive via the JavaScript APIs that Jive Software provides. In this scenario, the user is running the app inside of the Jive instance.

An app’s home server uses the Jive Apps Gateway to post activities (and only activities) to a Jive instance as follows:

The app’s home server posts to the Jive Apps Gateway endpoint over HTTPS. This request is signed by the home server using OAuth.
The gateway endpoint queues up the incoming request in a database. The entry is not encrypted in the database.
The Jive instance polls the Jive Apps Gateway, retrieves the request, and posts it to the activity stream of the Jive instance over HTTPS.
The Jive Apps Gateway deletes the request. Note: It is possible for the request to appear in the Jive Apps Gateway log.

Apps Security Checks

Each time a user launches an app from the Apps Market, the Jive instance verifies that user has rights to use the app. The app's definition (app.xml) itself is served from the Jive SaaS infrastructure at runtime.

Data Storage

The Jive Apps Market stores data in Jive Software's data storage center in the United States. The Apps Market does not encrypt Apps, user IDs, and mappings in storage. All credit card and personal identity information for Apps billing is stored outside of Jive with a PCI-compliant provider. Apps data is stored in a database and memecache. Databases are not publicly addressable. Jive stores Apps gadget XML, app IDs, user IDs, and mappings between them for an indefinite period of time. Data is backed up daily.

Data Transmission

All data transmissions in and out of our databases are SSL encrypted, which includes JSON over HTTP for services, JDBC for database, and HTTP. Only app metadata is transmitted. Proprietary data is never transmitted.

Third-party social business applications that integrate with Jive via the Jive Apps Market may use data from the Jive instance in their business logic that allows them to post and work with content and information in the Jive instance. For example, a third-party app could be logically tied to a social group in the Jive instance so that updates to app content are posted in the associated Jive social group. Here are some examples of how that would work:

A project in a project management app.: If someone creates a new project or updates an existing project in the app, the app can post that content change to the Jive social group.
A bug in a bug-tracking app.: If someone creates a bug or updates an existing bug, the app could post that content change to the Jive instance.
An opportunity in a CRM app.: If someone creates an opportunity or updates an existing opportunity, the app could post that content change to the Jive instance.

Data Access

If your Jive community is deployed behind your organization's firewall, only you have access to your Apps data. If your Jive community is hosted by Jive Software, your data will be accessed only as needed to support your instance, and is kept strictly confidential.

Apps Cookies

The Appsmarket App does not use any cookies. However, the following cookies are used by the Dev Console and Admin Console as described:

jamSSO: Cookie maintained between the Dev Center and your Jive community for SSO.
JIVEAPPSMARKETTOKEN: Maintains the user session. This cookie is used by the Dev Center and Admin Console.