Organizational security
Enterprise Key Management (EKM)
Enterprise Key Management (EKM) is a feature that helps better protect your organization's data. If you use EKM, the channels, direct message channels, and projects will be encrypted using your own GCP Key Management Service (KMS) keys. Swit has no control over these keys, ensuring the security of your organization's data.
Types of data encrypted
The types of data encrypted by EKM are as follows:
- Messages and comments in chat
- Messages, ideas, and comments in channels
- Tasks and comments in projects
- Files attached
NOTE
Members may not be able to view, access, or download some data in your organization if decryption fails.
Audit logs
The audit logs track the activities of organization members when they access, upload, or download information. The audit logs record the time of action, user information, action type, etc., and the organization's audit managers and auditors can view the audit logs for security purposes. The audit logs can be filtered by period, member, and event and can be exported with the filters applied.
Audit logs manager and auditors
The audit logs manager is the highest-level auditor and has the privilege of assigning other auditors. The audit logs manager is assigned by the organization master. Auditors are given access to the audit logs, and multiple people can be assigned as auditors.
Add auditors
The audit manager can assign auditors by searching for members in the Auditors tab. The audit manager is a single person designated by the organization master, but auditors can be more than one person.
Access control
You can restrict access to your organization only to registered IP addresses on desktop. Registered IP addresses will be granted access 5-10 minutes after they are activated. When the access control option is turned off, your organization becomes accessible from all IP addresses and the IP registration in progress is canceled.
Register an IP address
To register the IP addresses you want to grant access to, click Register IP address. Choose whether to enter an IP address or a CIDR block. After the IP address is approved, you can activate or deactivate it. You can also edit or delete the address by clicking on ⋮ at the right.
IP address status
An IP address can have one of the following statuses: In progress, Approved, Rejected, Active, or Inactive. After the IP address is registered, it is displayed as In progress. Click the status to see the activity log for the IP address. IP addresses not eligible for registration can be rejected, and they can be edited and registered again.
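Before turning access control on, it helps to confirm that every address your members connect from is covered by an entry that is actually Active. The following is an added example, not part of Swit's product or documentation: it models the rule described above in Python and reports which egress addresses would be locked out. The entry list, the egress addresses, and the assumption that only entries in the Active status grant access are constructed for illustration.

```python
import ipaddress

# Constructed sample data: registered entries and their console status.
# Addresses are taken from documentation ranges (RFC 5737 / RFC 3849).
REGISTERED = [
    ("203.0.113.0/24", "Active"),        # office egress block
    ("198.51.100.7", "Approved"),        # approved but not yet activated
    ("192.0.2.0/28", "Inactive"),
    ("2001:db8:10::/48", "Active"),
    ("198.51.100.300", "In progress"),   # malformed on purpose
]

def parse_entries(entries):
    """Return ([(network, status)], [malformed values])."""
    parsed, malformed = [], []
    for value, status in entries:
        try:
            # strict=False tolerates host bits, e.g. 203.0.113.5/24
            parsed.append((ipaddress.ip_network(value, strict=False), status))
        except ValueError:
            malformed.append(value)
    return parsed, malformed

def covering_statuses(client_ip, parsed):
    """Statuses of every entry whose range contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [s for net, s in parsed if net.version == ip.version and ip in net]

def is_allowed(client_ip, parsed, access_control_on=True):
    """Assumed rule: with access control on, only Active entries grant access."""
    if not access_control_on:
        return True  # control off: reachable from all IP addresses
    return "Active" in covering_statuses(client_ip, parsed)

def lockout_report(egress_ips, entries):
    """Map each egress IP that would be blocked to the reason."""
    parsed, malformed = parse_entries(entries)
    blocked = {}
    for addr in egress_ips:
        if is_allowed(addr, parsed):
            continue
        statuses = covering_statuses(addr, parsed)
        blocked[addr] = ("covered but " + statuses[0]) if statuses else "no matching entry"
    return blocked, malformed

if __name__ == "__main__":
    egress = ["203.0.113.45", "198.51.100.7", "192.0.2.5", "2001:db8:10::1"]
    print(lockout_report(egress, REGISTERED))
```

Because activation takes effect 5-10 minutes after an entry is activated, run the check against the statuses shown in the console and wait out that window before enabling the restriction.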
Restrict screen capture
You can restrict your organization members from taking a screenshot or screen recording of the Swit app. Note that this measure applies differently to Android and iOS devices. If this toggle is on, it will prevent screen capture and recording on Android devices. On iOS devices, members can still take screenshots, and the copies of those screenshots will be collected in the audit logs.
Require PIN on mobile
You can require the use of a PIN code within the organization. When this feature is activated, members are required to set their own PIN in the Swit mobile app, and enter the PIN every time they open the app on their mobile devices.
Block file download
You can manage separate settings for each role to prevent them from downloading attached files in Swit on desktops or mobile devices. Even when the download is blocked, the files can be viewed and uploaded, allowing users to collaborate using previews of PDF, Microsoft 365, and HWP files.
File preview
You can manage the file preview settings to keep the documents shared within the organization secure. Adding a watermark or setting the preview format can help prevent data leaks, misuse, or unauthorized sharing of sensitive document content. Note that these settings will apply to all documents uploaded across the organization.
Add watermark
Switch this toggle on to insert a watermark into the previews of all documents uploaded in the organization. The watermark style options are as follows:
- Organization name: Choosing this option will create a watermark with your organization name.
- Custom: You can also customize the watermark text to your needs. Type in the text you want to use as a watermark and click Apply.
- Viewer's name: Choosing this option will show the name of the user signed in as a watermark.
Preview format
You can also choose the format in which the document previews are generated. You have two options to choose from:
- HTML: When the previews are provided in an HTML format, viewers are able to copy or edit text from the previews.
  NOTE
  Adding a watermark will disable this option.
- Image: When the previews are provided in an image format, the preview content is available for viewing only.
Malware and virus check
All files uploaded to Swit are scanned for malware to protect your organization members' devices from security threats. If any viruses are detected when uploaded, the thumbnail and preview of the file will not be provided. Only approved files will be available for download.
Two-factor authentication (2FA)
Two-factor authentication (2FA) involves an additional authentication process when your members sign in to Swit in order to strengthen the security of their accounts and the organization as a whole. 2FA requires members to enter a one-time code in addition to the basic sign-in method using email and password.
Enable 2FA
You can enable 2FA in your organization as follows:
- Enter Admin console > Security > Two-factor authentication.
- Select Enable 2FA.
- Set 2FA as mandatory or optional.
- Set up 2FA for your account.
- 2FA will be enabled for your organization and your organization members will receive an email informing them to set up 2FA.
Mandatory use of 2FA
Even when this option is selected, the 2FA setup may not be required for everyone depending on the SSO settings for each organization. See below for different cases of when 2FA setup is required and not required.
- When your organization requires SSO: 2FA setup is not required for either members or guests.
- When your organization requires SSO for members and basic sign-in for guests: 2FA setup is required only for guests.
- When your organization allows either SSO or basic sign-in: 2FA setup is required for both members and guests.
- When your organization disables SSO: 2FA setup is required for both members and guests.
NOTE
Those required to set up 2FA will be signed out of Swit if they don't complete their 2FA setup seven days after the organization admins enable 2FA in the organization.
Manage 2FA for members
You can manage the 2FA settings for your members in the Members & teams tab in the Admin console.
- View members' 2FA status: At the top right of the member list, you can filter the list of members in your organization and view only those for whom 2FA is active or inactive.
- Reset members' 2FA: You can also reset 2FA settings for members according to the organization's needs. All members will be signed out of Swit from all their devices, and they will have to set up 2FA again. Either click on the ⋮ icon at the right of each member to reset 2FA for that member, or enter the member details page by clicking on the member to reset 2FA in the Account info section.
Session duration
You can manage the session duration time for the members in your organization to minimize security risks. Session duration defines the amount of time that a member can stay signed in to Swit before they are signed out automatically. Note that a session's duration concerns the time period that begins when a member signs in with their email and password. When the session duration expires, the member will not be signed out immediately, but will be required to sign in the next time they attempt to access the organization. When the session duration expires, their 2FA session will expire as well. Also, if you change the session duration, members will not be signed out automatically, but the set session duration will be applied when signing in the next time.
Admin session
When admin verification is enabled, admins have to enter a code each time they access the Admin console. Also, session duration for admins can be set so that they are required to re-authenticate for access to the Admin console once the session duration expires.