Data transmission
As can be seen in the following diagram, the iCL System consists of a number of components that communicate with each other.
In the following, the data flow between the individual components is described in more detail.
1. Incoming data [Mandatory]
The only source of incoming data is either the clients browser, when browsing the iCL Portal web application or the iCL Filler 2.0 app. In any case, the data is transmitted via HTTP via the standard HTTPS port 443.
As you can see later in 2.1b, we usually set up availability tests for our customers. These regularly (every 5 min) try to access the login screen of the iCL Portal web application to verify if the system is up and running. These tests are totally optional, though.
This includes any application data necessary for the application to function such as:
- the user's login data (username, access token, roles and permissions)
- workbooks, tasks, inspections and their images
- content items that are configured to be synchronized along with their images
- the user's settings (e.g. language, theme, etc.)
This connection is mandatory. You can use a VPN (Virtual Private Network) solution to connect your devices to your network, but this is not required and may deterioate the user experience.
2. Outgoing data
The iCL System sends data to the following destinations:
2.1 Application Insights [Optional]
Application Insights is a service provided by Microsoft that allows you to monitor the performance of your application and trace any errors that may occur. For each customer, we create a separate environment in Application Insights, so that the data is strictly separated from each other. Moreover, customers can get direct access to monitor their own environment.
No personal data is transmitted to Application Insights, only user-id and exception detials may be transmitted.
While it is possible to run iCL Portal without Application Insights, we strongly recommend against it. If there is any problem in your system, we will have to go through server logs to find the cause of the problem. This is a very time-consuming process and will result substantial in additional costs for you.
The following table lists the types of data that are transmitted to Application Insights:
| Data type | Description |
|---|---|
| custom events | Allow our system to collect custom data. We use this to trace synchronization issues and metrics (number of rows, conflicts), timings and report creation timings. |
| dependencies | Data about any issues with systems that iCL Portal depends on, such as the SQL Server. This includes the average response time |
| exceptions | Data about any exceptions that occur in the iCL Portal web application. This includes the exception message, the stack trace and, if available, the user-id of the user that caused the exception. |
| requests | Covers metrics about requests, the time it took to process them, their result code (success/error), potentially linked exceptions |
| traces | Logs as they are configured in iCL Portal. By default: All traces with a severity of Warning and higher will be transmitted |
To avoid any performance issues, we highly recommend to keep the minimum severity of traces to Warning.
As of this writing Application Insights is part of "Azure Monitor" and required the following domains to be accessible to send telemetry data via port 443:
| Purpose | URL | Type | IP | Ports | Encrypted |
|---|---|---|---|---|---|
| Telemetry | dc.applicationinsights.azure.com | Global | 443 | Yes | |
| dc.applicationinsights.microsoft.com | Global | Yes | |||
| dc.services.visualstudio.com | Global | Yes | |||
| northeurope.in.applicationinsights.azure.com | Regional | Yes |
By default, we at Opti-Q use north europe as the region for Application Insights.
Because of this, the domain northeurope.in.applicationinsights.azure.com is used.
The remaining options are listed here If you want to use a different region, please let us know.
2.1b Application Insights Availability Tests [Optional]
These optional tests try to access the login page of iCL Portal every 5 minutes from different places on the internet. This allows us to monitor the availability of your system in various regions around the world and to react quickly in case of problems. The following type of data is sent to Application Insights:
| Data type | Description |
|---|---|
| availability testresults | Detailed information of a performed availability tests such as location of the test client, timestamp, success/failure, response time |
2.2 Opti-Q Licensing System [Mandatory]
The Opti-Q Licensing System is a service provided by Opti-Q that is used to manage the licenses of the iCL System. It is used to check the validity of the license and to manage the number of users. Each iCL Portal installation regularly queries this system encrypted via HTTPS on port 443 to validate and/or update existing licenses and to check the number of users.
The following domain needs to be accessible:
| Purpose | URL | Type | IP | Ports | Encrypted |
|---|---|---|---|---|---|
| Licensing | license-q.azurewebsites.net | Global | 443 | Yes |
The licensing information includes only the license data itself (e.g. number of users, expiration date, etc.) and no personal data. The usages identify the user by the domain name of the iCL Portal and its user id.
2.3 Authorization Provider
In case you want to use an external authenticaion provider such as SalesForce or Azure Active Directory, the iCL Portal web application and the app will simply redirect the user to these services (443) to perform the authentication. Once this was successful, they are redirected to iCL Portal. In that regard, no data is ever transmitted to these services - just the data that the user her/himself enters into the login form.
Because the authorization is performed by opening a browser control and redirecting the user to the authorization provider, the iCL System itself cannot read the credentials.