Hosted and built on Microsoft Azure™ we use their proven technologies to guarantee high level security, speed and productivity. With the ultimately flexibility in choice where your data is hosted, we offer hosting locations throughout the world for you to choose from when signing up.

Our suite can communicate with any database system you have available in your organization. Easy scheduling importing information into our suite back office, as well as reporting information back to connected databases including defined business logic at no additional cost!

ID card management and enrollment solutions are know to be expensive and complex. Our suite works with the unique Active ID approach that offers you perfect control of your cost, the less you need, the less you pay but still have access to all enterprise features.

Our powerful REST-API offers you the opportunity to develop your own integrations and connectors towards our suite back office. This unique product, the Bridge, is easy to integrate and follows the latest standards. Of course we are also happy to assist with specific integrations needed for your situation. We are constantly developing new integrations for our cloud product based on our REST-API.

Following the highest standards in data protection, our suite solution is based on GDPR, currently known as the highest protection in regard to personal data. Our hosting options are enclosed instances, no data travels to other hosting locations.

To offer the highest user authentification but at the same time flexibility for your users, our suite uses authentication based in IdentityServer4 for managing access to all our applications and offers authentication with your Microsoft, Google, Facebook, or any Open ID Connect supporting system.

CardExchange® Cloud Suite is hosted on Microsoft Azure™ and is based on the structure as you can see in the presented diagram. The processes of authentication and data are running at your hosting location of your choice and all these services are offered via a single point of access called the Application Gateway.

The Application Gateway receives the client request and directs them through the Web Application Firewall (WAF) to the correct service on Azure™. The Web Application Firewall analyzes the content and takes care that suspicious requests are being blocked, to avoid attaches that could compromise the system.

Transparant Data Encryption (TDE) is used to encrypt SQL Server, Azure™ SQL Database, and Azure SQL Data Warehouse data files in real time, using a Database Encryption Key (DEK), which is stored in the database boot record for availability during recovery. TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES) encryption algorithms. Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted before they are written to disk and are decrypted when they’re read into memory.

Microsoft® uses the Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

CardExchange® Cloud Suite only supports Https connections using TLS1.2 or higher.

One of the most important aspects of an ID enrollment is the communication with the back offices inside your organization. Think about HR systems or Student Registration system that contain valid information needed for the enrollment. The business logic will determine when an ID can be enrolled to a employee or student, but when it is enrolled, the back offices need to be informed when the ID becomes active. Connectors are a key element in this as they inform the back offices about the status of the ID. Is it active, cancelled, lost, or stolen, etc. In any of these situations, back offices like access control, vending, library, etc., need to be properly informed.

Our cloud connectors are also generally a .NET Core web API that will run in Azure, although these can run locally as well if needed using IIS or as a Windows service for example. We have available Hangfire for scheduling, queueing jobs and monitoring. CardExchange® Cloud Suite offers two types of connectors: Incoming and Outgoing connectors. New connectors are constantly being developed and made available via our CardExchange® Cloud Portal.

The incoming connector can communicate directly with other systems using their API, preferably this would be a REST API made available by the system vendor. Incoming connectors can also communicate directly with a database hosted in the cloud, or local databases.

The incoming connector initiates the communication and reads from the source system, it then adds or updates the records in Controller based on the business logic defined.

All communication with the incoming connector goes through the Web Application Firewall.

Azure™ Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use.

Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services. Permissions to access keys can be assigned to services or to users through Azure™ Active Directory accounts.

Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and applications don’t have direct access to them. You can also import or generate keys in HSMs.

To be able to respond quickly to specific customer needs and offer high speed, secure applications, the development platforms for CardExchange® Cloud Suite have been specifically choosen to do the job.

If it comes the front end development, the Controller CMS and The Stand are built in Angular. As Angular is a JavaScript framework and Controller CMS and The Stand are single-page applications, the client computer downloads the front-end code to the browser when initially accessing Controller CMS or Stand. From then on, the browser communicates directly with the back end.

The CardExchange® Cloud Suite back end The back end is a .NET Core web API. It translates requests from the client into SQL queries and sends them to the database, after which the results are sent back to the client in an appropriate format.

Our outgoing connectors are connections between the back end and external systems that send data to those systems in reaction on actions performed by the end user.

Outgoing connectors should preferably use web hooks, these can be configured based on a change to the persons ID card status in Controller CMS. This means that the webhook can be sent, for example, when a ID or card is activated or blocked. The connector can then send a request via the API to get the full data for that specific record or action which greatly reduces network traffic and offers a real-time experience.