Print Cloud
User’s Guide
Copyright © 2011 Ricoh Americas Corporation
It is the reader's responsibility when discussing the information contained this
document to maintain a level of confidentiality that is in the best interest of
Ricoh Americas Corporation and its member companies.
NO PART OF THIS DOCUMENT MAY BE REPRODUCED IN ANY FASHION
AND/OR DISTRIBUTED WITHOUT THE PRIOR PERMISSION OF RICOH
AMERICAS CORPORATION.
All product names, partner’s brands and their products, domain names or
product illustrations, including desktop images used in this document are
trademarks, registered trademarks or the property of their respective holders
and should be noted as such.
Any trademark or registered trademark found in this support manual is used in
an informational or editorial fashion only and for the benefit of such
companies. No such use, or the use of any trade name, or web site is intended
to convey endorsement or other affiliation with Ricoh products.
Table of Contents
1 Introduction ... 3 2 Web Interface for Print Cloud ... 4 2.1 Log in Screen ... 4 2.2 Dashboard ... 5 2.3 Computer ... 7 2.4 Projects ... 10 2.5 Actions ... 11 2.6 Search ... 13 2.7 Versioning ... 13 2.8 Restore ... 14 2.9 Print Cloud Log ... 14 3 Printing ... 15 3.1 Printing from the service ... 15 3.2 Cloud printing through email submission ... 16 4 Mobile Application and Mobile Phone Interfaces ... 17 5 Desktop Agent Interface ... 19 6 User Notifications ... 22 6.1 Email messages ... 22 6.2 Desktop Agent notifications ... 23 6.3 SMS notifications ... 23 7 Printing from the iPad using the Print Cloud Application ... 24 8 Printing from an iPhone with the Print Cloud Application ... 36 9 Printing from an Android Phone with the Print Cloud Application ... 38 10 System Compatibility ... 47 11 Print Cloud Security White Paper ... 50 11.1 Part 1 ‐ About the Soonr Service ... 51 11.2 Part 2 ‐ About the Soonr Datacenter ... 55 11.3 Part 3 ‐ About Devices and How They Interact With Soonr ... 56 11.4 Part 4 ‐ About User Data and Personally Identifiable Information ... 57 11.5 Part 5 ‐ HIPAA Compliance ... 59 11.6 Part 6 ‐ Soonr’s Published Policies ... 60 12 Notes: ... 61
This page intentionally left blank to allow for duplex printing.
1 Introduction
This document describes how to use the Print Cloud Web application and the related mobile
device applications.
Print Cloud has following key components:
• Web Interface for Print Cloud
• Desktop Sync Program
• Android Mobile Application
• iPad Mobile Application
• iPhone Mobile Application.
2 Web Interface for Print Cloud
The Print Cloud website can be access via the following URL:
https://www.iceprintcloud.com
.2.1 Log in Screen
2.2 Dashboard
The dashboard instantly presents the latest important updates and information for the user to
view. The dashboard also shows recent events. To simplify sorting, filters are provided allowing
the user to select files with certain key attributes to view.
The dashboard allows “one click” access to all available commands for any item. Clicking on the
action menu causes a drop down menu to display; from here the user can initiate several
actions.
In the above example, clicking the “details” link launches the details page where the user can
preview the file, see its attributes (like size, last modified date, etc.); clicking “view” launches a
document or slideshow viewer, etc.
The dashboard also offers the ability to create ‘favorites’. Any file or folder can be marked as a
favorite by simply clicking on the star icon. Being a favorite means that the file or folder shows
up in the favorites list in both the web and mobile interfaces.
2.3 Computer
The Computer tab enables users to navigate through all the content they have backed up on
their computers. At each level (computer view, folder view, document view) different
command options are available (described in the section, “actions”).
The top level view presents each computer from which the user has backed up data, along with
a list of the user‐selected top level folders backed up by the system.
Clicking on the computer name displays more details about the backup status and version
history. A given computer can be in the following states:
‐ Enabled – computer is backed up.
‐ Disabled – agents are disabled and can’t login. Typically relevant when a computer is
lost or stolen.
‐ Recycled ‐ Computer will be permantly deleted from the cloud, including the files that
are backed up. The computer will stay in the recycle bin for 14 days before it is deleted,
unless the user manually deletes the computer before.
The folder view displays folders and documents within the folder, and allows various folder
level actions as shown in the screen shot below.
Selecting any document in the
folder view displays the details
view, which shows previews of
the item and provides access to
available actions, as shown here.
Documents and images are displayed in a size customized to match the display device being
used at the time (monitor, laptop, mobile device). Print Cloud’s conversion technology allows
easy reading of documents, through a web browser, as shown below.
Web Browser Display:
2.4 Projects
The Projects tab enables users to access projects they own or are members.
A “project” is a collection of items. Users create a new project by clicking the “+ Create New
Project” button as shown by the “red circle” above. Once selected the screen displays as shown
below.
Once the user clicks “Create Project”, the desktop agent will alert the user that it is sync’ing the
new project to the user’s desktop (see details about agent management of projects in the
Desktop Agent section).
Users can allow team members to join the project by selecting “share” from the action menu.
From any file or folder in the desktop or computers tab, Users can choose the command “add
to project” to tag files that should be associated with the project. These files will then be listed
in the view of the project.
2.5 Actions
Actions are available from the dashboard’s action menu and from action commands throughout
the system.
Shown on the next page, is a chart detailing these Actions and their function.
Available actions include:
Command name
Action
Details
Display file information view
View
Display document viewer or photo slideshow
viewer (automatic based on file type)
Previous versions
Enables user to access or restore a previous
version of a stored file.
Copy to project
Copies the file to a project specified by the
user
Comment
Enables the user to attach a comment
Download
Allows user to save the file to the viewing
device
Upload
Enables user to upload a new version of the
file
Send
Sends an email with the file attached
Enables the user to remotely print, via either
the Ricoh Print Cloud feature or to a shared
printer.
Fax
Enables users who have eFax accounts to send
faxes from their content stored on the Print
Cloud system.
Restore
Select current or previous versions of content
to restore to the computer. In addition, files
can be restored to alternative locations on
different or the same computer
Create/Send Public links
Create a web link to a file or folder that can be
sent to other users.
Action commands such as “restore” will help guide users through a simple workflow to
complete the task.
2.6 Search
In the Search tab, users can search across all backed up files.
Options allow the user to filter the search results by document types, source, modified date,
etc.
The action menu for any result provides action options, such as ‘details’ and ‘previous versions’.
2.7 Versioning
The system will keep track of old versions of files for up to 180 days (6 months). The version
history is accessible from the Computer view, the file/folder details view. In addition, deleted
files will also be tracked and the user can choose to see these with the ‘show deleted’
command.
2.8 Restore
The system will allow the user to restore folders back to any computer that has a desktop agent
installed. When restoring files the following options are available.
Feature / action
Description
Use original or automatic folder
Restore into appropriate folder, for ‘My
documents’ have changed location under
different versions of Windows.
Use Desktop folder
Restore under Desktop folder
User defined
The user can specify the location where the
content will be restored
2.9 Print Cloud Log
A new tab will be added to the top row of the interface to enable users to easily find the Print
Cloud log. A design sample is shown below.
3 Printing
Users have various options for printing, but the primary option is the Ricoh Print Cloud feature.
3.1 Printing from the service
Users access the print command from the action menu from any file. Once “print” is selected,
the print dialog appears, as shown below. Note that improvements to the layout of the dialog
have been made so that “Ricoh Print Cloud” is the default selection, and is more prominent on
the screen.
An example is shown below.
Once the user selects “Ricoh Print Cloud” and clicks the continue button, the step 2 dialog
appears. Choices in the “Expire period” drop down are:
• 1 day
• 2 days
• 3 days
• 4 days
• 5 days
• 6 days
• 1 week
The user can choose to receive the print job’s release code via SMS if desired. The release code
is also displayed on the confirmation screen. While the actual customer’s screen may differ
slightly, an example is shown below.
3.2 Cloud printing through email submission
Users may separately choose to email their print job to the Ricoh Print Cloud service.
Email Address: [email protected]
The Print Cloud service will print the content of the email following an analysis of the email
content. On receipt of the email into the service the email is taken apart and depending on the
content different print actions are taken as follow:
• If the mail starts with a URL that points to a supported document type the document is
downloaded, converted and printed. An example could be
http://www.company.com/abc/directions.doc
• If the mail starts with a URL pointing to a webpage, the web page is rendered and
printed. An example could be
http://www.cnn.com
• If the mail contains an attachment which is a supported document type the document is
rendered and printed.
• If the mail does not fall into any of the above categories the body of the mail is rendered
and printed. An example is the typical add style mail that contains nice layout with
embedded images, text etc.
Once the mail is received by the Ricoh Print Cloud service a release code is generated and
mailed back to the user. The user can then use the code to print the job on printer enabled for
Ricoh Print Cloud. Through the mail the user will also be able to view a preview of the print job.
The reply mail from the Ricoh Print Cloud service will be sent to the:
FROM:
Print Cloud Dashboard [email protected]
4 Mobile Application and Mobile Phone Interfaces
In general, all features available on the web interface are also available on the iPhone, Android,
Blackberry and mobile phone web‐interfaces. The exceptions are “Restore” and “Settings”. A
general summary of capabilities on the mobile interfaces includes:
• Basic listing of Favorites, Recent, Computer and Projects + viewing of converted
contents
• Actions: View, Comment, Public Link, Send, Print, Fax, Copy
• Simple Search
• Audio/video playback of native supported video formats
• Document viewing
• Offline Saving of Favorites
• Advanced Search with filters
• FFMPEG Video playback (using video conversion on server)
• The Print Cloud feature will be enabled on all mobile devices.
From one OS to another, there may be variations in the control mechanisms available to the
user in navigating the system (e.g.: a back “button” versus a back “swipe”). These OS
variations, however, do not change the functionality generally available from the Print Cloud
system, merely the manner in which the user controls the device, and thus these OS
mechanisms are not described in this spec. Several iPhone screenshots are displayed below; a
similar interface is used for other mobile platforms.
Welcome screen:
Login:
Computer:
Projects:
Folder and files view:
Actions:
5 Desktop Agent Interface
The Desktop Agent communicates information to the system about the user’s computer,
folders and files using a secure SSL‐encrypted connection. Using the Desktop Agent, the user
can control settings such as backup folder selection and backup speed controls. The Desktop
Agent will backup files marked for backup as changes to the files are detected. If the agent is
not connected to the internet, backup will not happen until next time the agent is connected to
the internet.
In the main window, users get a snapshot of their online status, current activity and backup
space usage.
Windows Desktop Agent:
Macintosh Desktop Agent:
Selecting the Settings button (PC) or any of
the menu buttons (Macintosh) enables the
user to fine‐tune backup and application
controls, as described below.
Selecting the “Backups” tab (as shown right) allows
users to change folders and file types they wish to
back up, as shown in the Backup screen, below.
Clicking the Manage Backups button displays a
dialog where users can change their folder
selections. A real‐time storage space calculation
helps users monitor how their choices will affect
their storage quota.
The Projects tab (as shown left) allows users to
manage settings for project synchronization.
The Connections tab enables users to manage each connection independently, ensuring that
connections can be used or not used for backup, and at what speed (bandwidth) the backup
uses.
As files are being synchronized or backed up, users view their progress by selecting “Progress”
in the main Desktop Agent window.
Similarly, when the user needs to restore backed up data to their computer, the Desktop Agent
provides progress information. Restore actions are initiated in the web interface, from any
folder stored by the user or from the dashboard.
As content starts restoring to the computer, a “Restore Status” button is displayed by the
Desktop Agent.
6 User Notifications
The Print Cloud system uses three primary mechanisms to notify users of key activities:
• Email messages
• Agent notifications
• SMS notifications
6.1 Email messages
Email messages are sent to provide status of restores and so on. Alerts are emailed for events
such as storage quota overruns and similar key system feedback.
Welcome emails are also available for first time users. These provide basic start‐up information
and other partner‐specified messages.
6.2 Desktop Agent notifications
The Desktop Agent provides notifications as it completes tasks such as restore. Notifications
also appear for system messages such as software updates.
6.3 SMS notifications
Users can request that an SMS be sent to provide notification of an event or task completion.
For example, the Ricoh Print Cloud feature includes the ability to send the user an SMS with the
release code for the print job.
A complete list of system notifications is available upon request.
7 Printing from the iPad using the Print Cloud Application
1. Install ‘Print Cloud’ application from ‘App Store’on your iPad and install.
2. Confirm/locate Print Cloud apps.
3. Obtain a Print Cloud account.
If you subscribe to the Integrated Cloud Environment “Gold” or “Platinum” package, you will be
notified via e‐mail once the account is created by the administrator.
Go to or click the link in the welcome email
Once you access the account set up login name & password (change initial password).
4. On you iPad, open Print Cloud application.
5.
Login with your credentials.With Print Cloud, you can:
1) Download and install PC/MAC agent, so you can sync specified folders
with the Print Cloud storage.
2) PC/Mac agent will take care of the synchronization.
3) Then you will see these folders you specified for backup & sync. On your
Print Cloud account either browser base on your PC/Mac, or iPad, iPhone,
Android application.
Printing steps on your iPad
What & How
iPad app Send/Receive FeatureExample Step 1 Step 2 Step 3
Yes Box.net Dropbox Open file in your application. Click To “open in…” Select “Print Cloud “ from the list. Select “Action button” ‐> “Print” and follow the step to get the release code. Yes Evernote (Pdf, MS office files) Open file in your evernote application. Click To “open in…” Select “Print Cloud “ from the list. Select “Action button” ‐> “Print” and follow the step to get the release code. No Evernote Native note format. Select arrows on the bottom, then send to [email protected] Receive release code via email address associated with Print Cloud account. Only limited to apple branded. iWorks (Pages, Numbers, Keynotes) Setup WebDAV https://www.iceprintcloud.co m/cloud_drive Logins. In my document, select arrows and select WebDAV. Select destination folder in Print Cloud, then copy, Open Print Cloud apps to go through standard print steps. No Safari Touch arrow on next to URL address box, select “Mail Link to this page” send to [email protected] Receive release code via email address associated with Print Cloud account. No Email (Attachment) In the email, press and hold attachment icon, then Select “Open in…”, “Print Cloud” In the Print Cloud app., touch “Action” button, and follow standard print flow. No Email (Body) Forward email to [email protected] Receive release code in your email that is associated with Print Cloud account.
Print file from box.net
1. Open box.net app., locate and open the file.
Click on the arrow that is pointing rightward on the top right hand corner (shown by the
“red circle) below.
2. You will see a list of applications. Select “Print Cloud.”
3. This will bring up the Print Cloud application in the foreground. To save the file to
“Print Cloud Drop Folder.” Press “Save.”
4. Locate the “Project”
Æ“Print Cloud Drop Folder.”
5. Select the “Actions” button at the top right hand corner as shown in the screen shot
above.
6. Select item to print. Then, press “Print.”
7. Print dialog appears, select “Ricoh Print Cloud.”
You now have the option of setting Print job validity from 1 day to 1 week, printing the entire
job, or just select pages.
8. After making the necessary selections and selecting ‘Print,’ you are presented with the
6 digit release code.
Print from iWorks
1. You must set up WebDAV (only for the first time).
Server Address:
https://www.iceprintcloud.com/cloud‐drive
User Name:
[email protected]
(Your registered email address)
Password: xxxxxxxx
2. Next you are presented with 3 choices, Pages/PDF/Word format.
3. Select a folder to copy, such as “Print Cloud Drop Folder.”
4. Copy to the selected folder.
5. Copying begins…
6. Press Home button twice to move to Print Cloud application, or start Print Cloud.
7. To complete the print process simply follow the standard print process after locating the
file.
• If you do not need to store the file on your account, then use
[email protected]
, receive a release code attached to the account.
8 Printing from an iPhone with the Print Cloud Application
1. Login Screen ‐ press “Login.”
2. Provide the login name & password
and press “Login” button.
3. Registered computer will be listed.
4. Advance to the “Project” folder to
locate the Print Cloud folder and
finally locate the file.
5. Press the “Action” button
and press ‘Print.’
6. Print Dialog appears.
Select “Ricoh Print Cloud.”
7. Settings appear – make required
changes and press ‘Print.’
8. You will get a release code.
9 Printing from an Android Phone with the Print Cloud
Application
1. Obtain Print Cloud account. Email notification after Provisioning work is completed.
• Request Print Cloud account setup
• Go to
www.iceprintcloud.com
and register for the first time,
• Set up password.
2. Get Print Cloud application from Market ~ Search “Print Cloud.”
Install the apps.
*Before the release, you can install using apk file. Remember to check “Unknown
Source” check mark under Settings Æ Application
Start Print Cloud app.
Login to Print Cloud service.
You will see all the computers you set
up with your Print Cloud PC agent and
will have access to the files.
Printing steps on your Android Phone
What & How
Android app’s share
Feature
Example Step 1 Step 2 Step 3
Print Cloud app. Select the desired file ~ Yes Box.net Dropbox Local app.** Open file in box.net application. Click menu button and then go to File menu ~ Send ~ Select “ Print Cloud” from the list. Select “Print Cloud“ from the list. File will be landed on Print Cloud Drop folder. Follow the standard print step. Yes Evernote (Pdf, MS office files) ~ local app.** Open file in your Evernote application. Open using default program on your android. Click menu button and then go to File menu ~ Send ~ Select “ Print Cloud” from the list. Select “Print Cloud“ from the list. Select “Action button” ‐> “Print” and follow the step to get the release code. No Evernote Native note format. Select arrows on the bottom, then send to [email protected] Receive release code via email address associated with Print Cloud account. No Browser Touch menu and “select “Share page” ~ select “email” and send it to on [email protected] Receive release code via email address associated with Print Cloud account. Receive release code via email address associated with Print Cloud account. No Email (Attachment) In the email, press the attachment icon to open with local app. Click menu button and then go to File menu ~ Send ~ Select “ Print Cloud” from the list. Select “Print Cloud“ from the list. No Email (Body) Forward email to [email protected] Receive release code in your email that is associated with Print Cloud account.
Printing from the Print Cloud App.
2. Open Print Cloud app.
1. Select file to “view.”
3. Press “Menu” button, ‘More’ then “Print.”
4. Select “Print Cloud.” Click “Next.”
5. Set the desired settings. Press “Print.”
6. You will be provided the
release code upon completion.
7. To retrieve the print out, walk up to MFP and open the Print Cloud application on the MFP.
8. Type in the release code to obtain the print out.
Print from box.net
1. Open box.net app., and locate and open the file.
808535
2. Box.net uses local app. To view files.
4. Open and view with local app.
Press “Menu.”
5. “File” button and select “Send via Email.”
6. Select “Print Cloud.”
7. Select “Save to Print
Cloud Drop Folder &
Print.”
8. The Print Cloud screen appears.
Select ‘Ricoh Print Cloud,’ then press
‘Next.’
9. Press ‘Print.’
10. You will be provided the
release code upon completion.
11. Also, you will get the release code notice via email and SMS if it is set.
E‐mail Notification
Release code notice via SMS message
Note:
If you do not need to store the file on your
account, then use
[email protected]
,
and receive a release code attached to the
account.
10 System Compatibility
Operating Systems for Computers to Be Backed Up:
•Windows XP with latest service packs
•Windows Vista with latest service packs
•Windows 7 with latest service packs
•Mac OSX 10.4 and greater ‐ all with latest updates
oNOTE: On some 10.4 systems there can be issues with automatic backup due to
various limitations and bugs in Mac OSX 10.4.
Resources on Desktop:
•500 MB free hard disk plus the size of the largest file to be backed up
•256 MB free memory
Web Browsers:
•IE 6 and later
•Firefox 3.0 and later
•Safari 3.0 and later
•Chrome 2.0 and later
Mobile Platforms:
•iPhone/iPad OS 3.1 or later
•Android 1.5 and later
•BlackBerry Series 8000 or later
•WebOS ‐ all versions
•Other mobile phone with modern browsers
Mobile Phone Browsers
•Requires WAP 2.0‐style mobile browser, such as:
•Native browsers for Symbian Series 60, WebOS (Palm)
•Opera
•Internet Explorer (Win Mobile)
•Safari (iPhone)
Supported Document Types for Offline Viewing
•Microsoft Products
oMicrosoft Word (doc, docm, dot, dotx, docx)
oMicrosoft Excel (xlc,xls,xlsb,xlt,xlmx,xlsx,xltx)
oMicrosoft PowerPoint (ppt, pptx, pot, potx, pps, ppsx, pptm)
oMicrosoft Outlook (exported .MSG files only)
oMicrosoft Publisher (pub)
oMicrosoft Visio (vsd, vst)
•Adobe Products
oAdobe Acrobat (pdf)
oAdobe Illustrator (ai)
oAdobe Photoshop (psd)
oAdobe Postscript (PS, EPS)
•OpenOffice File Formats
oODT, STW, SXW
•Other Image Formats
oBMP, CUR, DIB, RLE, ICO
oJPG, JPEG, JFIF, JPE, JP2
oGIF, GFA
oPNG
oSVG
oWMF
oCorel Draw (CDR)
oPaintShop Pro (PSP)
oMacPaint (pntg)
oTIF, TIFF
•Other Document Formats
oWordPerfect ( wp5, wpd, wpg, wpg2 )
oFrameMakeer (fmv,mif)
oXYWrite (xyp)
oRTF
•Other Spreadsheet files
oLotus 1‐2‐3 (wk1,wk3,wk4,wks)
oCSV
•
Video Formats ‐ note that not all codecs are supported in the various video formats
oMicrosoft Audio Video (AVI)
oWindows Media Video (WMV)
oApple QuickTime (MOV, MP4)
oApple iTunes( M4V)
oMoving Picture Experts Group (MPEG, MPG)
oAdobe ShockWave Flash (SWF)
oOther (3GP, OGV)
Note: Not all files of the supported file types will be possible to print. There will be cases where
older versions, secured versions or other types of issues will prevent conversion to pdf for Print
Cloud. Print Cloud cannot guarantee that every file is convertible (example: password‐protected
files, or PDFs with security disallowing print or open commands).
11 Print Cloud Security White Paper
Introduction
Note: The Integrated Cloud Environment’s Print Cloud Service is provided by Soonr, Inc.” Soonr” is a registered trademark of Soonr, Inc. The security details provided in this section pertain directly to “Soonr” and the “Print Cloud” product. Soonr (referred to as “Print Cloud” within the Integrated Cloud Environment) is a cloud based service that creates a unique workplace to enables its users to close more business faster. Computer files are protected offsite and web services enables secure collaboration, sharing, and access from any Internet‐ capable mobile handset or remote computer, from anywhere in the world, across any network, and without the need for servers or expensive software. Through this capability, Soonr subscribers can for instance perform real‐time searches of their computers, download files to their remote device, view images, and securely control the sharing of files for specified periods of time. Data is formatted automatically for any mobile device without the need for any Soonr software on the handset. The capability is protected by US Patent # 7779069B2. Soonr is built on a secure and extensible, open standards‐based application platform and works across carriers and handset operating systems including Apple’s iPhone OS, Android, Symbian OS®, Microsoft® Mobile, Blackberry®, Palm OS® and others. The scalable Soonr platform allows Soonr partners to offer specific services to their user segments. Regular feature enhancements assure that every Soonr implementation evolves as technology advances in mobile devices. From its conception, security is one of the foundation pillars on which every aspect of the Soonr service is built. This section provides an overview of end‐to‐end Soonr (referred to as Print Cloud within Integrated Cloud Environment) security.Security Summary
In brief, Soonr’s security begins with the design of the system and flows through to the physical security of the datacenter and the protection of subscriber’s private data. The Soonr system includes: • 256‐bit encryption of all data transmissions • Proprietary methodologies to discourage hacking • Modular data center design to provide ease of scalability, redundancy, and protection of data • Data Centers that are SAS 70 compliant • Encryption of files at rest on the servers • HTTPS with VeriSign certificate • Auto‐logoff after period of inactivity • Virus scanning of all files transmitted through the system • Physically secure, environmentally protected data center • Role‐based access and user authentication • Device security (no persistent data, cookie management) • HIPAA compliance • And more.. This document provides details on these and other aspects of Soonr’s service and security.11.1 Part 1 About the Soonr Service
11.1.1 Architecture Overview The overall Soonr architecture consists of the central Soonr datacenter (comprised of modules called Datacenter Cells), and Soonr components installed on the subscriber’s computer where the subscriber’s files reside and, optionally, on the subscriber’s own mobile phone. 11.1.2 Datacenter Cells At the center of the Soonr system is the concept of a Datacenter Cell. Several datacenter cells are operated simultaneously and internal replication of data from cell to cell protects against failure of any one cell. Each cell consists of the following server components: Management Server. The Management server is the main management component in the cell and handles several key functions: • Secure login access • PXE boot images and server configurations • Internal DNS Server • SMTP gateway • Nagios Surveillance Server Load Balance Server. The Load Balance server distributes the full external load on the datacenter cell into multiple channels through the entire service so there is no overload at internal points. Application Servers. The application servers are where the Soonr application logic runs. Each application server is capable of handling Desktop Agent connections as well as Web and mobile HTTP sessions. Account Server. Data related to subscribers’ Soonr accounts resides on the Account Server. Even in the event of the physical loss of one server, Soonr protects users content by spreading it across multiple databases so that the content cannot be easily linked to any one subscriber. Note: Shared server with Metadata Server, below.Metadata Server. The Metadata Server stores the metadata about all the objects that each Soonr subscriber has stored in the system. Note: Shared server with Account Server, above. Storage Servers. To provide mass storage for objects that require persistent storage, servers are used that are each capable of storing 24TB in a RAID 5 configuration. As the need for storage capacity grows, additional storage servers are introduced and attached to the internal network. Together, these components service the entire Soonr system, as shown in the following diagram: 11.1.3 Subscriber Software Components Physically separate from the Soonr datacenter cell, the Soonr system includes two components installed on subscribers’ equipment: Desktop Agent. An essential component of the Soonr service, the desktop agent is a small client application that is installed on subscribers’ desktop and laptop computers. The Desktop Agent is used to keep the files in the system updated at all times. The supported platforms are Windows 7, Windows™ Vista, Windows XP, Windows 2000, and Mac® OS 10.4+. The Linux platform will be periodically reviewed for implementation, but it is not in the current plan. The Desktop Agent establishes a connection to the Soonr service and is responsible for securely transferring selected information from the subscriber’s computer to the Soonr service for persistent mobile access. The Agent authenticates itself with the user ID and password for the proper Soonr account. The agent includes several advanced security features: • 256 bit SSL is used for all communications to the service • The agent and the Soonr server communicate using proprietary methods, further ensuring that information is unintelligible by outside systems • The agent interacts only with the Soonr servers, making it very difficult to redirect information Subscribers can choose what types of data can be accessed remotely, including files, folders, and e‐mail messages. Any information outside explicitly shared content can be excluded.
Mobile Client – an optional application that can be installed on mobile devices. The Soonr mobile client, which supports a selected set of handsets, allows the exchange of data from the handset to the system and back to the subscriber’s desktop computer. Currently the uploader is primarily used for digital photos but will be extended to work for files. 11.1.4 Connection Persistence Connections to the Soonr service occur through three different means: from the subscriber’s own computer running the Soonr agent software, through any the web browser on any Internetenabled computer, and via an application or browser on any mobile phone. Computer running Soonr Agent. When a connection to the Soonr service is established from a computer running the Soonr agent software, that connection stays open and available. This is necessary for Soonr to carry out its primary function, providing secure access to files residing on that computer at any time, from any other computer or mobile phone. The agent maintains the connection for as long as the Internet connection is present. If the Internet connection is lost for any reason, the agent detects this and attempts periodically to re‐initiate the Soonr session. Other Computer. Accessing the Soonr service via a browser from any other computer (one that is not running the Soonr agent) does not maintain a persistent connection. If the subscriber does not explicitly end the Soonr session by logging off or closing the browser window, the session automatically times out after 30 minutes of inactivity, even if the computer is used for other purposes during that time. Mobile Phone. A Soonr session initiated from a mobile phone ends when the subscriber logs off. Should the subscriber neglect to log out of Soonr or close the phone’s internet browser, the session automatically times out after 30 minutes of inactivity. If the “remember me” convenience feature is selected, the subscriber can initiate a new session without completing the login credentials. 11.1.5 Virus Scanning All files that pass through the Soonr service’s servers, including e‐mail messages and attachments, are scanned in real time for the presence of viruses. If a virus is detected, the operation ceases immediately. Since incoming data streams are purged immediately if a virus is detected, it is not possible for infected files to be written to the Soonr servers. Scanning is performed on the mail gateway by the open‐source Clam AntiVirus platform for UNIX. 11.1.6 Support for Encrypted Access All access to Soonr’s systems is through 256‐bit SSL encryption. Individual Soonr subscribers can access their Soonr information through three mechanisms: 1. Soonr client for local access. With this method of access, Soonr assumes the subscriber is the owner of the information since the individual is physically working with the computer on which the data is stored. The Soonr desktop client can include authentication for access to the local Soonr client if desired, and the client will honor any access right and restrictions set through the normal OS mechanism. When the client communicates with the Soonr servers via the Internet, it uses 256‐bit SSL for all operations. This level of security is twice the requirements used by many financial institutions and has been proven to be very secure.
2. Web access from a browser. When a subscriber logs into the Soonr service, HTTPS is used for all communications with the service. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) encrypts and decrypts the page requests and page information between the client browser and the web server using a secure Socket Layer (SSL). 3. Access from a mobile device. Soonr uses the HTTPS protocol whenever possible. Subscribers can choose to override this and use unsecured HTTP, but a subscriber would do so only due to limitations of their handset. The majority of modern mobile handsets support HTTPS. If desired, secure access can be enforced as the only level of access that is allowed, however doing so may preclude use of the service from some older mobile handsets. 11.1.7 Server Encryption Subscriber file uploads to and downloads from the Soonr servers are fully encrypted. To render thumbnails and collect metadata for faster access, files may be stored on the Soonr servers in an unencrypted state. 11.1.8 Encryption at Rest Data files are stored on servers with 256 bit AES encryption. This prevents the physical files from being viewed in the unlikely event that the files are removed or copied. Encryption at rest is the ultimate defense against physical security breaches. 11.1.9 VeriSign Certificate Soonr is VeriSign secured for authentication. Information exchanged with any address beginning with https is encrypted using SSL before transmission.
11.2 Part 2 About the Soonr Datacenter
About the Facility Soonr servers are located in Market Post Tower, a 309,000 square foot, dedicated datacenter and carrier hotel facility in San Jose, Calif. The site is owned and managed by CRG West LLC, a datacenter and property management firm head‐ quartered in Los Angeles that operates six large datacenters throughout the United States. The facility houses servers for dozens of major telecommunications, media, technology, entertainment, financial services, Web services, and other companies. In 2009 Soonr expanded with another similar facility managed by the same company in Milpitas, Calif. Physical Security – SAS 70 The Market Post Tower facility is guarded at all times and monitored by closed‐circuit video. Personnel access is controlled through multilevel security: biometric hand scans, badge, and PIN, all three of which must be negotiated successfully before access is granted. Soonr’s servers reside in a locked cage and are not shared. To assure an ongoing high level of security, the entire facility is subject to periodic audits under SAS 70 (Statement on Auditing Standards No. 70) as defined by the American Institute of Certified Public Accountants. CRG West manages more than 2 million square feet of network‐neutral, first‐class datacenter, collocation, and office space in six major cities throughout the United States. Environmental Protection Contingency plans covering business continuity and operational recovery circumstances, including backup power, communications, cooling, fire, and earthquake are in place and are reviewed and tested periodically. 11.2.1 Network Security Procedures in place to monitor and control the network traffic include: • Make sure the cell receives traffic only on permitted TCP ports • Maintain a white list of source IP that can be let in on other ports • Log detailed statistics of traffic to and from the cell • Perform egress filtering to prevent the cell from leaking unwanted traffic (deny and react by raising an alarm to spoofed traffic originating from the cell) 11.2.2 Platform Security All Soonr servers operate using the SUSE® Linux® operating system and are thus not at risk by attacks launched against other server operating systems. Servers are updated daily with any security patches that are released for the operating system and applications.11.3 Part 3 About Devices and How They Interact With Soonr
11.3.1 Logon Attempts and Unsuccessful Logon Attempts Logging on to the Soonr service requires entry of the subscriber’s account ID and password. If an incorrect password is entered, access is denied. After three attempts with incorrect passwords, access to the account is disabled. To re‐enable the account, the subscriber clicks on the “forgot password” link, and an email is sent to the subscriber with a new password that can be used until the subscriber changes it again. 11.3.2 Data Transmission Encryption All communications between customers’ mobile phones or remote computers and the Soonr service, in both directions, are fully encrypted. Similarly, all communications between the Soonr agent on any computer and the Soonr service are fully encrypted. Data security is accomplished through 256‐bit SSL connections to subscribers’ computers and mobile phones. No data is ever exposed “in the clear”. The Soonr client communicates with Soonr servers using a proprietary method that eliminates the possibility of hijacking the client and send information to another destination. Any Soonr subscriber can verify the current status of Soonr’s SSL certificate by clicking on the Verisign Secured™ trustmark that appears in the Soonr agent configuration screen on the subscriber’s computer. A small percentage of subscribers may own an older‐generation mobile phone that does not support SSL. It is highly unlikely that owners of these mobile phones are active data users. In such rare cases, data necessarily must be sent in the clear. However, before such communication commences, the subscriber receives a prompt indicating that the ensuing session will be conducted on a non‐encrypted line. The subscriber must acknowledge the prompt and assent to the use of an unencrypted line in order to continue. 11.3.3 Firewalls Soonr Side Firewall: Only the services and port that are part of the public solution are exposed through the Soonr firewall and thus visible to subscribers. Subscriber Side Firewall: For a firewall installed at a subscriber location, outgoing connections to the Soonr service are established by the Desktop Agent and pass through the subscriber’s firewall. For some enterprise customers that install agents inside the corporate firewall establishing a connection can be problematic. This is an issue only for very security‐ conscious companies that have advanced application firewalls that do detailed analysis on the traffic going through the ports. Soonr technical support personnel are available to consult regarding specific settings for these circumstances. 11.3.4 Data Storage on Mobile Phones A cookie is stored on each subscriber’s mobile phone in non‐volatile memory. This cookie is used by the Soonr software to identify the device when the subscriber logs in, providing “remember me” capability. The subscriber can choose whether to enable “remember me”, and whether to subsequently reverse the setting or disable the cookie (at the cost of convenience when logging into the Soonr service). With respect to data files (spreadsheets, etc.), these are never stored on a subscriber’s mobile phone unless the subscriber explicitly downloads the file and chooses to save it on the device.11.3.5 Loss of Mobile Phone With Soonr, data is not stored on the mobile phone unless a subscriber explicitly downloads the file to save it to the device. Accordingly, loss of a phone poses very little threat of the loss of confidential data or files. In the event that a subscriber’s mobile phone becomes lost, access security is assured by having the subscriber log on to the Soonr service (from any computer) and change the account password, rendering the stored cookie unusable. Re‐establishing service on a replacement phone is accomplished through the same SMS subscriber‐authentication procedure employed when creating a Soonr account. Subscribers can disable the “remember me” functionality for a specific device through the “My Account” page. Doing so disables the ability to support automated logins from the device. It will force the device to re‐authenticate when trying to login.
11.4 Part 4 About User Data and Personally Identifiable Information
11.4.1 User Data To create an account, subscribers provide certain personally identifiable information: full name, e‐mail address, and mobile phone number. The Soonr software collects additional subscriber information, including IP address, browser, and operating system and version. To optimize their Soonr experience, the make and model number of the subscriber’s mobile phone is collected when logging in from their phone. None of this additional information can be used to identify subscribers personally. 11.4.2 Role Based Access Soonr has implemented a role based system that differentiates among different kinds of accounts, including end‐user accounts, administration accounts, reseller accounts, managers for trial accounts and trial accounts. This flexible role based system allows for creation of additional roles when new requirements surface for additional access control. Some roles may also control aspects of the user interface or access to certain APIs. For instance, trial accounts do not allow access to the administration interfaces that administration roles give access to; guest accounts may not have access to search or organizer modules, etc. 11.4.3 Inactive Account Closure If a Soonr account is inactive for 90 days, files and folder information cached on the Soonr servers are purged. The user ID, e‐mail address, password, along with the subscriber’s full name and mobile telephone number are not purged, allowing the subscriber to reactivate the account and allowing the Soonr service to send periodic reminder messages. 11.4.4 User Authentication When a subscriber creates a Soonr account, the Soonr service requires a valid e‐mail address verification before the account becomes active. This is achieved by sending a message to the e‐mail address, requiring a response initiated by the subscriber. Once the Soonr service receives the e‐mail response, the account becomes active.An optional corresponding authentication procedure can be performed on mobile phones. The Soonr service sends a message via SMS containing a multi‐digit code to the subscriber’s phone number. The subscriber must validate the phone number by entering this numeric code into the Web site. Once the code is received and verified by the Soonr service, the account, with that specific mobile phone number, is authenticated. These two procedures are in effect to prevent fraud and misuse of e‐mail addresses and phone numbers. If the subscriber changes his or her phone number or email address, the authentication process must be repeated before the new information is effective. 11.4.5 Share Invitations In addition to providing Soonr account holders with the ability to access files on their computer, a core feature of the service is the ability for account holders to share files or entire folders by invitation with anyone who has an Internet‐connected computer or data‐capable mobile phone. Folders containing a collection of images, such as jpeg files, PowerPoint® presentations, and other documents can be shared. While logged on to the Soonr service, the subscriber selects files to be shared and supplies the e‐mail address or mobile phone number of the invitee, or a Soonr user ID if the invitee already has a Soonr account. The invitee receives a message via e‐mail or SMS indicating that information from the Soonr subscriber is being shared. To access the shared information, the invitee logs on to the Soonr service with the subscriber name and temporary password supplied in the invitation. For the invitee, sharing is a read‐only experience, assuring the integrity of the actual files on the subscriber’s computer. If desired, however, a share recipient can download files, useful in a collaborative working environment. Invitees (share recipients) can choose to save shared files to their local hard drive (when using a computer) or to their mobile phone (if the capability exists and sufficient memory is available.) The Soonr subscriber generating the share invitation can allow or prevent the share recipient from using Soonr to re‐share the information with other people. Most share invitations do not expire, however the owner of the files issuing the invitation can revoke sharing for individual files or entire folders. When this is done, the shared folder is removed immediately from the share recipient’s desktop when they are removed by the owner. In the case where a share is sent and the only available information about the recipient is a mobile phone number, the sender has the option to limit the duration of the share’s lifespan from one day to “indefinite”. 11.4.6 White listing, Black listing and Fraudulent User Prevention Soonr currently supports black listing of e‐mail addresses and phone numbers to prevent fraud and misuse of the system. The system can be extended with white listing and black listing of IP ranges, phone number ranges and email address patterns. 11.4.7 Personally Identifiable Information Protection All Personally Identifiable Information (PII) data is encrypted with 128‐bit SSL while in transit between subscriber s’ devices and the Soonr datacenter. All PII is stored in the Account Database.
