Security

In the wake of recent attacks against MSP Automation tools, we’d like to take a moment to discuss ImmyBot’s security posture, and what our plans are to remain ahead of the curve.

We are SOC 2 Type II compliant

ImmyBot instances are isolated with their own database, app services, and storage accounts

ImmyBot requires Azure AD SSO, so there are no stale local user accounts that could be used for unauthorized access.

ImmyBot accesses its database strictly through Entity Framework, so our codebase never hand-writes SQL. Query values are passed as parameters rather than concatenated into query text, so input is protected by default.

Communication with RMMs, like ConnectWise Automate and N-Central, uses MFA. You do not need to disable multi-factor authentication for our integration to function.

ImmyBot Agent communication is secured through the Azure IoTHub.

We do not sell your data. See the Immense Networks Privacy Policy.

ImmyBot is built on .NET and Vue.js hosted in Azure leveraging services like SignalR, Service Bus, and Postgres Flexible Server. Our security posture benefits tremendously from using these modern services.

Authentication

We require Single Sign-On (SSO) with Microsoft Entra. We believe SSO is a basic human right and do not put it behind a paywall like many other vendors.

SSO Wall of Shame

Data Access

Database access is done exclusively through Microsoft’s Entity Framework ORM. This significantly reduces the likelihood of SQL injection, a common attack vector. Many legacy tools have SQL embedded directly in the application code itself, which can lead to vulnerabilities if the developers aren’t careful.

xkcd: Exploits of a Mom
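To make the distinction concrete, the following is an added example, not ImmyBot’s code (its stack is .NET, but Python with sqlite3 is used here so it runs stand-alone). It contrasts the legacy pattern of concatenating caller input into SQL text with a parameterized query, and adds a small ORM-style helper that builds query text only from a fixed column allow-list while binding every value, which is the property an ORM such as Entity Framework provides. The table, column names, rows and hostile input are all constructed.

```python
import sqlite3

# Constructed sample data: one table holding computers from two customers.
SAMPLE_ROWS = [
    (1, "acme", "LAPTOP-01"),
    (2, "acme", "DESKTOP-07"),
    (3, "globex", "SERVER-02"),
]
ALLOWED_COLUMNS = {"id", "customer", "name"}  # fixed in code, never taken from input


def open_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE computers (id INTEGER, customer TEXT, name TEXT)")
    conn.executemany("INSERT INTO computers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def computers_legacy(conn, customer):
    """Legacy pattern: SQL text assembled by concatenating caller input."""
    sql = "SELECT name FROM computers WHERE customer = '" + customer + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def computers_parameterized(conn, customer):
    """Same query with a bound parameter: the driver never treats the value as SQL."""
    sql = "SELECT name FROM computers WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


def find_where(conn, **filters):
    """ORM-style helper: query text comes only from code plus an allow-list of
    column names; every filter value is bound as a parameter, as an ORM does."""
    for column in filters:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column {column!r}")
    where = " AND ".join(f"{column} = ?" for column in filters)
    sql = "SELECT name FROM computers"
    if where:
        sql += " WHERE " + where
    sql += " ORDER BY id"
    return [row[0] for row in conn.execute(sql, tuple(filters.values()))]


if __name__ == "__main__":
    db = open_db()
    hostile = "x' OR '1'='1"  # constructed input that changes the concatenated SQL
    print(computers_legacy(db, hostile))         # every row, across both customers
    print(computers_parameterized(db, hostile))  # [] because no customer has that literal name
    print(find_where(db, customer="globex"))     # ['SERVER-02']
```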

Isolation

Each ImmyBot instance has its own Storage Account, Database, and Web Services. This was done intentionally to prevent cross-tenant data leaks and to make it easier for us to comply with privacy regulations. Our intention is to eventually offer ImmyBot in a Bring-Your-Own-Cloud format, allowing you to host it in your own Azure tenant where you control the location of the data. This is important for countries where data must remain within national borders.