4.11. Symphony OCR for NetDocuments Security Overview

Symphony OCR Software Architecture

Symphony OCR is installed as an on-premise Windows service.

Symphony OCR consists of a back-end service that monitors NetDocuments for new and changed documents, analyzes documents, and OCRs documents.  The Symphony OCR service also presents a web based interface for administration.  This web interface is only exposed on the firm’s internal network.

Authentication With NetDocuments

Symphony OCR interacts with NetDocuments via the standard NetDocuments REST API (full details of the NetDocuments API integration can be found here: https://support.netdocuments.com/hc/en-us/articles/205219850-API-Documentation ).

Symphony OCR uses the Internet standard OAuth2 authentication protocol to request permission from the user.  Once the user has approved integration, NetDocuments provides SymphonyOCR with an access token that is used for operations that interact with NetDocuments (querying for document meta data, downloading document content, uploading document content).  A NetDocuments administrative user must give explicit permission for this access to be configured, and the administrative user may revoke the access via the NetDocuments administrative interface at any time.

All network communication between Symphony OCR and NetDocuments is encrypted using standard HTTPS protocols.

Details of the Initial Account Setup Use-Case

1. During initial setup, the user clicks a "Connect to NetDocuments" button in the Symphony OCR interface.
2. After clicking, they are redirected to the NetDocuments login screen, where they enter their NetDocuments administrative account credentials.
3. A short-lived authorization code is then returned to Symphony OCR.
4. Symphony OCR interacts directly with the NetDocuments authentication server to exchange the authorization code for an authentication token.  This exchange is protected by a pre-agreed upon Client ID and secret Client Token that is specific to Symphony OCR.
5. The authentication token is used for all subsequent interaction between Symphony OCR and NetDocuments.  Under no circumstances does the browser have access to the NetDocuments authentication token.