You surely have a ton of other questions about ResourceConnect, how it works, and what you can expect. The section below is an attempt to answer all of the questions we receive, or expect to receive. 914-842-1734 if you have any other questions that can't be answered here.
Who created ResourceConnect?
ResourceConnect was created by the same team that created ingot maker
What is EmpowerDB?
Our other product is EmpowerDB
. It's a cloud based database built for direct service nonprofits to keep track of the clients they serve.
If your organization is on the look out for a new database, and you appreciate our focus on providing secure and user-friendly products at an affordable price, you can learn more about EmpowerDB 716-826-5111
Also note that in the future there will be lots of exciting integrations between ResourceConnect and EmpowerDB. Plus, EmpowerDB members receive a discount on their ResourceConnect usage. See the Pricing
section for more.
Can more than one user be signed on at once?
Definitely! ResourceConnect was designed for multiple users at an organization to use at once. The "Internal Chat" feature allows users to coordinate with each other about which chatters they might take and share other important information.
Note that only one person may use a single user account at one time. If someone else tries to log in with that user account, the original person will be kicked off the system. This is one of the reasons why we include in our terms of service a stipulation that you MUST make a separate user account for every person who uses ResourceConnect. Read more about that policy here
Is there a demonstration version of ResourceConnect we can test on first?
No. But instead you can do two things...
First, you can view the demonstration video
and other training materials
we've created. These materials should provide a pretty complete picture of what the system is like.
Second, you can just sign up for an account and use that as your test version. We offer a one month free trial for just this reason. We know sometimes organizations need to see and experience something themselves before they can commit to using it.
Note, that the SMS chat is only available for paid subscriptions.
Why are you so obsessed with confidentiality and security?
Our original background is in providing services to Domestic Violence and Rape Crisis Centers where confidentiality and security are paramount. If the safety issues we warn about aren't an issue for the type of people you serve, you may choose to be more lax around this topic.
But look, even though the people you serve may not have such life-or-death consequences surrounding their confidentiality, if you were to ask them "Would you want someone else to see this conversation?" how do you think they're respond? We feel like the majority of cases people would respond "No". So why shouldn't you take every step possible to make sure you treat their information with as much security as possible?
What kind of support will we get with ResourceConnect?
If you simply have questions about using ResourceConnect, we expect you to take a look through this FAQ section first to see if your question has already been addressed. Our goal is to have this FAQ section be a complete resource of any and all questions an organization could have while setting up and using the system. If you don't see your question addressed, reach out to us via the Contact
section here and we'll get back to you within one or two business days. We'll most likely respond to you with links to the FAQ section that we've since added or updated to address your question.
If you're having any issues with the product, you can let us know using the same 904-558-6202
form. Please be as detailed about what's happening, including, if possible, the steps that have happened that lead to the problem. We are committed to making sure ResourceConnect works as flawlessly as possible. We will respond to any reports of something going wrong as quickly as possible. If you leave your phone number, we may just give you a call to make addressing the problem go quicker.
Will you do a demonstration of ResourceConnect for our organization?
We're sorry, but since ResourceConnect is a low-cost, subscription service we are not able to spend time giving individual demonstrations of the product. Our other product, EmpowerDB
, is structured, and priced, to allow us to give a lot more one-on-one attention to prospective and existing clients. So we will be glad to show ResourceConnect to any sites who are also interested in seeing EmpowerDB.
We hope that the questions and answers in this FAQ section, as well as the demonstration video
we created, will provide all of the information an organization would need to determine whether or not the system would meet their needs.
If you have questions that you haven't seen answered on this site, don't hesitate to get in touch
with us and we'd be glad to post your question, and our answer, here.
Can you fill out a security questionnaire and/or sign a form so we can get approval to use ResourceConnect?
We're sorry, but since ResourceConnect is a low-cost, subscription service we are not able to spend time filling out forms or questionnaires that you may need in order to begin using a service. Our other product, EmpowerDB, is structured, and priced, to allow us to give a lot more one-on-one attention to prospective and existing clients. So we may be open to filling out questionnaires or paperwork for organizations looking to join ResourceConnect and EmpowerDB together.
We hope that the questions and answers in this FAQ section provide all of the information an organization would need to go through the process of gaining administrator approval.
Will ResourceConnect give us statistics about the conversations we have?
Currently no. In the future, probably. But likely never as much as you're probably hoping it will.
For example, there will never be an accurate way of knowing how many people you've spoken to on ResourceConnect. Someone who started as an SMS chatter, clicked on your link to the web chat, and then accidentally closed the window and reloaded the page would show up as three different people if we were just counting by number of sessions. Thus, showing you the total number of chat sessions you had would give you a misleading look at how many people you spoke to.
At this point, if you want to collect data on the conversations you have, you should set up an alternate collection tool that asks the questions that are relevant to you per-conversation. Soon, there will be a way for EmpowerDB Data Forms to be linked to ResourceConnect so that post-conversation data can be inputted directly via the Provider Chat form.
We will never set up a system where people seeking support must answer survey or demographic questions before they enter the chat. And we require in our terms of service that you do not create your own methods to collect demographic information from people before you provide them with support.
Does ResourceConnect support emojis or pictures?
No. They pose an added complication for the encryption process. We could be convinced to give adding support for emojis or pictures another shot if our users felt like this was needed.
Does ResourceConnect support video chat?
Not currently. But this is a feature we're very interested in providing support for in the future.
Can ResourceConnect translate messages?
We do not currently support any language translation.
In the future we could leverage a language translation API to translate incoming messages. But we will never add support for having outgoing messages translated into another language. There is simply no way to be confident that computer based translation hasn't written a message that contains something inaccurate or inappropriate.
We recommend having canned messages
in various languages letting people know what they can do to get support in their language.
Do you have a setup and administration training video?
We have made this training video
to walk you through the entire setup process. The various settings in the admin panel are also explained in greater detail here.
This video, along with the Provider Training Video
, can be great tools to help you decide whether ResourceConnect will be a good fit for your organization's needs.
How do you recommend we add our ResourceConnect information to our webpage?
Your organization's webpage likely already has a section where visitors are told about your phone support hotline. We recommend adding an additional line below your phone number with wording like "Chat with us here".
We recommend that this button leads to another web page on your own site that explains what the web chat is, and the security issues that the visitor should be aware of. Particularly you should explain that while the web chat is encrypted, if their computer has been compromised, someone else could still see the chat conversation. You should strongly encourage visitors to either find a safe, untampered with computer for the chat, or to call your phone support line from a safe phone. See here
for more information on the safety considerations of the web chat.
After explaining the safety implications, there can be another button/link that leads directly to your ResourceConnect Web Chat URL, or opens another page on your website that includes the Web Chat embedded in an iframe.
Further instructions for both options are below...
Button/link to Web Chat Page:
This is the simple way of getting people to the Web Chat. It's perfectly fine to just go this route.
You would simply create an HTML link that directs to your WebChat URL: /www.resourceconnect.com/[your alias]/chat
<a href='/www.resourceconnect.com/[your alias]/chat'>Start WebChat</a>
We recommend that you DO NOT make this link open the ResourceConnect chat page in a new window/tab. In other words, do not use the "target" attribute in your HTML link. The issue here is the Quick Escape
button in the chat page. If you had the chat page open in a new window/tab and the chatter clicked "Quick Escape", they would be directed to the Quick Escape location. However, your organization's web page will still exist as another tab open on their browser and be visible on the chatter's computer.
Embedding the Web Chat on Your Webpage:
If you are embedding the ResourceConnect chat inside your own webpage, you will use the URL: /www.resourceconnect.com/[your alias]/embed
Embedding the chat would be done using an HTML iframe. For example:
<iframe src='/www.resourceconnect.com/[your alias]/embed' width='500' height='700'></iframe>
Again, it's very important that the chat window does not appear on the user's page until they have read your safety warning and consented to starting the web chat. This means you would need to set up your site like the following:
â¢ A "Chat with us" link on your homepage, or in the header that appears throughout your site. That link leads to...
â¢ A "Safety check" page making sure people know not to use the site on computers that could be compromised. This page would feature another "Chat with us" button leading to...
â¢ A final page on your site with the Web Chat embedded in an iframe.
The /embed link and the /chat link are almost identical. The difference is, on the /embed link, there will be no header with your organization name and (530) 547-0421
button. It is assumed that if you are embedding the chat into your site's page that your organization name is already present on the screen. Also, there is no Quick Escape button in this instance because it is not possible for the ResourceConnect chat window to direct a user to a completely different page, away from your organization's web page, while within an iframe. Thus, if embedding the chat window in your organization's web page, you should include a prominent Quick Escape button somewhere on your own web page
If all of this sounds like too much for you, or you're not capable of including a prominent Quick Escape button, please go the "Button/link" route described in the first section above.
You should not use the abbreviated URL, rc.chat/[your alias], in your own web page. This address should only be used in situations where a person would need to type in the URL to your chat and you want to save them the trouble of typing out the full www.resourceconnect.com/[your alias]/chat address. Or you would use it within an SMS message so you don't use up as many characters as the full address.
Your SMS number can also be displayed on your organization's webpage for those looking to communicate with you via SMS. Please include some language in your webpage warning people not to send you an SMS/Text message from a device they feel could be compromised.
This may all be too much information to pass off to someone in just the header of your organization's webpage. If you are used to having hotline information in your header, you may want to instead make your header say something as simple as "Call / Text / Message Us Here". Then the resulting page can give people the options available to them to get in touch with you and make sure they know which option is safest in their situation.
What privileges does an administrator have?
A user with Administrative privileges can access the Administrative Settings for your organization's account.
Actions available in the Administrative Settings include:
• Adding / editing User Accounts
• Adding / editing Canned Messages
• Changing message expiration time periods
• Changing auto-response messages
• Viewing / changing organization's encryption key
• Accessing the billing section
How many user accounts can we create?
As many as you'd like! There is no limit on user accounts and no price differences for the number of users you add.
When agreeing to use the Web Chat, we actually require that you to create a separate user account for every person who uses the system. Read more about that policy here
How many administrator accounts can we create?
There is no limit on the number of administrator accounts you can create. However, with the (203) 345-5446
, we hope that you don't make users administrators without good reason.
Why do you require all users to have their own user account?
With other services that charge per user, it can be common for budget conscious nonprofits to get in the habit of creating one user account that multiple people share. We do not charge per user account specifically to prevent this unsafe situation from happening.
There are two main reasons why we feel it is unsafe to have multiple people sharing the same user account...
First, if one of the people using a shared account were to leave your organization for "unfriendly" reasons, you will want to have the ability to immediately turn off access to that person's ResourceConnect account in order to prevent them from accessing the system and acting irresponsibly. If you had multiple people using the same account, you would have to change the password, notify all of the other people about the password change, and potentially do the same with your encryption key. With this hassle ahead, you may be tempted to trust that the exiting person wouldn't act irresponsibly and just keep the shared account credentials the same. It should go without saying that extending this amount of trust to a former employee or volunteer has the potential to backfire.
The second reason we require all users have their own accounts is because only one person can be signed in with a particular account at once. If someone else tries to log in using that same account, the first person will be kicked off the system. Thus, if one account was being used by multiple people, there could be a situation where Advocate A is talking to Jane Doe, then Advocate B signs on with the same account and kicks out Advocate A. Advocate B will now see all of the messages that Advocate A and Jane Doe exchanged.
We understand that with organizations with a large volunteer base may find it cumbersome to make individual accounts for all users. But we hope that the security implications described above, and the fact that we place no limits or price differences on number of users, can persuade you to go through the process of creating separate user accounts for everyone.
How do you recommend we handle our encryption key?
Protecting your ResourceConnect encryption key is imperative to keeping the information contained, and passing through, the ResourceConnect server confidential.
What Not to Do
Yes, we've got to start with the "Don't"s. You should never be sending the key through email/text or saving it on your computer. Once the key is stored or sent in some kind of digital format, it becomes impossible to delete. You might think the key gets buried among the piles of other digital data in your life, but when your digital data ends up in the wrong hands, you can bet that a person looking to do harm will know just what to search for to find it. And you might think that you could just delete the message that contains the key after the fact, but in the digital world, there's essentially no guaranteed way to delete information.
Next, don't let non-administrators copy the key for themselves. Even if they say they'll abide by all the rules on this page. This doesn't make you an untrusting person. This makes you a realistic person who cares about the confidentiality behind the data the key protects.
Do: Write in a Safe Place
When you first get your key, write it down on a card. Something like a blank business card or an index card. Make sure you clearly write out any letters that could be ambiguous. For example, zeros and the letter 'O' can sometimes be confused with each other when being hand-written.
Keep this card locked in a very safe place. Not just in your desk drawer or your locked office. An actual container meant for actually locking and securing information.
When someone is using ResourceConnect on a new computer, retrieve the card from it's locked place. Enter the key into the computer for the person needing it. Return the card to its locked place.
Do: Store in a Password Manager
Password managers make for great places to store encryption keys. When we say "Password Manager" we do not mean a Word/Excel file you keep on your computer. We do not mean a note file you keep on your phone. We mean an actual program built for managing your passwords.
We recommend the following password managers:
(Recommended for Android users)
Now, what to do about the master password for the Password Manager? You either write it down (as described above), or memorize it. And, of course, avoid all of the "Don't"s above when dealing with your master password.
What happens if we forget our encryption key?
If you forget your encryption key, you will not be able to fully sign into the Provider Chat. We cannot help you recover your encryption key. If you lose it, it's gone forever!
First, it might not actually be lost. If you have SOME computer that is able to log into the Provider Chat, then the key IS saved on that computer. To see what it is, you must go to that computer, log in as an administrator, go to your Organization's Account settings (button on the top right of the Provider Chat), select Web Chat Settings, and then scroll down to the "Encryption Key" section. Click the "View Key" button to see your key.
If you don't have any computer that is capable of logging into the Provider Chat, you have lost your encryption key! You can reset it, but know that all of your past messages will have to be erased. To reset your key:
- Log into the Provider Chat as an administrator
- On the screen that asks for your encryption key, click on "Account Settings"
- Make sure you're in the "Web Settings" tab
- Scroll down to the Encryption Key section
- Click the link for "Create New Key"
- Go through the Key Generation Process again
- Write down the new key
- Don't lose it this time
- Click "Reset Key"
Do you have a training video for using the Provider Chat?
We sure do. You can watch the Provider Chat training video 4805653765
This video, along with the Setup and Administration video here here
, can be great tools to help you decide whether ResourceConnect will be a good fit for your needs.
How are chatters assigned their six digit numbers?
The six digit numbers assigned to the people chatting with you are made up completely at random. The numbers have nothing to do with the person you're talking with. For SMS conversations, the numbers have nothing to do with the person's phone number.
We assign numbers to people purely because there needed to be some way of differentiating between Person A and Person B! You can always use the Rename
feature to change the name of a person you're chatting with, though we understand that in the majority of situations you aren't getting people's names.
It IS possible that two different people will be issued the same number. Perhaps, Jane Doe uses the chat and gets assigned the number 123456. Then if her session gets deleted or expires, the number 123456 is up for grabs again. Some other person, chatting with any other organization, could randomly be assigned that number again. We feel, though, that with 900,000 numbers to pick from, the chances of you seeing the same number twice is very rareâ¦ and the chances of you realizing you've seen the same number twice are even rarer.
How do you recommend responding to harassing individuals?
We strongly recommend that you completely cease engaging with someone as soon as you realize they are harassing instead of seeking support. A harasser is just looking to get some kind of reaction out of you. If you give ANY kind of response to their behavior, you are declaring to them that they have been successful.
So this means, do NOT
do any of the following:
• Tell them goodbye
• Ask them to stop messaging you
• Delete them
• Try to make them see the error of their ways
• Get angry at them
• Respond pretending that they're not actually bothering you
• Threaten them with legal/police action
Instead, the moment you realize someone is a harasser, simply 9702792257
them. You would choose to Ignore someone if there were no reason to see any more of their messages. You would choose to Mute them if there was a reason why you might need to see the kinds of messages they were sending (for example, if the harasser was an abuser of a person you're providing services to.) The harasser will not know they have been ignored or muted, they will continue to send messages, get no reaction from you, have no validation for their actions, and eventually (some taking longer than others) stop messaging you.
We do not recommend deleting
a harasser who is still online. If someone is deleted, they will be sent to the Quick Escape location. For a harasser looking for ANY kind of reaction, this, again, counts as a success. They will just use the back button to go back to the chat, get issued a new chatter number, and continue their behavior.
We are unable to block a person from using the system. Unfortunately, no technology exists that can stop a determined individual from continuing to act abusively on the internet. 773-625-6590
, so we cannot block a single IP address from using the system. And even if we could, this wouldn't solve the problem. Someone could always use another internet connection, or they could be using one of the many types of internet services that constantly changes users IP addresses.
People acting abusively on the internet is unfortunately just a fact of life at this point. We fully support efforts of any organization looking to change the dynamics of why this appears to be a given in our society. But any attempt for you to alter this nature via the ResourceConnect chat will have a much more likely chance of causing more problems than it solves.
Why must chatters be "Assigned to Me" before we can respond to them?
Before a user can respond to a chatter, they must select the "Assign to Me" option. This option exists as both a button that shows up in the conversation, or an option in the conversation settings (the three-dot-settings icon to the right of the conversation name).
Selecting this option moves the conversation in the "Assigned" category of chatters. This user now becomes the only person who can see the conversation with this chatter. If it's a Web Chat, the chatter receives a notification that the user has joined the chat.
The user may choose to Unassign
the conversation so that any other user may talk to the chatter.
The Assign/Unassign feature has been built with confidentiality in mind. The person you're communicating should be made to feel like they are disclosing information with just the one person they are speaking to, not an entire organization's worth of people. Having the chatter's conversation visible to everyone in an organization would be like taking a hotline phone-call and putting it on speaker phone.
What is the âRenameâ option and when would it be used?
One of the options available in the settings of a conversation is 'Rename'.
This option allows a user to change the name that appears for this person away from the six digit numbers that are randomly assigned
. If a user is switching back and forth between multiple conversations at once, it may be helpful to have different names for the conversations instead of just random numbers.
If your organization is in the practice of asking for, or obtaining, the real names of chatters, the conversation name could be changed to the name of the person you're communicating with.
The name could be changed to something else distinct about the person that would help in differentiating them from other chatters. Perhaps "DV Survivor", "Relative of Survivor", or "Eastern Texas".
Or the name could be changed to something that would help other users on the Provider Chat know which person would be an appropriate fit to talk to the chatter. Perhaps "Spanish Speaker", or "Legal Assistance" or "Jackie, She's Yours".
Finally, it could be possible that none of these uses cases would be helpful to you. If so, you are completely free to never use the "Rename" feature.
Some other things to note about the names of conversations you set:
The people you're chatting with will not see what you've named them. They will always appear to themselves as being named "You".
The name one person assigns to a conversation will be visible to all users signed into the Provider Chat. So let's keep it professional, folks!
Names are saved on the ResourceConnect server and are encrypted with your organization's unique encryption key. So if the chatter's real name is used, know that that name is protected under the same zero-knowledge encryption setup
as the rest of ResourceConnect.
If someone who you've named leaves the chat and comes back, the system will NOT know they are the same person. They will get issued a brand new six digit code.
What is the âMuteâ option and when would it be used?
One of the options available in the settings of a conversation is 'Mute'.
This option allows a user to tell the system to no longer show notifications of new messages from this chatter. The user will still be able to access the channel and read the messages, but they will not get notified of any additional messages.
The chatter will not be notified that they have been muted.
Muting a conversation only affects the user who has selected this option. All other users who may be on the Provider Chat will still get new message notifications from the chatter; unless, of course, they mute them too.
Two common examples of when a conversation might be muted are:
1) A user may Mute a chatter who is yet to be assigned to a user because they know this person is not an appropriate fit for them.
2) Someone is acting abusively and the user wants to still be able to see what they're saying, but doesn't want to keep getting alerted about new messages coming in. (Read more about dealing with abusive individuals 819-860-5195
What is the âIgnoreâ option and when would it be used?
One of the options available in the settings of a conversation is 'Ignore'.
This option allows a user to tell the system to remove the chatter from the Provider Chat screen. The user will not see this chatter in their list of conversations and will no longer have access to their messages. This is similar to the Delete
option, but with one key difference: the chatter will not know they have been ignored. To them, it will seem like their messages are still reaching you.
This option will likely exclusively be used when dealing with harassing/abusive people. Read more on what to do in these situations here
Some other things to note about ignoring a conversation:
If one user decides to ignore a conversation, ALL users on the Provider Chat will also have that conversation ignored.
If someone is ignored on the Web Chat, they could simply reload the page, or open the chat in another window, and the system will not realize they are the same person. Their will no longer be ignored and their messages will be visible.
If someone is ignored on the SMS Chat, the system will remember who they are for the period of time set in the "Ignored Caller Deleting" dropdown in the SMS Settings Administrative Panel. However, note that all SMS messages by ignored chatters WILL still count towards your SMS Unit consumption. (More on that here
.) Thus, you may be more inclined to Ignore harassing Web Chatters and Mute
harassing SMS Chatters.
And, as we've said above, neither Web or SMS chatters will know they've been ignored.
What is the âDeleteâ option and when would it be used?
One of the options available in the settings of a conversation is 'Delete'.
This option allows a user to tell the system to remove the chatter from the Provider Chat screen and delete all their messages and everything about them from the server.
We highly recommend you Delete every conversation as soon as it's finished. We live in a world where all data is saved forever and can be accessed in an instant. But ResourceConnect is not a data storage service, it's a communication service. Once your communication is done, there should be no reason to keep it.
To put it another way, if you wouldn't record someone's phone call, you shouldn't be keeping their text conversation!
Deleting Web Chat Conversations:
If the Web Chatter is still online when you delete their conversation, they will be redirected to their ###Quick Escape location.
This feature could be useful in situations where a user suspects that the person they are chatting with might currently be in distress, or someone else has commandeered their computer. Being redirected to the Quick Escape location will clear their screen of the previous messages that have been sent and remove all immediate visual clues that the chatter was using ResourceConnect. An abusive person could
still press the browser back button, or look at the browser history, and see that ResourceConnect was previously being used. But the contents of the conversation will be cleared.
However, Deleting a conversation of an abusive individual who is still online is not recommended. In this case, the abusive individual WILL know that their conversation has been deleted. They will simply go back to the chat screen, be immediately connected again, and be re-energized to try and get deleted again. Read more about how to deal with abusive individuals here
Deleting SMS Conversations:
Deleting an SMS conversation clears all encrypted messages, and the chatter's phone number from the ResourceConnect server.
If someone who has been deleted messages again, the system will consider them a completely new person and assign them a brand new six digit number
There is no concept of "Online" or "Offline" for SMS chatters. And there is no way to re-direct SMS chatters to an alternate location upon deletion. Read more about SMS safety considerations here
What is the âUnassignâ option and when would it be used?
One of the options available in the settings of a conversation is "Unassign".
After a conversation has been Assigned
to you, and you become the only person who can communicate with that chatter, you could be in a situation where you would want another one of your colleagues to talk with this person. Perhaps you're going off-shift. Perhaps you've realized that the person you're talking to has needs that are better addressed by someone else.
Selecting "Unassign" moves the chatter back to the Unassigned category. All other users will see them in their list. Any other user, including yourself, can click "Assign" on their conversation to begin responding.
It's important to note, though, that selecting "Unassign" will clear all messages
in the conversation. This is because the person you were speaking to had thought they were communicating with just you. If the past messages came along with the conversation after it was Unassigned, it would negate the protections described in the Assigned feature (502) 690-0578
. The person you're chatting with will not be alerted to the fact that their past messages have been cleared. The 641-387-4838
WILL be visible to all other users, however.
In the future, there will be an "Invite" button that will allow you to add another user to the conversation without the messages being cleared. In this instance, the chatter will be informed that another person has joined the conversation.
What is the âDelete Messageâ option and when would it be used?
By hovering over a message and clicking the "Info" icon to the right of the message, a user can select an option for "Delete Message".
When selected, the message is removed from the user's screen, the chatter's screen, and the ResourceConnect server.
The two common uses of this feature are:
A user has sent a message to a chatter but realized there was some kind of mistake in the message contents. The user may want to delete the message and retype it.
A chatter has sent a message that the user has decided is so ill-advised, that it's worth making an attempt to get the message stricken from all record. For example, a survivor of domestic abuse threatening the life of their abuser. In this case, after deleting the message, the user should explain to the chatter why the message was deleted and caution against further statements.
In both of the cases above, it is important to remember that just because a message has been deleted off all users' screens, the chatter's screen, and the ResourceConnect server; this does NOT mean the chatter hasn't taken a screen shot of the message.
What are âCanned Messagesâ and when would they be used?
A provider may find that they are writing the same messages to chatters over and over. Some examples of frequently sent messages would be: welcome messages, safety checks, goodbyes, referrals to other organizations, instructions on how to get support in unspoken languages.
To help prevent providers from typing the same information, users with administrative permissions can go to the Admin Panel and edit the organization's list of Canned Messages.
These Canned Messages can then be selected by users by clicking the "Can" icon to the left of where a message is typed.
Once a Canned Message is selected, it's contents get added to the chat box. The user can either send the message as is, or modify the message before sending it.
The same list of canned messages is available for Web and SMS conversations. When setting up Canned Messages, you will see at the bottom right of the text box an indication of how many SMS Units that message is. To keep your SMS Unit consumption costs down, you may want to keep an eye on the number of SMS Units the Canned Message is if you're setting up a message that could be used frequently over SMS. You could also have multiple versions of the same message, one long-form response that staff know to use for Web conversations, and an abbreviated response for SMS conversations.
All Canned Messages that are set up on the Admin Panel will always show up for all users.
Is it possible to send chatters an automatic response when they first reach out?
Yes, users with administrative permissions have the option to go to the Admin Panel and craft four different automatic responses: one automatic response that will be sent to web chatters when no staff members are online, another that will be sent to web chatters when there are staff members online, and another pair to be sent to SMS/Text chatters when staff are or aren't online.
Why canât the Provider Chat be accessed on a smartphone or tablet?
If a provider tries logging into the Provider Chat via any devices that declares itself to be a mobile device (smartphones and most tablets), the user will see a message letting them know the Provider Chat must be used on a desktop or laptop computer.
This limitation is in place purely due to our strong feelings that a provider carrying in their pocket a device that can access so many confidential conversations would be a significant security risk. That device could get lost or stolen, revealing confidential information to a stranger. Or someone who knows the provider could be using their phone and inadvertently see information they shouldn't see. These are only two of the many horrific situations we imagine could come up with having such important information being so portable.
Also, we feel like a provider should be their best-typing-self when they're providing others with support. Smart phones and tablets do not allow for providers to be at their best-typing-self. Providing people with emotional support on complex issues seems like a bad place for autocorrect embarrassments, unfortunate typos, and responses that are delayed because the provider is battling with a keyboard less than 2 inches wide.
How do you recommend making strong passwords?
We believe the information contained, and passing through, ResourceConnect is of the utmost importance. Thus, we recommend making a strong password for your ResourceConnect account and not succumbing to all of the password cheating strategies that we normally get tempted by.
But how to make a strong password that can actually be remembered? We have three methods that we recommend:
1) Random Words
Quick, go grab a book. Any book. Open to a random page. Point to a word at random. Don't look for a word that you like. That's not how random works.
Got your word? Alright, now do it again.
Now you have two totally random words. Listen, you can definitely remember two random words. People as far back as the 90's used to be able to memorize the phone numbers of everyone they knew. And you are WAY smarter than those fools from the 90's.
Unfortunately two random words isn't good enough. You've gotta make it a bit more complicated. Do at least two
of these things:
• Add a number or symbol to the beginning, middle, or end of your two words
• Intentionally misspell one of the words
• Replace some letters in the words with a number or symbol
• Capitalize some random part of the word
• Translate one of the words to another language
2) Sentence Initials
Think of a sentence that is memorable to you but not an incredibly popular sentence. For example, the chorus of that new Taylor Swift song probably won't work.
Type out the initials of that sentence. Like this:
(Anyone who can tell us what song that comes from wins one free month of ResourceConnect)
Unfortunately, those initials aren't good enough. You've gotta make it a bit more complicated. Do t least two
of these things:
• Mix up the capitalization
• Put in some punctuation
• Put in a random number somewhere
• Spell out one of the words completely instead of just putting the initial
3) Full Sentence
This one's similar to the above. But this time, let's just type the full sentence out. It's more typing, sure, but at least you're typing something real and not a bunch of gibberish.
Yet again, you should be adding a bit more randomness to your password than just that sentence. Put a weird symbol in there somewhere unexpected, misspell a word, etc, etc.
Actually Remembering It
So now you've got your fancy, secure password. Congrats! Now how do you remember it?
You COULD write it down on a post-it note that you'll "definitely" throw away soon. But you probably know by now that we're gonna green-light that idea.
Instead, we recommend this...
Log into the system with your new password.
Log into the system with your new password.
Log into the system with your new password.
Log into the system with your new password.
Log into the system with your new password.
Log into the system with your new password.
Log into the system with your new password.
Yup, seven times. Haven't you seen the research that people don't actually remember something unless they hear it seven times? Well that applies to passwords too. Probably.
Type your password seven times today, and use that password consistently in the days to follow, and you'll remember it.
Still worried you'll forget it? Use a password manager. A REAL password manager. Not a notepad file you keep on your phone or computer. A real password manager would be something like the following:
(Recommended for Android users)
Final Guilt Trip
If you cheat on making your password, you might get away with it. You might never be hacked. No harm will come to you and the people you provide services to. And you'll get to feel so proud of yourself for breaking all the rules and getting away with it. There's something distinctly human about that feeling, isn't there?
But really, why risk it? Even if there's only a 5% chance that breaking the rules will have negative consequences, why keep that 5% on the table? The information in ResourceConnect is important enough that it's worth removing all possibilities of something going wrong.
And in exchange for you following the rules, you get something extra special. You get the feeling that you're one of only 1 out of 1,000 people who actually decided to make positive choices about their security. And at the end of the day, feeling like you're a better person than the vast majority of the world is a much better feeling than breaking rules and getting away with it.
Should I click the "Remember Me" button when logging in?
Listen, we're not here to tell you not to click this button. If we didn't want you to click this button, we wouldn't have added it in the first place. We're just here to make sure you know that it's important to know what it means when you click this button.
There are two ways browsers can remember your log-in:
A "Remember Me" Check-box
When you click these checkboxes, the service that you're using places a cookie on your browser that says "We have verified that this person has previously signed into our system." That way, you don't have to keep putting in your username and password each time.
Your password isn't saved on your computer. Just a marker that the service uses to identify your device.
This does mean, though, that if anyone were to get on your computer - either someone else you know, someone who stole your computer, or because you're using a computer at a public place - that this person will be able to use the service without having to log in.
Thus, for services that you use that deal with confidential information, you should only ever check the "Remember Me" box if you are very confident that you will be the only person that will ever be able to use this computer. If you're not confident in this, please don't check this box.
Yes, this means you'll have to enter your email and password each time you use the service. But we believe this minor inconvenience is worth it to keep confidential information secure.
The Browser Asks to Remember the Password
Sometimes after you've signed into a service, the browser you're using will ask you if you want it to remember the password.
When you click 'Yes' to these prompts, your password is saved in a special file in your browser. The next time you visit the log-in page, the browser puts in your password automatically so you don't have to.
Pulling out these saved passwords is incredibly easy for someone who knows what they're doing. And there are plenty of instructions on the internet for how to do it. This means that if someone were to get on your computer for even thirty seconds, they could find your password, copy it down, and then use it to sign in as you from any other computer. And, of course, if your computer ever gets hacked, those passwords are fair game to the hacker too.
Thus, we strongly encourage you to click 'No' to these password prompts for any service that you use that has the slightest bit of importance in your life.
What are the safety risks of using the Web Chat?
The ResourceConnect Web Chat features a couple major security features which make it a great choice for confidential web-based communications...
The ResourceConnect Web Chat is end-to-end encrypted. Thus, only you and the person you're chatting with can read the contents of the messages being sent. Even our own staff are not able to read the contents of your messages, and thus would be unable to hand over any readable content in the event of a court order.
The contents of the messages do not get saved anywhere on the user's device. Unless the user has taken screenshots of their conversation, once the chatter closes their browser window or a message has hit its message expiration date, that message will be completely gone. Also, once a message has hit its message expiration date, or one of your users deletes it or the conversation it was used in, that message will be permanently removed from the ResourceConnect servers.
However, there are still some important safety risks to be aware of and warn the people who will use this service about...
First, there is no technology anywhere, and never will be, that can prevent information from being read on a device that has a virus, malware, spyware, etc installed on it. If a spyware or virus program is able to record keystrokes or take screenshots every X number of seconds, there's nothing that can be done to make this device safe.
You should always inform users of this risk before they even visit ResourceConnect. You should inform them again via the ###Auto Response messages you set up. And you should inform them a third time within the first message that one of your users sends the chatter. Read more in our implementation guide here
If a person believes their device even has the potential to have been compromised, it is safer for them to use another device to communicate with you on ResourceConnect or give your organization a call from an unmonitored phone.
Second, you should be aware that an eavesdropper who listening to the internet traffic of a ResourceConnect chatter will be able to see that the person is communicating with someone
on ResourceConnect. They won't be able to see which provider they're talking to, but they will likely be able to put two-and-two together if they saw that the user was on your organization's webpage and then they were suddenly using ResourceConnect. Again, because ResourceConnect is end-to-end encrypted, anyone listening in on the internet traffic won't be able to see what is being said. They will only be able to see that something
is being said. In certain situations, this could pose a risk. Usually, however, if a person is worried their internet connection could be monitored, they should also be concerned their device has also been compromised. Thus, they should not use ResourceConnect unless they can do so from another location.
Note that the mention of these security risks is not an indication that we believe ResourceConnect is not a safe form of communication. We are simply giving you all the information available for what risks are out there. If you get in the practice of identifying whether these risks apply to the person you're communicating with, then ResourceConnect can be a great tool for safely communicating with people in need.
Also keep in mind that ResourceConnect is not meant to stop people from calling your organization. A phone call can sometimes be the safest and most efficient method of communicating. Feel free to use our service as a way to better ease people into communicating with you over the phone or visiting you in person.
Is there anything that can be done to make chatting with Web Chat safer?
There is not a lot that can be done to avoid the safety risks of using the Web Chat
There is no way to reliably tell if a computer or smartphone has been compromised. If a person even has a suspicion they could be using a device that could have been compromised by someone else, there is no safe way to have confidential conversations on it.
If, by chance, a person is certain their device has not been compromised, but is concerned about someone listening on their web traffic and seeing they're communicating on ResourceConnect or visiting your organization's webpage, they can use a VPN or the Tor browser
to hide their internet traffic from eavesdroppers.
Can people seeking support use the Web Chat on their smartphones?
Yes, people coming to you for support may use their web browser on their smartphone to communicate with you via the Web Chat.
Unlike the concerns we have
with Providers using the Provider Chat on their mobile devices, we do not have the same level of apprehension about one person having one conversation on their own device (as long as, of course, the provider has confirmed that their device is safe to use).
And, of course, people may use their phones to communicate with you via the SMS Chat. Though we believe the Web Chat is the safer option, so we encourage providers to get chatters to use the Web Chat, when possible.
What is the Quick Escape button?
Unless you're using the Embedded Web Chat Link
, people communicating with you via the Web Chat will see a "Quick Escape" button on the top right of their screen. Pressing this button will immediately end the person's ResourceConnect session and send them to an alternate web site. The default is to send to Google. But the person may click the dropdown immediately below the Quick Escape button to change the place they want to Quick Escape to. For example, if it would be more natural for that user to be on the YouTube homepage instead of the Google homepage, they can set this instead.
The system will attempt to notify the provider that the Quick Escape button was pressed. But it's possible that the chatter's browser will change the page before this signal can be sent to the ResourceConnect server. Either way, the provider will definitely see that the person has left the chat.
On the chatter's end, it is possible to click the back-button to get back to the ResourceConnect chat page. None of the messages from that conversation will appear. The system will consider this a brand new session from a brand new person. It may be a safety issue for someone besides the chatter to click the 'back' button and see that the chatter was speaking with your organization on ResourceConnect. This is one of the many reasons why you should do a safety check with the chatter at the very beginning to make sure they are in a situation where their digital record won't be an issue.
Deleting a Web Chat conversation while the person still has the window open will send them to their Quick Escape location. This could come in handy if you suspect that the person you're chatting with is in distress or someone else has commandeered their computer. Note that even though the messages will be removed from the chatter's browser, this don't necessarily mean that no one on the chatter's end took screen shots of the conversation.
Deleting any SMS Chat conversation will not redirect an SMS chatter to another location. And all messages will remain on the person's phone unless they manually delete them. This type of functionality is not possible with SMS. Read more about deleting conversations (639) 754-6842
What are the safety risks of using the SMS Chat?
SMS messages do get encrypted on the ResourceConnect server with your organization's unique encryption key as soon as they arrive. Thus, we are not able to provide readable messages in the event of a court order.
However, unlike the relatively 5139931879
, there are a number of issues to be aware of with the SMS Chat...
SMS Chat messages cannot be end-to-end encrypted. SMS technology was created long before end-to-end encryption was widely available.
Because the messages aren't encrypted, this means that cell phone providers can, and do, keep copies of SMS messages on their servers. Verizon makes public that they keep messages for up to four days. Verizon can even, at times, show the contents of a user's text messages when logging into the Verizon account portal. Other cell phone providers say they don't keep the contents of messages, but nothing is stopping them from doing so.
All cell phone providers keep logs of which phone numbers their subscribers are texting to. These logs show up on billing statements. If a person seeking support from you is using a family phone plan, or someone else gains access to their phone bill, it will be clear that they had a conversation with your organization.
Next, the SMS routing service we use, Twilio, is handling these SMS messages in plain text too. Twilio provides a way for the ResourceConnect server to delete a message from their server after it's been sent; a function we utilize. But unless you're on the development team at Twilio, the reality is there is no way of knowing whether or not that's actually happening.
Phone spyware is also very good at recording SMS messages. Thus, all of the same recommendations of warning users to not use ResourceConnect on a device that could have been tampered with apply to SMS conversations as well.
Finally, while messages sent via the Web Chat will disappear at an interval that you control, it is not possible for SMS message to automatically expire on a user's phone. The only way to get a message off a person's phone is for that person to manually delete them.
These factors are the reason why we recommend that providers using the SMS service ask users, either in the SMS auto response or the first few messages to the user, to switch to use the Web Chat instead. This would be a case where using the abbreviated URL - rc.chat/[your alias] would be acceptable.
Note that the mention of these security risks is not an indication that we believe ResourceConnect is not a safe form of communication. We are simply giving you all the information available for what risks are out there. If you get in the practice of identifying whether these risks apply to the person you're communicating with, then ResourceConnect can be a great tool for safely communicating with people in need.
Is there anything that can be done to make chatting with SMS Chat safer?
There is not a lot that can be done to avoid the risks mentioned in the question above
Using a "dumbphone" reduces the risk of spyware. We know of no spyware that is possible to run on dumbphones. However, just like smartphones, SMS messages will still stay on the phone unless manually deleted, and there will still be records of the SMS messages with the cell phone company.
Using a third party app like Whatsapp for SMS messaging may also reduce the risk of the messages being picked up via spyware. Spyware cannot access the contents of applications like Whatsapp unless the phone is rooted. However, if someone has put spyware on a phone it's very likely that they also went through the (not that much) trouble to root it too.
You can ask the people you chat with over SMS to manually delete the conversation after you've finished. But it's very possible many people will ignore or forget this recommendation.
Can we see the phone number of someone talking to us on SMS chat?
Even though we do store people's phone numbers on our server
, to protect the identify of the person you're chatting with, we do not make it possible for you to see their phone numbers. The (650) 445-8725
have nothing to do with their phone number.
If you really need to know someone's phone number, you can ask them to send it to you in a message. It is then that person's choice as to whether to respond and provide their number.
Can we be the first to send someone a SMS message?
We have intentionally NOT made this possible. You can only message someone once they have messaged you.
While we can see some practical uses for this ability, we see a lot more ways that this ability could lead to abuse or unsafe situations.
What is an SMS Unit?
One SMS message may be multiple SMS Units. SMS messages can only be 160 characters long. Modern phones are able to get around this limitation by breaking apart a message longer than 160 characters into 153 character chunks**. Thus, a message that is 450 characters long may only seem like one message, it would need to be broken up into three chunks, and count as three SMS Units.
In ResourceConnect, when typing in a message to SMS users, you will see grey text on the lower right side of the message box letting you know the number of characters and SMS Units of what you've written.
Messages that will count towards your SMS Units:
• All incoming SMS messages (including messages from ignored chatters)
• All outgoing SMS messages (including the automatic response messages)
Web Chat messages do not count towards your SMS Unit usage.
**The chunks have to be 153 characters long instead of 160. The extra seven characters are occupied by hidden "(1 of 3)" suffixes that tell the receiving phone in what order to put the chunks back together again.
Why do you charge 1 cent per SMS Unit?
charges .75 cents per SMS Unit. We charge 1 cent in order to cover the cost of the .75 cents Twilio charges us, plus the 2.9% our credit card processor charges us for charging you!
members only pay .75 cents because their payments are handled through quarterly invoices paid by check, so there are no credit card fees getting in the way.
What provider do you use to route SMS messages?
We use the Twilio
service to rent phone numbers and courier the SMS messages from ResourceConnect to the people you're texting with.
There are a handful of other companies out there that provide this service. Twilio is by far the most expensive, but was the only company we contacted that offered a way to remove the contents of SMS messages from their server after the message was sent. All other providers kept the contents of SMS messages on their servers from anywhere to seven days to seven years! This was not acceptable for the confidential conversations that will be held on the ResourceConnect platform.
Twilio also has the reputation of being the most reliable and established of these companies; another positive when building a system that a great deal of people will be depending on.
Why is there no "Idle Chatter Disconnect" option for SMS?
On the Web Chat, there is an administrator setting that allows you to control the amount of time a chatter can leave their screen idle before being sent away to another page. This is a security feature that is aimed to prevent confidential conversations from staying up on an abandoned computer screen.
It is not possible to have a feature like this for SMS. Unlike the Web Chat, with SMS there is no "connection". So with no "connection", there can be no such thing as an "idle connection".
When someone sends an SMS message it gets passed along through the telecommunications superhighway and the message eventually gets to you. End of story. When you send a message back, that message also gets passed along the way and eventually ends up on the person's device. You have zero control over how that message is displayed or kept on the other person's phone. Think of it as being exactly the same as you having zero control over what someone does with a letter you send them in the mail.
The only thing you have control over is how long the message, and the record of who sent it to you, stays on the ResourceConnect server. To control how long SMS messages stay on the ResourceConnect server, you can modify the Read and Unread Message Expiration settings in the SMS control panel.
Why do you charge for SMS messages from people who've been ignored?
Even though you've 7343514258
an SMS caller, you will still be billed 1 cent per message they send. This is because interfiltrate
charges us .75 cents per text message no matter what number is sending or receiving the message. There is no way to know whether the person texting you has been ignored until that message gets to the ResourceConnect server. The ResourceConnect server recognizes that as an ignored person and doesn't show you the message. But Twilio did its job of delivering the SMS message to us, so they expect to be paid their .75 cents.
There unfortunately is no way to tell Twilio to ignore SMS messages from certain people and thus not even try and deliver it.
Because of this, you may want to not ignore people harassing you over SMS. If you mute
them instead, you'll still be able to get a sense of how much their abusive behavior is costing you.
Ignored text messages will show up as a separate item in the "Billing" section on the Admin Panel so that you can at least have an idea of how big an impact this unfortunate reality plays on your pocketbook.
Do you store the phone numbers of people using SMS chat?
Unfortunately, we have to store the phone numbers of people communicating with you via SMS chat. When you send a response back, we have to know what phone number to send the message to! These numbers are not, and cannot, be encrypted; the server has to be able to read them in order to properly send and receive messages.
If having people's phone numbers stored on our server is problematic, you can either set your SMS message expiration settings to be a very small number, like 15 minutes, or you can get in the habit of immediately deleting SMS conversations once you've finished.
Once a conversations has expired, or has been deleted, that person's phone number is fully removed from our system.
Can we bring a phone number we already have?
Yes, this is possible, but our dysgenical
, Twilio, doesn't exactly make it easy. Twilio asks for a variety of documents in order to make this happen. You can read their requirements (631) 212-7613
We would need you to send us all of the information/documents mentioned in Section 1 of the link above. Because the process involves manual work on our end to coordinate things with Twilio, we charge a one-time $100 fee for getting your number transferred to us. This will be billed to you upon successful completion of the process.
To start, you should create your organization's account on ResourceConnect. You can either just keep Web Chat on, or sign up for SMS Chat and not use/advertise the phone number you end up acquiring. Once you've created your account, contact us
to let us know you're going to go through the process of porting over a phone number you already own. That way we can be sure to expect this information from you soon. Once we get those documents we'll be in touch with the next steps.
If we decide to leave ResourceConnect, can we take our SMS number with us?
and let you know that's what you'd like to do and we'll give you the required information to transfer the number to your new provider.
You should wait until the number is transferred before actually canceling your ResourceConnect account.
Unlike the process of porting numbers in
to ResourceConnect, we will not charge you for this service.
Can we change our SMS phone number?
We do not make this possible for you to do on your own. Here's the situation we're concerned about:
• An organization acquires an SMS support phone number.
• The organization let's people know to contact them at that number.
• That contact information spreads as information is bound to do
• The organization wants to stop using that phone number. They get a new number and let's people know about their new SMS number.
• The organization is not able to track down all the places where their old SMS phone number was shared.
• The old phone number gets picked up by some random stranger
• Someone seeking support finds the organization's old phone number and sends it a message. They are now communicating with a total stranger when they thought they were communicating with you.
If you do want to change your phone number, you must contact us
and let us know. We'll want to ask you some questions to figure out why you're switching your number and see how likely the above situation is to occur.
What happens if someone calls our SMS number?
In the ResourceConnect admin panel you can set a phone number to redirect calls to your SMS line to. This means you could, in theory, advertise just one number for people seeking support to either text or call. This also means that you could regularly change this phone number depending on who is on shift at any particular time.
However, call forwarding will cost an additional 2.5 cents per minute. Again, this is a situation where the price is determined by our SMS call provider Twilio, not us.
If you set no phone number to redirect calls to, people who call your SMS number will hear an automated message that the number they called isn't set up to receive voice calls. You will not be charged for this message.
If you want to have one phone number for your voice hotline and a separate phone number for your SMS support, our recommendation is to go ahead and set your SMS number to forward calls to your voice number. Then just keep an eye on the costs involved in your admin panel. If people are only mistakenly calling your SMS number every so often it shouldn't be a huge burden to have those extra costs - and it will help the people making this mistake to receive support sooner. If you see the call forward costs starting to get out of a range that you're comfortable with, then you can turn off call forwarding by removing the forwarding number. And at that point perhaps rethink how you're advertising your services to prevent people from dialing your SMS number by mistake.
Can we have more than one phone number?
No. You can create a separate ResourceConnect account, though, and acquire another number for that account.
One email address can be registered for more than one account.
Can I acquire a very specific phone number?
Unfortunately the chances of a specific number being available to purchase are very very low. Aside from the fact that the number you're looking to use may already be taken by someone else, our SMS service provider Twilio - like all telephony service providers - only has access to specific blocks of phone numbers. Blocks of phone numbers are usually distributed by their three digit prefixes (the three digits that come after the area code and before the last four digits of a number).
It may be possible for you to acquire this other phone number via some other service provider, as if you were planning on using their service, then go through the process of porting
the number to us and then cancel your other service after the first month. But we have yet to find a universal way of figuring out which other telephony service provider you would need to contact to purchase a specific number.
Can we get a short code/six-digit SMS number?
Yes, but it's very expensive. Since there are only a limited number of short codes available, all telecommunication companies charge a premium price. The telecommunication provider we use, Twilio, charges $1,000 per month. Others we've seen charge mostly the same or even more.
On top of that monthly $1,000 charge, we would want to charge you a one time fee of $2,000 to be held basically as a security deposit in case you end up not paying your bills and we get stuck with the $1,000 charge for a month or two.
You'll need to contact us to coordinate around the purchasing of a short code SMS number.
Is information encrypted in transit via an SSL/TLS connection?
Yes. Plus, our servers are configured to only support the latest, and most secure versions of the SSL/TLS protocol. We're proud of our A+ rating
on SSL labs.
Is information encrypted at rest on the ResourceConnect server?
Yes. All Web Chat messages are encrypted before they even get to our server via each organization's unique encryption key. SMS messages are encrypted with a public key unique to each organization. Read more details about the encryption process here
Can you describe the encryption process?
Provider Key Generation:
When setting up a new account, or at any time thereafter, an administrator at an organization creates a new encryption key.
The key is created on the user's browser, not on the ResourceConnect server. We use the (973) 517-2432
cryptographic library for this, and all other, cryptographic functions described here. The randomness of this key, and all future randomness described here, is provided extra (605) 392-4081
by collecting mouse movements and keystrokes.
Encryption keys are 16 characters of numbers, letters, and symbols. This gives us about 100 bits of entropy. Lower than the 128 bit encryption that Forge operates on, but we believe it is more than enough to provide effective security.
The encryption key that is displayed to the user is put through a stretching function. This stretched encryption key is the true key that is used in the encryption actions to follow. For the rest of this description, we will just refer to this stretched encryption key as THE encryption key.
Once the key is generated by the user, the following steps are taken:
The key is hashed using 4128394614
. The resulting hash is sent to the ResourceConnect server. In the future, this hash will be delivered to users so that the Provider Chat can verify that the correct encryption key has been entered on a user's machine.
Next, a new public and private key pair are generated. The private key is encrypted using the previously generated encryption key. The public key, and the encrypted private key, are sent to the ResourceConnect server and stored along with the provider record.
Logging Into Provider Chat
When a user logs into the Provider Chat for the first time, they are asked to enter their site's unique encryption key. They enter the key, the system stretches it, hashes it, then compares the result to the hash on file. Again, this is all done on the user's side and not on the ResoureConnect server.
The provider's encrypted private key - which was already sent to the user - is now decrypted using the validated encryption key. This private key kept in the browser's memory.
All future communications by this provider to the ResourceConnect server must include the provider's encryption key hash in order to further authenticate the message.
Web Chat Communications
When a chatter starts the Web Chat, a new encryption key is generated for the session. This key is not displayed to the user, so it can be a true 128-bit random key.
This key is then hashed with SHA-256 and encrypted with the provider's public key. The hash and the encrypted encryption key are sent to the provider, as well as saved on the ResourceConnect server. All future messages from this chatter will require the hash in order to validate they are coming from the same person.
Once the provider receives the first message from a chatter, they use their private key stored in memory to decrypt the chatter's encrypted encryption key. The chatter's encryption key is then saved in memory and used to encrypt and decrypt all future messages with this person.
Inbound SMS Messages
When a message is delivered to the ResourceConnect server by the (405) 690-1102
service, it arrives in plain text. It is immediately encrypted on the server using the provider's public key.
The encrypted message is then delivered to the Provider Chat. The user's device will then decrypt the message using their private key stored in memory.
Outbound SMS Messages
When a message is sent by a user to an SMS Chatter, it is encrypted using the provider's public key. Both the encrypted message AND the plain text message are sent to the ResourceConnect server. The message MUST be sent in plain text because Twilio, must have the message in plain text in order to send it.
The plain text message is not stored on the ResourceConnect server. It only exists for a fleeting moment in memory as it gets passed off to Twilio.
The public-key-encrypted message is
stored on the ResourceConnect server. If the Provider Chat window is reloaded and the user needs to have their past SMS messages redelivered to them, their message will be sent back down and decrypted via the private key stored in memory.
Do you collect IP Addresses of people using the web chat?
No. The IP addresses of anyone on the system are not stored. This is done to protect the identify of the people using the system.
Plus, IP addresses don't help with much of anything anyways. They can constantly change, or lots of people can share the same IP.
Where is ResourceConnect hosted?
We host our services with Google Cloud Compute. We use their Council Bluffs, Iowa data centers. You can read more about Google's data centers 6613976247
For anyone, especially international organizations, concerned about the U.S. Government's ability to issue court orders to hosting providers to retrieve data held on their servers, we would like to remind you that all data saved on the ResourceConnect server is encrypted with a key that only your organization has. And all Web Chat data is encrypted using this key before it even reaches the ResourceConnect/Google server.
Our backup servers are an Amazon S3 account in the Northern Virginia region. Only source code and SQL structures are sent to the back up server. No message data is backed up at all. Read more about our backup policy here
What is your backup/data-retention policy?
The source code, SQL structure, and some SQL tables are backed up daily. These daily backups are kept on the same server as the live data and are retained for one week. Then, weekly backups are copied to an Amazon S3 bucket. These weekly backups are retained for a year.
We do not backup the SQL tables containing client information and messages. Even though these messages are encrypted, it just doesnât seem worth keeping copies of messages around that donât really need to survive the unlikely technological disaster.
Is ResourceConnect HIPAA Compliant?
Yes it is. But we always like to remind people that HIPAA is not the magical security regulation that some people think it is. It is incredibly easy for any provider to claim they are HIPAA compliant and there exists no regulatory system to verify providers' claims.
There are much more telling questions to ask a provider in order to find out if the product they offer is secure. We have tried our best to include all of these potential questions in this FAQ section. Let us know if you have a technical question that is not mentioned here.
Is ResourceConnect open source?
It is, and it isn't. Almost all of the key actions that require security and confidentiality are done via the web browser of providers and the people providers are communicating with. Since all code that takes place in the browser is visible to anyone with a certain amount of technical understanding, it could be said that this code is open source.
The code that exists on our servers is not open source. But there's really not anything unique happening there. We have one LAMP server that doles out the standard HTTP fare, and a Node/Websockets server that basically makes sure already-encrypted chat messages get from Point A to Point B.
Feel free to sign up for an account and use your one month free trial period to get someone with technical know-how to look at the code in the Provider Chat to verify the claims we're making.
Taking a look at the data that gets sent to and from the Node server can be a good first step in assuring the communications are end-to-end encrypted. Here's a quick guide on where to look in Chrome Developer tools:
• Log into the Provider Chat
• In Developer Tools, go to the Network Tab
• In the "Filters" section click on "WS" to see only the Web Sockets connection
• You should now see "ws.resourceconnect.com" on the left. Click on that.
• Then in the resulting section that appears, click on the "Frames" tab
• Finally, you may need to drag one of the horizontal lines in that section down to make visible the list of frames being sent using the Web Sockets connection.
• Click on a frame to see the data being sent. Most frames will be "heartbeat" messages that don't show anything special. Try to see if you can find a frame of when a message was either being sent or delivered.
How long are messages retained?
Individual messages are kept on the ResourceConnect server until they expire or are manually deleted. A single message can be manually deleted. An entire conversation's worth of messages can also be deleted at once. We recommend deleting an entire conversation's worth of messages as soon as the conversation is over. In today's world there is too often a tendency to feel like if something is digital it must be retained forever. But try to think as ResourceConnect as just a digital version of a phone hotline. If you wouldn't record the phone calls with someone you shouldn't keep around your messages on ResourceConnect.
Messages expire automatically depending on the settings that an administrator sets in the Admin panel. Web and SMS chat messages can be set with different lengths of time. For example, you can set all Web messages to be removed from the server after 1 hour.
When a message is deleted (either by expiration or by a manual action) it is as gone as it possibly can be. Absolutely nothing about the message's existence is kept on the ResourceConnect server. The message is removed from user's and web chatters screens. Note that either your user or a web chatter could have taken a screen shot of the message. Unfortunately there's nothing we can do to prevent that from being a possibility or even recognize if a screen shot has been taken.
Also note that the only way to delete messages on an SMS chatter's phone is for that person to manually delete them. There is no way for a provider, or even a phone company, to delete messages off someone's phone. This is yet another reason why you should try not to have confidential conversations over SMS.
What kind of meta-data is stored for messages/chatters?
The following information is collected for each chatter:
• A random six digit ID
• The Provider the conversation is related to
• The user at the Provider currently assigned to the conversation
• The list of users who currently have the conversation muted
• Whether the conversation is ignored
• The date/time the conversation started
• The date/time the conversation was last active
• Potentially a custom name
of the chatter if any Provider user has entered one. The name is encrypted with the provider's unique encryption key.
• If an SMS Chatter: (310) 966-6047
in plain text.
• If a Web Chatter: The unique encryption key for the conversation, encrypted with the Provider's public key
• If a Web Chatter: A SHA-256 Hash
of the encryption key used for the conversation
• If a Web Chatter: Some (304) 488-4477
The following information is collected for each message:
• The date and time the message was sent
• The date and time the message was first read by the Provider
• Which Provider it was to
• Which system assigned client ID the message is related to
• If a message from a user, the user at the Provider who sent the message
• The encrypted message
• If an SMS message: The unique encryption key used to encrypt the message, encrypted on the ResourceConnect server with the Provider's public key
• If an SMS message: The Initialization Vector
used to encrypt the message
Note that we (819) 715-1640
of Web Chatters.
Also, you may notice from the above that the encryption scheme is different depending on whether the conversation is a web chat or an SMS chat. This is all by necessity. Some reasons why are discussed here
Is it possible for ResourceConnect to have a data breach?
Yes. Any internet based provider who claims to have a service that is completely immune to data breaches is either lying to you or is completely oblivious to the realities of the world we live in. The technology that powers our world is amazing and gets more and more amazing every day. But it's still technology designed and operated by humans. And humans make mistakes.
We at ResourceConnect take all the same steps any responsible service provider would take to protect their systems. Things like keeping software updated, penetration testing, reviewing logs of suspicious activity, protecting against injection/XSS attacks, denying massively repeated requests from the same IP address, restricting administrative access to the server to only key individuals and only on secured devices, etc.
But with all those steps taken, the unthinkable could still happen. One look at any week's technology headlines provides the proof that no one is immune from this being a potential situation.
This is why we believe Zero Knowledge encryption is absolutely key. With Zero Knowledge encryption, a data breach does not mean confidential data is exposed. A further set of catastrophic failures would have to also occur before confidential data could ever be read by an outside party.
What would you do in the event of a data breach?
We would send an email with all relevant information to all users at all providers who have administrative privileges.
If we experienced a data breach and didn't have full knowledge about what occurred, we would possibly shut down the service immediately and without warning while we investigated.
Does ResourceConnect ever go down for maintenance?
We have ResourceConnect mirrored on another server. All updates are build and tested there before being released to the live server.
When updates are applied to the live server we must reboot the server, which disconnect all users (chatters and users). All users are shown an alert that this is about to happen and are given a few minutes to finish up their conversation.
After the server is rebooted, any web chatter will be assigned a new six digit ID and the conversation will be disjointed from the pre-reboot conversation.
We cannot say with what regularity this might happen. It all depends on the current needs of our users and our current production schedule. But we are aware of the inconvenience this reboot causes and thus do not do it regularly and try to do it during non-busy times.
What are your plans in case of unexpected downtime?
Simply put, we'd fix the problem. And if we felt like the unexpected downtime had a long duration or produced errors that chatters or users could find concerning, we would update all users set with administrative privileges.