Jetpack Workflow Security Practices
Jetpack Workflow is committed to safeguarding the security, confidentiality, and integrity of customer data. This document provides an overview of the technical and organizational measures we implement to protect data and ensure the trust of our users, customers, and stakeholders.
This overview is intended for customers, prospects, auditors, and other stakeholders who want to understand our security posture.
This Security Policy complements our Privacy Policy, GDPR Addendum, and California Privacy Notice, which provide additional information on how we collect, use, and protect personal data.
Infrastructure Security
Our application and all associated customer data are hosted in US data centers operated by Heroku and Amazon Web Services (AWS), both of which maintain industry-recognized security and compliance programs. Physical security is managed by these hosting providers, which restrict data center access to authorized personnel.
These providers maintain compliance with the following certifications:
- ISO 27001
- SOC 1 and SOC 2 (attested under SSAE 16, since superseded by SSAE 18, and ISAE 3402)
- FISMA Moderate
- Sarbanes-Oxley (SOX)
To learn more about the physical security, environmental safeguards, network security, and vulnerability management of our hosting infrastructure, please refer to the Heroku Security Policy. To learn more about Amazon Web Services’ approach to security, please visit the AWS Security Center.
Data Encryption
All data transmitted between your browser and our servers is encrypted with Transport Layer Security (TLS), supporting TLS 1.2 and higher. Data at rest is encrypted using AES-256. Encryption keys are managed through AWS Key Management Service (KMS) and Heroku's built-in encryption, which is itself built on AWS managed services. Backups of customer data are encrypted as well, so stored information keeps the same confidentiality and integrity protections as live data.
Access Management
Access to production systems and customer data is restricted to authorized personnel according to their role. We enforce strong authentication, including Multi-Factor Authentication (MFA), for all administrative and privileged access. Access permissions are reviewed regularly to confirm that they follow the principle of least privilege and reflect current job responsibilities.
Application Security
We follow secure software development lifecycle (SDLC) practices to minimize security risks throughout the development process. These include:
- Regular internal security assessments and peer code reviews
- Automated dependency scanning via Dependabot
- Prompt identification and remediation of known vulnerabilities
- Monitoring and logging of application activity
We periodically conduct third-party penetration testing on our Classic product to assess and validate its security posture. While we are actively expanding these practices to other products, they are not yet in place across the entire platform.
We also encourage developers to reference OWASP guidelines for secure coding practices, and we continue to expand internal awareness around secure development, though no formal training program is currently in place.
Monitoring and Detection
We maintain centralized logging and performance monitoring across our application and infrastructure. Alerts are routed through an on-call incident management platform so that our engineering team has 24/7 visibility and response coverage.
Logs are kept online for 30 days to support investigation and incident response. Older logs are moved to long-term storage for compliance and historical audit purposes.
Business Continuity and Disaster Recovery
We maintain continuous, encrypted backups of customer data to support business continuity and disaster recovery. Backups are stored in the same geographic region as our production systems, so they share that region's failure domain.
Disaster recovery procedures are tested periodically to confirm that service can be restored after an incident. Our internal targets are a Recovery Point Objective (RPO) of 2 hours (at most 2 hours of data loss) and a Recovery Time Objective (RTO) of 24 hours (service restored within 24 hours), though actual recovery times depend on the nature and scope of the incident.
Incident Response
Jetpack Workflow maintains a formal incident response plan to detect, investigate, and mitigate security incidents. In the event of a confirmed breach involving customer data, we will notify affected parties without undue delay and in accordance with applicable laws and contractual obligations.
Our response procedures include defined roles and escalation paths, logging and forensic analysis, and coordination with relevant stakeholders. The plan is reviewed and tested periodically to ensure its effectiveness.
Vendor and Third-Party Security
We employ a rigorous vendor management process, including security and compliance evaluations. Third parties are required to adhere to strict confidentiality and security obligations. A list of our current subprocessors is available upon request by contacting privacy@jetpackworkflow.com.
Payment Information
All payment processing is handled by Stripe, a PCI DSS Level 1 service provider. Jetpack Workflow does not store or process full card numbers.
Compliance Alignment
We align our practices with recognized industry standards and applicable regulatory requirements, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Payment Card Industry Data Security Standard (PCI-DSS) through our service providers.
Our GDPR Addendum and California Privacy Notice provide additional information on how we protect the rights of individuals in the European Economic Area and California. A Data Processing Addendum (DPA) is available upon request.
Contact and Additional Information
If you have questions about our security practices, require additional documentation, or would like to request a Data Processing Addendum (DPA), please contact us at:
Email: security@jetpackworkflow.com
Note: This page provides a high-level overview of our security measures. For more information, please refer to our Privacy Policy, GDPR Addendum, or California Privacy Notice, or contact us directly.