Security

Dated: December 22, 2023

Commitment to Security and Privacy

At Jetpack Workflow, the security of your team and client information is a high priority for us. If you have any questions after reading this, or believe you have encountered an issue affecting security or privacy, please let us know by contacting us at security@jetpackworkflow.com.

PCI

We use Stripe for encrypting and processing credit card payments. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry. For more information, refer to Security at Stripe.

Third Parties

Jetpack Workflow relies on a number of third-party systems and components to serve our customers, from a third-party CRM vendor in Sales to external hosting for our application. All third-party tools are evaluated to ensure that they meet our security and privacy requirements.

Application Security

Hosting Infrastructure

Our application and all associated customer data are hosted in US data centers by Heroku and Amazon AWS. These data centers have been certified to:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

To learn more about the Physical Security, Environmental Safeguards, Network Security, and Vulnerability Management of our hosting infrastructure, read more at Heroku Security.

Security Scanning

The Jetpack Workflow application receives annual security scans from Cigital to maintain its listing with the Apps.com platform. These scans determine our application’s ability to resist common attack patterns and identify vulnerable areas that may be exploited by a malicious user. Cigital determines that Jetpack Workflow security controls are effective in resisting common attack patterns like:

  • Input Validation Attacks
  • Confidentiality Attacks
  • Authorization Attacks
  • SQL Injection

All issues identified by the security scans are addressed as soon as practicably possible.

Backups & Disaster Recovery

Backups

Our data is continuously and automatically backed up. Backups are stored on physically separate systems and are tested regularly.

Disaster Recovery

Our hosting provider is designed for stability, mitigates common issues that can lead to outages, and can recover failed components.

Jetpack Workflow periodically tests our ability to redeploy our application in the event of catastrophic failure at current data centers.

Data Protections

Data in Transit

Jetpack Workflow supports TLS 1.2 for all client connections, when possible. For the most secure experience, make sure you are using the latest version of a TLS-supported browser. Check your browser's TLS compatibility at SSLLabs.com.

Data at Rest

Data at rest is protected by AES-256, block-level storage encryption.

Development Practices

Jetpack Workflow designs all our internal and external systems with the security and privacy of customers in mind. All changes to infrastructure or applications are reviewed for security and privacy impacts. We monitor multiple channels of information and use various monitoring tools to evaluate the security of our systems. Any issues found in the Jetpack Workflow application are assessed, ranked for risk, then prioritized for mitigation.

Access to Customer Data

Jetpack Workflow employees are granted access to Customer Data when required to fulfill their duties, which includes everything from assisting customers with questions to evaluating the impact of changes on the system. All Jetpack Workflow employees undergo pre-employment background checks and are given frequent guidance on how to securely handle all customer data. All access is revoked when an employee leaves or is in a role that does not require access to Customer Data.

As a part of Jetpack Workflow standard procedures, we ask for permission before entering a customer account on their behalf and only make changes on customer request.

All Jetpack Workflow application access is logged. Our PCI-compliant payments process logs all access and changes to payment and billing related information.

Data Retention & Destruction

Jetpack Workflow retains all data for active customers. Customers are free to cancel their accounts at any time and request the full deletion of their Jetpack Workflow data from our systems.

Our hosting provider uses techniques outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data when deprovisioning resources, ensuring that our customer data is fully erased when no longer used.

Incident Notification

If Jetpack Workflow believes that a customer’s data has been accessed by unauthorized persons, we will notify impacted customers within 48 hours of discovery.