Data Protection

We start with a secure-by-design approach. We take security seriously and work hard to exceed industry standards in protecting data.

We maintain geographically diverse data centres, running operating systems using multiple layers of security to ensure your customer data is secure. The following information articulates in detail how we achieve this level of protection for our customer data.

Infrastructure

  • Our platform is hosted over multiple availability zones on Amazon Web Services (AWS).
  • Customer data is housed in customer-specific data stores.
  • All services are geographically diverse and span across multiple availability zones.
  • Our application’s servers are protected by strict ACLs and Web Application Firewalls that monitor web activity, proactively block suspicious activity and issue alert notifications.

Data Handling

  • All customer data resides in Australia.
  • All data is encrypted at rest, including any backups taken.
  • Backups of customer data are taken hourly, daily, weekly and monthly.
  • In-flight data is 256-bit encrypted.
  • Our application and API endpoints are only available over SSL/TLS, and any claims are validated in accordance with RFC 7519.
  • No personal information is stored on any on-site hardware (including door scanners, lead capture devices or our smart badges).

Data Transfer

  • We follow best practices and handle any customer data with extreme sensitivity. We request all customer communications that contain personally identifiable information be secured with our PGP key.

Auditing

  • We are happy to undertake any required internal compliance and security audits. We can also provide any relevant documentation and/or provide test environments for internal penetration testing.
  • We conduct regular load tests to ensure our infrastructure can efficiently process large scale events.
  • We conduct bi-annual external penetration testing with two different vendors.

Permissions

  • Access to our application and customer data is provided only to internal Jomablue staff as required for function of their role.
  • Access to the codebase or infrastructure services is limited to the product team, and multi-factor authentication is used.
  • Access to our application is provided to our customers’ staff under the direction of the customer. In all cases, strong passwords and two-factor authentication are enforced.
  • User accounts expire after one month of inactivity.

Monitoring

  • Our services are monitored by third party services and an escalation process is in place in the event of a disruption.
  • We maintain logs through AWS CloudTrail and CloudWatch to provide infrastructure and application audit trails.

Policies and Processes

  • We run unit and integration tests every time our codebase is updated, ensuring only passing code is ever available for a release.
  • Change Management systems support the team to ensure structured releases do not impact availability.
  • Sessions in our application are automatically logged out after a period of inactivity.
  • We maintain a zero-trust corporate network.
  • All staff computers run with full disk encryption, enforced strong passwords, and centrally managed software installation and update policies.
  • All staff are regularly educated on internal security policies.
  • Every team member uses a password manager with two-factor authentication.

GDPR readiness

  • If your organisation requires a DPA due to GDPR obligations, contact privacy@jomablue.com.

PCI Compliance

  • Jomablue is not subject to PCI compliance. All payment processes are handled by third parties that are PCI compliant.