Jifflenow Privacy Policy



      

iPolipo, Inc. dba Jifflenow (“Jifflenow”) values the privacy of our clients, their employees, their customers, and others (individually or collectively, “User” or “Users”) that use Jifflenow to manage meetings at B2B events such as trade shows, user forums, and that otherwise use www.Jifflenow.com and its associated websites, products, and services (collectively, the “Service”). That is why we are taking steps to comply with the General Data Protection Regulation (“GDPR”), and have filed the application with the Department of Commerce to self-certify to the EU–US Privacy Shield and Swiss–US Privacy Shield (collectively, “Privacy Shield”). We are currently in compliance with many of the requirements. Our application to self-certify to the Privacy Shield is pending, and we will update our Privacy Policy and also upload the Privacy Shield Notice to our website as soon as we are directed by the Department of Commerce to do so.

This Privacy Policy details Jifflenow’s information-handling practices with respect to information you provide to us or that we learn from your use of the Service and tells you how we may collect, use, and in some instances share this information.
By using our Services you are consenting to Jifflenow processing your information as described in this Privacy Policy now and as amended by us. These uses include the collection, storage and deletion, disclosure and transfer of your information to and from the United States to provide you with the Services you have requested.

If you have any questions or comments about our practices or this Privacy Policy please contact us at privacy@jifflenow.com

The Information Jifflenow Collects

  • Personal Information: In its course of business, Jifflenow collects personal information from its Users. This information includes contact information, such as their name, company name, address, business contact information, phone number, and e-mail address. Personal Information may not, however, include social security number, driver’s license number, bank account information, credit rating, or other personal financial data.
  • User Information: Users have the opportunity to share various types of information amongst themselves through use of the Service. You can upload and post meeting details, your bio, photo, personal links and other documents you wish to have accessible to other users. This content along with all other information related to your use of the Service, including, but not limited to, meeting times, meeting occurrences and meeting logistics is stored and maintained on Jifflenow’s third-party server hosting partners. Providing your Personal Information and any other information about you via the Services is voluntary and this information will be visible to other users and should correlate with the degree of interaction you want to have with other users. Please be aware that any information that you choose to share on any publicly available portion of the Service or with third parties, including without limitation your personal page, calendar page, links to social network pages, blogs, may be collected and used by others without restriction.
  • “Cookies” Information: When you access the Service, we may send one or more cookies – small text files containing a string of alphanumeric characters – to your computer. Jifflenow may use both session cookies and persistent cookies. A session cookie disappears after you close your browser. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the Service. Persistent cookies can be removed. Please review your web browser “Help” file to learn the best way to modify your cookie settings. Please note that disabling cookies may prevent you from accessing some of the functionality available via the Service.
  • Log Information: When you visit the Service, like many websites, our servers automatically record information that your browser sends whenever you visit a website (“Log Information”). This Log Information may include information such as your IP address, date and time, browser type and the domain from which you are visiting. For most users accessing the Internet from an Internet service provider (or “ISP”), the IP address will be different every time you log on. We do not use this information to identify you personally. We use it to analyse usage trends, administer the Site and the Service and for the Site’s technical maintenance.

Children’s Privacy

  • Consistent with the federal Children’s Online Privacy Protection Act of 1998 (COPPA), we will never knowingly request personally identifiable information from anyone under the age of thirteen (13) without requiring parental consent, and no part of the Service is directed to persons under 13. Any person who provides their personal information to Jifflenow represents that they are 13 years of age or older.

The Way Jifflenow Uses Information

  • Jifflenow uses the information that we collect to provide you all of the features and services found on the Service. We will use your email address, without further consent, for non-marketing or administrative purposes such as notifying you of major site updates.
  • Jifflenow may use all of the information that we collect from our Users to understand the usage trends and preferences, to improve the way the Service works and looks, to improve our marketing and promotional efforts, and to create new features and functionality.
  • Jifflenow may use automatically collected information and cookies information to remember your information so that you will not have to re-enter it during your visit or the next time you use the Service.
  • Jifflenow will not use your email address or other personally identifiable information to send promotional or marketing messages without your consent or except as part of a specific program or feature for which you will have the ability to opt-in.

When Jifflenow Shares Information

  • As a service provider, we do not independently use or disclose Personal Information transferred to us by, or on behalf of, a Client or a User for any purpose other than to process that information in order to fulfil our contractual business processing functions, except as required or permitted by law. Furthermore, we take all commercially reasonable steps to safeguard the Personal Information we hold against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the Personal Information is held. The precise nature of the safeguards we employ will vary depending on (i) the sensitivity of the Personal Information at issue, (ii) the format in which it is held, and (iii) the manner in which it is stored.
  • Jifflenow may disclose both personally identifiable and automatically collected information to affiliated companies or other businesses or persons to process such information on our behalf, to provide, without limitation, website maintenance and security, to offer certain features, to assist us in improving the way the Service works and looks, and to create new features. We require that these parties agree to process such information in compliance with our Privacy Policy, we use reasonable efforts to limit their use of such information, and we require these parties to use any other appropriate confidentiality and security measures.
  • Compliance with Laws and Law Enforcement. Jifflenow cooperates with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including subpoenas), to protect the property and rights of Jifflenow or a third party, to protect the safety of the public or any person, or to prevent or stop any illegal, unethical or legally actionable activity. If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Jifflenow will automatically send the friend a one-time email inviting them to visit the site. Jifflenow does not store this information.

Our Commitment to Data Security

  • We use secure server software and firewalls to protect your personally identifiable information from unauthorized access, disclosure, alteration, or destruction. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software.
  • No data transmissions over the Internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information you transmit to us and you do so at your own risk. Once we receive your transmission, we make reasonable efforts to ensure security on our systems.
  • If Jifflenow learns of a security systems breach, then we may attempt to notify you electronically so that you can take appropriate protective steps. Jifflenow may post a notice on the Service if a security breach occurs. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. To receive a free written notice of a security breach you should notify us at privacy@jifflenow.com

Change of Ownership or Other Business Transition

  • In the event Jifflenow goes through a business transition, such as a merger, acquisition or the sale of all or substantially all of its assets (a “Business Transition”), your membership in Jifflenow and the Jifflenow servers containing Your Information will, in most instances, be part of the assets transferred. In such event, you will be notified via e-mail and/or through a notice on our Web site and any other appropriate methods prior to the Business Transition, and Jifflenow’s custody of Your Information will be transferred subject to all the terms and restrictions in this Privacy Policy.
  • Following a Business Transition, Jifflenow or its successors will continue to use Your Information in accordance with the Privacy Policy under which the information was collected. If, however, we plan to use Your Information in a manner different from that stated at the time of collection we will notify you via e-mail and/or through a notice on our Web site and any other appropriate methods. You will have a choice as to whether or not we use Your Information in this different manner. Whether or not you wish to have Your Information used in this different manner, you will retain ownership rights to Your Information and the ability to delete Your Information at any time. Please note, if you have deleted or deactivated your account with the Services or are an opt-out User, then you will not be contacted, nor will Your Information be used in this different manner.

Log Files and Backups

  • Like most Internet services, we use log files, both on the client and server side. The data held in log files includes your IP address, browser type, e-mail application, Internet service provider (“ISP”), referring/exit Web pages, computer platform type, date/time stamp, and user activity. Jifflenow uses server log data to analyse trends, administer the Services and the Site, and improve service levels. IP addresses are not tied to any Personally Identifiable Information.
  • The Software has associated log and temporary files that are stored on your local hard drive and on Jifflenow’s servers. These files store Your Account Information, your permissions, preference settings, system notifications as well as other data necessary to operate the Jifflenow services.
  • Your Information may also exist temporarily within regularly performed server backups.

Phishing

  • We do not and will not, at any time, request your credit card information, your Jifflenow user name, login password, or national identification numbers in a non-secure or unsolicited e-mail or telephone communication.
  • Identity theft and the practice currently known as “phishing” are of great concern to Jifflenow. Safeguarding information to help protect you from identity theft is our priority.

Your Choices: Providing, Changing or Deleting Your Information

  • You may, of course, decline to share your personally-identifiable information with Jifflenow, in which case Jifflenow will not be able to provide to you some or all of the features and functionality found on the Service. All Users may review, update, correct or delete the Personal Information in their registration profile. Non-Users may also request deletion of their Personal Information from our servers. If Users completely delete any such information, their use of the Services may be limited or terminated. If you would like us to delete your records in our system, please contact us and we will attempt to accommodate your request. See below for privacy contact information.

Data Retention

  • We reserve the right to retain your Personal Information or other data collected from you as a result of your use of the Services to prevent fraud and misuse of the Services.

Security & International Transfer

  • Jifflenow is very concerned with safeguarding your information. We employ administrative, physical and electronic measures designed to protect your information from unauthorized access. Your information may be transferred to and maintained on computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. Jifflenow transfers Personal Information to the United States and maintains and processes it there. You consent to such transfer.

Links

  • The Site contains, and the Software may present, links to other sites. Please be aware that Jifflenow is not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave the Site or otherwise link to other sites, to read the privacy policies of each and every site that collects personally identifiable information. Jifflenow’s Privacy Policy applies solely to information collected by the Services, the Software or the Site.

Government Authority

  • You should be aware that, as with all legal contracts, our Terms of Service and this Privacy Policy could be amended, terminated or modified without the consent of you and/or Jifflenow by judicial proceeding, court order, in connection with bankruptcy or other insolvency proceedings, or pursuant to other government action. When reasonable and lawful, we will notify you if this occurs.

How do we train and manage our associates?

We educate our associates about our information security policies and practices, and use reasonable efforts to help ensure that our associates comply with these policies and practices. These efforts include: Conducting appropriate background checks of all newly-hired associates; Including information on Jifflenow’s policies in our associate orientation process; Requiring associates to execute appropriate non-disclosure agreements; Including information on our policies and practices on the Jifflenow website; Disseminating information on our policies and procedures to associates at appropriate intervals; Limiting access to Personal Information to associates with a business need for seeing it; Promptly ending associate access to systems and facilities upon termination of associate services; Monitoring associates for compliance with policies; and imposing appropriate disciplinary measures for breaches of policies and procedures.

How do we ensure the security of our facilities?

We use our third-party server hosting partners’ highly secure facilities to host all our applications. We may also host your Personal Information on our servers. Please contact us at security@jifflenow.com for further information about security at our third-party server hosting partner or our servers.

How do we ensure the security of our information systems?

Information systems include network and software design, as well as information processing, storage, transmission, retrieval and disposal. We employ policies and practices to protect Personal Information throughout its life cycle – from data entry to data disposal. These policies and practices include, among other things:

  • Requiring use of virus protection software on all computer systems attached to Jifflenow client server network;
  • Limiting all access to Jifflenow resources and networks to approved configurations and utilizing appropriate identification and authentication methods;
  • Utilizing firewalls (which are configured and maintained in accordance with industry-standard procedures and specifications);
  • Requiring appropriate disposal of all documents and electronic media containing Personal Information;
  • Employing appropriate intrusion detection, monitoring, and logging capabilities to enable detecting and responding to potential security breaches;
  • Maintaining appropriate incident handling procedures for responding to any breaches;
  • Regularly obtaining and installing patches to address software vulnerabilities;
  • Developing Client applications utilizing appropriate security methods including multiple-factor authentication, strong passwords, session time-outs, and access controls;
  • Encrypting data in transit, at rest, and in backups;
  • Maintaining adequate disaster recovery and business continuity plans for all core functions.

What additional safeguards do we have in place to protect Personal Information?

Due to the constantly changing nature of technologies and security concerns, we conduct appropriate, periodic reviews of our security policies and practices. Additionally, periodic assessments are conducted as appropriate. All allegations of system or data misuse (by associates, contractors or any third parties) are thoroughly investigated by Jifflenow in accordance with our policies, and reported to law enforcement authorities where appropriate.

How long will we retain Personal Information?

We may keep a record of User’s Personal Information, correspondence or comments in a file specific to the Client, to which access by our associates and by any third parties with whom we contract will be strictly limited on a business need-to-know basis. We will retain User’s Personal Information for as long as necessary to fulfil the purposes for which it was transferred to us, or as required or permitted by law. We have established minimum and maximum retention periods, as well as appropriate procedures for the destruction and disposal of Personal Information.

How do we update Personal Information such that it is sufficiently accurate for processing purposes?

As a service provider of business processing functions, we rely on our Users to provide us with updated Personal Information on an ongoing basis, as necessary in relation to our provision of the services. Upon receipt of updated Personal Information, we will amend the User’s Personal Information that we hold where such amendment is reasonably necessary to enable us to continue providing the services to the Client in accordance with our contractual obligations as a service provider. This updating of Personal Information is rarely performed.

Changes and Updates to this Privacy Policy

We may occasionally update this Privacy Policy. When we do, we will also revise the “Last Updated” on our website. For changes to this Privacy Policy that may be materially less restrictive on our use or disclosure of personal information that you have provided to us, we will use commercially reasonable efforts to obtain your consent before implementing the change. We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting the information we collect. Your continued use of the Service constitutes your agreement to this Privacy Policy and any updates.

Contacting Us

If you have any questions, comments, or concerns about this Privacy Policy, please contact us at privacy@jifflenow.com or at:

iPolipo, Inc. DBA Jifflenow

1330 S BASCOM AVE, SUITE C,
SAN JOSE, CA 95128

iPolipo, Inc. dba Jifflenow (“Jifflenow”) (“We” or “Our”) have certified with the EU-U.S. and Swiss-U.S. Privacy Shield (the “Privacy Shield”) with respect to the personal data we receive and process on behalf of our customers in the European Union, the European Economic Area, and Switzerland, through our Services. Unless otherwise defined in this Jifflenow Privacy Shield Notice, capitalized terms will have the same meaning as ascribed to them in our Terms of Use and Privacy Policy.

Jifflenow complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from European Union and Switzerland to the United States, respectively. Jifflenow has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy notice, the Jifflenow Privacy Policy or the Terms of Use and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

Jifflenow certifies that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for personal data submitted by our customers in participating European countries through the Services, and our Privacy Shield certification will be available here. We may also process personal data our customers submit relating to individuals in the EU and Switzerland via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

Data Processed

We provide the Services so that our customers can communicate and operate aspects of their businesses. In providing these Services, we process data our customers submit to the Services or instruct us to process on their behalf in connection with the Services (“Customer Data”).

Purposes of Data Processing

We process Customer Data submitted by customers for the purpose of providing the Services to customers. To fulfill these purposes, we may access data to provide the Services, to prevent or address service or technical problems, to respond to customer support matters, to follow the instructions of our customer who submitted the data, or in response to contractual requirements with our customers. We will offer you the opportunity to opt-out before your personal information is used for purposes not listed here or in the Privacy Policy.

Third Parties With Whom We May Share Customer Data

We use a limited number of third party providers to assist us in providing the Services to our customers. As of the date hereof, these third-party providers perform technical operations such as database monitoring, data storage and hosting services and customer support software tools.

These third parties may access, process or store personal data in the course of providing these services, but based on our instructions only. If you wish to opt-out of services, or delete or deactivate services of any of our third party providers, please send us an email request at privacy@jifflenow.com. Please note that such an opt-out, delete, or deactivation will impact your enjoyment of our Services.

If we receive personal data subject to our certification under the Privacy Shield and then transfer it to a third-party service provider acting as an agent on our behalf, we are potentially liable under the Privacy Shield if both (i) the agent processes the personal data in a manner inconsistent with the Privacy Shield and (ii) we are responsible for the event giving rise to the damage.

Questions or Complaints:

In compliance with the EU-US and Swiss-US Privacy Shield Principles, Jifflenow commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact Jifflenow at:

privacy@jifflenow.com or at our mailing address:
iPolipo, Inc.
1330 S Bascom Ave, Suite C,
San Jose, CA 95128

We will work with you to resolve your issue.

Dispute Resolution

Jifflenow has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.

We also commit to cooperate with competent EU data protection authorities (DPAs) with regard to our customers’ end users’ human resources data transferred from a European country participating in the Privacy Shield in the context of the employment relationship.

Arbitration

You may also be able to invoke binding arbitration for unresolved complaints but prior to initiating such arbitration, a resident of a European country participating in the Privacy Shield must first: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from BBB PRIVACY SHIELD; and (3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue. If such a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.

U.S. Federal Trade Commission Enforcement

Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Right of Access

EU and Swiss users have legal rights to access certain personal data we hold about them and to obtain its correction, amendment or deletion. Those users may exercise some of those rights through the options described in our Privacy Policy. But please be advised that because our personnel have a limited ability to identify and access an individual user’s personal data that our customer has submitted to the Services, if you wish to request access, to limit use, or to limit disclosure, we may first refer your request to the customer who submitted your personal data, and we will support them as needed in responding to your request.

Jifflenow acknowledges that EU and Swiss individuals have the right to access the personal information that we maintain about them. An EU or Swiss individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their query to privacy@jifflenow.com. If requested to remove data, we will respond within a reasonable timeframe.

Requirement to Disclose

We may disclose personal data when we have a good faith belief that such action is necessary to: conform to legal requirements or to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements; or to enforce our contractual obligations.

Jifflenow Technical & Organizational Security Measures

Jifflenow will, consistent with current best industry standards and such other requirements based on the
classification and sensitivity of Information, maintain physical, administrative and technical safeguards and other
security measures (i) to maintain the security and confidentiality of Controller Information accessed, collected,
used, stored or transmitted by processor, and (ii) to protect that information from known or reasonably anticipated
threats or hazards to its security and integrity, accidental loss, alteration, disclosure and all other unlawful forms
of processing. Without limitation, Jifflenow complies with the following requirements:

  1. Firewall – Jifflenow has installed and maintains a working network firewall to protect data accessible
    via the Internet and will keep all Controller Information protected by the firewall at all times.
  2. Updates – Jifflenow will keep its systems and software up-to-date with the latest upgrades, updates, bug
    fixes, new versions and other modifications necessary to ensure security of the Controller Information.
  3. Anti-malware – Jifflenow will at all times use anti-malware software and will keep the anti-malware
    software up to date. Jifflenow will mitigate threats from all viruses, spyware, and other malicious code
    that are or should reasonably have been detected.
  4. Encryption – Jifflenow encrypts data at rest and data sent across open networks in accordance with
    industry best practices.
  5. Testing – Jifflenow regularly tests its security systems and processes to ensure they meet the requirements
    of this Security Policy.
  6. Access Controls – Jifflenow secures Controller Information, including by complying with the following
    requirements:
    1. Jifflenow assigns a unique ID to each person with computer access to Controller Information.
    2. Jifflenow restricts access to Controller Information to only those people with a “need-to-know”
      for Permitted Purpose.
    3. Jifflenow provides the ability for the Controller to review the list of people and services with access to
      its Information, and provides the necessary technical measures and process for removing accounts
      that no longer require access.
    4. Jifflenow will not use manufacturer-supplied defaults for system passwords and other security
      parameters on any operating systems, software or other systems. Jifflenow will mandate and
      ensure the use of system-enforced “strong passwords” in accordance with the best practices
      (described below) on all systems hosting, storing, processing, or that have or control access to,
      Controller Information and will require that all passwords and access credentials are kept
      confidential and not shared among personnel.
      • Password best practices. Passwords must meet the following criteria:
        • Contain at least 8 characters and should contain at least one capital letter, one small
          letter and one number or special character;
        • Not match previous passwords, the user’s login, or common name;
        • Must be changed whenever an account compromise is suspected or assumed; and
        • Are regularly replaced after no more than 90 days.
    5. Jifflenow will maintain and enforce “account lockout” by disabling accounts with access to
      Controller Information when an account exceeds more than ten 5 consecutive incorrect
      password attempts.
    6. Jifflenow will isolate Controller Information at all times (including in storage, processing or
      transmission), from Jifflenow’s and any third party information.
    7. Jifflenow will regularly review access logs for signs of malicious behavior or unauthorized
      access.
  7. Processor Policy – Jifflenow will maintain and enforce an information and network security policy for
    employees, subcontractors, agents, and suppliers that meets the standards set out in this policy, including
    methods to detect and log policy violations.
  8. Subcontract – Jifflenow will not subcontract or delegate any of its obligations under this Security Policy
    to any subcontractors, affiliates, or delegates (“Subcontractors”) without Controller’s prior written
    consent.
  9. Remote Access – Jifflenow will ensure that any access from outside protected corporate or production
    environments to systems holding Controller Information or Processor’s corporate or development
    workstation networks requires multi-factor authentication (e.g., requires at least two separate factors for
    identifying users).

Access Management

1. How are Jifflenow & other staff authenticated and authorised?

The Jifflenow CSM/Administrator user who sets up the initial configuration for the application is authorized by our SSO mechanism. All activities are logged and auditable.

2. How do users register and what is their permission level?

There are different types of roles a user can be assigned within the Jifflenow platform. Users can self-register or be added and assigned roles through the Administrator of the Company. Users self-registering through the application are assigned the default role of “User”, which has the lowest privilege levels in the application. These users are typically people from the Sales team who initiate meeting requests in the application. User roles beyond “User” (for example, Executive, Executive Admin) can only be added by the Administrator of the application or by changing an existing user’s role.

3. How are users verified when registering or when added by the administrator through the system?

The system sends a verification email to the email address provided by the user or added by the administrator. This email contains a one-time valid URL that the user has to click. This link will show the user a page to set up his password credentials.

4. Is there a password policy? If yes, what are the constraints?

There is a password policy. Passwords have to be a minimum of 8 characters in length. They should contain at least one capital letter, one small letter and one number or special character.

5. Is there support for Industry Standard SSO mechanisms like SAML or OAuth?

We support SAML (both IdP and SP initiated) and OAuth2 (Google Apps) for SSO.

6. How are passwords stored? If encrypted how are they encrypted?

Passwords are hashed and stored. They are hashed using the bcrypt hashing algorithm with a unique password salt.

Data Protection

1. Do you collect any personally identifiable information of Users/ Customers/ Partners? If yes what are they?

We minimally collect user information for identification, communication, processing and reporting for the intended purpose of the system. We collect the following information:

Mandatory:

  1. First Name
  2. Last Name
  3. Email Address

Optional:

  1. Business Phone
  2. Job Title

2. Is the security of your software assessed by a qualified, independent security firm?

Yes, we regularly conduct penetration testing of the application with the help of Veracode. We can provide the last penetration test result of the application upon request.

3. What is your log and data retention policy?

We preserve the access and action logs up to 30 days. All Customer Data will be removed from the Jifflenow Services within 90 days after termination of the contract.

4. Are databases backed up and encrypted?

The databases are managed by Amazon Relational Database Service (Amazon RDS). The databases are automatically backed up with daily full backups. The database backup is encrypted. Encryption keys are managed by the AWS Key Management Service (Amazon KMS).

5. Are user passwords expired? How often do the users have to change their passwords?

Yes, user passwords expire and have to be reset every 90 days. This does not apply if the customer uses SSO Integration.

6. Does Jifflenow have a Staging/ Preprod environment and how are they segregated from Production Environment?

Jifflenow has a Staging Environment which has the same platform set up and running for customers to try out features and test integrations. The Staging Environment is hosted outside the Production environment and data is not shared between the environments.

7. Is Production data ever used in Non-Production Environments?

No. Production data never moves out of our Production environment.

Secure Development Process

1. How is your application development team educated about current application security risks and best practices?

The Jiffle development team understands the importance of application security and information security. The application is developed generically, and any data is processed at runtime within the specific company’s environment. Only the Infrastructure team has access to the production infrastructure.

2. Do you follow a defined software development lifecycle with security embedded within it?

Yes, every requirement and enhancement is analyzed from a security perspective and we ensure the need is met with security in mind.

3. Do you have secure coding standards? How are these kept up to date with emerging threats?

We follow the security guidelines of OWASP 10. The underlying application framework used is Rails, which implements these guidelines.

Infrastructure & Security

1. Is the security of your Infrastructure assessed regularly for any weaknesses?

Yes, we assess the Infrastructure using OpenVAS every month or whenever there are major changes done to the infrastructure. We can provide the recent penetration test result of the infrastructure upon request.

2. How is data isolated between each tenant/ customer?

We are single tenant for every customer. All our customer instances get their own database and are logically separated. The database credentials, API and access tokens are unique to each customer and dynamically generated during provisioning. Every instance specific to a customer can only be accessed using the customer-specific credential.

3. How do you detect a compromise or intrusion, and how are customers informed of the impact?

Our infrastructure runs within Amazon Virtual Private Cloud (Amazon VPC). A lot of network security features are available for Amazon VPC. We utilize Security Groups as a stateful firewall along with host-level firewalls. We have active monitoring of the Production Instances and external monitoring of the availability of applications. We also have audit logs that help us to take proactive and reactive steps.

4. Which Jifflenow staff have access to Infrastructure?

The Customer Success and Infrastructure Team have access to the production servers for maintenance reasons. The users are well trained in handling customer data and all the actions are logged. Access is using SSH with multiple factors of authentication.

5. Where is the hosting done and what compliance certifications do they hold?

Our Infrastructure is managed by Amazon Web Services (AWS). The primary data center is in the us-east region. The secondary (DR) data center is in us-west. Our datacenter partner has been certified for ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3. They are committed to meeting EU GDPR requirements.

6. How are the platform updates managed? e.g. OS patching, web server/ DB patching?

We subscribe to and watch for security updates. We apply them together on our testing/staging environments, verify they do not affect the application, then apply the patch on the production environment. All the machines are patched with up-to-date patches every 4 weeks. Very High Impact patches are applied within 48 hours.

7. Is the transfer of information over the network from the user’s browser to the servers secure?

Yes, all the communication between the user’s browser and the server is encrypted over TLS.

8. If TLS is used for information transport, what version is used?

TLS 1.1 and TLS 1.2 with the modern cipher suites recommended by Mozilla TLS Observatory.

9. Is the data secured at rest?

Yes. Data at rest is secured. AWS provides data-at-rest options and key management to support the encryption process. Encryption keys are managed by the AWS Key Management Service (Amazon KMS).

10. Is there an anti-virus software that is installed on the environment that scans periodically?

Yes we have ClamAV installed on our environments, that scans daily for any commonly susceptible to virus and malware attacks. The antivirus database is updated daily.

11. What is your process for notifying customers of security problems and their solutions?

At Jifflenow we take a lot of proactive measures to prevent any sort of security incidents. All our customers have a dedicated account manager and customer service manager. The customer is notified within 48 hours after we are aware of the incident.

12. Is Jifflenow GDPR compliant?

Jifflenow is EU-GDPR Compliant. Jifflenow is EU-US Privacy Shield approved.