1. How are Jifflenow & other staff authenticated and authorised?
The Jifflenow CSM/Administrator user who sets up the initial configuration for the application are authorized by our SSO mechanism. All activities are logged and auditable.
2. How do users register and what is their permission level?
There are different types of roles a user can be assigned within the Jifflenow platform. Users can self-register or be added and assigned roles through the Administrator of the Company. Users self-registering through the application are assigned the default role of “User” which has the lowest privilege levels in the application. These users are typically people from Sales team who initiate meeting request in the application. User roles beyond “User” (for example, Executive, Executive Admin) can only be added by the Administrator of the application or by changing an existing user’s role.
3. How are the user’s verified when registering or added by the administrator through the system?
The system sends a verification email to the email address provided by the user or added by the administrator. This email contains a one-time valid URL that the user has to click. This link will show the user a page to set up his password credentials.
4. Is there a password policy? If yes what are the constraints?
There is a password policy. Passwords have to be minimum of 8 characters length. It should contain at least one capital letter, one small letter and one number or special character.
5. Is there support for Industry Standard SSO mechanisms like SAML or OAuth?
We support SAML ( both IdP and SP initiated) and OAuth2 (Goo gle Apps.) for SSO.
6. How are passwords stored? If encrypted how are they encrypted?
Passwords are hashed and stored. They are hashed using bcrypt hashing algorithm with a unique password salt.
1. Do you collect any personally identifiable information of Users/ Customers/ Partners? If yes what are they?
We minimally collect user information for identification, communication, processing and reporting for intended purpose of the system. We collect the following information:
- First Name
- Last Name
- Email Address
- Business Phone
- Job Title
2. Is the security of your software assessed by a qualified, independent security firm?
Yes, we regularly conduct penetration testing of the application with the help of Veracode. We can provide the last penetration test result of the application upon request.
3. What is your log and data retention policy?
We preserve the access and action logs up-to 30 days. We preserve the access and action logs up-to 30 days. All Customer Data will be removed from the Jifflenow Services within 90 days after termination of the contract.
4. Are databases backed up and encrypted?
The databases are managed by Amazon Relational Database Service (Amazon RDS). The database are automatically backed up with daily full backups. The database backup is encrypted. Encryption keys are managed by the AWS Key Management Service (Amazon KMS).
5. Are user passwords expired? How often do the users have to change their passwords?
Yes, user passwords expire and has to be reset every 90 days. This does not apply if the customer uses SSO Integration.
6. Does Jifflenow have a Staging/ Preprod environment and how are they segregated from Production Environment?
Jifflenow has a Staging Environment which has the same platform setup and running for customers to try out features and test integrations. Staging Environment is hosted outside Production environment and the data is not shared between the same environments.
7. Is Production data ever used in Non-Production Environments?
No. Production data never moves out of our Production environment.
Secure Development Process
1. How is your application development team educated about current application security risks and best practices?
Jiffle development understands the importance of application security and the information security. The application is developed generic and any data processed is at runtime to the specific company’s environment. Only the Infrastructure team has access to the production infrastructure.
2. Do you follow a defined software development lifecycle with security embedded within it?
Yes, every requirement and enhancement is analyzed from a security perspective and we ensure the need is met with security in mind.
3. Do you have secure coding standards? How are these kept up to date with emerging threats?
We follow the security guidelines of OWASP 10. The underlying application framework used is Rails which implements this guidelines.
Infrastructure & Security
1. Is the security of your Infrastructure assessed regularly for any weaknesses?
Yes, we assess the Infrastructure using OpenVAS every month or whenever there are major changes done to the infrastructure. We can provide the recent penetration test result of the infrastructure upon request.
2. How is data isolated between each tenant/ customer?
We are a single tenant for every customer. All our customer instances get their own database and are logically separated. The database credentials API and access tokens are unique to each customer and dynamically generated during provisioning. Every instance specific to a customer can only be accessed using the customer specific credential.
3. How do you detect a compromise or intrusion, and how are customers informed of the impact?
Our infrastructure runs within Amazon Virtual Private Cloud (Amazon VPC). A lot of network security features are available for Amazon VPC. We utilize Security Groups as Stateful firewall along with host level firewalls. We have active monitoring of the Production Instances and External monitoring of the availability of applications. We also have audit logs that help us to take proactive and reactive steps.
4. Which Jifflenow staff have access to Infrastructure?
The Customer Success and Infrastructure Team have access to the production servers for maintenance reasons. The user’s are well trained on handling customer data and all the actions are logged. Access is using SSH with multiple factors of authentication.
5. Where is the hosting done and what compliance certifications do they hold?
Our Infrastructure is managed by Amazon Web Services (AWS). The primary data center is in us-east region. The secondary (DR) data center is in us-west. Our datacenter partner has been certified for ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3. They are committed to be EU GDPR requirements.
6. How are the platform updates managed? e.g. OS patching, web server/ DB patching?
We subscribe/watch for security updates. Together apply it on our testing/staging environments, verify it doesn’t affect the application, then apply the patch on the production environment. All the machines are patched with up-to-date patches every 4 weeks. Very High Impact patches are applied within 48 hours.
7. Is there transfer of information over the network from the user’s browser to the servers secure?
Yes all the communication between the user’s browser to the server is encrypted over TLS.
8. If TLS is used for information transport, what version is used?
TLS 1.1 and TLS 1.2 with modern ciphers suite recommended by Mozilla TLS Observatory.
9. Is the data secured at rest?
Yes. Data at rest is secured. AWS provides data-at-rest options and key management to support the encryption process. Encryption keys are ma naged by the AWS Key Management Service (Amazon KMS).
10. Is there an anti-virus software that is installed on the environment that scans periodically?
Yes we have ClamAV installed on our environments, that scans daily for any commonly susceptible to virus and malware attacks. The antivirus database is updated daily.
11. What is your process for notifying customers of security problems and their solutions?
At Jifflenow we take a lot of proactive measures to prevent any sort of security incidents. All our customers have a dedicated account manager and customer service manager. The customer is notified within 48 hours after we are aware of the incident.
12. Is Jifflenow GDPR compliant?
Jifflenow is EU-GDPR Compliant. Jifflenow is EU-US Privacy Shield approved.
Jifflenow Technical & Organizational Security Measures
Jifflenow will, consistent with current best industry standards and such other requirements based on the
classification and sensitivity of Information, maintain physical, administrative and technical safeguards and other
security measures (i) to maintain the security and confidentiality of Controller Information accessed, collected,
used, stored or transmitted by the processor, and (ii) to protect that information from known or reasonably anticipated
threats or hazards to its security and integrity, accidental loss, alteration, disclosure and all other unlawful forms
of processing. Without limitation, Jifflenow complies with the following requirements:
- Firewall – Jifflenow has installed and maintaining a working network firewall to protect data accessible
via the Internet and will keep all Controller Information protected by the firewall at all times.
- Updates – Jifflenow will keep its systems and software up-to-date with the latest upgrades, updates, bug
fixes, new versions and other modifications necessary to ensure security of the Controller Information.
- Anti-malware – Jifflenow will at all times use anti-malware software and will keep the anti-malware
software up to date. Jifflenow will mitigate threats from all viruses, spyware, and other malicious code
that are or should reasonably have been detected.
- Encryption – Jifflenow encrypts data at rest and data sent across open networks in accordance with
industry best practices.
- Testing -Jifflenow regularly tests its security systems and processes to ensure they meet the requirements
of this Security Policy.
- Access Controls – Jifflenow secures Controller Information, including by complying with the following
- Jifflenow assigns a unique ID to each person with computer access to Controller Information.
- Jifflenow restricts access to Controller Information to only those people with a “need-to-know”
for Permitted Purpose.
- Jifflenow provides ability for controller to review the list of people and services with access to
its Information, and provide necessary technical measures and process for removing accounts
that no longer require access
- Jifflenow will not use manufacturer-supplied defaults for system passwords and other security
parameters on any operating systems, software or other systems. Jifflenow will mandate and
ensure the use of system-enforced “strong passwords” in accordance with the best practices
(described below) on all systems hosting, storing, processing, or that have or control access to,
Controller Information and will require that all passwords and access credentials are kept
confidential and not shared among personnel.
- Password best practices. Passwords must meet the following criteria:
- Contain at least 8 characters and should contain at least one capital letter, one small
letter and one number or special character;
- Not match previous passwords, the user’s login, or common name;
- Must be changed whenever an account compromise is suspected or assumed; and
- Are regularly replaced after no more than 90 days.
Controller Information when an account exceeds more than ten 5 consecutive incorrect
transmission), from Jifflenow’s and any third party information.
employees, subcontractors, agents, and suppliers that meets the standards set out in this policy, including
methods to detect and log policy violations.
to any subcontractors, affiliates, or delegates (“Subcontractors”) without Controller’s prior written
environments to systems holding Controller Information or Processor’s corporate or development
workstation networks requires multi-factor authentication (e.g., requires at least two separate factors for