We maintain geographically diverse data centres, running hardened operating systems and multiple layers of security ensuring data is safe and secure
- All customer data resides in Sydney, Australia.
- Customer data is housed in individual data stores and are accessed using individual application servers.
Data Handling and Transfer
- All data is encrypted at rest and in ﬂight data is protected by SSL/TLS with an A+ rating on SSL Labs tests, meaning we enforce strong cipher suites.
- Our application and API endpoints are only available of SSL/TLS and authenticated under standard RCF 7519.
- We follow best practices and handle any customer data with extreme sensitivity. We request all customer communications that contain personally identifiable information be secured by PGP with our public key (available from MIT PGP register https://pgp.mit.edu).
- No personal information is stored on any door scanners, lead capture stations or our smart badges.
- Our platform is hosted on Amazon Web Services (AWS).
- Datastores and application servers are geographically diverse and span across multiple availability zones and is designed for redundancy and high availability.
- Our application servers and datastores maintain strict ACLs which are regularly audited.
- Daily, weekly and monthly snapshots of all customer data for backup and recovery - all backups are encrypted.
- We conduct regular load tests to ensure our infrastructure can efficiently process large events.
- We rely on third parties for some image caching, sms and email delivery. These services are actively monitored.
- Strong user passwords are enforce and are hashed (blowfsh). Jomablue staff cannot recover your password, only reset it.
- API endpoints require valid authentication under standard RCF 7519.
- Access to our application or customer data is provided only to Jomablue team members that require it for their job function.
- Access to codebase or infrastructure services is limited to only the product team and multi factor authentication is used here available.
- Access to our application is provided to our customers staff under the direction of the customer, in all cases strong passwords and access time limits are enforced.
- Our services are monitored by third party services and an escalation process is in place in the event of a disruption.
Incidents are investigated and reports are kept.
Policies and Processes
- Change Management systems support the team to ensure structured releases do not impact availability.
We run unit and integration tests every time our codebase is updated, ensuring only passing code is ever available for a release.
- We maintain a zero-trust corporate network.
- All staff computers run with fulldisk encryption, strong passwords, and centrally managed software installation and update policies.
- All staff are educated on internal security policies.
- Every team member uses a password manager with dual factor authentication.
- We contract with respected, external security firms who perform regular audits of our servers and mobile applications to verify that our security practices are sound and to monitor the service in light of new vulnerabilities discovered by the security research community.
- Jomablue is not subject to PCI compliance. All payment processes are handled by third parties that are PCI compliant.