Security




Overview

We understand that keeping our customers' data secure is of the utmost importance, and we go to considerable lengths to ensure that all data sent to Jumplead is handled securely.

Keeping Jumplead secure is fundamental to our business.


Best practices

Incident response plan

We have a formal procedure for handling security events. When a security event is detected it is escalated to our emergency response team, who are alerted and assembled to address the situation rapidly. Once the event has been resolved we write up a post-mortem analysis.

The analysis document is distributed across the company and includes action items that will make the detection and prevention of any similar event easier in the future.

Build Process Automation

We use continuous deployment so that we can roll out changes to both our application and our operating platform safely and reliably within minutes. We typically deploy code several times a day, and can release a security fix quickly when required.


Infrastructure

All of our services run in the cloud; Jumplead does not run its own routers, load balancers, DNS servers, or physical servers.

Jumplead services and data are hosted in Amazon Web Services (AWS) facilities in the EU (Ireland), and have been built with disaster recovery in mind.

All of our infrastructure is spread across 3 AWS data centers (availability zones) and will continue to work should any one of those data centers fail unexpectedly.

All of our servers sit within our own virtual private cloud (VPC), with network access control lists (ACLs) that stop unauthorized requests from reaching our internal network.

Jumplead uses the MongoDB Cloud Manager backup solution for datastores that contain customer data.


Data

All customer data is stored in the EU. Customer data is held in multi-tenant datastores; we do not have a separate datastore for each customer. Strict privacy controls in our application code ensure that one customer can never access another customer's data. We have many unit and integration tests in place to verify that these controls work as expected. They run every time our codebase is updated, and a single failing test prevents new code from being shipped to production.
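The pattern behind application-level tenant isolation in a shared datastore, as an added example (not Jumplead's code): a repository layer that adds the tenant filter itself, so no caller can issue an unscoped query, together with the kind of isolation test that would gate a deployment. It assumes every document carries an `account_id` taken from the authenticated session; the in-memory store, the `Contact` shape and the account IDs are constructed for illustration. With a real MongoDB collection the same `scoped_filter` dict would be passed to `collection.find()`.

```python
"""Tenant-scoped data access for a multi-tenant datastore (illustrative example)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List


class TenantIsolationError(Exception):
    """A request tried to reach a document outside its own account."""


@dataclass
class RequestContext:
    """Authenticated request context. account_id comes from the verified
    session, never from a query parameter or request body."""
    account_id: str


@dataclass
class Contact:
    id: str
    account_id: str
    email: str


def scoped_filter(ctx: RequestContext, criteria: Dict[str, Any]) -> Dict[str, Any]:
    """Return the query filter with the tenant constraint applied last, so a
    caller-supplied account_id (malicious or accidental) is always overridden."""
    return {**criteria, "account_id": ctx.account_id}


@dataclass
class ContactRepository:
    # Constructed stand-in for one shared collection holding every tenant's documents.
    _docs: Dict[str, Contact] = field(default_factory=dict)

    def add(self, contact: Contact) -> None:
        self._docs[contact.id] = contact

    def find(self, ctx: RequestContext, **criteria: Any) -> List[Contact]:
        query = scoped_filter(ctx, criteria)
        return [d for d in self._docs.values()
                if all(getattr(d, k, None) == v for k, v in query.items())]

    def get(self, ctx: RequestContext, contact_id: str) -> Contact:
        """Lookup by primary key still goes through the tenant filter, so a
        guessed or leaked foreign ID behaves exactly like a missing one."""
        matches = self.find(ctx, id=contact_id)
        if not matches:
            raise TenantIsolationError(f"{contact_id} is not visible to {ctx.account_id}")
        return matches[0]

    def update_email(self, ctx: RequestContext, contact_id: str, email: str) -> Contact:
        """Writes go read-then-modify through get(), so they inherit the same scope."""
        doc = self.get(ctx, contact_id)
        doc.email = email
        return doc


def build_sample_repo() -> ContactRepository:
    """Two tenants sharing one collection (constructed sample data)."""
    repo = ContactRepository()
    repo.add(Contact("c1", "acct-a", "ann@example.com"))
    repo.add(Contact("c2", "acct-a", "al@example.com"))
    repo.add(Contact("c3", "acct-b", "bob@example.org"))
    return repo


def isolation_checks_pass() -> bool:
    """The kind of test that gates deployment: every cross-tenant path must fail."""
    repo = build_sample_repo()
    a, b = RequestContext("acct-a"), RequestContext("acct-b")
    if {c.id for c in repo.find(a)} != {"c1", "c2"}:
        return False
    # Smuggling another tenant's account_id into the criteria must be ignored.
    if {c.id for c in repo.find(a, account_id="acct-b")} != {"c1", "c2"}:
        return False
    for ctx, foreign in ((a, "c3"), (b, "c1")):
        try:
            repo.update_email(ctx, foreign, "attacker@example.net")
            return False  # a cross-tenant write succeeded
        except TenantIsolationError:
            pass
    return repo.get(b, "c3").email == "bob@example.org"


if __name__ == "__main__":
    print("isolation checks pass:", isolation_checks_pass())
```

The important design choice is that the scope is applied in one place, after the caller's criteria, rather than relying on every handler to remember it; a by-ID lookup is deliberately routed through the same filter so that an ID belonging to another tenant is indistinguishable from one that does not exist.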

Data transfer

All data sent to or from Jumplead is encrypted in transit using TLS. Our certificates use 2048-bit RSA keys and are signed with SHA-256 (SHA256withRSA). Our API and application endpoints are TLS only and score an "A+" rating on SSL Labs' tests, which means we only offer strong cipher suites and have HSTS and Perfect Forward Secrecy fully enabled.
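Two of the properties behind that rating can be checked offline once you have the site's response header and its offered cipher suites. The following is an added example, not Jumplead's code: it parses a `Strict-Transport-Security` value and tests it against the browser preload requirements (max-age of at least one year, `includeSubDomains`, `preload`), and it flags any cipher suite that does not use ephemeral (forward-secret) key exchange. The header value and cipher names are constructed samples; in practice you would feed in the header returned by the live site and the suites reported by a scanner such as SSL Labs or `openssl s_client`.

```python
"""Offline checks for HSTS preload readiness and forward-secret cipher suites."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# hstspreload.org requires at least one year, includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797). Directive names are
    case-insensitive; max-age is mandatory, so a header without it is invalid."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return HstsPolicy(int(max_age), "includesubdomains" in directives, "preload" in directives)


def hsts_preload_ready(header: str) -> bool:
    policy = parse_hsts(header)
    return (policy is not None and policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains and policy.preload)


# Forward-secret suites: every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) and any
# ECDHE/DHE suite in either OpenSSL ("ECDHE-RSA-...") or IANA ("TLS_ECDHE_RSA_WITH_...")
# spelling. Static RSA and static (EC)DH key exchange do not match.
_FORWARD_SECRET = re.compile(r"^(TLS_(AES|CHACHA20)_|(TLS_)?(ECDHE|DHE)[-_])")


def non_forward_secret(suites: List[str]) -> List[str]:
    """Return the suites whose key exchange is not ephemeral, i.e. the ones that
    would cost the Perfect Forward Secrecy mark in a scan."""
    return [s for s in suites if not _FORWARD_SECRET.match(s.strip().upper())]


def sample_report() -> dict:
    """Constructed sample: the header and suites a hardened endpoint might return."""
    header = "max-age=63072000; includeSubDomains; preload"
    suites = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
              "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
    return {"preload_ready": hsts_preload_ready(header),
            "non_pfs": non_forward_secret(suites)}


if __name__ == "__main__":
    print(sample_report())
```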

Jumplead publishes CAA DNS records so that only the certificate authorities we have vetted are permitted to issue certificates for our domains.
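How a CA evaluates those records before issuing, as an added example (not Jumplead's code or DNS data): it implements the relevant-record-set lookup and the `issue`/`issuewild` matching from RFC 8659 against an in-memory zone, which is enough to show why a record on the apex covers every subdomain, why `issuewild ";"` blocks wildcard certificates, and why a name with no CAA anywhere in its ancestry is unrestricted. CNAME handling and DNSSEC are omitted. The zone for `example.com` below is a constructed sample, not Jumplead's actual records.

```python
"""CAA evaluation per RFC 8659 against an in-memory zone (illustrative example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CaaRecord:
    flags: int   # bit 7 (value 128) is "issuer critical"
    tag: str     # issue, issuewild, iodef, ...
    value: str


Zone = Dict[str, List[CaaRecord]]


def parse_caa(presentation: str) -> CaaRecord:
    """Parse the zone-file form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = presentation.split(None, 2)
    return CaaRecord(int(flags), tag.lower(), value.strip().strip('"'))


def normalise(name: str) -> str:
    return name.lower().rstrip(".")


def parent(name: str) -> Optional[str]:
    """'a.b.example.com' -> 'b.example.com'; None once the name is exhausted."""
    _, sep, rest = name.partition(".")
    return rest if sep else None


def relevant_rrset(zone: Zone, fqdn: str) -> Optional[List[CaaRecord]]:
    """Closest ancestor-or-self with a non-empty CAA set. None means no CAA
    anywhere up the tree, which leaves issuance unrestricted."""
    name: Optional[str] = normalise(fqdn)
    while name is not None:
        rrset = zone.get(name)
        if rrset:
            return rrset
        name = parent(name)
    return None


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    A value of ';' alone yields '', which matches no CA (issuance forbidden)."""
    return normalise(value.split(";", 1)[0].strip())


def may_issue(zone: Zone, fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """Would the CA identified by `ca` be allowed to issue for `fqdn`?"""
    rrset = relevant_rrset(zone, fqdn)
    if rrset is None:
        return True
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, overrides issue for wildcards
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True  # CAA set present but silent on this kind of issuance
    return normalise(ca) in {issuer_domain(r.value) for r in applicable}


def build_sample_zone() -> Zone:
    """Constructed sample zone, not any real domain's records."""
    lines = {
        "example.com": [
            '0 issue "letsencrypt.org; validationmethods=dns-01"',  # parameters ignored for matching
            '0 issue "amazon.com"',
            '0 issuewild ";"',                                     # no wildcard certificates at all
            '0 iodef "mailto:security@example.com"',
        ],
        "legacy.example.com": ['0 issue ";"'],                     # nobody may issue under here
    }
    return {name: [parse_caa(line) for line in recs] for name, recs in lines.items()}


if __name__ == "__main__":
    zone = build_sample_zone()
    for name, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "digicert.com", False),
                           ("example.com", "letsencrypt.org", True)]:
        print(name, ca, "wildcard" if wild else "", "->", may_issue(zone, name, ca, wild))
```

A useful habit when publishing CAA is to run exactly this evaluation for every name you expect to get a certificate for, including wildcard names and names under subzones with their own records, before the old certificate expires.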


Authentication

Jumplead is served 100% over HTTPS. We use two-factor authentication (2FA) and strong password policies to protect access to the cloud services we rely on.


Security reports

We encourage and reward contributions from developers and security researchers who help make Jumplead more secure, offering rewards and/or public recognition for security vulnerabilities that are responsibly disclosed to us.


GDPR readiness

We're committed to supporting our customers to prepare for the General Data Protection Regulation (GDPR). We're working on implementing our readiness programme across our organisation.

Policy and product changes, specifically around data access, management and portability are in development. We are also reviewing our contract commitments with our customers and vendors.

We'll be ready to share more detailed information regarding our progress soon, and we commit to being GDPR ready by 25 May 2018.


PCI compliance

Jumplead does not store, process or transmit cardholder data on its own systems. All payment processing is outsourced to Stripe, our PCI DSS compliant payment processing partner.