1. OUR COMPANY AND PRODUCT
J.E.S.I. Management Solutions Pty Ltd takes data security and privacy very seriously. Our JESI users are located all over the world, and we want to provide confidence that the practices and policies we have implemented are aligned to global best practice and to continuous improvement, management and monitoring.
JESI is a Travel or Journey Management Software solution that creates a Safer connected network irrespective of where Travelers are going or what type of transport is being used. Using SMS or Online check in, users can confirm their Safe arrival. If Travelers don’t confirm their safe arrival, JESI automates an Emergency Alert to predetermined contacts.
JESI is a cloud-based software solution that is accessible across the globe via any device that can connect to the Internet. The user does require data connectivity to view data, create, edit or delete a journey and generate an incident alert, however the user does NOT require data connectivity to generate an automated escalation alert. The users do require either data or mobile connectivity to confirm a safe check-in.
JESI was launched as a commercialized entity in March 2014 and has achieved significant growth across the globe and is recognized as industry best practice for managing a workforce who operate in remote and isolated environments. JESI aspires to being the number one Risk Management Solution for remote and isolated workers in the world. As such, our commitment to safeguarding our client and user’s data is critical and one that the company takes seriously.
2. SECURITY CONTROLS
2.1 DATA CENTER SECURITY
JESI outsources hosting of its product infrastructure with the world’s most recognised data-center provider, Amazon Web Services (AWS). AWS has the capability to host data in multiple locations across the globe; however, we have selected Australia (Sydney) as the primary location for JESI to be hosted. Australia has a strict regulatory security and privacy framework that is considered to be one of the best in the world (see AUS Privacy Principles). AWS maintains an audited security program, including SOC-2 and ISO 27001 compliance (see AWS Compliance Programs). AWS Cloud provides built-in controls, auditing and managing identity, configuration and usage that support our ability to remain compliant with governance and regulatory requirements. Their extensive infrastructure guarantees system uptime of 99.95 to 100% and includes power, networking or security considerations. Access to AWS physical centres is controlled with security guards and highly classified restrictions for AWS Employees (see AWS Data centres and controls).
2.2 NETWORK SECURITY
Security is implemented in AWS Virtual Private Cloud (VPC) security groups, which apply address and port protection to limit what is accessible. This allows for greater control over network traffic from public networks. We are continually reviewing and improving network security.
2.3 CONFIGURATION MANAGEMENT
The tech tools used to manage the system configurations enable an automated and consistent methodology that safely and predictably creates, changes, and improves infrastructure. This facilitates an automated and systematic approach to storing version controls, reduces errors, duplication and replication, and significantly improves efficiencies.
Principles used are aligned to The Twelve-Factor App of storing configuration with the application.
2.4 ALERTING & MONITORING
JESI has fully automated build procedures that include automated monitoring, alerting and response technologies to continuously alert the JESI technical team when components of the software are not operating correctly. These alerts also include unexpected or malicious activities.
Our technical team operate a 24/7 rostering schedule that ensures timely responsiveness to automated alerts when required. The JESI system captures and stores logs that incorporate other integrated third party technologies. These logs include authentication attempts, permission changes, infrastructure health, and requests performed, among many other commands and transactions. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.
At the user front end, all system interaction, page views, and other access to the JESI Software is also logged. All changes to the codebase require a testing and review process before being deployed.
2.5 ACCESS TO JESI INFRASTRUCTURE
Access to the JESI Infrastructure is tightly controlled by the Development Team through AWS Identity and Access Management policies & access keys. All access is tracked, logged, and date stamped.
3. APPLICATION PROTECTION
3.1 WEB APPLICATION SECURITY
AWS provides several security capabilities and services for privacy and controlled network access. Network firewalls built into Amazon VPC, and web application firewall capabilities in AWS Web Application Firewall (WAF), allow the creation of private networks and control access to instances and applications. AWS ensures secure connections by using encryption in transit across all services. Protections from Distributed Denial of Service (DDoS) attacks are automatically provided by AWS.
Multiple layers of authorization rules are applied to all API interactions to ensure confidentiality between tenants. This ensures that data is not visible between tenants.
3.2 PRODUCT DEPLOYS
JESI continues to deliver product enhancements, additional features and other technical requirements. These varying types of deploys can be administered several times during the day, week, month and year.
Prior to deploying new or additional code, our technical team has a rigorous release process that incorporates functional testing, code reviews, testing and approval to release. If a failure occurs during a deploy, rollback is immediately and automatically engaged. The deploys released to the live production site occur without any disruption for JESI users.
Major feature or epic releases are controlled extensively in the staging environment and testing is generally undertaken by JESI Customer Solutions Representatives and if relevant, the engagement of JESI Clients.
3.3 VULNERABILITY SCANNING & PENETRATION TESTING
The level of maturity associated with our current software development, future product development roadmap and company growth incorporates a future scheduled program that incorporates vulnerability scanning and penetration testing.
We have a comprehensive risk management matrix that is undertaken and maintained for all of the JESI technology tools.
4. CUSTOMER DATA PROTECTION
4.1 CONFIDENTIAL INFORMATION CAPTURED IN JESI
4.2 CREDIT CARD INFORMATION PROTECTION
Several JESI Products require customers to pay for the service by credit card. JESI does not store, process or collect credit card information submitted to us by customers. Our third party vendors are trusted and hold relevant PCI-compliant requirements. For purchases made directly online via trusted website, JESI uses Stripe and for online credit payments for invoicing, JESI uses Pin Payments.
4.3 ENCRYPTION IN-TRANSIT & AT-REST
All interactions with JESI are encrypted in-transit with TLS 1.1 or 1.2 and 2048-bit keys.
All database information is encrypted at rest. JESI does not permit collecting or storing of sensitive information like financial or health data through its service, as outlined in our End User Agreement.
4.4 USER AUTHENTICATION & AUTHORIZATION
The password process is encrypted and secure. A new JESI user is required to create a unique password that is not restrictive; however, a 4-digit security code is generated that secures the user identity to their JESI profile. Additional security for the JESI user is by way of confirming their mobile number to their last name when first activating their JESI user profile. If the user’s mobile number is updated, the user is required to respond to the SMS by confirming with their last name. The same process is applied when a forgotten password or password reset is activated.
JESI Company Accounts incorporate 4 permission levels and the company/Client is responsible for administering the users’ permissions based on their own internal access roles. For more information about user roles, please view JESI Company Account Permission Levels.
4.5 JESI EMPLOYEE ACCESS
JESI has restrictive controls for JESI employees accessing data across the entire JESI infrastructure, to include but not limited to, technology tools that are directly related to the JESI software, internal corporate functions, production clients and other customer solution tools to manage user interaction. JESI employees are granted access to production data based on their role in the company through role based access controls or on an as-needed basis.
Engineers and members of the technical team may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, as well as to analyze information that supports product development or support. Access to the product infrastructure is restricted and requires user authentication and authorization controls. Access to networking infrastructure is strictly limited to members of the Technical team and our data-center support team.
The JESI Customer Solutions Team have access based on their work responsibilities associated with supporting and servicing JESI Company Accounts. All access requests, logins, queries, page views and similar information are logged.
All JESI Employees are inducted into the company and associated policies, including non-disclosure confidentiality agreements.
4.7 DATA RETENTION POLICY
Customer data is retained for as long as required and in-line with respective company data retention policies. Data can be destroyed only upon a client’s written request.
5. BUSINESS CONTINUITY & DISASTER RECOVERY
JESI maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, JESI’s goal is to quickly and transparently isolate and address the issue.
Infrastructure is replicated and distributed across 2 distinct availability zones within AWS, to allow full redundancy.
5.1 BACKUP STRATEGY
Full database backups occur as a minimum once a day and are stored on a distributed file storage facility. Backups are tested and retained indefinitely or as required by company policy. Backups are encrypted and have strict access policies.
5.2 JESI SOFTWARE INCIDENT MANAGEMENT
JESI Management Solutions Pty Ltd provides 24×7 coverage to respond quickly to all security and privacy events. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, third party alerts, customer requests, security events, and others.
In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate back to the customer (and any other affected customers) via email or phone (if email is not sufficient). We provide periodic updates as needed to ensure appropriate resolution of the incident.
Our Data Protection Officer reviews all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
5.3 JESI DATA BREACHES
JESI considers all data breaches serious and has several automated alert mechanisms in place to identify if a data breach has occurred within the JESI Hosted Environment. Primarily the alerts identify unauthorized access to the JESI hosted infrastructure and associated third party technology providers.
If a data breach has occurred, the initial analysis is to determine the extent of the breach, who may have been impacted, the type of breach and how to immediately quarantine or disable if necessary.
Once the breach has been effectively triaged, the JESI Data Protection Officer is appointed to communicate the data breach to those impacted, to advise what the breach was/is, who has been impacted, how they may be impacted and if at that time, a resolution to resolve the breach has been deployed or actioned. The timeframe for disclosure of the data breach to the respective parties is within 72 hours of the breach having been identified and assessed.
Post the outcome of the data breach, the JESI technical team initiate further investigations to identify the root cause, and implement modifications as required to prevent further breaches.
6. JESI CUSTOMER RELATIONSHIP MANAGEMENT (CRM)
JESI maintains a Customer Relationship Management (CRM) system that captures customer/client data including Company Names, First/Last names, email, mobile and other phone numbers, communication correspondence, JESI proposals and other customer related information. Access to the CRM data is limited to a small set of JESI employees based on their roles, and access is limited to the individuals who need it to respond to customer support and related requests.
JESI uses other communication tools to keep prospective clients up to date with the company progress, enhancements, case studies and general JESI information. The data captured includes Company Names, First/Last names, email and job title. An opt-in/opt-out feature is available that allows people to self-subscribe or unsubscribe. Subscribers on the list are added by self-subscribing via the JESI website.
Other JESI communication is to the JESI users, by way of the JESI Checkin Newsletter. The primary purpose of the JESI Checkin is to keep JESI users up to date with product enhancements, new features and other information that directly relates to the JESI Software.
JESI does not sell or share lists with any third parties.
7. CERTIFIED TECHNOLOGY
JESI maintains a Technology Risk Register that provides oversight to a variety of third party technology tools that manage all associated functions with the JESI Software, Client Management, Communication and Corporate Governance. This process ensures that the third party technology tools that are used or integrated hold industry best practice with respect to privacy and security certifications.
Our primary Sub-processors include AWS, Google and Twilio.
8. OUR COMMITMENT TO GDPR
The General Data Protection Act (GDPR) is considered the most significant piece of European data protection legislation to be introduced in the European Union (EU) and is effective as of 25th May 2018 (see GDPR Requirements).
As JESI is a provider of services for clients located in the EU, we have an obligation to ensure compliance. In our view the requirements are industry best practice and set a global benchmark in data security.
We have created a checklist that identifies our progress in meeting the GDPR requirements (see JESI Checklist GDPR).
JESI values transparency in the way we manage the security and privacy of our user’s data and are continuously improving our process and system security.
This document is intended to highlight the methods, approaches and process we have in place to demonstrate our commitment to providing best practice for both the JESI business, JESI Account Companies, Subscribers and users.