A Complete Program of Security & Privacy
Jostle takes the security and privacy of your data extremely seriously. In addition to meeting all legally-required security arrangements, we deliver enterprise-level security through a comprehensive program that deals reasonably with all identified risks. This program includes:
Secure Cloud Infrastructure: Jostle’s platform is deployed and secured in a professionally managed cloud infrastructure. The core Jostle platform is run on an IBM infrastructure that is SAS 70 compliant. Some aspects of Jostle are run on Google’s enterprise cloud infrastructure, depending on your degree of integration with Google.
Physical Security: The IBM and Google data centers are well secured and monitored.
Infrastructure Security: The underlying networks and systems are actively managed by IBM and Google, including systematic vulnerability scanning and systematic application of system patches. The underlying software applications are maintained by Jostle, including systematic testing and security patching, as well as real-time monitoring of system health.
Identity and Access Management: Your Jostle deployment is private to your organization. Access is limited to users you designate and controlled by encrypted passwords.
Encryption: All data transmissions you make to/from the Jostle platform and the data centers are securely encrypted at 256 bits via HTTPS (SSL/TLS).
Data Backup: We automatically back up all data daily using a separate physical infrastructure that is also SAS 70 certified.
No Exploitation: Jostle will not use your data, or access your users, other than as required to deliver our service to you. None of our infrastructure providers may access or index your data for any purpose, other than as required to deliver and secure the Jostle service, or as required by applicable law.
Further details on each of these elements of our security program can be found here.
Protection from the Patriot Act
As part of its battle against terrorism, the United States has enacted the “Patriot Act”, which allows US authorities to access data, including personal information, in the custody or control of a service provider located in the United States. Many organizations, including those based in the US, are concerned about this kind of government access to their proprietary data and employee personal information.
Canada has implemented legislation to prevent or minimize the reach of the Patriot Act into Canada. As a Canadian company using Canadian-based hosting centers, Jostle is not subject to the Patriot Act. When you use Jostle’s services, your users’ personal information is much further from the reach of the Patriot Act and well protected by Canada’s robust privacy laws. In contrast, if you buy a cloud-based service from a US-located company, your users’ data can be legally accessed by US authorities under the Patriot Act without your permission or even your knowledge.
If you are a Public Body that is subject to a “personal information storage in Canada” policy or legal requirement, you will be in compliance with your legal obligations if you use Jostle’s cloud computing services. British Columbia (Freedom of Information and Protection of Privacy Act) and Nova Scotia (Personal Information International Disclosure Protection Act) both require all their Public Organizations to store their personal information in Canada (subject to limited exceptions).
European-Level Information Protection
Europe imposes the strictest privacy laws on personal information, far stricter than those of the US. The US has no single data protection law comparable to the EU’s Data Protection Directive (EU Directive 95/46/EC). Consequently, US-based services need to take steps under a self-regulated “US-EU Safe Harbor” program in order to hold EU-derived data and allow their European customers to comply with the Data Protection Directive. However, in many cases such Safe Harbor provisions fall far short of the protections found in the Data Protection Directive, and critics claim that the Safe Harbor program does not provide an adequate level of protection.
The Canadian Personal Information Protection and Electronic Documents Act (SC 2000, c 5), and Canada’s various provincial privacy laws, are closely comparable and equivalent to the EU Data Protection Directive, and have the force of law (not just self-regulation) throughout all of Canada. Thus, European-based customers, or customers who have any EU employees, can confidently use the Jostle platform knowing that EU Data Protection Directive requirements are being fully met and that their data is well protected by Canadian privacy laws. In fact, we provide this same high level of privacy and protection to all Jostle users.
Furthermore, if you are an organization that is subject to any data protection laws, policies or guidelines of a European country that prevent or limit data storage or processing in the US because of Patriot Act or similar concerns (see above), then using Jostle services in Canada is a clear and compelling alternative.
Cloud Computing Guidelines and Best Practices
Jostle complies with best practices and guidelines for cloud computing service providers, as specified in “Cloud Computing Guidelines For Public Bodies”, June 2012, issued by the Office of the Information and Privacy Commissioner for British Columbia, Canada.