Comprehensive security and privacy
Jostle takes the security and privacy of your data extremely seriously. We deliver enterprise-level security through a comprehensive program that’s audited annually against SOC 2 Type II requirements. Key elements of our security program include:
In order to comply with the data privacy requirements in your region, you can choose to have your instance hosted on any of our data centers, which are located in the US, Europe, Australia, and Canada. If your Jostle® instance is Google integrated, your LIBRARY files will be stored in Google Drive using your own Google domain.
Jostle’s platform is deployed and secured in a professionally managed cloud infrastructure, utilizing best-in-class, third-party data center providers. Key features include:
- network of global SOC 2 and ISO 27001 compliant data centers and service providers;
- systematic vulnerability scanning and systematic application of system patches to ensure threats are identified and removed; and,
- 24x7 monitoring and protection.
Your data is only ever stored in our production environment, is owned by you, and can only be accessed by the people you authorize. All data transmissions you make to/from the Jostle platform and the data centers are securely encrypted at 128 bits via HTTPS (SSL/TLS).
Our access to your data is strictly controlled and limited to authorized personnel, and only for the purposes of delivering and supporting Jostle’s services. All Jostle employees receive training on Jostle’s security and privacy policies and procedures.
Our software services undergo rigorous testing from both security and performance perspectives, and we use best-in-class systems to independently monitor security, performance, and system health in real time. We also utilize third-party testing as required to identify and address any vulnerabilities.
Jostle automatically backs up all data daily using a separate physical and logical infrastructure, and retains the backups for seven days.
Your Jostle intranet is only accessible by the people that you invite. Identity management can be handled using a unique Jostle ID, or via integration with Active Directory or one of our qualified third-party SSO providers. Your administrators can define access to the content in your Jostle intranet based on role, location, and a number of other parameters.
Certifications and audits
Jostle’s operations undergo an annual third party audit according to AICPA SOC 2 Trust Service Principles. A copy of our most recent SOC 2 Type II report is provided to customers under NDA.
Jostle complies with best practices and guidelines for cloud computing service providers, as specified in “Cloud Computing Guidelines For Public Bodies”, June 2012, issued by the Office of the Information and Privacy Commissioner for British Columbia, Canada.
Data ownership and confidentiality
You maintain ownership of all the enterprise data you put in your Jostle intranet. Per our Subscriber Agreement, we have strict obligations to keep it secure and confidential.
Keeping your data in-country
A number of Jostle customers have strict requirements to keep their data in a particular country. For example, many publicly funded organizations in Canada must do this. Jostle’s FOIPPA option: a) keeps your data in the specified country, and b) stops users from logging in if they’re outside that country, including via the mobile phone. Learn more…
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. Jostle is committed to helping our customers comply with the GDPR through our robust privacy and security protections.
As a Canadian Corporation, Jostle has always had to comply with the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”). Although many of the provisions of the GDPR are similar to those contained in PIPEDA, there are some unique requirements that will require enhancements to our service, contracts, and documentation. We’re currently working with our European customers to finalize these details in advance of the May 2018 deadline.