
Security & Architecture

Introduction

Enterprises increasingly rely upon third-party software and services to handle business-critical processes and operations. Whether on-premises or in the cloud, these solutions must provide a level of security that protects critical company data and minimizes risk.

Jigso provides a secure, reliable and resilient Software-as-a-Service platform, which has been designed from the ground up based on industry best practices. Jigso’s security standards and practices are backed by a multi-layered approach that incorporates best practices for preventing security breaches, as well as ensuring data integrity, availability, confidentiality and privacy.

The sections below review the network and hardware infrastructure, software security and information security that Jigso includes as part of this platform.

Data Center Infrastructure

Jigso hosts the Software-as-a-Service production environments in the Amazon Web Services Virtual Private Cloud global infrastructure. Servers at the data center are located in a secured location with security measures implemented to protect against environmental risks or disaster. Amazon Web Services (AWS) designs and manages its infrastructure in alignment with the following regulations, standards and best practices: ISO 27001, SOC 1/SSAE 16 (formerly SAS 70), SOC 2, SOC 3, PCI DSS Level 1, HIPAA and FedRAMP.

AWS constantly updates its compliance programs; refer to the AWS compliance program listing for the full and up-to-date list.

Infrastructure Security

End-to-End Network Isolation – The Virtual Private Cloud is designed to be logically separated from other cloud customers and to prevent data within the cloud from being intercepted.

External & Internal enforcement points – All servers are protected by restricted AWS Security Groups allowing only the minimal required communications to and between the servers. The configuration of AWS Security Groups is restricted to authorized personnel.

Subnet Segregation – Jigso’s environment is separated into public and private zones. Only the web servers in the public zone are accessible from the Internet, over HTTPS on port 443. HTTP traffic on port 80 is used only to redirect customers to a secure connection over HTTPS. All other servers, such as database, storage and services machines, are restricted to the private zone.
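The two controls above (restricted Security Groups, and a public zone that exposes only TCP 443 plus the port 80 redirect) can be verified mechanically. The following is an added audit example, not code from the original page or from Jigso: it walks security-group rules in the shape returned by EC2 DescribeSecurityGroups and reports every rule that breaks the public/private zone policy. The group IDs (sg-web, sg-db, sg-services) and their rules are constructed sample data, and the drift in sg-services is deliberate so the audit has something to find.

```python
"""Audit EC2 security-group ingress rules against a public/private zone policy.

Policy encoded here:
  * only the public web tier's group (web_sg_id) may accept Internet sources,
    and only on TCP 443 (HTTPS) and TCP 80 (HTTP redirect to HTTPS);
  * every other group is private-zone and must never accept Internet sources;
  * no group may use an all-traffic rule (IpProtocol "-1"), because that is
    not "minimal required communications".

The dict shape mirrors a DescribeSecurityGroups response, so the same function
runs unchanged on boto3 output. All IDs and rules below are constructed samples.
"""
from typing import Dict, List, Tuple

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS = {80, 443}


def rule_ports(perm: Dict) -> Tuple[int, int]:
    """Port range covered by one IpPermissions entry; '-1' means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def rule_sources(perm: Dict) -> Tuple[List[str], List[str]]:
    """Split a rule's sources into CIDR blocks and referenced security groups."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sgs = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return cidrs, sgs


def find_violations(groups: List[Dict], web_sg_id: str) -> List[str]:
    """Return one finding per ingress rule that breaks the zone policy."""
    findings: List[str] = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = rule_ports(perm)
            cidrs, _sgs = rule_sources(perm)
            from_internet = any(c in INTERNET_CIDRS for c in cidrs)

            # Wildcard protocol/port rules violate least privilege wherever they sit.
            if proto == "-1":
                findings.append(f"{gid}: all-traffic rule; restrict to the needed protocol and port")
                continue

            if from_internet:
                if gid != web_sg_id:
                    findings.append(
                        f"{gid}: private-zone group reachable from the Internet on {proto} {lo}-{hi}"
                    )
                elif not (proto == "tcp" and lo == hi and lo in PUBLIC_PORTS):
                    findings.append(f"{gid}: Internet ingress on {proto} {lo}-{hi} is outside TCP 80/443")
    return findings


# Constructed sample groups (hypothetical IDs). sg-web and sg-db follow the
# policy; sg-services carries two deliberate drifts for the audit to catch.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-services", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_GROUPS, "sg-web"):
        print("VIOLATION", finding)
```

Run against a live account by replacing SAMPLE_GROUPS with the "SecurityGroups" list from boto3's describe_security_groups; the findings are the rules to remove or tighten, and an empty list is the state the Subnet Segregation control describes.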

Server Hardening – Servers are hardened according to industry best practices.

Vulnerability Management – Vulnerability scans are performed continuously, and their reports are sent to the relevant personnel for risk analysis and remediation. In addition, Jigso subscribes to several relevant security bulletins and notification services, which are monitored by the relevant personnel. When a relevant vulnerability is discovered, the incident response team is alerted to determine the appropriate response.

Intrusion Prevention – Monitoring tools are implemented to detect unusual or unauthorized activities and conditions at ingress and egress points. These tools monitor server and network usage, port scanning activities, application usage and unauthorized intrusion attempts.

Distributed Denial of Service (DDoS) Protection – Multiple services to mitigate DDoS attacks are in place, as well as multi-homed network connections across multiple transit providers to achieve Internet access diversity.

Segregation Between Office and Production Networks – There is a complete separation between the Jigso Corporate network and the Production network. Access to the production environment is granted to authorized personnel only, and traffic between the networks is sent over an encrypted tunnel.

Regular Penetration Tests – Penetration tests are performed on the Jigso application annually to verify, among other things, that customers, groups of individuals and other entities only have access to their own confidential information. The penetration test is performed by an information security consultancy group against Jigso’s application. Any identified critical and high-risk security vulnerabilities are mitigated as soon as possible after each penetration test.

Application Security

Data Encryption – Traffic between the customer client and the Jigso platform is encrypted through TLS using a 128-bit AES cipher. Stored data is encrypted at rest on disk using a 256-bit AES cipher. Encryption between Jigso customers and the Jigso application, as well as between Jigso sites, is enabled using an authenticated SSL tunnel.

Web Application Firewall – Jigso uses a WAF in order to protect against various forms of hacking and intrusion. Using an advanced behavioral analysis detection mechanism, both automated and manual intrusion techniques, such as SQL injection, Cross-Site Scripting, known vulnerabilities and DoS/DDoS attacks, are detected and blocked. Zero-day exploits are mitigated by denying all traffic that does not conform to a strict, fine-grained rule set of application specifications. Based on a large, comprehensive and growing database of web-related vulnerabilities, mitigations for new attack patterns are continuously added. The system automatically blocks suspicious activities and issues alerts 24/7.

Segregation of Customer Data – Jigso employs a login system and authorization mechanism based on industry best practices which has been validated by third-party security consultants. During each user request, a validation process is performed through encrypted identifiers to ensure that only authorized users gain access to the specific data.

Operational Security

Secure Data Transfer – Any communication and data transfer between the different Jigso servers, the corporate network and the production environment is sent over encrypted connections, such as IPSec and SSH.

Access Restrictions – The data analysis processes are monitored and conducted by Jigso personnel for business needs only. Access to Jigso’s production environment is restricted to personnel belonging to the Operations team and requires multi-factor authentication.

Anti-Virus and Anti-Malware Protection – Jigso employs centrally managed endpoint anti-virus and anti-malware solutions for the entire infrastructure.

Configuration and Patch Management – Jigso employs a centrally managed configuration management system through which a predefined configuration is enforced on its servers, as well as the desired patch levels of the various software components.

Risk Management – Risks and threats are identified and evaluated by key Jigso stakeholders during a quarterly risk assessment meeting. Meeting minutes and action items for mitigation are documented, reviewed and escalated to senior management if deemed necessary.

Security Incident Response Management – Whenever a security incident of a physical or electronic nature is suspected or confirmed, Jigso's engineers are instructed to follow the appropriate procedures detailed in the Security Incident Response Policy. Customers and legal authorities will be notified as required by privacy regulations.

Log Management – Jigso has implemented a central read-only log repository which provides easy search and alerting capabilities. Actions in the Jigso system are logged and log data is reviewed on a regular basis. Jigso does not allow customers to access logs. However, in case of a court order or official investigation, Jigso provides the required information.

Disaster Recovery – Jigso has both a disaster recovery plan and a business continuity plan in place, and regularly tests them to ensure they work properly. The disaster recovery plan includes a comprehensive and established series of actions to take before, during and after a disruptive event. It includes an alternative processing site and an approach for returning to the primary processing site as quickly as possible. The business continuity plan includes a comprehensive approach to quickly restoring computer systems in the event of any service interruption.

Human Resource Security

Security Awareness Training – Jigso’s employees undergo information security awareness training upon joining the company, as well as periodically in conformance with Jigso’s information security policy. The training ensures that each group of employees receives security training appropriate to its technical knowledge and its needs.

Secure Coding Standards and Training – Jigso’s R&D team is regularly trained in secure coding practices and automatic static code analysis scanning is implemented.

Compliance

Jigso is committed to information security at every level of our organization. Our security program is in accordance with industry-leading best practices. We conduct a variety of audits to ensure continuous compliance with those standards and practices:

SOC 2 compliance, covering security, availability, confidentiality and privacy, provides Jigso users with the trust and assurance that Jigso has an effective control system to mitigate operational and compliance risks. It also demonstrates Jigso’s commitment to security.

Jigso hosts all of its software on the Amazon Web Services (AWS) cloud platform. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 2 and ISO 27001.

Privacy – Protecting our customers' data privacy is always a top priority for us. We understand the importance of protecting the critical business and personal information entrusted to Jigso's platform.

Jigso has implemented a GDPR (General Data Protection Regulation) readiness program. This program includes putting measures in place to identify and delete private data, ensuring all subcontractors are compliant, and updating Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA).

©2022 Jigso. All rights reserved. Designed by Moxie Method.
