Jigso provides a secure, reliable and resilient Software-as-a-Service platform, which has been designed from the ground up based on industry best practices. Jigso’s security standards and practices are backed by a multi-layered approach that incorporates best practices for preventing security breaches, as well as ensuring data integrity, availability, confidentiality and privacy.
Jigso follows a commitment to information security at every level of our organization. Our security program is in accordance with industry-leading best practices. We conduct a variety of audits to ensure continuous compliance with those standards and practices:
SOC 2 compliance covering security, availability, confidentiality, and privacy provides Jigso users with the trust and assurance that Jigso has an effective control system to mitigate operational and compliance risks. It also demonstrates Jigso’s commitment to security.
Privacy
Protecting our customers' data privacy is always a top priority for us. We understand the importance of protecting the critical business and personal information entrusted to Jigso's Platform.
Jigso has implemented a GDPR (General Data Protection Regulation) readiness program. This program includes putting measures in place to identify and delete personal data, ensuring all subcontractors are compliant, and updating the Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA).
Data Center Infrastructure
Jigso hosts its Software-as-a-Service production environments in the Amazon Web Services Virtual Private Cloud (VPC) global infrastructure. AWS data centers are physically secured and protected against environmental risks and disasters. Amazon Web Services (AWS) designs and manages its infrastructure in alignment with the following regulations, standards, and best practices: ISO 27001, SOC 1 (SSAE 16, formerly SAS 70), SOC 2, SOC 3, PCI DSS Level 1, HIPAA, FedRAMP.
AWS updates its compliance programs regularly; refer to the AWS compliance programs page for the current list.
End-to-End Network Isolation – The VPC is logically isolated from other AWS customers, so that traffic inside the cloud cannot be intercepted by other tenants.
External & Internal enforcement points - All servers are protected by restricted AWS Security Groups allowing only the minimal required communications to and between the servers. The configuration of AWS Security Groups is restricted to authorized personnel.
Subnet Segregation – Jigso’s environment is separated into public and private zones, with storage and database tiers in the private zones. Additionally, office and production environments are completely segregated.
Vulnerability Management and Other Risks – Vulnerability scans are performed continuously, and their reports are sent to the relevant personnel for risk analysis and remediation. Monitoring tools and services are deployed to detect and block intrusion attempts and DDoS attacks. Penetration tests are performed annually by an information security consultancy, and any high-risk or critical findings are remediated on a priority basis. Servers are hardened according to industry best practices.
Data Encryption – Traffic between the customer's client and the Jigso platform is encrypted with TLS using a 128-bit AES cipher. Stored data is encrypted at rest on disk with a 256-bit AES cipher. Connections between Jigso customers and the Jigso application, as well as between Jigso sites, use authenticated TLS.
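As a check a practitioner might run against a transport-encryption claim like the one above, the following added Python example (not Jigso's code) connects to a hostname supplied by the caller, verifies the certificate chain and hostname, and evaluates the negotiated protocol and cipher against the stated policy. The minimum version of TLS 1.2 and the requirement for an AEAD (GCM/CCM) AES mode are assumptions added here, as is the placeholder hostname in the usage block.

```python
"""Verify that a TLS endpoint negotiates TLS (not SSL) with an AES cipher."""
import re
import socket
import ssl

# Assumed policy (not stated on the page): TLS 1.2 or newer, AES in an AEAD mode.
MIN_TLS = "TLSv1.2"
_TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Matches both OpenSSL-style names (ECDHE-RSA-AES128-GCM-SHA256)
# and TLS 1.3 IANA-style names (TLS_AES_128_GCM_SHA256).
_AES_AEAD = re.compile(r"AES[-_]?(128|256)[-_]?(GCM|CCM)")


def evaluate_session(protocol: str, cipher: str) -> dict:
    """Judge a negotiated protocol/cipher pair against the assumed policy."""
    level = _TLS_ORDER.get(protocol, 0)
    match = _AES_AEAD.search(cipher)
    protocol_ok = level >= _TLS_ORDER[MIN_TLS]
    return {
        "protocol_ok": protocol_ok,
        "aes_aead": match is not None,
        "aes_bits": int(match.group(1)) if match else None,
        "ok": protocol_ok and match is not None,
    }


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, verify chain and hostname, and evaluate the session.

    Needs network access; the default context refuses untrusted certificates
    and hostname mismatches, so a failing endpoint raises ssl.SSLError.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and TLS <1.2 outright
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, key_bits = tls.cipher()
            result = evaluate_session(tls.version(), name)
            result.update(host=host, protocol=tls.version(), cipher=name, key_bits=key_bits)
            return result


if __name__ == "__main__":
    # Placeholder hostname; replace with the endpoint under review.
    print(check_endpoint("example.com"))
```

`evaluate_session` is separated from the network call so the policy can be unit-tested on cipher names alone, and so the same logic can be reused over a scanner's exported results rather than live connections.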
Web Application Firewall – Jigso uses a WAF to protect against various forms of attack and intrusion. Using a behavioral analysis detection mechanism, both automated and manual intrusion techniques such as SQL injection, Cross-Site Scripting, exploitation of known vulnerabilities and DoS/DDoS attacks are detected and blocked. Zero-day exploits are mitigated by a positive security model: all traffic that does not conform to a strict, fine-grained rule-set describing the application's expected behaviour is denied.
Secure Data Transfer – Any communication and data transfer between the different Jigso servers, the corporate network and the production environment is sent over encrypted connections, such as IPSec and SSH.
Access Restrictions - Access to Jigso’s production environment is restricted to personnel belonging to the Operations team and requires multi-factor authentication.
Configuration and Patch Management – Jigso employs a centrally managed configuration management system through which a predefined configuration is enforced on its servers, as well as the desired patch levels of the various software components.
Risk Management – Risks and threats are identified and evaluated by key Jigso stakeholders during a quarterly risk assessment meeting.
Security Incident Response Management – Whenever a security incident of a physical or electronic nature is suspected or confirmed, Jigso's engineers are instructed to follow the procedures detailed in the Security Incident Response Policy. Customers and legal authorities are notified as required by privacy regulations.
Disaster Recovery – Jigso has both a disaster recovery plan and a business continuity plan in place, and regularly tests them to ensure they are working properly.
Human Resource Security
Security Awareness Training – Jigso’s employees undergo information security awareness training upon joining the company, as well as periodically in conformance with Jigso’s information security policy. The training ensures that each group of employees receives security training appropriate to its technical knowledge and its needs.
Secure Coding Standards and Training – Jigso’s R&D team is regularly trained in secure coding practices, and automated static code analysis (SAST) scanning is implemented.