Product Security

Product security is of paramount importance at Jurnee. Jurnee uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security-oriented software defects can be discovered and addressed more rapidly than in development methodologies with longer release cycles. Software patches are released as part of our continuous integration process. Patches that can impact end users will be applied as soon as possible but may necessitate end user notification and scheduling a service window.

Jurnee performs continuous integration. In this way we are able to respond rapidly to both functional and security issues. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Jurnee adoption. In this way, Jurnee is able to achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike. Jurnee is continuously improving our DevOps practice in an iterative fashion.

Physical Security

The Jurnee production infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security controls for Jurnee production servers, which include buildings and the locks or keys used on doors, are managed by these CSPs. “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.”

Authentication and Access Management

End users may log in to Jurnee using a login and password or via the “Sign-in with Google” service. This service will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Jurnee, such as your name and email address, to pre-populate our sign-up form.

All requests to the Jurnee API must be authenticated and require full user access via a bearer token allowing access to Jurnee service functionality.

Protection of Customer Data

Data submitted to the Jurnee service by authorized users is considered confidential. This data is protected in transit with SSL across public networks and encrypted at rest with LUKS. Customer Data is not authorized to exit the Jurnee production service environment, except in limited circumstances such as in support of a customer request.

All data transmitted between Jurnee and Jurnee users is protected using Transport Layer Security (TLS).

Databases run in our account’s private network, which isolates communication at the account or team level. Requests via the public internet are restricted to a whitelist of IP addresses.

Access to Customer Data is limited to functions with a business requirement to do so. Jurnee has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Jurnee enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes. Jurnee has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.