Welcome to Jigso’s security portal! This portal provides an overview of our commitment to security and compliance. You can find our certifications, security practices, and explore details on our controls.
SOC 2 Type II
GDPR Compliant
The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.
The company restricts privileged access to encryption keys to authorized users with a business need.
The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.
System access restricted to authorized access only
The company's access control policy documents the requirements for the following access control functions:
The company restricts privileged access to databases to authorized users with a business need.
The company restricts privileged access to the firewall to authorized users with a business need.
The company restricts privileged access to the production network to authorized users with a business need.
The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.
The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.
The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.
The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
The company's network is segmented to prevent unauthorized access to customer data.
The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.
The company uses firewalls and configures them to prevent unauthorized access.
The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.
The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.
The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.
The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.
The company requires passwords for in-scope system components to be configured according to the company's policy.
The company requires employees to sign a confidentiality agreement during onboarding.
The company requires contractors to sign a confidentiality agreement at the time of engagement.
The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.
The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.
The company performs background checks on new employees.
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
The company encrypts portable and removable media devices when used.
The company maintains a formal inventory of production system assets.
The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
The company's formal policies outline the requirements for the following functions related to IT / Engineering:
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.
The company utilizes a web application firewall, or WAF, to protect against a wide range of potential threats or intrusions.By using an advanced behavioral analysis detection mechanism, both automated and manual intrusion techniques such as SQL Injections, Cross Site-Scripting, known vulnerabilities and DoS/DDoS attacks are detected and blocked. Zero-day exploits are mitigated by denying all traffic which does not conform to a strict, fine-grained rule-set of application specifications.
The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.
The company's datastores housing sensitive customer data are encrypted at rest.
The company has a vendor management program in place. Components of this program include:
The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.
The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
The company tests their incident response plan at least annually.
The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.
The company's information security policies and procedures are documented and reviewed at least annually.
Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.
The company maintains an organizational chart that describes the organizational structure and reporting lines.
The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
The company notifies customers of critical system changes that may affect their processing.
The company's data backup policy documents requirements for backup and recovery of customer data.
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
The company restricts access to migrate changes to production to authorized personnel.
The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.
The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.
The company requires passwords for in-scope system components to be configured according to the company's policy.
The company requires employees to sign a confidentiality agreement during onboarding.
The company requires contractors to sign a confidentiality agreement at the time of engagement.
The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.
The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.
The company performs background checks on new employees.
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
The company encrypts portable and removable media devices when used.
The company maintains a formal inventory of production system assets.
The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
