Joust is committed to protecting customer records, files and other sensitive information acquired as part of Joust's business operations. This Data Security Policy identifies the procedures and methods best suited to store and protect sensitive, personal and confidential information, and to mitigate the risks to that information. The policy covers the twelve data security components described below.
In addition to managing data and network segmentation and Joust’s overall security posture, a designated security professional determines the procedures for identity and access management and reviews this policy at least every 6 months to ensure data security procedures are current and sufficient.
Joust manages data security and accountability by classifying and categorizing different types of data in the Joust system, providing clear guidance on how different types of data should be handled, and through regular training for individuals with access to the Joust system. All Joust employees, contractors, and consultants are required to complete training on their roles and responsibilities as a part of Joust's Data Security Policy at onboarding; all employees and contractors will participate in ad hoc and annual sessions organized by security personnel.
Data produced, collected, verified, or retained by Joust falls into one of the following categories: confidential, internal, general, public. All employees should refer to training materials and other resources for detailed procedures on how each category of data is accessed, stored, shared and handled.
Joust has established procedures for the management and configuration of IP addresses, remote access, hardware and software acquisition and maintenance, and the detection of network intrusions. The designated security manager is responsible for coordinating investigations into any possible computer or network security compromise, addressing security problems with any IT infrastructure, and setting access roles and rules as appropriate (including password procedures, two-factor authentication, and system privileges). The security manager is also charged with ensuring that appropriate computer and communication system security procedures are followed by Joust staff.
Joust's security manager regularly checks Joust's systems for network vulnerabilities, intrusions, or other security issues that could affect the security or privacy of Joust's data. In addition to regular and ad hoc security reviews, all Joust staff are encouraged to report data and IT security concerns to the security manager for review and adjudication. The security manager is also charged with maintaining awareness of new and emerging IT and data security threats, and with updating Joust's procedures and security protocols as needed.
The security manager will supervise and implement all necessary software and security patches to maintain Joust's security posture. The security manager will also regularly review third-party source code libraries and consult with engineering staff on new security vulnerabilities and recommended patches.
Joust has clearly defined procedures for incident response. The security manager leads the evaluation team, determines the appropriate mitigation strategies, and supervises the resolution of the incident. The security manager will also consult Joust’s Business Continuity Plan and submit a Data Security Incident Response Report to Joust’s executive team with the full details of the event and its resolution. The security manager will also update any IT and data procedures as needed, and consult with other departments on necessary policy changes to maintain data security.
Every staff member is subject to Joust's Acceptable Use Policy and signs an agreement at onboarding. The Acceptable Use Policy is a part of the Data Security onboarding training and is reviewed during regular refresher trainings.
The security manager is charged with ongoing monitoring of access to Joust’s IT and data systems and performs regular audits to produce a quarterly report for Joust’s executive staff. The security manager is also responsible for regularly reviewing account privileges to ensure that they remain appropriate and consistent with a staff member’s portfolio and employment status.
We conduct annual internal risk assessments to identify, prioritize and reduce or mitigate known risks. High impact risks are remediated immediately upon discovery. The entire assessment process is thoroughly documented and audited annually by an independent party as part of our third party audit processes. Findings and remediation are reviewed, discussed and approved by our internal security team and leadership.
Joust makes use of third-party platforms to secure our operational environment and to store users' personal information, credit card data and bank information in regulatory compliant environments. These environments are hosted by our partner financial institutions and technology platforms, both of which assume custody of all data. Joust limits internal access to customer data by conducting all transactions with encrypted tokens rather than the underlying data. By collaborating with financial institutions and technology companies, we are able to meet high security standards and comply with relevant federal regulations.
We continuously monitor our platform and supporting infrastructure against threats, including system level vulnerabilities, configuration vulnerabilities, malware/viruses, and all other forms of potential exposures. We also employ the latest threat analytics techniques to identify and contain security anomalies and ensure that our platform and infrastructure have end-to-end event correlation and traceability.
Our platform and infrastructure operate on top of one of the world’s most secure and reliable cloud service providers. Additionally, our platform and infrastructure are continuously monitored to protect your data and make it available when you need it.
Sensitive data is managed in the VGS Vault. VGS Vault encryption keys are stored and managed in a logically separate envelope, apart from the data. Role-based access control ensures that only the Vault application process business logic can access the encryption keys and initiate encrypt & decrypt operations. A data thief would not be able to make use of information stolen from a database without also having the key. Also, the VGS Vault’s backing data store cannot be accessed via the internet.
For data in motion, our security partners require Transport Layer Security (TLS) 1.2 with authenticated-encryption cipher suites. Data at rest is protected using current Authenticated Encryption with Associated Data (AEAD) symmetric ciphers. Data tokenization can follow either the NIST SP 800-38G standard (Format-Preserving Encryption) or the ANSI X9.119-2-2017 standard (Tokenization).
All employees receive regular information security and privacy training. Employees with access to production data receive additional training specific to their roles. Background checks are mandatory for employees with access to production data or production systems.
The custodians of our data have dedicated security staff, including a designated Security Officer and Certified Information Systems Security Professionals.
We regularly conduct both internal vulnerability assessments (including architecture reviews by security professionals) and external vulnerability assessments (including vulnerability assessments and penetration tests by certified PCI QSAs and other managed security services providers).
Detailed internal policies dictate how we handle security and privacy incidents, including detection, response, forensics, and notification. We incorporate security into Joust platform development processes at all stages. From initial architecture considerations to post-release, security is built into all aspects of our platform and development workflow.
We maintain a robust incident response program with well-documented incident response, escalation, and notification plans. Trained personnel are available on a 24/7 basis to monitor and respond to any alerts or events that may indicate more serious security incidents. Our response and escalation plans are tested on at least an annual basis and detailed customer post-mortems are available within 5 business days of any major incidents.
Decryption keys are completely segmented: stored within a highly secured environment separate from vaulted data and all access points touching these environments require multiple layers of authentication.
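The two properties described above, AEAD protection of data at rest and keys kept in a separate envelope from the vaulted data, are easiest to see in code. The following is an added example written for this page, not VGS Vault or Joust code: a per-record data-encryption key (DEK) seals the record with AES-256-GCM and is itself wrapped under a key-encryption key (KEK) that is never stored beside the data. The record ID is bound as associated data at both layers. Field names, the sample card number and the record ID are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the data store keeps for one record: the AES-256-GCM
// ciphertext (tag included) and the record's data-encryption key (DEK),
// itself wrapped under the key-encryption key (KEK). The KEK is never
// written to this store; it lives with the key manager (assumed layout).
type Envelope struct {
	DataNonce  []byte
	Ciphertext []byte
	DEKNonce   []byte
	WrappedDEK []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts plaintext under key with a fresh random nonce, binding aad.
func sealAEAD(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// openAEAD decrypts and verifies; any change to ct, nonce or aad fails the tag check.
func openAEAD(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt seals plaintext under a fresh per-record DEK and wraps that DEK
// under the KEK. recordID is bound as associated data at both layers so a
// ciphertext or wrapped key cannot be silently swapped onto another record.
func Encrypt(kek, plaintext []byte, recordID string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(recordID)
	dataNonce, ct, err := sealAEAD(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := sealAEAD(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{DataNonce: dataNonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the record. Without the
// KEK the stored envelope is useless, which is the property the text relies on.
func Decrypt(kek []byte, e *Envelope, recordID string) ([]byte, error) {
	aad := []byte(recordID)
	dek, err := openAEAD(kek, e.DEKNonce, e.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK, wrong record, or tampered envelope")
	}
	return openAEAD(dek, e.DataNonce, e.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // in practice fetched from the key manager, never from the data store
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record; the card number is a well-known test value.
	env, err := Encrypt(kek, []byte("4111 1111 1111 1111"), "cust-42")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env, "cust-42")
	fmt.Printf("decrypted with KEK: %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), env, "cust-42")
	fmt.Println("decrypted without KEK:", err)
}
```

Stealing the store yields only `Envelope` values; without the KEK the DEK cannot be unwrapped, and because the record ID is associated data, an attacker with write access cannot re-point a stolen envelope at a different customer either. In a real deployment the KEK wrap would be performed by a KMS or HSM so that the KEK bytes never enter the application process at all.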
All users are required to authenticate every time they log into our system. Passwords are never stored directly in our database and all platform communication is conducted using TLS (Transport Layer Security) v1.2.
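The in-motion requirement stated earlier on this page (TLS 1.2 with authenticated-encryption cipher suites) and the statement above that all platform communication uses TLS 1.2 translate into a concrete configuration check. The following is an added example, not Joust's or its partners' code: a weak Go `tls.Config` beside a hardened one, and a small policy checker that flags any server config whose minimum version is below TLS 1.2 or whose suite list includes a non-AEAD (CBC) cipher. The classification of suites by name is an assumption of this example, based on the suite names exported by Go's `crypto/tls`.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// aeadSuite reports whether a cipher suite ID names an AEAD suite (AES-GCM or
// ChaCha20-Poly1305) from Go's supported list. IDs that are unknown or appear
// only in tls.InsecureCipherSuites() are rejected.
func aeadSuite(id uint16) bool {
	for _, s := range tls.CipherSuites() {
		if s.ID == id {
			return strings.Contains(s.Name, "_GCM_") || strings.Contains(s.Name, "CHACHA20_POLY1305")
		}
	}
	return false
}

// CheckConfig returns the policy violations found in a tls.Config. A zero
// MinVersion is flagged too: the policy asks for an explicit floor of TLS 1.2,
// not whatever the Go release happens to default to.
func CheckConfig(c *tls.Config) []string {
	var problems []string
	if c.MinVersion < tls.VersionTLS12 {
		problems = append(problems, "MinVersion not pinned to TLS 1.2 or higher")
	}
	if len(c.CipherSuites) == 0 {
		problems = append(problems, "no explicit cipher suite list")
	}
	for _, id := range c.CipherSuites {
		if !aeadSuite(id) {
			problems = append(problems, fmt.Sprintf("non-AEAD or insecure suite 0x%04x (%s)", id, tls.CipherSuiteName(id)))
		}
	}
	return problems
}

// WeakConfig allows TLS 1.0 and an RSA-key-exchange CBC suite (the "before").
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedConfig pins TLS 1.2+ and forward-secret AEAD suites only (the "after").
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

func main() {
	fmt.Println("weak:    ", CheckConfig(WeakConfig()))
	fmt.Println("hardened:", CheckConfig(HardenedConfig()))
}
```

Note that Go applies `CipherSuites` only to TLS 1.2 negotiations; TLS 1.3 suites are all AEAD and are not configurable, so pinning `MinVersion` is what matters once clients speak 1.3.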
Our security partners monitor and review employee, customer, and vendor behavior to guard against suspicious or unauthorized activity. We work with independently certified third parties to conduct vulnerability scans at least quarterly and extended penetration tests at least once a year.
Our first priority is to mitigate risk to your data and our systems. Where reasonable, we work to remediate issues and minimize customer impact and interaction.
Any new incidents or vulnerabilities are immediately escalated to our security team, reviewed for applicability, risk ranked, and assigned to be resolved by the appropriate personnel.
The latest applicable security patches and secure configurations are applied to all operating systems, containers, applications, infrastructure, etc. to mitigate exposure to vulnerabilities. Our environments are scanned regularly using best of breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and misconfigurations of systems and sites.
Security principles and required security training help ensure that Joust engineers make the best security decisions possible during the design and revision process. We employ threat assessments on high-risk features to help us identify potential security issues as early in the development lifecycle as possible.
To prevent and address code-level vulnerabilities, we utilize secure coding patterns and static code analysis tools to identify and prevent security flaws. In addition to static code analysis, we leverage language and framework dependency checks to assess dependencies for known vulnerabilities.
Internal and external penetration tests are conducted annually by a qualified independent security organization. Any vulnerabilities found are documented and immediately remediated. Post-mortem analysis is performed to identify root cause and implement additional controls.
Prior to release, we validate that the functionality being developed and maintained meets our internal security requirements. Post-release, we utilize independent security service providers to analyze and monitor the product for potential security issues.
All new functionality requires extensive testing and peer-code review. Additionally, we provide explicit notice around any changes impacting customer experience or usage and are committed to working with our customers to minimize any negative impact from changes.
We use automated tools to alert us when downtime thresholds have been reached. Additionally, we continuously monitor our availability and uptime by reviewing and evaluating our current processing capacity and usage so that we can best manage capacity demand and meet our availability commitments and system requirements.
We maintain a robust and well-documented recovery plan. We run daily backups of any changes and conduct a full backup on a weekly basis. Backups are replicated across multiple availability zones. Disaster recovery drills are conducted on at least a bi-annual basis.