J.E.S.I. Management Solutions Pty Ltd takes data security and privacy very seriously. Our JESI users are located all over the world, and we want to provide confidence that the practices and policies we have implemented are aligned with global best practice and with continuous improvement, management and monitoring.
JESI is a software solution for companies to effectively monitor remote and isolated workers, creating a safer connected network irrespective of where a worker may be located. Using SMS or online check-in, users can confirm their safe arrival. If a JESI user does not confirm their safe arrival, JESI automatically sends an Emergency Alert to predetermined contacts.
JESI is a cloud-based software solution that is accessible across the globe via any device that can connect to the Internet. The user does require data connectivity to view data, to create, edit or delete a journey and to generate an incident alert; however, the user does NOT require data connectivity for an automated escalation alert to be generated. The user does require either data or mobile connectivity to confirm a safe check-in.
JESI was launched as a commercial entity in March 2014, has achieved significant growth across the globe and is recognized as industry best practice for managing a workforce who operate in remote and isolated environments. JESI aspires to be the number one Risk Management Solution for remote and isolated workers in the world. As such, our commitment to safeguarding our clients' and users' data is critical and one that the company takes seriously.
As of 20 October 2021, JESI Management Solutions Pty Ltd is ISO 27001 accredited. This means that the company's data security processes are aligned with global best practice for information security management and that it operates a robust and practical framework focused on the preservation of confidentiality and integrity.
In addition, JESI Management Solutions Pty Ltd engages third-party penetration testing services on an annual basis. These services identify vulnerabilities within the application and provide defensive capabilities to protect against malicious software attacks.
3. SECURITY CONTROLS
JESI outsources hosting of its product infrastructure to the world's most recognised data-centre provider, Microsoft Azure. Microsoft Azure can host data in multiple locations across the globe; we have selected Australia (Sydney) as the primary location for JESI to be hosted. Australia has a strict regulatory security and privacy framework, the Australian Privacy Principles, that is considered to be one of the best in the world. Microsoft Azure maintains an audited security program, including SOC 2 and ISO 27001 compliance (see Microsoft Azure Compliance Programs). Microsoft Azure provides built-in controls for auditing and managing identity, configuration and usage that support our ability to remain compliant with governance and regulatory requirements. Its extensive infrastructure guarantees system uptime of 99.95 to 100% and addresses power, networking and security considerations. Access to Microsoft Azure physical data centres is controlled with security guards and tightly classified access restrictions for Microsoft Azure employees (see Microsoft Azure Data centres and controls).
Security is implemented with Microsoft Azure Virtual Private Cloud (VPC) security groups, which apply address- and port-based rules to limit what is accessible. This provides greater control over network traffic from public networks. We continually review and improve network security.
The tooling used to manage system configuration provides an automated and consistent methodology that safely and predictably creates, changes and improves infrastructure. It keeps configuration under version control in an automated and systematic way, reducing errors, duplication and replication, and significantly improves efficiency.
The principles used are aligned with The Twelve-Factor App approach to storing configuration with the application.
JESI has fully automated build procedures that include automated monitoring, alerting and response technologies to continuously alert the JESI technical team when components of the software are not operating correctly. These alerts also cover unexpected or malicious activity.
Our technical team operates a 24/7 roster that ensures timely response to automated alerts when required. The JESI system captures and stores logs that incorporate the other integrated third-party technologies. These logs include authentication attempts, permission changes, infrastructure health and requests performed, among many other commands and transactions. Logs and events are monitored in real time, and events are escalated immediately, at any hour of the day, to developers, security professionals and engineers to take appropriate action.
At the user front end, all system interactions, page views and other access to the JESI software are also logged. All changes to the codebase require a testing and review process before being deployed.
Access to the JESI infrastructure is tightly controlled by the Development Team through AWS Identity and Access Management policies and access keys. All access is tracked, logged and date-stamped.
Microsoft Azure provides several security capabilities and services for privacy and controlled network access. Network firewalls built into the Microsoft Azure VPC, and web application firewall capabilities in Microsoft Azure Web Application Firewall (WAF), allow the creation of private networks and control access to instances and applications. Microsoft Azure ensures secure connections by using encryption in transit across all services. Protection from Distributed Denial of Service (DDoS) attacks is automatically provided by Microsoft Azure.
Multiple layers of authorization rules are applied to all API interactions to ensure confidentiality between tenants, so that one tenant's data is not visible to another.
JESI continues to deliver product enhancements, additional features and other technical requirements. These different types of deployment may occur several times a day, week, month or year.
Prior to deploying new or additional code, our technical team follows a rigorous release process that incorporates functional testing, code reviews, further testing and approval to release. If a failure occurs during a deployment, rollback is engaged immediately and automatically. Deployments to the live production site occur without any disruption for JESI users.
Major feature or epic releases are controlled extensively in the staging environment, where testing is generally undertaken by JESI Customer Solutions Representatives and, where relevant, with the engagement of JESI Clients.
Our software development maturity, product development roadmap and company growth incorporate a scheduled future program of vulnerability scanning and penetration testing.
We maintain a comprehensive risk management matrix covering all of the JESI technology tools.
Several JESI products require customers to pay for the service by credit card. JESI does not store, process or collect credit card information submitted to us by customers. Our third-party payment vendors are trusted and hold the relevant PCI compliance. For purchases made directly online via a trusted website, JESI uses Stripe, and for online credit card payments of invoices, JESI uses Pin Payments.
All interactions with JESI are encrypted in transit with TLS 1.1 or 1.2 and 2048-bit keys.
All database information is encrypted at rest. JESI does not permit the collection or storage of sensitive information such as financial or health data through its service, as outlined in our End User Agreement.
The password process is encrypted and secure. A new JESI user is required to create a unique password; no restrictive composition rules are imposed, but a 4-digit security code is generated that ties the user's identity to their JESI profile. Additional security for the JESI user is provided by confirming their mobile number against their last name when first activating their JESI user profile. If the user's mobile number is updated, the user is required to respond to the SMS by confirming their last name. The same process applies when a forgotten-password or password reset is initiated.
JESI Company Accounts incorporate four permission levels, and the company/client is responsible for administering users' permissions based on their own internal access roles. For more information about user roles, please view JESI Company Account Permission Levels.
JESI has restrictive controls on JESI employees accessing data across the entire JESI infrastructure, including but not limited to technology tools that are directly related to the JESI software, internal corporate functions, production clients and other customer solution tools used to manage user interaction. JESI employees are granted access to production data based on their role in the company, through role-based access controls, or on an as-needed basis.
Engineers and members of the technical team may be granted access to various production systems as a function of their role. Common access needs include alert response and troubleshooting, as well as analysing information that supports product development or support. Access to the product infrastructure is restricted and requires user authentication and authorization controls. Access to networking infrastructure is strictly limited to members of the technical team and our data-centre support team.
The JESI Customer Success Team has access based on its work responsibilities in supporting and servicing JESI Company Accounts. All access requests, logins, queries, page views and similar information are logged.
All JESI employees are inducted into the company and its associated policies, including non-disclosure and confidentiality agreements.
Customer data is retained for as long as required and in line with the respective company's data retention policies. Data can be destroyed only upon a client's written request.
JESI maintains business continuity and disaster recovery plans that focus both on preventing outages through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, JESI's goal is to quickly and transparently isolate and address the issue.
Infrastructure is replicated and distributed across two distinct availability zones within Microsoft Azure to provide full redundancy.
Full database backups occur at least once a day and are stored on a distributed file storage facility. Backups are tested and retained indefinitely or as required by company policy. Backups are encrypted and subject to strict access policies.
JESI Management Solutions Pty Ltd provides 24×7 coverage to respond quickly to all security and privacy events. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, third-party alerts, customer requests, security events and others.
In responding to any incident, we first determine the exposure of the information and, where possible, the source of the security problem. We communicate back to the customer (and any other affected customers) via email, or by phone if email is not sufficient. We provide periodic updates as needed to ensure appropriate resolution of the incident.
Our Data Protection Officer reviews all security-related incidents, whether suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
JESI considers all data breaches serious and has several automated alert mechanisms in place to identify whether a data breach has occurred within the JESI hosted environment. Primarily, the alerts identify unauthorized access to the JESI hosted infrastructure and to associated third-party technology providers.
If a data breach has occurred, the initial analysis determines the extent of the breach, who may have been impacted, the type of breach and what should be immediately quarantined or disabled, if necessary.
Once the breach has been triaged, the JESI Data Protection Officer is appointed to communicate the data breach to those impacted: what the breach was or is, who has been impacted, how they may be impacted and whether, at that time, a resolution has been deployed or actioned. The timeframe for disclosure of the data breach to the respective parties is within 72 hours of the breach having been identified and assessed.
Following the data breach, the JESI technical team initiates further investigation to identify the root cause and implements modifications as required to prevent further breaches.
JESI maintains a Customer Relationship Management (CRM) system that captures customer/client data including company names, first/last names, email addresses, mobile and other phone numbers, communication correspondence, JESI proposals and other customer-related information. Access to the CRM data is limited to a small set of JESI employees based on their roles, and to the individuals who need it to respond to customer support and related requests.
JESI uses other communication tools to keep prospective clients up to date with company progress, enhancements, case studies and general JESI information. The data captured includes company names, first/last names, email addresses and job titles. An opt-in/opt-out feature allows recipients to subscribe or unsubscribe themselves. Subscribers on the list are added by self-subscribing via the JESI website.
Other JESI communication is directed to JESI users by way of the JESI Checkin newsletter. The primary purpose of the JESI Checkin is to keep JESI users up to date with product enhancements, new features and other information that directly relates to the JESI software.
JESI does not sell or share lists with any third parties.
JESI maintains a Technology Risk Register that provides oversight of the various third-party technology tools that manage all functions associated with the JESI software, client management, communication and corporate governance. This process ensures that the third-party technology tools that are used or integrated hold industry best-practice privacy and security certifications.
Our primary Sub-processors include Microsoft Azure, Google and Twilio.
The General Data Protection Act (GDPR) is considered the most significant piece of European data protection legislation introduced in the European Union (EU) and has been effective since 25 May 2018 (see GDPR Requirements).
As JESI provides services to clients located in the EU, we have an obligation to ensure compliance. In our view, the requirements are industry best practice and set a global benchmark in data security.
We have created a checklist that tracks our progress in meeting the GDPR requirements (see JESI Checklist GDPR).
JESI values transparency in the way we manage the security and privacy of our users' data, and we continuously improve our processes and system security.
This document is intended to highlight the methods, approaches and processes we have in place to demonstrate our commitment to best practice for the JESI business, JESI Account Companies, Subscribers and Users.