Introduction - Our customers’ data is important to us
We care about security. Our customers trust us with a significant amount of sensitive employee data, and we recognize that Joyous’ security practices are important to them.
This document provides an overview of our policies and the mechanisms used to enable them. If you have any questions or encounter any issues, please contact us at firstname.lastname@example.org
“Joyous” - refers to Joyous Limited and its operating divisions, subsidiaries, affiliates, and branches.
“Customer Data” - refers to any data provided to Joyous by the Customer.
“Service” - refers to the Joyous platform and any other services or functionalities related to the Joyous platform.
“SOC 2 Report” - refers to a confidential Service Organization Control (SOC) 2 Type II report on the Service examining logical security controls, physical security controls, and system availability, as produced by a Third-party Auditor in relation to the Service.
“Third-party Auditor” - refers to a Joyous-appointed, qualified, and independent third-party auditor.
“Cloud Service Provider (CSP)” - refers to a third-party company that provides scalable computing resources, including compute, storage, platform, and application services to Joyous.
2. Information Security Program and Attestations
Joyous maintains an information security program that includes the adoption and enforcement of internal policies and procedures and is designed to
- satisfy this privacy and security overview;
- identify reasonably foreseeable security risks and unauthorized access to the Service; and
- minimize security risks, taking into account the state of the art, the costs of implementation, the nature, scope, content, and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
A Third-party Auditor is currently assessing the Joyous Service for compliance with the SOC 2 Type II availability, confidentiality, and security trust principles. The SOC 2 Type II report, when completed, will be available to customers upon request under signed NDA.
3. Access Controls
a) Logical and Data Access Controls
- Security Personnel Joyous’ security team is responsible for the ongoing monitoring of Joyous’ security infrastructure, review of the Service, and security incident response.
- Privilege Management Joyous personnel with access to Joyous customer accounts are required to authenticate themselves via logical access controls with multi-factor authentication in order to administer the Service.
- Internal Data Access Processes and Policies Joyous internal data access processes and policies follow the principles of least privilege and are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process data in the Service.
- Access Controls Joyous passwords are hashed and can’t be read by our own staff. If a password is lost, it can’t be retrieved - it must be reset. The creation, storage, and use of passwords and other secrets internal to Joyous are described in our Access Control Policy.
- Access Management Joyous controls remote access to critical systems so that access is only allowed from specified locations.
b) Data Center Access Controls
- As a SaaS provider, Joyous application servers, databases, storage, and backups are hosted in cloud service provider (CSP) environments. The CSPs used to provide the Services are ISO 27001 and SOC 2 Type II certified facilities.
4. Application Level Security
- Standards Compliance Joyous adheres to SOC 2 Type II principles.
- Data Integrity Measures are in place to prevent corruption of stored Customer Data. These include: access control, segregated production system, backups, change control procedures, and securing our infrastructure and connections to the database.
- Software Development Modifications to the software are guided by security and privacy by design principles. Security testing is part of the quality assurance process, including automated testing of each part of its API to test access controls, permissions, organizational separation, and logging. All development for the Service is based on Joyous’ Secure Development Policy.
5. Network Security
- Data Transmission All data transmission is conducted through secure transmission protocols, e.g. SFTP, TLS.
- Intrusion Detection Joyous uses a threat detection service that continuously monitors for malicious activity and unauthorized behavior on our networks.
6. Personnel Security
At Joyous, we encourage all employees to participate in helping secure our customer data and company assets. Joyous’ security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.
- Employee training Joyous continuously trains employees on best security and privacy practices, including how to identify social engineering, phishing scams, and hackers. All new staff are provided security and privacy orientation training in their first week of employment.
- Background checks Where applicable by law, Joyous performs background screenings on personnel, including criminal history checks, at the time of hire.
- Confidentiality All Joyous employees and contract personnel are bound by Joyous’ internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
- Access Control Policy Joyous assigns clear roles and responsibilities for information security and uses identity and access management tools in accordance with our Access Control Policy. Access to data and infrastructure is restricted solely to Joyous operational personnel who have been granted express access by senior management and have a work need to access systems. Permissions and entitlements are periodically audited, and our exit process ensures termination of access when an employee leaves Joyous. Further access must be approved according to the policies set for each application.
- Equipment Employee laptops are updated with the latest upgrades, patches, and hot fixes as they become available. Joyous does not provide employees with other personal computing devices. Each laptop runs an end-user agent that enables verification of installed applications and centralized management of anti-malware. Joyous uses MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
- Employee Code of Conduct Joyous employees are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, and professional standards.
7. Operational Availability
We’ve built Joyous as a highly available product that services the operational feedback needs of our customers through scalability inherited from our CSP. We adhere to our service level agreements (SLAs) of 99.9% availability.
Business Continuity Joyous has implemented and regularly tests its business continuity planning/disaster recovery programs.
8. Customer Data
- Data Confidentiality and Separation Customer Data is stored in a multi-tenant environment and logically separated between organizations by multiple logic layers, ensuring complete isolation.
- Data Retention and Deletion Joyous will archive Customer Data in the Service production servers after employee termination. Where an employee requests that their data be deleted, it will be deleted (including feedback) subject to satisfactory verification of their identity unless there is a legal obligation or legal hold requiring that Joyous seek permission to do so.
- Encryption All data processed by Joyous is encrypted in-transit and at-rest.
- Restoring data from data loss All data is continuously mirrored in a database cluster so that operation continues without data loss in the event of a server failure. In addition, data is continuously backed up.
9. Disclosure, Response, Assurance, and Review
a) Incident Management and Response Plan Joyous maintains an established and documented Incident Management and Response process. This plan is reviewed, updated, and tested annually.
b) Security Assurance Automation
- Vulnerability Management Joyous will ensure newly discovered vulnerabilities in code dependencies are automatically identified and remediated.
- Endpoint Protection Joyous implements central control/reporting so that all Joyous employees’
- laptops are protected and their configuration validated. This includes anti-virus/anti-malware protection.
- Penetration Testing Joyous, through an external firm, will detect potential Internet-facing attack vectors. This includes manual penetration testing at least annually, combined with automated weekly testing.