Jitbit Security and Privacy FAQ
The purpose of this article is to answer the most frequently asked questions we get from potential customers about privacy, security, our policies, and other related issues.
Before we begin it is important to note that Jitbit is:
- A remote-only company. We do not have offices, so many of the usual questions about physical security do not apply in our case.
- A small company. We understand that larger companies need policies and regulations for everything - we do not. Only a very limited number of people have access to the production servers.
Do you have a SOC 2, CSA, ISO, etc. certification? Have you undergone an SSAE 18 or other audits?
We do not have any third-party security or other third-party certifications at the moment. Most of them cost $30k or more and require around a year to complete. We are a small company and prefer to spend our resources on making our product better, not on dealing with legal formalities.
We understand that this is a deal-breaker for some companies. Security is and has always been one of our top priorities - we just don't have an official third-party confirmation at the moment.
Describe your company structure
Jitbit is a small remote-only company. We are bootstrapped - no external investments, we are funded only by our customers. We are profitable and have been in business since 2005. Our flagship product - Jitbit Helpdesk - has been in active development since 2009. We do not have any subsidiary relationships with other companies.
Other information, like the number of employees, annual turnover, etc., is not public. However, feel free to check out an interview with our founder.
Do you have existing customers in healthcare / higher education / government?
At this point, we have customers in most industries. Check out the customer list.
Are you HIPAA compliant?
Yes, we are. More information here.
Are you GDPR compliant?
Also yes. Here is more information.
Have you ever had a significant breach?
No, we have not.
Do you have a dedicated Information Security staff or office?
Yes, but they share other duties as well.
Can you share any of your policies?
We cannot, sorry. They are not intended for public use. We do have policies for some things like breach notifications, disaster recovery, incident response plans, etc.
Will any third parties have access to your data?
The only third party that will have access to our servers is Amazon. We host everything on AWS in North Virginia. However, they do not have access to your data, since it is encrypted. We have all the necessary paperwork signed with them. They do have a SOC 2 Type 2 report.
Data never leaves Amazon data centers at any point.
Do you logically separate customer data from other customers?
Data is separated at the business-logic level.
Is data encrypted in transit and at rest?
Yes, data is encrypted at all times. Backups are also encrypted.
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.2/1.3
- Key length: 4096 bits
- Strength: 256-bit
Describe your backup policy
It is described in detail here.
Network and app security
Can you share your infrastructure diagram?
No, sorry. It is not intended for public use.
Describe your network security measures
Only one IP address in the world has any kind of access to our servers - our secure VPN server. Only a very limited number of people have access to the VPN. Any connections other than HTTP and FTP are blocked from the outside world by multiple firewalls.
Are you utilizing a web application firewall?
Yes, we are. It is a crucial part of our infrastructure.
Do you monitor for intrusions on a 24x7x365 basis?
Yes. We have a lot of alerts set up for everything and we get an instant notification when something suspicious is going on.
Do you update your servers regularly?
Yes, on a weekly basis.
Do you perform penetration testing?
Yes, regularly. Both third-party and in-house. An example report can be found here.
Have your developers been trained in secure coding techniques? Do you conduct code reviews? Do you have automatic tests?
Yes to all of those (and other related) questions. We do follow the current best practices in software development.
Can you provide overall system and/or application architecture diagrams, including a full description of the data communications architecture for all components of the system?
No. We believe that keeping things like this private leads to a more secure environment.
Are databases used in the system segregated from front-end systems?
Yes, they are on separate servers.