Last Updated: Feb 2020
The importance of protecting customer data cannot be overstated. This page provides some insight into how we keep customer data secure, private, and accurate.
If you discover a vulnerability, please contact us at email@example.com so that we can arrange a secure communications channel. Once we receive your report, we will keep you informed while we remediate the issue as quickly as possible. Your report will be kept confidential and your personal details will not be shared with third parties without your consent.
We ask that you:
- Do not exploit any vulnerabilities discovered (in any way).
- Do not send confidential information unencrypted.
- Do not modify or delete production data.
- Do not cause outages or slowdowns (no automated tooling).
- Do not reveal or publish the vulnerability before a disclosure timeframe has been mutually agreed.
Just Ask Max protects its boundaries with a combination of network security measures including but not limited to perimeter scans, firewalls, VPNs and encryption.
User passwords are stored using an irreversible cryptographic hash, and accounts are protected with two-factor authentication.
Complex passwords are enforced for our administrative portals, and users must choose complex passwords for our web application.
At rest: Disks where customer data may reside are encrypted using 256-bit AES disk encryption.
In transit: Traffic to the Just Ask Max portals is encrypted in transit using TLS 1.2.
All our infrastructure is in the cloud and therefore our physical security is provided by AWS.
- Data-at-Rest encryption. In addition to server disks where customer data may reside, this includes every workstation and laptop. Encryption keys are stored separately from the data.
- Penetration Testing. Third-party penetration testing and validation of our security program.
- Vulnerability Management and Patch Management Program. We perform daily scans using industry-leading tooling on our internal and external networks as well as weekly scans of each of our web applications. Remediation and/or installation of patches is prioritized by severity, and our agile processes allow for immediate patching of our applications and infrastructure after appropriate testing.
- Authentication. Administrative and developer access requires two-factor authentication for remote access.
- Access Control. Access to systems is granted on a ‘need-to-know’ and ‘least-privilege’ basis, with employees acquiring access only to those systems necessary to perform their job functions.
- Change Control. Documented change requests are completed for bug fixes, enhancements and new development, as well as all changes to production infrastructure and configuration.
- Audit Logging. Our system operations are logged extensively, and the logs are stored encrypted for at least a 30-day period. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.