Security Overview

Last Updated: Feb 2020

The importance of protecting customer data cannot be overstated. This page provides some insight into how we keep customer data secure, private, and accurate.

Responsible Disclosure

If you discover a vulnerability, please contact us at contact@justaskmax.com so that we can arrange a secure communications channel. Once we receive your report, we will keep you informed while we remediate the issue as quickly as possible. Your report will be kept confidential and your personal details will not be shared with third parties without your consent.

We ask that you:

  • Do not exploit any vulnerabilities discovered (in any way).
  • Do not send confidential information unencrypted.
  • Do not modify or delete production data.
  • Do not cause outages or slowdowns (no automated tooling).
  • Do not reveal or publish the vulnerability until a disclosure timeframe has been mutually agreed.

Network Perimeter

Just Ask Max protects its boundaries with a combination of network security measures including but not limited to perimeter scans, firewalls, VPNs and encryption.

Account Security

User passwords are never stored in plaintext; they are stored only as an irreversible (salted, one-way) cryptographic hash, and accounts are protected with two-factor authentication.

Complex passwords are enforced for our administrative portals, and users must also choose complex passwords for our web application.
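The two statements above (passwords stored only as an irreversible hash, and a complexity rule enforced at registration) translate into a small amount of code. The following is an added illustration written for this page, not Just Ask Max's own implementation; the exact complexity rules, the choice of scrypt from the Python standard library, and the work factors are assumptions. The point it makes is that a stored record is never "decrypted": verification recomputes the hash from the submitted password and the stored salt and compares the two in constant time.

```python
import hashlib
import hmac
import os
import re

# Assumed password policy. The page says only that "complex passwords are
# enforced"; these exact rules are illustrative, not the site's actual policy.
MIN_LENGTH = 12
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

# Assumed scrypt work factors (tune to your own hardware budget).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HASH_BYTES = 32


def password_policy_errors(password: str) -> list:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes_present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes_present < 3:
        errors.append("needs at least three of: lower, upper, digit, symbol")
    return errors


def hash_password(password: str) -> str:
    """Derive a salted, irreversible hash with a fresh random salt.

    The returned record carries every parameter needed to verify it later, so
    work factors can be raised for new records without breaking old ones.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the stored salt and parameters and compare in
    constant time. Nothing is decrypted; a malformed record simply fails."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    weak, strong = "password", "Correct-Horse-Battery-9"
    print("weak password policy errors:", password_policy_errors(weak))
    print("strong password policy errors:", password_policy_errors(strong))
    record = hash_password(strong)
    print("stored record:", record)
    print("correct password verifies:", verify_password(strong, record))
    print("wrong password verifies:", verify_password(weak, record))
    print("same password, fresh salt, different record:", hash_password(strong) != record)
```

Two details matter in practice: the salt is generated per record with `os.urandom`, so two users with the same password get different hashes and a leaked table cannot be attacked with a single precomputed list; and the comparison uses `hmac.compare_digest` rather than `==`, so the time taken to reject a wrong password does not leak how many leading bytes matched.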

Encryption

At rest: Disks where customer data may reside are encrypted using 256-bit AES disk encryption. In transit: Traffic to the Just Ask Max portals is encrypted in transit using TLS 1.2.

Physical Security

All our infrastructure is hosted in the cloud, so the physical security of the data centres that house it is provided by AWS.

Operational Security

  • Data-at-Rest encryption. In addition to server disks where customer data may reside, this includes every workstation and laptop. Encryption keys are stored separately from the data.
  • Penetration Testing. Third-party penetration testing and validation of our security program.
  • Vulnerability Management and Patch Management Program. We perform daily scans using industry-leading tooling on our internal and external networks as well as weekly scans of each of our web applications. Remediation and/or installation of patches is prioritized by severity, and our agile processes allow for immediate patching of our applications and infrastructure after appropriate testing.
  • Authentication. Remote administrative and developer access requires two-factor authentication.
  • Access Control. Access to systems is granted on a ‘need-to-know’ and ‘least-privilege’ basis, with employees acquiring access only to those systems necessary to perform their job functions.
  • Change Control. Documented change requests are completed for bug fixes, enhancements and new development, as well as all changes to production infrastructure and configuration.
  • Audit Logging. Our system operations are logged extensively, and the logs are stored encrypted for at least a 30-day period. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.

Organisational Security

We have a comprehensive set of information security policies in place, and employees are required to read and sign key policies upon hire and yearly thereafter.

All employees undergo regular security awareness training and phishing simulations. Where the role requires it, employees are vetted using third party background checks.

All employees sign a confidentiality agreement.

Compliance

Just Ask Max is Cyber Essentials certified and is working towards Cyber Essentials Plus and ISO 27001 certification. Just Ask Max has undergone third-party attestation of its GDPR compliance.