This Security Statement is aimed at providing our users with more information about our security infrastructure and practices. Our privacy policy contains more information on how we handle data that we collect. 

Information Security Policy

JustFund maintains an Information Security Policy that defines employee’s responsibilities and acceptable use of information system resources. The organization receives acknowledgement from employees indicating that they have read, understand, and agree to abide by the rules of behavior, before providing authorized access to JustFund’s information systems. This policy is periodically reviewed and updated as necessary.

Our security policies cover a wide array of security-related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering internal applications and information systems.

Asset Management 

JustFund’s data and information system assets are comprised of customer and end-user assets as well as corporate assets. These asset types are managed under our security policies and procedures. JustFund authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by JustFund’s security policies.  

Personnel Security

JustFund employees are required to conduct themselves in a manner consistent with the company’s guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees are required to acknowledge JustFund’s code of conduct policy. The code outlines the company’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.  

Each JustFund employee is required to read, understand, and take a training course on the company’s code of conduct.  

Physical and Environmental Security

JustFund’s platform and your data is hosted on Amazon Web Services (AWS), a global leader in Infrastructure as a Service (IaaS). Amazon takes physical and network security seriously. Their data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff, video surveillance, intrusion detection systems, and other electronic means. Access to their data center floors requires two-factor authentication a minimum of two times.

Amazon maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, and SOC reports. Their reports can be found on the AWS Compliance website https://aws.amazon.com/compliance and you can read more about the specifics of their approach at https://aws.amazon.com/security.

 

Operational Security 

Supplier and Vendor Relationships
JustFund likes to partner with suppliers and vendors that operate with the same or similar values around lawfulness, ethics, and integrity that JustFund does. As part of its review process, we screen our suppliers and vendors and bind them to appropriate confidentiality and security obligations, especially if they manage customer data. 

Auditing and Logging
We maintain audit logs on systems. These logs provide an account of which personnel have accessed which systems. Access to our auditing and logging tool is controlled by limiting access to authorized individuals.  

Antivirus and Malware Protection
Antivirus and malicious code protection are centrally managed and configured to retrieve the updated signatures and definitions available. Malicious code protection policies automatically apply updates to these protection mechanisms. Anti-virus tools are configured to run scans, virus detection, real-time file write activity and signature file updates. Laptop and remote users are covered under virus protection. 

System Backups
JustFund has backup standards and guidelines and associated procedures for performing backup and restoration of data in a scheduled and timely manner. Controls are established to help safeguard backed up data (on-site and off-site). We also work to ensure that customer data is securely transferred or transported to and from backup locations. Periodic tests are conducted to test whether data can be safely recovered from backup devices.  

Network Security
Our infrastructure servers reside behind high-availability firewalls and are monitored for the detection and prevention of various network security threats. Firewalls are utilized to help restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need.  

JustFund maintains separate development and production environments. Our firewalls establish security zones that control the flow of network traffic to these environments. These traffic flows are defined by strict firewall security policies.  

Data Protection
JustFund continually works to develop products that support the latest recommended secure cipher suites and protocols to encrypt traffic while in transit. We monitor the changing cryptographic landscape closely and work to upgrade our products to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility for older clients. 

Vulnerability Management
Security assessments are done to identify vulnerabilities and to determine the effectiveness of the patch management program. Each vulnerability is reviewed to determine if it is applicable, ranked based on risk, and assigned to the appropriate team for remediation.

Patch Management
JustFund strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Patch management processes are in place to implement security patch updates as they are released by vendors. Patches are tested prior to being deployed into production.

Secure Network Connections
HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The level of encryption is negotiated to either SSL or TLS encryption and is dependent on what the web browser can support. 

 

Access Controls

Role-Based Access
Role based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors.  

Authentication and Authorization
We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password policies enforce the use of complex passwords, which are deployed to protect against unauthorized use of passwords. 

JustFund employees are granted a limited set of default permissions to access company resources, such as their email, and the corporate intranet. Employees are granted access to certain additional resources based on their specific job function. 

Software Development Lifecycle
We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our products. Our products are deployed on an iterative, rapid release development lifecycle. Security and security testing are implemented throughout the entire software development methodology. Quality assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.   

Incident Management
JustFund has a formalized Incident Response Plan and associated procedures in case of an information security incident. The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.  

Data Protection
We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures. Any non-public information JustFund may process, handle or store is encrypted at rest. We give additional attention and care to sensitive personal data and respect local laws and customs, where applicable.  

JustFund only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized in accordance with our privacy policy. We take all reasonable steps to protect information we receive from our users from loss, misuse or unauthorized access, disclosure, alteration and/or destruction.