Security at Jottacloud

Customer trust and confidence is critical to anything we do at Jottacloud.

Updated over a week ago

Overview

Keeping our customers' data secure is the most important thing that we do at Jottacloud. We respect your privacy, and we make significant efforts to protect your data.

Keeping Jottacloud secure is fundamental to our business.

Best practices

Incident Response Plan

  • We have implemented a formal procedure for security events and have educated all our staff on our policies.

  • When security events are detected they are escalated to our emergency alias, teams are paged, notified and assembled to rapidly address the event.

  • After a security event is fixed we write up a post-mortem analysis.

  • The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.

Build Process Automation

  • We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.

  • We typically deploy code multiple times a day, so we have high confidence that we can get a security fix out quickly when required.

Infrastructure

  • All of our services run in our own data center's. We run our own routers, load balancers and physical servers.

  • We use both our own internal DNS servers and external DNS servers.

  • Our data centers are located in Norway. Jottacloud services have been built with disaster recovery in mind.

  • All of our servers are within our own private network with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.

Service Levels

Our uptime is 99.9% or higher. See our status here.

Data

  • All customer data is stored in Norway. Read our Privacy Guarantee here.

  • We do not have individual datastore for each customer. However strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customers data. 

  • All data is encrypted at rest on server

Data Transfer

  • All data sent to or from Jottacloud is encrypted in transit using 256 bit encryption.

  • Our API and application endpoints are TLS/SSL only and score an "A+" rating on SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.

Authentication

  • Jottacloud is served 100% over https. 

  • We have two-factor authentication (2FA) and strong password policies to ensure access to cloud services are protected.

Permissions and Admin Controls

  • Jottacloud enables permission levels to be set for any employees with access to Jottacloud admin tools.

Application Monitoring

  • On an application level, we produce audit logs for all activity

  • All access to Jottacloud applications is logged and audited

Compliance

Jottacloud complies with European and Norwegian privacy laws and GDPR.

PCI Obligations

Jottacloud is not subject to PCI obligations. All payment instrument processing is outsourced to Stripe.

Did this answer your question?