Security Statement

This statement exclusively covers JobScore’s policies and practices regarding information and data security. It does not recapitulate the law, nor does it define our Privacy Policy, nor does it attempt to define good conduct outside of the security context.

Operations and Hosting

JobScore is a software-as-a-service (SaaS) business. The company has a dedicated SaaS Operations team that is responsible for ensuring the safe and continuous operation of JobScore web services. Members of this team are carefully vetted for reliability and responsibility, and are trained to be knowledgeable and aware of sensitive information.

JobScore’s SaaS Operations infrastructure is physically and logically separated from JobScore corporate IT infrastructure and is managed by an independent SaaS Operations team. JobScore SaaS Solutions infrastructure is divided into multiple, geographically dispersed facilities operated by Amazon and internet access is protected by Cloudflare network services. Amazon AWS data centers have obtained ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley accreditation. You can read more about Amazon AWS compliance here.

Architecture, Uptime and Performance

The JobScore SaaS solution is multi-tenant, and logical access controls using authentication and roles ensure the necessary separation between data from different clients. All infrastructure responsibilities live with JobScore, and clients are provided with functionality to manage their own users and roles at the application level.

JobScore’s business continuity planning (BCP) and disaster recovery (DR) activities prioritize critical functions supporting the delivery of service to our clients. Our systems architecture employs redundancy throughout the entire infrastructure. No system or service has a single point of failure. Data is always written to at least two separate locations when stored. JobScore leverages load balancing on the front-end and replication on the back-end between servers distributed across multiple data centers in North America to ensure uninterrupted operations. Failover tests are performed at least annually as part of scheduled system maintenance.

JobScore employs a multi-tier distributed architecture that allows us to scale horizontally as the number of clients and volume of traffic increases. JobScore uses multiple monitoring processes and tools to continuously track system resources, applications and capacity. Systems are scaled up when predetermined capacity thresholds are reached.

Data Backup

JobScore stores all client data in the SaaS production environment on fully redundant storage systems. Daily and intraday data is backed up on a scheduled basis to a separate secured online storage service. Only JobScore SaaS Operations employees have access to backups.

Logging and Monitoring

JobScore employs industry-standard enterprise application management solutions to monitor systems and measure uptime; instrument application performance and behavior; aggregate, index, and archive application and system logs and trigger alerts based on event logs; and facilitate alerting, trend analysis, and risk assessment.

Production Access

JobScore employs a public cloud deployment model using both physical and virtualized resources for our SaaS solution. All software maintenance and configuration activities are conducted by JobScore employees remotely over a Virtual Private Network.

Only authorized staff have access to production networks and hosts. Development staff members have limited access to production services for debugging and customer support purposes.

Production Passwords and Credentials

All passwords and credentials that enable access to JobScore’s production systems and services are stored in secure systems that are only accessible to authorized staff.

Change Management

JobScore employs an automated configuration management system and uses continuous integration and automated deployment management tools to ensure that all changes to production servers, networks, and application software are applied in a deliberate and planned manner. Changes with operational impact are kept to a minimum and are only applied during pre-announced maintenance windows. Every change to production, except in cases of emergency, goes through the following stages:

  • The change is implemented and tested in a sandbox environment;
  • The change is committed and applied to a testing environment;
  • The change is reviewed by one or more authorized staff members, and the testing environment is vetted to ensure that the change is effective;
  • The change is applied to the production environment and verified;
  • System and application logs are monitored post-deploy for anomalies.

General Security Practices

Only content intended for general consumption is publicly available.

All systems log to a central repository for analysis and change tracking.

Continuous backups of data are made and stored in redundant locations.

Only authorized personnel may access or restore any data from the backup data sets.

No production node or service is allowed to communicate with other services without credentials.

Configuration of production systems and services is applied automatically and is vetted for security deficits prior to deployment.

JobScore continuously monitors and responds to active and emerging security threats, including the Open Web Application Security Project (OWASP) Top 10 and Community Emergency Response Teams (CERT) advisories.

Security updates are applied within seven (7) days in non-emergency cases or more rapidly in the case of an urgent threat.

Platform Security

JobScore’s platform also contains a number of security measures to ensure the secure performance of its services.

All web access to JobScore SaaS software runs over secure HTTPS connections that employ at minimum TLS 1.0 and AES 128-bit encryption.

Access control lists define the behavior of any user of the platform, and limit them to authorized behaviors.

Extensive anti-fraud processes run continuously to detect malicious or harmful use of the platform. These processes are under continuous refinement.

All data have unpredictable identifiers (UUID4) that prevent any individual contributor from predicting or accidentally overwriting other storage entities.

All end user activity is extensively instrumented and logged to enable audit tracing for security and customer support purposes.

Data Storage Protocols

All JobScore and JobScore-client confidential documents, files, and data are stored in the company’s file storage accounts, revision control systems, or another company-provided external system. Data and files may not be stored only locally on laptops. When a JobScore employee or contractor terminates employment, all data stored on company-issued laptops is destroyed.

Data Security Policies and Training for Employees and Contractors

All employees are issued copies and acknowledge receipt of JobScore policies regarding information and data security.

Last modified: Jan 14, 2016