Jitjatjo Security, Privacy, and Compliance
Integrity and Trust are core values that form the foundation of our platform to ensure Network by Jitjatjo keeps data secure, private, and compliant.
At Jitjatjo, the data security of our enterprise clients and their employees is paramount. Our team of Information Security experts employs rigorous security measures at the organisational, architectural, and operational levels to ensure that all data, applications, and infrastructure are protected.
We’ve implemented industry-leading safeguards, continuous monitoring, and regular threat assessments to ensure that sensitive data is processed in accordance with the strictest security controls.
Jitjatjo’s organisational policies on access control underpin our data protection. Access rights to both physical and logical assets are accorded following the principles of least privilege and need to know.
In order to ensure the continued security of Jitjatjo’s applications, our team has implemented an Information Security Program that includes in-depth security risk assessments, penetration testing, software feature reviews, static and dynamic source code analyses, and application security training for our developers and administrators.
Platform and Network Security
Jitjatjo is proud to offer Security for the Intelligent Enterprise in this new age of rapidly increasing cyberthreats.
Identity and Access Management
We have implemented fit-for-purpose identity and access methods such as Single Sign-On (SSO), Multi-factor Authentication (MFA), Security Assertion Markup Language (SAML) and Security Certificates to protect the varying layers of our technology stack.
Throughout the various tiers of our physical and logical networks we’ve implemented security solutions to reduce threat attack paths and protect the usability and integrity of our platform.
DDoS Protection is employed to ensure quality of service for normal traffic. A Distributed Denial Of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
Web Application Firewall (WAF) policies protect us from web exploits. We configure our WAF policies to control how traffic reaches our applications and to block common attack patterns, such as SQL injection or cross-site scripting.
Security Groups control the inbound and outbound flow of traffic to and from trusted networks. Direct access to our infrastructure is only authorised from pre-defined and authenticated networks. Network traffic leaving our infrastructure is only allowed for pre-defined protocols.
Network Access Control Lists control the flow of access at a protocol and subnet level. This provides a logical isolation of environments and network tiers, only allowing whitelisted networks.
All data is encrypted, period. Whether it is a stored object (photos, documents, video, etc.) or customer data residing in our database, it is encrypted at rest and in transit, on both internal and external networks.
Disk volumes on our server infrastructure are also encrypted as a default.
Security of our application is multi-faceted and multi-tiered. We conduct security scanning (SAST, DAST, and Vulnerability Scans) of our application on every code commit and before every release.
Static Application Security Testing (SAST) analyses source code before it is compiled to find security vulnerabilities. Dynamic Application Security Testing (DAST) examines the application as it is running to find vulnerabilities that an attacker could exploit.
Any vulnerability identified immediately raises an alert for our Information Security team to investigate and remediate.
Threat Detection and Security Monitoring
Our Security Operations Protocols continuously monitor and analyse activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise.
In some cases, security orchestration, automation and response removes the delay in closing off a threat altogether: threats (or potential threats) are detected and triaged, and an appropriate response is automated to eliminate the threat.
Security and Integrity of customer data also extend to the availability of, and access to, that data.
Since disasters happen rarely, management in other businesses often ignores the Disaster Recovery (DR) planning process. At Jitjatjo we not only plan for disasters and how to recover from them, we actually simulate disasters to harden our DR policies and resiliency, to maintain our competitive advantage.
Jitjatjo’s cloud infrastructure is architected to tolerate failures at all levels. Within a single region, the infrastructure hosting for critical services is Highly Available (HA) and able to sustain service availability in the event of an outage or issue to any Availability Zone (AZ) within the region. Databases, Caches, Servers, Load Balancers and Object storage are fault tolerant and deployed in a multi-AZ architecture. This resiliency and failover is automatic and requires no systems recovery or response plan. The architecture also extends availability and service continuity of Jitjatjo Network Apps across multiple regions to mitigate against a total failure of an entire region.
Security Development Lifecycle (SDL/SDLC)
At Jitjatjo, we use secure SDL practices to integrate security requirements and multiple layers of security testing in our software development and deployment processes.
At Jitjatjo, data protection and privacy are at the core of how we design and develop our technology. We have integrated data protection and privacy features into our engineering, practices, and procedures.
Data privacy regulations are complex, vary from country to country and state to state, and impose stringent requirements. When choosing a Human Capital Management (HCM) or Workforce/Talent Management application, businesses should select one that enables clients to comply with their data protection obligations and protect the privacy of their data.
Additionally, we provide our customers with the necessary resources and information to help them understand and validate the privacy and compliance requirements for their organisation, as well as show how Jitjatjo can help support their compliance efforts on a global scale.
As a data controller, we have carefully implemented the technical and organisational measures to demonstrate our obligation to protect all personal data.
We ensure that our customers and employees can exercise their rights regarding their personal data including access, erasure, rectification, restriction and data portability.
When working with our service providers, we only select data processors that provide sufficient guarantees that they will implement appropriate measures to ensure their processing meets the same requirements we have.
Privacy by Design
At Jitjatjo, we proactively embed privacy into the design and development of our applications, networked infrastructure, and business practices.
The 7 Foundational Principles of Privacy by Design:
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality – Positive-Sum, not Zero-Sum
- End-to-End Security – Full Lifecycle Protection
- Visibility and Transparency – Keep it Open
- Respect for User Privacy – Keep it User-Centric
We carefully consider the impacts to privacy when developing the design requirements of technologies and business practices. Our processes assess the impact to individuals' privacy and we prioritise anonymisation of data wherever possible.
We provide transparency into the geographical regions where our enterprise clients’ data is stored and processed.
Global Data Privacy
As a global solutions provider, Jitjatjo’s clients must comply with a complex and seemingly never-ending slate of laws and regulations. Jitjatjo remains committed to global privacy standards.
Our applications are designed to allow you to achieve differentiated configurations to help you meet your country’s specific laws.
US Data Privacy (FTC, FCRA, HIPAA, CPRA, SHIELD)
There is no one comprehensive federal law that governs data privacy in the United States, rather there is a complex patchwork of sector-specific, medium-specific, and state-specific laws on data privacy.
Federal Trade Commission Act (FTC)
The Federal Trade Commission (FTC) Act has broad jurisdiction over commercial entities under its authority to prevent unfair or "deceptive trade practices." The FTC’s mission is to protect consumers and competition by preventing anticompetitive, deceptive, and unfair business practices through law enforcement, advocacy, and education without unduly burdening legitimate business activity. While the FTC does not explicitly regulate what information should be included in privacy policies, it uses its authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take action against organisations that:
- Fail to implement and maintain reasonable data security measures.
- Fail to abide by any applicable self-regulatory principles of the organisation's industry.
- Make inaccurate privacy and security representations (lying) to consumers and in privacy policies.
- Fail to provide sufficient security for personal data.
- Violate consumer data privacy rights by collecting, processing, or sharing consumer information in a way that breaches the FTC's consumer privacy framework or national privacy laws and regulations.
- Engage in misleading advertising practices.
Fair Credit Reporting Act (FCRA)
The federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies, including background checks.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA lays out three rules for protecting patient health information.
- Privacy Rule: protects the privacy of individually identifiable health information, called protected health information (PHI).
- Security Rule: protects a subset of information covered by the Privacy Rule, namely all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.
- Breach Notification Rule: requires a covered entity to notify the Health Secretary if it discovers a breach of unsecured protected health information.
California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights, and enforcement mechanisms. CPRA clarifies that people can opt out of both the sale and sharing of their personal information to third parties.
Right to Correct Inaccurate Information
When people exercise the right to access information and the information provided is inaccurate, they can request the business correct that information. The business is then required to use commercially reasonable efforts to correct that information if it receives a verifiable consumer request (some exceptions apply).
Right to Have Personal Information Collected Subject to Data Minimisation and Purpose Limitations
Businesses are required to minimise use, retention and sharing of personal information to what is reasonably necessary and proportionate to achieve the purposes for which the information was collected.
Right to Receive Notice from Businesses Planning on Using Sensitive Personal Information and Ask Them to Stop
Businesses are required to give people special notice if they plan to collect or use any sensitive personal information, and a person can ask businesses to stop selling, sharing and using it. This type of information includes:
- information revealing a social security, driver’s license, state ID card or passport number
- account log-in, financial account, debit card or credit card number in combination with the access code, password or credentials to them
- precise geolocation
- racial or ethnic origin, religious or philosophical beliefs, or union membership
- contents of mail, email and text messages
- genetic data
- biometric information for the purpose of identifying someone
- information collected and analysed concerning a person’s health, sex life or sexual orientation
New York Stop Hacks and Improve Electronic Data Security Act (SHIELD)
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act amends New York's existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. The SHIELD Act requires any person or business owning or licensing computerised data that includes the private information of a resident of New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.
EU Data Privacy (GDPR)
The General Data Protection Regulation (GDPR) legislation was formed to harmonize data privacy laws across Europe, empowering all EU citizens’ data privacy in the process, and to reshape how organisations approach data privacy in a secure and transparent manner.
Jitjatjo is and will always be committed to the protection of our users' personal data. As a data collector and data processor, we understand our responsibility for data protection and have implemented the technical and organisational practices to ensure that personal data is processed in accordance with the strictest security controls.
All personal data processing must adhere to six principles, which are the responsibility of the data controller:
- Lawfulness, fairness and transparency;
- Limitation of processing to legitimate purposes;
- Data minimization;
- Limitation on time period of storage;
- Integrity and confidentiality.
Below is a summary of GDPR sections that are most applicable to users of Jitjatjo's services.
From Jitjatjo's perspective, we recognise we collect, process, store and own the data and the relationship with EU citizens. We understand the information we process is classified as personal data and that being GDPR compliant requires the protection of the data subjects' information.
As a human-powered labour platform and staffing marketplace, the person to whom GDPR applies can either be an employee of an enterprise client or someone applying to become an employee. An employee can be a user of an application that administers the platform, manages the workforce, is authorized by a business to create schedules, confirm bookings, or accept job assignments.
The Right To Be Forgotten
The Data Subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller (Jitjatjo) shall have the obligation to erase personal data without undue delay.
Data subjects may submit a Right to Erasure Request Form to a Jitjatjo representative.
UK Data Privacy
The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR) - see above.
AU Data Privacy
The Privacy Act 1988 is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information. The Act addresses:
- the collection, use and disclosure of personal information.
- an organisation or agency's governance and accountability.
- integrity and correction of personal information.
- the rights of individuals to access their personal information.
The Australian Privacy Principles (APPs) relate to the following areas:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
Compliance, Certifications and Standards
Jitjatjo's technology enhances compliance with multi-jurisdictional Employment Regulations and Information Security standards to ensure our customers’ data remains secure and compliant.
Ensuring new hires are eligible to work in the jurisdiction and their background is appropriately screened prior to commencing work are essential risk mitigation strategies for employers.
US Employment Eligibility Verification (E-Verify)
We use E-Verify to confirm the eligibility of employees to work in the United States by electronically matching information provided by new hires against records available to the Social Security Administration (SSA) and the Department of Homeland Security (DHS).
Background Screening (US)
Checkr leverages AI-powered technology to produce fast and reliable data for regulatory and criminal background checks by compiling national and local records of reportable criminal records. Drug and health screenings are also delivered in record time through an extensive network of labs.
Background Screening (AU)
NCC is an Australian Criminal Intelligence Commission (ACIC) accredited agency integrated with the Department of Immigration’s Visa Entitlement system, enabling rapid access to accredited police, Visa and right to work checks.
Background Screening (UK)
Sterling works closely with the Disclosure and Barring Service (DBS), Disclosure Scotland and AccessNI, ensuring Criminal Record Checks and Right to Work checks are rapidly and accurately completed.
Third-Party Audits and Certifications
Cloud Security Alliance STAR
The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) consolidates current information regarding security risks and controls into one industry-standard questionnaire (CSA STAR CAIQ).
Cyber Essentials PLUS
Cyber Essentials is a UK government-backed scheme to help organizations protect against cyber-security threats by setting out baseline technical controls.
Jitjatjo employs HIPAA trained and certified staff and we comply with the HIPAA security standard.
ISO 27001 is a globally recognised, standards-based approach to security that outlines requirements for an organisation’s Information Security Management System (ISMS). We have chosen to implement the standard to benefit our customers and give them confidence that their data is secure.
Jitjatjo only works with payment providers that are PCI-DSS certified.
NIST CSF and NIST 800-171
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides guidance for organisations to improve their ability to prevent, detect, and respond to cybersecurity risks. The NIST 800-171 standard relates to protecting Controlled Unclassified Information in non-federal Information Systems and Organizations. Jitjatjo complies with NIST CSF security standards.
Center for Internet Security
The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. CIS Hardened Images® are securely configured according to applicable CIS Benchmarks™.