Jitjatjo Security, Privacy, and Compliance

Organisational Security

Jitjatjo’s organisational policies on access control underpin our data protection. Access rights to both physical and logical assets are accorded following the principles of least privilege and need to know.

In order to ensure the continued security of Jitjatjo’s applications, our team has implemented a Informational Security Program that includes in-depth security risk assessments, penetration testing, software feature reviews, static and dynamic source code analyses, and application security training for our developers and administrators.

Platform and Network Security

Jitjatjo is proud to offer Security for the Intelligent Enterprise in this new age of rapidly increasing cyberthreats

Identity and Access Management

We have implemented fit for purpose identity & access methods such as Single-Sign-On (SSO), Multi-factor Authentication (MFA), Security Assertion Markup Language (SAML) and Security Certificates to protect the varying layers of our technology stack.

Network Security

Throughout the various tiers of our physical and logical networks we’ve implemented security solutions to reduce threat attack paths and protect the usability and integrity of our platform.

DDoS Protection is employed to ensure quality of service for normal traffic. A Distributed Denial Of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

Web Application Firewall (WAF) policies protect us from web exploits. We configure our WAF policies to control how traffic reaches our applications and to block common attack patterns, such as SQL injection or cross-site scripting.

Security Groups control the inbound and outbound flow of traffic to and from trusted networks. Direct access to our infrastructure is only authorised from pre-defined and authenticated networks. Network traffic leaving our infrastructure is only allowed for pre-defined protocols.

Network Access Control Lists control the flow of access at a protocol and subnet level. This provides a logical isolation of environments and network tiers, only allowing whitelisted networks.

Data Encryption

All data is encrypted, period. Whether it is an object stored (photos, documents, video, etc) or customer data residing in our database, it is encrypted at rest and in transit both on internal and external networks.

Disk volumes on our server infrastructure are also encrypted as a default.

Application Security

Security of our application is multi-faceted and multi-tiered. We conduct security scanning (SAST, DAST, and Vulnerability Scans) of our application on every code commit and before every release.

Static Application Security Testing (SAST), analyses source code before it is compiled to find security vulnerabilities. Dynamic Application Security Testing (DAST) examines the application as it's running to find vulnerabilities that an attacker could exploit.

Any vulnerabilities identified immediately raises an alert for our Information Security team to investigate and remediate.

Threat Detection and Security Monitoring

Our Security Operations Protocols continuously monitor and analyse activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise.

In some cases, the mean time to close off a threat is eliminated via security orchestration, automation and response. Threats (or potential threats) are detected, triaged and an appropriate response is automated to eliminate the threat.

Operational Security

Jitjatjo’s operating policies on access control underpin our data protection. Access rights to both physical and logical assets will be accorded following the principles of least privilege and need to know.

In order to ensure the continued security of Jitjatjo’s applications, our team has implemented a program that includes an in-depth security risk assessment, penetration testing, a review of Jitjatjo features, static and dynamic source code analyses, and application security training for our developers and administrators.

Security and Integrity of customer data also extends to the availability and access to that data.

Disaster Recovery

Since disasters happen rarely, management in other businesses often ignore the Disaster Recovery (DR) planning process. As Jitjatjo we not only plan for disasters and how to recover from them, we actually simulate disasters to harden our DR policies and resiliency, to maintain our competitive advantage.

Jitjatjo’s cloud infrastructure is architected to tolerate failures at all levels. Within a single region, the infrastructure hosting for critical services is Highly Available (HA) and able to sustain service availability in the event of an outage or issue to any Availability Zone (AZ) within the region. Databases, Caches, Servers, Load Balancers and Object storage are fault tolerant and deployed in a multi-AZ architecture. This resiliency and failover is automatic and requires no systems recovery or response plan. The architecture also extends availability and service continuity of Jitjatjo Network Apps across multiple regions to mitigate against a total failure of an entire region.

Security Development Lifecycle (SDL/SDLC)

At Jitjatjo, we use secure SDL practices to integrate security requirements and multiple layers of security testing in our software development and deployment processes.

Processing Relationship

As a data controller, we have carefully implemented the technical and organisational measures to demonstrate our obligation to protect all personal data.

We ensure that our customers and employees can exercise their rights regarding their personal data including access, erasure, rectification, restriction and data portability.

When working with our service providers, we only select data processors that provide sufficient guarantees that they will implement appropriate measures to ensure their processing meets the same requirements we have.

Privacy by Design

At Jitjatjo, we proactively embed privacy into the design and development of our applications, networked infrastructure, and business practices.

The 7 Foundational Principles of Privacy by Design:

1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End-to-End Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User-Centric

We carefully consider the impacts to privacy when developing the design requirements of technologies and business practices. Our processes assess the impact to individuals' privacy and we prioritise anonymisation of data wherever possible.

Data Transparency

We provide transparency into the geographical regions where our enterprise clients data is stored and processed.

Global Data Privacy

As a global solutions provider, Jitjatjo’s clients must comply with a series of complex and seemingly never-ending slate of laws and regulations. Jitjatjo remains committed to global privacy standards.

Our applications are designed to allow you to achieve differentiated configurations to help you meet your country’s specific laws.

US Data Privacy (FTC, FCRA, HIPAA, CPRA, SHIELD)

There is no one comprehensive federal law that governs data privacy in the United States, rather there is a complex patchwork of sector-specific, medium-specific, and state-specific laws on data privacy.

Federal Trade Commission Act (FTC)

The Federal Trade Commission (FTC) Act has broad jurisdiction over commercial entities under its authority to prevent unfair or "deceptive trade practices." The FTC’s mission is to protect consumers and competition by preventing anticompetitive, deceptive, and unfair business practices through law enforcement, advocacy, and education without unduly burdening legitimate business activity. While the FTC does not explicitly regulate what information should be included in privacy policies, it uses its authority to issue regulations, enforces privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take action against organisations that:

• Fail to implement and maintain reasonable data security measures.
• Fail to abide by any applicable self-regulatory principles of the organisation's industry.
• Fail to follow a published privacy policy.
• Transfer personal information in a manner not disclosed on the privacy policy.
• Make inaccurate privacy and security representations (lying) to consumers and in privacy policies.
• Fail to provide sufficient security for personal data.
• Violate consumer data privacy rights by collecting, processing, or sharing consumer information is a violation of the FTC's consumer privacy framework or national privacy laws and regulations.
• Engage in misleading advertising practices.

‍

Fair Credit Reporting Act (FCRA)

The federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies, including background checks.

‍
Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA lays out three rules for protecting patient health information.

• Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI)
• Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form
• Breach Notification Rule a covered entity must notify the Health Secretary if it discovers a breach of unsecured protected health information.

‍

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) revises and expands the California Consumer Privacy Act (CCPA), creating new industry requirements, consumer privacy rights, and enforcement mechanisms. CPRA clarifies that people can opt out of both the sale and sharing of their personal information to third parties.

‍Right to Correct Inaccurate Information

‍When people exercise the right to access information and the information provided is inaccurate, they can request the business correct that information. The business is then required to use commercially reasonable efforts to correct that information if it receives a verifiable consumer request (some exceptions apply).

Right to Have Personal Information Collected Subject to Data Minimisation and Purpose Limitations

Businesses are required to minimise use, retention and sharing of personal information to what is reasonably necessary and proportionate to achieve the purposes for which the information was collected.

Right to Receive Notice from Businesses Planning on Using Sensitive Personal Information and Ask Them to Stop

Businesses are required to give people special notice if they plan to collect or use any sensitive personal information, and a person can ask businesses to stop selling, sharing and using it. This type of information includes:

• information revealing a social security, driver’s license, state ID card or passport number
• account log-in, financial account, debit card or credit card number in combination with the access code, password or credentials to them
• precise geolocation
• racial or ethnic origin, religious or philosophical beliefs, or union membership
• contents of mail, email and text messages
• genetic data
• biometric information for the purpose of identifying someone
• information collected and analysed concerning a person’s health, sex life or sexual orientation
  ‍

New York Stop Hacks and Improve Electronic Data Security Act (SHIELD)

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act. amends New York's existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. The SHIELD Act requires any person or business owning or licensing computerised data that includes the private information of a resident of New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

EU Data Privacy (GDPR)

The General Data Protection Regulation (GDPR) legislation was formed to harmonize data privacy laws across Europe. Empowering all EU citizens’ data privacy in the process, and to reshape how organisations approach data privacy in a secure and transparent manner.

Jitjatjo is and will always be committed to the protection of our user's personal data. As a data collector and data processor, we understand our responsibility for data protection and have implemented the technical and organisational practices to ensure that personal data is processed in accordance to the strictest security controls.

All personal data processing must adhere to six principles, which are the responsibility of the data controller:

1. Lawfulness, fairness and transparency;
2. Limitation of processing to legitimate purposes;
3. Data minimization;
4. Accuracy;
5. Limitation on time period of storage;
6. Integrity and confidentiality.

Below is a summary of GDPR sections that are most applicable to users of Jitjatjo's services.

Data

From Jitjatjo's perspective, we recognise we collect, process, store and own the data and the relationship with EU citizens. We understand the information we process is classified as personal data and that being GDPR compliant requires the protection of the data subjects' information.

Data Subjects

As a human-powered labour platform and staffing marketplace, the person to whom GDPR applies can either be an employee of an enterprise client or someone applying to become an employee. An employee can be a user of an application that administers the platform, manages the workforce, is authorized by a business to create schedules, confirm bookings, or accept job assignments.

Lawful Basis

GDPR only allows collection of user data for a legal reason. Jitjatjo only collects data for verification purposes as per our terms of service and privacy policy and on consent by the data subject.

The Right To Be Forgotten

The Data Subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller (Jitjatjo) shall have the obligation to erase personal data without undue delay.

Data subjects may submit a Right to Erasure Request Form to a Jitjatjo representative.

UK Data Privacy

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR) - see above.

AU Data Privacy

The Privacy Act 1988 is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information.

• the collection, use and disclosure of personal information.
• an organisation or agency's governance and accountability.
• integrity and correction of personal information.
• the rights of individuals to access their personal information.

The Australian Privacy Principles (APPs) relate to the following areas:

1. Open and transparent management of personal information
2. Anonymity and pseudonymity
3. Collection of solicited personal information
4. Dealing with unsolicited personal information
5. Notification of the collection of personal information
6. Use or disclosure of personal information
7. Direct marketing
8. Cross-border disclosure of personal information
9. Adoption, use or disclosure of government related identifiers
10. Quality of personal information
11. Security of personal information
12. Access to personal information
13. Correction of personal information

HR/Employment Compliance

Ensuring new hires are eligible to work in the jurisdiction and their background is appropriately screened prior to commencing work are essential risk mitigation strategies for employers.