Vulnerability Detection
Automated scans of JobKred Lithium's production site are conducted a minimum of every 7 days. All changes are peer reviewed and vulnerability and security lists are actively monitored for CVE and other vulnerability disclosures with appropriate actions taken.
Data Centers and Location
JobKred Lithium production services are hosted on Amazon Web Services’ (“AWS”) EC2 platform. The physical servers are located in AWS’s EC2 data centers. As of this date, AWS (i) has certifications for compliance with ISO/IEC 27001:2013, 27017:2015 and 27018:2014, (ii) is certified as a PCI DSS 3.2 Level 1 Service Provider, and (iii) undergoes SOC 1, SOC 2 and SOC 3 audits (with semi-annual reports). Additional details about AWS’ compliance programs, including FedRAMP compliance, can be found at AWS’ website.
All user content is stored within Singapore regions of AWS. JobKred Lithium’s production environment is hosted on an AWS EC2 platform. User content can also be found in JobKred Lithium backups, stored in AWS EC2, and S3.
We do not offer customers the option of hosting JobKred Lithium on a private server, or to otherwise use JobKred Lithium on a separate infrastructure.
Production Environment
We maintain separate and distinct production, staging, and development environments for JobKred Lithium.
To access JobKred Lithium’s production environment, authorized and trained members of JobKred Lithium's SRE and select Engineering team members (“Authorized Personnel”) authenticate to the VPN using unique strong passwords and then only access the production environment via ssh terminal connections. An IDS system is in place on all production servers, which includes real-time monitoring and alerting of any changes to the production system files or configuration and anomalous security events. For Authorized Personnel, any workstations running Windows or macOS must be running current and active anti-virus software. Those members are also trained not to replicate non-public user data stored in JobKred Lithium’s production environment onto their workstations or mobile devices.
Network Security
AWS Network ACL and Security Groups are used to restrict access to JobKred Lithium’s systems as appropriate to their role. Active monitoring of these security rules is in place with alerting mechanisms in place for any changes to the configuration. Public access is restricted to port 443 and 80 on the network load balancers for public traffic. JobKred Private Limited's Workplace Technology team protects our wireless networks by utilizing WPA2-AES authentication encryption. We authenticate to our wireless network through 802.1x utilizing our internal identity store. We scan for rogue wireless access points regularly, and maintain a list of rogue access points found.
Login Security
SAML 2.0 SSO is supported for JobKred Lithium Enterprise customers. All customers can enable 2FA on their accounts or use Google OAuth.
If logging in directly to JobKred Lithium using a username or email and password, JobKred Lithium requires a minimum of 8 characters. Repeated failed login attempts trigger an exponential lock period before a user can retry. Passwords are stored in a hashed form and will never be sent via email—upon account creation and password reset, JobKred Lithium will send a link to the email associated with the account that will enable the user to create a new password.
Password complexity and session length requirements cannot be customized within the app. However, these can be set within an IdP for an SSO-enforced team.
Access Control
All user data stored in JobKred Lithium is protected and access to such data by Authorized Personnel is based on the principle of least privilege. Only Authorized Personnel have direct access to JobKred Lithium’s production systems. Those who do have direct access to production systems are only permitted to view user data stored in JobKred Lithium in the aggregate, for troubleshooting purposes or as otherwise permitted in JobKred Lithium’s Privacy Policy.
JobKred Lithium maintains a list of Authorized Personnel with access to the production environment. These members undergo criminal background checks and are approved by JobKred Lithium’s Engineering management. JobKred Lithium also maintains a list of personnel who are permitted to access JobKred Lithium code, as well as the development and staging environments. These lists are reviewed quarterly and upon role change.
Trained members of the JobKred Private Limited and JobKred Lithium customer support teams also have case-specific, limited access to user data stored in JobKred Lithium through restricted access customer support tools. Customer support team members are not authorized to review non-public user data stored in JobKred Lithium for customer support purposes without explicit permission. When a JobKred Lithium user submits a support ticket, they have the option of authorizing the customer support team to view their data. The customer support team will only receive such access to the account if it is granted by the user, either by selecting the "Give support staff temporary access to your account" option when submitting a help request, or by clicking a link sent to the user's email by the support team. The account owner can revoke such access at any time.
Upon role change or leaving the company, the production credentials of Authorized Personnel are deactivated, and their sessions are forcibly logged out. Thereafter, all such accounts are removed or changed.
Public Content and Other Permissions
User data entered on public boards or included in public profile information may be viewed or accessed by anyone. In addition, notwithstanding anything to the contrary, data may be collected, shared, retained and used as described in JobKred Lithium’s Privacy Policy or customer’s agreement(s) with JobKred Lithium.
Third Party Access
User data may be shared by JobKred Lithium with third-party service providers (a user's email address for an email delivery provider, for example) pursuant to JobKred Lithium’s Privacy Policy and in compliance with JobKred Lithium’s applicable signed service agreements.
Physical Security
In some instances our offices share buildings with other companies. For that reason, we require mandatory visitor check-in with the building security team and that visitors wear identification badges. Additionally, visitors must check-in with our front desk and require an escort throughout the building at all times.
JobKred Lithium's production services are hosted on Amazon Web Services’ (“AWS”) EC2 platform. The physical servers are located in AWS’ secure data centers. We require that production critical data is never to be stored by those with privileged access on physical media outside of our data hosting provider's production environments. See above for information on AWS’ compliance programs.
Corporate Environment and Removable Media
Strict firewall rules prohibit access to necessary ports for the usage of JobKred Lithium (e.g., 443), to help ensure limited access to the production environment to our VPN network and authorized systems. Our corporate network has no additional access to the production environment, with Authorized Personnel required to connect to the VPN in order to access any special systems or environments.
Authorized Personnel with access to JobKred Lithium’s production environment are trained as noted above. In addition, employee workstations are required to time out and lock after a maximum of one minute once sleep or the screen saver begins. We do not have a clean desk policy.
Encryption In-Transit
JobKred Lithium uses industry standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, desktop, iOS, and Android apps and the JobKred Lithium servers. There is no non-TLS option for connecting to JobKred Lithium. All connections are made securely over HTTPS.
Encryption At-Rest
Data drives on servers holding user data use full disk, industry-standard AES encryption with a unique encryption key for each server. File attachments to JobKred Lithium cards are stored in Amazon’s S3 service. Attachments are only accessible using a secure HTTPS connection by authorized users. File attachments to JobKred Lithium cards uploaded after June 3, 2015 are encrypted using Amazon S3 server side 256-bit AES encryption. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process. At an Enterprise customer’s request, attachments uploaded prior to June 3, 2015 can be retroactively encrypted within Amazon S3. All JobKred Lithium backups are encrypted with AES-256 encryption.
Encryption Keys
Encryption keys for JobKred Lithium attachments, stored in S3, are managed by Amazon. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process. Encryption keys for JobKred Lithium attachments managed by our team are rotated upon relevant changes of roles or employment status. Encryption keys managed by our team are not stored outside of JobKred Lithium’s production backup environment and are managed by our SRE team. JobKred Lithium backups are of the entire data set, so they are encrypted using a shared key.
Data Deletion - Termination of Agreement
Upon termination of a JobKred Lithium, if requested by the JobKred Lithium customer’s administrator, the user content that is stored on the terminated team’s boards, lists and cards will be completely removed from the live JobKred Lithium production database. All file attachments uploaded directly to JobKred Lithium will be removed from the live JobKred Lithium production database within 30 days. The team’s data will remain in encrypted JobKred Lithium database backups until those backups fall out of the 30-day backup retention window and are destroyed in accordance with our data retention policy. In the event that a database restore is necessary within 30 days of a requested data deletion, we will re-delete the data as soon as reasonably possible after the live production system is fully restored.
For clarity, if a customer continues to use JobKred Lithium pursuant to a free account or different plan following the termination of contract, such data may be retained for use in accordance with the terms and conditions applicable to such account or plan.
Data Deletion - User Personal Data
In the case of a JobKred Lithium user account being deleted, upon deletion, JobKred Lithium deletes the user’s personal data, including items like name, email address and location, within 30 days of the request. After 30 days, such personal data will remain in encrypted JobKred Lithium database backups until those backups fall out of the 30-day retention window and are completely destroyed.
Development, Patch and Configuration Management
All changes to the JobKred Lithium production system, code or system configuration changes, require review prior to deployment to the production environment. Thousands of automated unit tests are run against all production code prior to deployment. Production code is also subject to regularly conducted automated vulnerability scans. All changes to JobKred Lithium’s code are tested in a staging environment prior to deployment to production. Patches to the JobKred Lithium web client are deployed on a rolling basis, usually several times per week. JobKred Lithium production servers are managed via a centralized configuration system. All JobKred Lithium system changes are peer reviewed and patches are deployed as relevant to their level of security and stability impact, with critical patches able to be deployed well within 24 hours of availability as appropriate.
We restrict access as noted above and maintain separate lists of relevant roles with access to source code, development, staging, and production environments. These lists are reviewed quarterly and upon role change. We use source code management tools and repositories.
All production servers are running a LTS (Long Term Support) distribution of their operating system to ensure timely updates are available. CVE lists and notifications are actively monitored and any systems can be patched in a timeline relevant to the severity of the issue. A centralized configuration system is used for the management of production servers, and when needed a patch can be deployed within hours of its availability.
Event Logging
Certain user actions which manipulate user data are stored within JobKred Lithium and are available for the customer/user (e.g., when creating, updating or deleting skill ratings, job profiles etc.).
All JobKred Lithium API calls and application logs are kept for our internal purposes for at least 90 days without sensitive information (no full user tokens, no user generated content), and are available only for authorized employees as required by their role for monitoring of JobKred Lithium to ensure service availability and performance and to prevent abuse.
Data Within JobKred Lithium
JobKred Lithium validates files for well-formedness and the like, however, we have explicitly designed JobKred Lithium to support any type of content users may choose to store within JobKred Lithium. All attachments are stored and accessed from a completely separate domain to help prevent any potential access by such attachment to other user data or cookies.
User Team Management and Access
Admins for a JobKred Lithium Enterprise account will be set via the customer’s account manager. Admin, regular, and observer roles can be assigned within JobKred Lithium.
It is not possible to limit the geolocations allowed to access data within JobKred Lithium. Data can be accessed by users who have access to such data within the app from any geolocation. All third-party developer access to user data stored in JobKred Lithium is via the API which includes strict authorization checks. All Authorized Personnel go through strict security group/firewall rules which limits access to authorized instance roles on authorized ports required for them to fulfill their role.
Backup, Business Continuity, and Disaster Recovery Policy
Backup Policy
Data entered into JobKred Lithium is backed up regularly. All backups are encrypted and stored at multiple offsite locations to help ensure that they are available in the unlikely event that a restore is necessary.
Files uploaded to JobKred Lithium as card attachments are not backed up on the same schedule, and instead rely on Amazon S3’s internal redundancy mechanism.
Files associated with JobKred Lithium cards from a supported cloud storage provider are also subject to the storage provider’s own backup procedures and policies.
JobKred Lithium database backups are immediately encrypted with 256-bit AES encryption using GNU Privacy Guard (“GPG”) with a password-protected symmetric cipher. Encrypted backups can only be decrypted by members of the JobKred Lithium operations team who have received training and have been authorized to decrypt the backups.
Backup Interval
JobKred performs a full daily backup of database data during a fixed daily (24 hours) backup window. JobKred also uploads the transaction logs for DB instances to Amazon S3 every 5 minutes.
Backup Storage
All JobKred Lithium backups are retained on the following schedule:
Database backup are stored in S3 for 30 days.
Only authorized members of the JobKred Lithium operations team have access to the backup locations, so that they are able to monitor the performance of the backup processes, and in the very unlikely event that a restore becomes necessary. After 30 days, the encrypted backup files are destroyed.
Attachments directly uploaded to JobKred Lithium are handled differently than the primary database backups. To backup file attachments, JobKred Lithium primarily relies on S3’s internal redundancy mechanism, which Amazon states provides 99.99% yearly data durability.
Data Portability
JobKred Lithium board data is available for export by board members in JSON format via the JobKred Lithium REST API. File attachments can be individually retrieved directly from Amazon S3 using the file’s unique hyperlink.
JobKred Lithium personal data is available for export by individual users in JSON format and can be found by clicking this link. The “Download Personal Data” button will export personal data and deliver it via an API endpoint in JSON format.
JobKred Lithium Premium and Enterprise plans offer a simplified data export process for all team data and attachments. Each Premium and Enterprise team includes one-click export of all Boards within the team. Optionally, file attachments uploaded directly to JobKred Lithium can be included in the export file. Within the export, each board’s data is included in both JSON and Comma Separated Values (“CSV”) format.
Business Continuity
The JobKred Lithium operations team has designed systems to keep the service running even if the underlying infrastructure experiences an outage or other significant issue. Every critical JobKred Lithium service has a secondary, replicated service running simultaneously with mirrored data in a different AWS availability zone than the primary server. Additionally, each JobKred Lithium database server has a replicated service running in a third availability zone with data that is mirrored on a one hour delay.
Because it is critical to have reliable access to your business’ important projects and data, JobKred Lithium has been architected to survive a single availability zone outage without significant service interruptions.
Disaster Recovery
In the unlikely event that two Amazon EC2 availability zones have long-term service interruptions, JobKred Lithium has been designed to recover with limited service interruption and a target maximum of 1 hour of data loss.
JobKred Lithium's SRE team regularly tests the various components of its Business Continuity architecture to ensure continued operations.
JobKred Lithium does not have an SLA or credit policy. JobKred Lithium had over 99.99% uptime in 2020 and 2021, and any downtime is documented at JobKred Lithium's status page.
Incidents and Response
A JobKred Lithium problem impacting a JobKred Lithium Enterprise customer will be assigned a Severity Level and handled according to the resolutions as follow:
Severity 1: JobKred Lithium is not available or is unusable.
Work begins within 1 hour from report, temporary resolution within 4 hours, final resolution within 7 hours. (Example:The site is not responding; all text on the site is being translated into elven runes.)
Severity 2: Service or performance is substantially degraded in a way that prevents normal use.
Work begins within 2 hours from report, temporary resolution within 48 hours, final resolution within 14 days. (Example: Search only finds cards with the search terms in the title; JobKred Lithium cannot be used with the new Firefox version that came out today.)
Severity 3: A service not essential to JobKred Lithium’s main functionality is unavailable or degraded.
Work begins within 72 hours from report, temporary resolution within 7 days, final resolution within 30 days. (Example: Activity indicators are not showing who is active; updates are taking 30 seconds to propagate to other board viewers.)
Severity 4: Minor or cosmetic issues with JobKred Lithium services, and all feature requests. Resolution at JobKred Lithium team’s discretion. (Example: Dashboard background images aren’t scaling properly; feature request for dependencies between cards.)
Employee Policies
Anti-Virus
JobKred Lithium has a centrally managed antivirus solution deployed across both our Windows and macOS environments. For Authorized Personnel, any workstations running Windows or macOS used for ssh terminal access to the production environment must be running update-to-date and active instances of our centrally deployed Crowdstrike Falcon antivirus software with real-time monitoring and at-least-daily updates.
Authorized Personnel may choose to run linux as their workstation operating system. Given the inadequate state of linux antivirus software and the lack of prevalence of viruses for that platform, our policy does not require those workstations to run antivirus. All of the existing controls for Authorized Personnel, including restricting access from those workstations to the production environment via ssh terminal connections only and with no replication of user data onto those workstations, still apply.
Remote Access
Many of JobKred Lithium’s team members work remotely. Strict firewall rules are in place thus limiting access to the production environment to our VPN network and authorized systems. Certain other controls described above, including Authorized Personnel and corporate environment controls, also apply to remote access as appropriate.
Security Awareness and Confidentiality
Security awareness and user data access policies are covered during our employee onboarding as appropriate to the role and employees are updated as relevant policies or practices change. Our employees also sign a confidentiality agreement.
In the event that a security policy is breached by an employee, JobKred Lithium reserves the right to determine the appropriate response, which may include termination.
Background Checks
All our employees undergo an extensive interview process before hiring. Our employees with direct access to the production environment undergo a criminal background check. Other employees may undergo a check depending on their role (e.g., academic for legal roles or credit for finance roles). Appropriate NDAs are in place with third parties as appropriate.
Maintenance Policy
Planned Maintenance
When it is necessary to perform planned maintenance on JobKred Lithium services, the JobKred Lithium operations team will perform the work during one of two scheduled weekly maintenance windows. We will make reasonable efforts to announce maintenance procedures that could potentially impact users of JobKred Lithium by informing (via email) affected users within 24 hours prior to the event, or via other communication channels at least 30 minutes prior to the event.
Planned Maintenance Windows
Saturday from 3:00 AM Singapore Time through Saturday at 5:00 AM Singapore Time
These windows have been selected with the goal of minimizing service downtime, slowness, or other impact to the people and businesses that rely on JobKred Lithium.
We do our best to make outages as short as possible. Additionally, our maintenance schedule will frequently be evaluated to ensure that we keep user impact as low as reasonably possible. Should we need to reschedule these windows, the updated schedule will be announced on our Status Blog and Twitter accounts with reasonable advance notice.
Unplanned Maintenance
Due to unforeseen events, we may have to infrequently perform unplanned maintenance on JobKred Lithium infrastructure or software components. This maintenance might cause some or all of the JobKred Lithium services to be inaccessible by our users for a period of time. It is our goal to do this as infrequently as possible. Any unplanned or emergency maintenance that causes JobKred Lithium to be inaccessible will be announced on the JobKred Lithium Status Blog and in-app with as much advance notice as reasonably possible. As with planned maintenance, we do our best to minimize disruption caused by service outages.
It is not possible for us to customize the maintenance window, as our users are on a shared infrastructure. However, we've used this maintenance window extremely rarely—about once a year, for under 30 minutes each time.
Last updated Sep 2022.
