Application security at Juro

March 13, 2024
At Juro, we understand that security is foundational to building trust with customers.

We know you entrust us with your most valuable business information. That’s why safeguarding the confidentiality, integrity and availability of your data is our top priority.

This article outlines the stringent application security measures and controls implemented to protect your data. We continuously iterate on our security program as technologies and threat landscapes evolve.

Physical security

Customer data in Juro is hosted on Amazon Web Services (AWS) servers located in Ireland. AWS controls physical access to its data centers.

The information in this section is provided by AWS and was last updated on 6 October 2023. Up-to-date information can be obtained directly from AWS.

AWS data center access

AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. This same process applies for third-party access, which only approved AWS employees can request.

These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires.

Once granted admittance, individuals are restricted to areas specified in their permissions. Third parties granted visitor badge access must present identification when arriving on site and be signed in and escorted by authorized staff.

Monitoring and logging

AWS regularly reviews access to data centers. AWS automatically revokes access when an employee’s record is terminated in AWS’s HR system.

AWS also revokes access when an employee or contractor’s access expires in accordance with the approved request duration, even if they are still an AWS employee.

Physical access to AWS data centers is logged, monitored, and retained. AWS correlates information gained from logical and physical monitoring systems to enhance security on an as-needed basis.

AWS monitors its data centers using its global Security Operations Centers, which are responsible for monitoring, triaging, and executing security programs.

They provide 24/7 global support by managing and monitoring data center access activities, equipping local teams and other support teams to respond to security incidents by triaging, consulting, analyzing and dispatching responses.

Surveillance and detection

Physical access points to AWS server rooms are recorded by CCTV. Images are retained by AWS according to legal and compliance requirements.

Physical access to AWS data centers is controlled at building ingress points by professional security staff using surveillance, detection systems, and other electronic means.

Authorized staff use multi-factor authentication to access data centers. Entrances to AWS server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.

Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate AWS personnel of security incidents.

Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit.

These devices will sound alarms if the door is forced open without authentication or held open.

Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to the 24/7 AWS Security Operations Centers for logging, analysis and response.

Network security

At Juro, we deploy robust network security protections designed to safeguard customer data from external threats. To read more about our network security program, head to our dedicated resource on network and infrastructure security.

Access controls

Strict access controls are implemented at Juro to ensure only authorized personnel can access customer data based on their role. This takes the form of:

  1. Role-based access. Access to Juro systems and third-party accounts is granted on a need-to-use basis. In most cases, Juro scopes application access based on job role and team.
  2. Multi-factor authentication. Each Juro employee has a unique user ID and password. All assets, applications and vetted third-party platforms may be required to have two-factor authentication configured. For Juro’s primary identity provider, two-factor authentication is required to log in.
  3. Access reviews. Juro conducts a user access review at least once every 12 months, and logs any findings and changes from the review.

Software security

Juro employs rigorous software security practices to build resilience against vulnerabilities into the platform.

Secure code review

Peer review of code is built into every stage of Juro’s software development lifecycle, including security review.

Juro has in place secure coding guidance for its engineering teams, which establishes baseline security requirements for coding practices at Juro. Juro’s guidance is built on the Open Worldwide Application Security Project (OWASP) Secure Coding Practices Version 2.0.

The guidance covers a range of topics, and is designed to address the main sources of vulnerabilities in all applications deployed across the Juro platform.

Principle of least privilege

The principle of least privilege is one of Juro’s core security principles.

In short, it means that only those who need to have access to information are granted access to that information. When Juro grants access, Juro only grants the bare minimum access.

This applies to customer data stored in Juro. For example, a programmer whose main function is updating lines of legacy code doesn’t need access to customer data.

Code scanning

Juro conducts weekly static application security testing (SAST) or static analysis. SAST is a testing methodology that analyzes source code to find security vulnerabilities in an application before the code is compiled.

In addition to SAST, Juro also conducts dynamic application security testing (DAST) daily.

DAST is a method of application security testing in which the application is scanned while it’s running. The scanner sends simulated attack requests to the live application, and the application’s responses to these simulated attacks help identify whether it is vulnerable and could be susceptible to a real attack.

Juro monitors the outcomes of these scans to ensure that vulnerabilities are prioritised and mitigated in accordance with Juro’s vulnerability management program.

Responsible disclosure

Juro operates a responsible disclosure policy. Under this policy, Juro encourages individuals (generally, security researchers) to report vulnerabilities they identify in the Juro application before disclosing those vulnerabilities to the public.

The policy sets out the parameters in which Juro will cooperate with these individuals to encourage early, frank disclosure. This allows Juro to remedy issues quickly and efficiently.

If you think you've found a vulnerability, contact us at security@juro.com and we'll investigate.

Security monitoring

Robust security monitoring and analytics capabilities allow Juro to rapidly detect and respond to threats. We perform continuous scans in every phase of our software development lifecycle to ensure a robust and highly secure deployment. If a vulnerability is detected, an alert is automatically sent to our security team so that the issue can be addressed proactively.

Incident response

Juro maintains rigorous incident response plans designed to swiftly identify, mitigate and recover from security incidents. This includes:

1. A documented incident response plan

Juro maintains and regularly reviews a documented incident response plan. Under this plan, Juro seeks to identify, mitigate the effects of, and recover from security incidents quickly, efficiently and safely.

This incident response plan sits alongside other more granular plans that apply in certain scenarios - for example, a personal data breach.

Juro’s incident response plan also includes mandatory post-incident reviews so that processes, systems and procedures can be adapted to reduce the chances of similar incidents occurring in future.

2. A dedicated application security team

Juro has a dedicated application security team within its engineering function. That team’s mission is to put in place and maintain a program of best-in-class security practices, awareness and training, designed to prevent systems from being compromised.

3. A robust process for notifying affected customers

Juro has in place documented processes to enable Juro to notify affected customers in the event of an incident where required to do so by law. On onboarding, Juro collects specific customer contact details for this purpose, to ensure swift engagement in the event of an incident.

4. A detailed cyber insurance policy

Juro maintains a cyber insurance policy with a market-leading underwriter. As part of this policy, Juro can leverage access to significant external expertise and resources to respond quickly and professionally in the event of a cyber incident.

Compliance

Juro’s security program is about much more than compliance - it’s primarily designed to keep customers’ information safe, in many cases going above and beyond what is strictly required by the law or by any particular certification.

However, we do also comply with some of the most rigorous attestations and regulatory requirements in the world.

SOC 2 Type II

Juro maintains a SOC 2 Type II attestation to provide comfort to its customers about the security safeguards Juro has in place.

Each year, our security program and systems are inspected by independent assessors to measure our compliance against rigorous standards across five trust service principles:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Data protection laws

Juro complies with UK and EU data protection laws, and is also a compliant service provider under the California Consumer Privacy Act. You can find out more about this in our articles on our commitment to the UK GDPR, EU GDPR and CCPA.

Juro maintains a Cyber Essentials certification from IASME to evidence its compliance with the security principle under the UK GDPR and EU GDPR.

Oversight and accountability

Juro’s information security program is overseen by our Chief Technology Officer, who is accountable to our Chief Executive Officer and to our board of directors. As Data Protection Officer, Juro’s General Counsel oversees compliance of the information security program with applicable data protection laws.

Get in touch if you have any questions on our application security policies or procedures - talk to your sales representative, or fill out the form below.
