Security and data protection
General Information

GDPR Compliance

We attach great importance to data security and data protection and work in a GDPR-compliant manner, which is why hundreds of well-known customers rely on Just Social. This includes companies and organizations of all types and from all sectors:

  • Agencies
  • Banks
  • Service enterprises
  • Universities
  • Industrial enterprises
  • German Chambers of Industry and Commerce (IHKs)
  • Churches
  • Health insurance funds
  • Schools
  • Cities, municipalities, and rural districts
  • Charitable foundations
  • Professional associations
  • ...

Order Processing Contract (OPC)

Of course, you can conclude an agreement with us regarding order processing (Auftragsverarbeitungsvertrag: AV, AVV) on the basis of the EU GDPR pursuant to Art. 28 GDPR, which applies from May 25, 2018, in its latest version.

You can easily do this electronically: This saves time and effort for all parties involved and still provides a legally secure data protection basis for our future cooperation.

Order Processing Contract
Audits and Certification

We have our systems and processes regularly checked and optimized by the “audatis” management consultancy with regard to data security and data protection. You can download the current certification here:

Show Data Protection Certificate

Audatis specializes in the areas of data protection and information security and advises renowned customers from various industries. Our Data Protection Officer Carsten Knoop is founder and Managing Director of Audatis and was previously Chief Information Security Officer (CISO) at Bertelsmann AG. He has many years of experience and excellent expertise in the field.

More Information About audatis

Penetration Tests

We have our software regularly checked by external IT security specialists, for example, through penetration tests. Based on the results, we continuously improve the security of our software together with our security experts.

ISO 27001 Certified Data Center

If we take over the hosting of Just Social, we will host your server system in a highly professional and ISO 27001-certified data center in Germany that meets the highest security standards:

  • Hosting according to German data protection law
  • GDPR compliance
  • Server location: Nuremberg
  • Certified pursuant to DIN ISO/IEC 27001
  • 24/7 video surveillance
  • Redundant power supply, grid connection, and air-conditioning
  • 99.6% minimum availability
  • DDoS protection
  • Environmental protection: 100% electricity from renewable sources
  • Multiple awards

ISO Certificate and More Information About our Data Center
Technical Information

On Premise or Private Cloud (Enterprise Version)

With the Enterprise version of Just Social, you get your own "piece of software" over which you have complete control: You can either host it yourself in a data center of your choice (self-hosted), let us host it there (remote maintenance), or leave all hosting to us in our ISO-certified data center (private cloud). In any case, your data will be in a secure place of your choice.

Operation Behind a Firewall (Enterprise Version)

The Enterprise version of Just Social can of course also be operated behind a firewall in your internal IT network. In this case, access to the Just Social system, as with your other IT systems behind a firewall, is only possible from within your internal IT network or via a VPN tunnel.

Our standard installation process is designed to set up a packet filter so that external access is only possible to the required services, usually SSH for maintenance (port 22) and HTTP/HTTPS (ports 80/443).

Monitoring

If we take over the hosting of your Just Social system, we monitor the status of the services and resources used through a monitoring system. We are notified automatically if thresholds are exceeded. For example, we monitor:

  • Just Social status (heartbeat)
  • Heartbeat of the individual Just Social microservices
  • Backup status
  • Disk space utilization
  • CPU utilization
  • Memory allocation (RAM)
  • Utilization of different queues and processes
  • Monitoring for anomalies and DDoS attacks

Security Updates

If we take over the hosting of your Just Social system, we install the latest security updates for the operating system on the server system on a daily basis.

Backups

If we take over the hosting of your Just Social system, we back up the data daily incrementally and in an encrypted form on a separate backup space. In addition, we create a complete encrypted backup of the data on a backup space on a weekly basis.

Encrypted Data Transmission

Just Social transmits all data to the client encrypted via HTTPS (SSL/TLS), so that a high degree of security is guaranteed. The algorithm used depends on the TLS key; usually this is AES with a 256-bit key length. Besides HTTPS, we use SMTP, SSH (for maintenance access), and FTP for the transmission of encrypted backups.

Password Encryption

User passwords are secured using a hash algorithm via bcrypt and a secret salt and stored in the database. Decryption is therefore not possible.

Minimum Password Requirements

Our minimum requirements for user passwords ensure a high level of security: They require at least 8 characters, 1 upper and 1 lower case letter, or 1 number or 1 special character.

Mandatory Information

The following mandatory information is required for using Just Social:

  • Name (first name, last name)
  • E-mail address

All other information is optional.

Authentication/Authorization

Every user interaction in JUST is subject to authentication and authorization checks. In the standard case, authentication takes place via username and password. If SSO is configured, this check is performed via the connection to your own Active Directory or a Microsoft AD FS/IDP server.

Chat Messages

Chat messages are stored in the database. The chat does not save status changes (online/offline).

Audit Security (Enterprise Version)

All information deleted by users in Just Social is first moved to shadow tables. This means that the information is no longer visible to "normal" users in Just Social. Administrators can recover information from shadow tables at the database level.

The final deletion of the data takes place automatically via a cron job. The time frequency of the cron job (e.g., daily, monthly, yearly, every 5 or 10 years) can be adapted to the requirements of the respective customer.

This two-stage deletion concept makes Just Social both audit-proof and data protection-compliant.
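As an added illustration of the two-stage deletion concept (this is example code, not code from Just Social): a user deletion moves the row into a shadow table, an administrator can restore it from there at database level, and a purge function standing in for the cron job finally removes shadow rows older than a configurable retention period. The schema, table names and sample rows are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed schema: a live table plus a shadow table that records when a row was removed.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
CREATE TABLE posts_shadow (id INTEGER PRIMARY KEY, author TEXT, body TEXT, deleted_at TEXT);
"""

def open_db():
    """In-memory database seeded with three constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(1, "alice", "hello"), (2, "bob", "world"), (3, "carol", "!")])
    return conn

def user_delete(conn, post_id, now):
    """Stage 1: a user deletion moves the row to the shadow table in one transaction."""
    with conn:
        conn.execute("INSERT INTO posts_shadow SELECT id, author, body, ? FROM posts WHERE id = ?",
                     (now.isoformat(), post_id))
        conn.execute("DELETE FROM posts WHERE id = ?", (post_id,))

def admin_restore(conn, post_id):
    """Administrator recovery at database level: move the row back from the shadow table."""
    with conn:
        conn.execute("INSERT INTO posts SELECT id, author, body FROM posts_shadow WHERE id = ?",
                     (post_id,))
        conn.execute("DELETE FROM posts_shadow WHERE id = ?", (post_id,))

def purge_job(conn, now, retention):
    """Stage 2: the scheduled job finally deletes shadow rows older than the retention period."""
    cutoff = (now - retention).isoformat()
    with conn:
        cur = conn.execute("DELETE FROM posts_shadow WHERE deleted_at < ?", (cutoff,))
    return cur.rowcount  # number of rows permanently removed

def ids(conn, table):
    """Sorted ids currently in the live or the shadow table (fixed queries, no string building)."""
    query = {"posts": "SELECT id FROM posts ORDER BY id",
             "posts_shadow": "SELECT id FROM posts_shadow ORDER BY id"}[table]
    return [r[0] for r in conn.execute(query)]

def run_scenario():
    # Two deletions, a purge run before and after the 30-day retention, then a restore.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    conn = open_db()
    user_delete(conn, 2, t0)
    user_delete(conn, 3, t0 + timedelta(days=20))
    after_delete = (ids(conn, "posts"), ids(conn, "posts_shadow"))
    purged_early = purge_job(conn, t0 + timedelta(days=30), timedelta(days=30))
    purged_late = purge_job(conn, t0 + timedelta(days=31), timedelta(days=30))
    admin_restore(conn, 3)
    return after_delete, purged_early, purged_late, ids(conn, "posts"), ids(conn, "posts_shadow")
```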

IP Addresses and Server Logs

IP addresses and server logs are only stored for a limited time. The exact time depends on the log rotation (max 60 days). The following information is stored in the logs:

  • User IP address
  • Operating system and browser type
  • Date and time of access
  • Access methods, requested functions, amount of data transferred
  • Access status of the platform server
  • Name of the requested file (if applicable)
  • URL from which the data was requested (if applicable)

Cookies

Cookies are session-related and are deleted after the session has ended. These cookies do not contain any personal data. If the "stay logged in" option is selected, another cookie is generated which stores the logon data in encrypted form and is deleted during a subsequent logoff process.

We recognize the user by the following cookies: SSO, jwt, JUST_SESSION, LL. The content consists of user information and an expiration date and is encrypted (and decrypted) on the server side.

  • jsChatTabCount: Allows you to chat across multiple tabs or windows. Session cookie (is deleted, for example, when the browser is closed).
  • jc_locale: Saves the language setting of the user. Persistent cookie.
  • ll (last login): Stores a hash. When the page is opened again by a user who is not logged in, this hash is compared with the database, which holds a corresponding mapping to the e-mail address (or username); the e-mail address (user name) in the logon box is then pre-filled accordingly. Persistent cookie.
  • JUST_SESSION: Logs the user in to the Just Social apps. Session cookie (is deleted, for example, when the browser is closed).
  • jwt: Logs the user in to the Just Social apps. Session cookie (is deleted, for example, when the browser is closed).
  • loadproxy: With cluster systems, this is set so that you always land on the same app server. (Validity: 1 day)
  • Optional: Additional cookies can be created by integrating tracking tools such as Piwik/Matomo or Google Analytics.

Cross-Site Scripting

Cross-site scripting is prevented by our use of the GWT framework and, for the WYSIWYG editor, by sanitizing its HTML input with AntiSamy.

SQL Injection

SQL injection is prevented by our use of prepared statements in MyBatis, which we use for database access.
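To show why prepared statements matter, here is an added example (not code from Just Social) in Python with sqlite3: the same lookup written once by concatenating the input into the SQL text and once as a prepared statement with a bound parameter. In MyBatis the corresponding forms are a `${...}` substitution and a `#{...}` placeholder; the user table and its single row are constructed.

```python
import sqlite3

def open_users_db():
    """Constructed user table; the stored value stands in for a real password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    return conn

def find_user_concatenated(conn, username):
    """Defective form: the input becomes part of the SQL text, so a quote inside it
    changes the meaning of the query (the MyBatis counterpart is ${username})."""
    rows = conn.execute(f"SELECT username FROM users WHERE username = '{username}'").fetchall()
    return [r[0] for r in rows]

def find_user_prepared(conn, username):
    """Prepared statement: the input is bound as a parameter and is only ever compared
    as data, never parsed as SQL (the MyBatis counterpart is #{username})."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]

def compare(username):
    """Run one input through both forms; returns (concatenated_result, prepared_result).
    For a plain username both agree; for input containing quote characters they differ."""
    conn = open_users_db()
    return find_user_concatenated(conn, username), find_user_prepared(conn, username)
```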
Mobile

Encrypted Data Transmission

Just Social transmits all data from all users' end devices to your server system encrypted via SSL or HTTPS (TLS), so that a high degree of security is guaranteed.

Central Data Storage

Just Social stores all data centrally on your server system, so that all your knowledge and information is in a single, secure place. This also applies to data sent or received via our mobile apps.

Minimal Data Storage (Under Development)

In contrast to private chat tools such as WhatsApp or Threema, Just Social stores all data centrally on a server system of your choice (see above). On the end devices of the users, data is stored only temporarily and to the extent necessary for the functioning of the apps.

Data is stored exclusively in the protected app area, so that images and files do not appear in the central image galleries and file repositories of the mobile phone.

MDM and EMM Solutions

Just Social is compatible with all common Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) solutions (e.g., MobileIron, Airwatch). These allow you, for example, to distribute and manage Just Social Apps on users' smartphones or to connect to the Just Social server system via VPN.

Remote Logout

If you lose your mobile phone, you can remotely log out of your mobile device via your desktop PC to prevent unwanted access to your Just Social apps.

Fingerprint or Code Input (Enterprise Version, Under Development)

Just Social apps can optionally refuse to run on devices that are not protected by a fingerprint or code device lock. In this case, not only the Just Social apps but the entire device is protected against unwanted access. In addition, the mobile operating system then securely encrypts the data in the protected app area – this is only the case if the device is locked.

Protection against Hacked Smartphones (Enterprise Version, Under Development)

Just Social Apps can optionally refuse to be used on devices that have a jailbreak (iOS) or are rooted (Android). This ensures that users cannot install malicious software that can access protected data from the Just Social apps.