Data Security Review Requests

​At Jomablue, we invest heavily in providing a secure product for our customers. This investment begins the moment we start working on a feature, using a ‘secure by design’ methodology. This approach ensures that data security is at the front of our processes and not an afterthought.

While many of the things we do to deliver a secure environment are published in this article, there are additional steps we take that are considered confidential and/or commercially sensitive, which we do not publicly disclose.

Request a Security Review from Jomablue

If you wish Jomablue to assist you with a security review, we ask you to be aware we follow a process to manage the engagement.

1. Any requests for engagement around security reviews are to be sent to privacy@jomablue.com. If Jomablue team members receive a request directly they are trained to forward requests to the Privacy team.
   
2. Team members outside our Data Protection & Privacy requests cannot commit to timeframes for completing any review requests.
   
3. Engagement with security reviews will only be undertaken with the end customer or final data owner, not any intermediary or agencies. Communication must be directly with security review personnel rather than via other parties.
   
4. Upon receipt of a security questionnaire and contact details of the end customer security reviewer, we will confirm receipt of the request via email.
   
5. Customers requesting a security review will be provided with a Jomablue-issued mutual NDA.
   
6. Jomablue will provide a comprehensive 120-point Q&A document at no charge.
   
7. Any requirement to provide custom responses will be a paid engagement at AUD240.00 (excluding GST) per hour with a minimum of 2 hours, billed on actual hours spent on engagement. Contract values greater than AUD20,000.00 per annum will receive 3 consulting hours FOC. Custom responses must be requested earlier than 1 month prior to the instance/subscription live date.
   
8. If the information requested is considered by our team to be sensitive or confidential, we may require a secure transfer method (rather than a plain text email). In these cases, we will ask for a PGP key to be issued by the security reviewer within the receiving organisation. This is at our discretion to ask for a PGP key. This is the only method of secure transfer we support.

Notes:

Penetration tests commissioned by Jomablue are run by external consultants and performed regularly. Extracts or a summary may be provided in some circumstances at the discretion of our team.

1. The Table of Contents from internal Jomablue articles may be shared in some cases, however complete internal documents are not.
2. PGP is an industry-standard for signing and encrypting sensitive data. Jomablue requires customers PGP public key in order to share sensitive or corporate information.
3. Password protection is not the same as encryption using PGP keys. Passwords can easily be shared and distributed without consideration. PGP provides protection of the files in transit as well as defines receipt and ownership of the contents. From a trusted perspective, this provides Jomablue with a single person responsible within our customers' organisation for the protection of the data contained within.Additionally, the PGP must be created from the customer email domain using a non-generic account. For example, max.piper@acme.com will be accepted; hello@acme.com or max@gmail.com won’t be accepted.

If you are sharing any sensitive data, such as lists of data with Jomablue, we strongly encourage the use of PGP. Our Public Key can be found here: https://keys.openpgp.org/vks/v1/by-fingerprint/FDF7FD60A6C493C6D10E85B331189E62CC7DDA29.