Our mission at JouleBug is to provide fun and engaging ways to help our customers better themselves, their community, and our planet. Putting our users first is critical to what we do, including how we protect their data. When it comes to security, we embrace the same principles that guide our mission: minimizing our footprint, engaging in active and responsible stewardship of our world, and communicating transparently. We have implemented industry standards as well as our own specific security practices and require the same high standards of all our vendors to keep your information secure.
This document is intended to provide an overview of our security processes as a company, those we require of our vendors, and the features of our application that work to keep your data safe.
WHAT DATA WE COLLECT AND WHY WE COLLECT IT
At JouleBug, we believe in minimizing our footprint in all things. We embrace this value when it comes to the data we collect. We never engage in bulk data collection or mining. We never share any information we collect with any other organization or third party, for any reason.
We collect users’ email addresses for authentication, prize delivery, post-challenge surveys, and the occasional announcement. We employ OAuth 2.0, the industry standard for authorization, and our application also supports the Microsoft Authentication Library (MSAL). We collect and store data on the activities that users log in the application, and the pictures that users choose to share with it. Additionally, we ask for a friendly name of the user’s choosing to permit interaction between users. By minimizing the data we collect, we reduce the risk exposure of our users and their organizations.
HOW YOUR DATA IS STORED, ACCESSED, AND TRANSMITTED
Sensitive data, including security tokens and passwords, is encrypted and stored in JouleBug’s production database, a MongoDB database hosted on Amazon Web Services (AWS). These databases are located in Virginia and in Frankfurt, Germany, so that we can meet the hosting requirements of a greater number of clients. Pictures that users choose to share with the application are stored in Amazon S3. The data for each organization and user is hosted in our shared infrastructure and logically segregated, so that the information your organization shares with the application remains private to your organization. All user data is secured behind a two-factor authenticated VPN with AWS.
We control network traffic with Amazon Virtual Private Cloud (Amazon VPC) and security groups. The application servers accept requests only with a valid access token, and the data stores are not exposed to the public network. We use AWS Identity and Access Management (IAM) to control user credentials and roles.
The JouleBug application transmits data over public networks using strong encryption, including data transmitted between JouleBug clients and the JouleBug service. Our application uses HTTPS (TLS 1.2) with secure cipher suites to encrypt all traffic in transit, in keeping with industry standards.
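The following is an added example, not JouleBug’s own configuration, showing in Python’s ssl module what “TLS 1.2 with secure cipher suites” amounts to in practice: a server context that refuses anything below TLS 1.2 and offers only forward-secret AEAD suites, together with an audit function that reports where a policy falls short of that bar. The cipher allow-list and the weak-suite markers are the example’s own choices, and the audit inspects a configuration offline rather than probing a live endpoint.

```python
import ssl
from typing import Iterable, List, Mapping

# Constructed allow-list for TLS 1.2: ECDHE key exchange (forward secrecy) with
# AEAD bulk ciphers only. TLS 1.3 suites are governed separately by OpenSSL and
# are all ephemeral-keyed AEAD suites, so they need no entry here.
HARDENED_TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
])

# Name fragments that identify legacy, export-grade or unauthenticated suites.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH", "AECDH", "PSK", "SRP")


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2 minimum, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(HARDENED_TLS12_CIPHERS)
    return ctx


def audit_tls_policy(minimum_version: int, ciphers: Iterable[Mapping]) -> List[str]:
    """Return one finding per policy violation. `ciphers` uses the dict shape
    returned by SSLContext.get_ciphers(): keys 'name', 'protocol', 'aead'."""
    findings: List[str] = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    for c in ciphers:
        name, proto = c["name"], c["protocol"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"{name}: legacy or unauthenticated suite")
        if not c.get("aead", False):
            findings.append(f"{name}: not an AEAD cipher (CBC plus MAC construction)")
        # Every TLS 1.3 suite has an ephemeral key exchange; for TLS 1.2 require (EC)DHE.
        if proto != "TLSv1.3" and "ECDHE" not in name and "DHE" not in name:
            findings.append(f"{name}: key exchange without forward secrecy")
    return findings


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Audit a live SSLContext against the same policy."""
    return audit_tls_policy(ctx.minimum_version, ctx.get_ciphers())


if __name__ == "__main__":
    for finding in audit_context(hardened_server_context()):
        print("FAIL:", finding)
    # A deliberately weak policy, constructed in the get_ciphers() dict shape.
    weak = [{"name": "AES128-SHA", "protocol": "TLSv1.2", "aead": False},
            {"name": "RC4-MD5", "protocol": "SSLv3", "aead": False}]
    for finding in audit_tls_policy(ssl.TLSVersion.TLSv1, weak):
        print("FAIL:", finding)
```

The audit is deliberately stricter than “TLS 1.2 or better”: a TLS 1.2 deployment that still offers RSA key exchange or CBC suites passes the version check but not the forward-secrecy and AEAD checks, which is the distinction the phrase “secure cipher suites” is meant to carry.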
COMPANY SECURITY PROCESSES
At JouleBug we maintain the physical security of our premises with security cameras. Office visitors are required to sign in and out. All keys are tracked on issue and return. No user data is stored on site.
Access to IT systems is limited to approved employees with a valid business justification. All systems are secured with personal user credentials. We operate on a policy of “least privilege” to ensure that access is granted only to those employees who require it, and we mandate multi-factor authentication and strong passwords.
We require our vendors to observe and document these same security processes, including their process for granting system access to their employees (with the security primer documents shared with those employees) and their process for withdrawing access upon termination or reassignment of employees.
All user and organization data is stored with Amazon Web Services (AWS) behind a two-factor authenticated VPN. Amazon provides the physical protection of the servers and related infrastructure, including limiting access to authorized personnel, protecting servers from fire and environmental damage, and providing contingency power in the event of a power failure. AWS maintains many industry certifications, including ISO 9001, ISO 27001, ISO 27017, and ISO 27018. AICPA SOC 1, 2, and 3 reports are available.
APPLICATION SECURITY FEATURES
We have worked to ensure that the application we provide is a secure place for users’ data. Upon signing up, users are shown and must accept our Privacy Policy. Users must then provide the access code unique to their organization; the application verifies this code before an access token is issued. Access tokens have an expiration time and can be revoked by admins. This process ensures that you are in control of which users join your organization on JouleBug. All user passwords are encrypted in the application. We provide users the ability to view and change their email address in the application. In our continuing work to put the user first, we have provided the option of deleting their account and data easily from within the application itself.
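As an added example (not JouleBug’s code), the following Python sketches the flow described above: a per-organization access code that is verified before any token is issued, tokens that carry an expiry, and an admin path that revokes a user’s live tokens. The organization name, access code, KDF parameters and in-memory stores are constructed for illustration; a real deployment would back the stores with a database.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Illustrative KDF cost; a production deployment would tune this upward or use a
# memory-hard KDF such as scrypt or Argon2.
KDF_ITERATIONS = 100_000


def _hash_access_code(code: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest of an organization access code for storage."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, KDF_ITERATIONS)


def _token_key(token: str) -> str:
    """Tokens are stored only as a SHA-256 digest, so a leaked store yields no usable bearer tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class TokenRecord:
    org_id: str
    user: str
    issued_at: float
    expires_at: float
    revoked: bool = False


class OrgAccessService:
    """Constructed in-memory service: access-code check, token issuance, expiry and admin revocation."""

    def __init__(self, token_ttl: float = 3600.0, clock: Callable[[], float] = time.time):
        self._clock = clock            # injectable so expiry can be exercised deterministically
        self._ttl = token_ttl
        self._orgs: Dict[str, Tuple[bytes, bytes]] = {}   # org_id -> (salt, code digest)
        self._tokens: Dict[str, TokenRecord] = {}          # sha256(token) -> record

    def register_org(self, org_id: str, access_code: str) -> None:
        salt = secrets.token_bytes(16)
        self._orgs[org_id] = (salt, _hash_access_code(access_code, salt))

    def join(self, org_id: str, user: str, access_code: str) -> Optional[str]:
        """Verify the organization's access code; only on success issue a short-lived bearer token."""
        entry = self._orgs.get(org_id)
        if entry is None:
            # Run the KDF anyway so an unknown org_id costs the same time as a wrong code.
            _hash_access_code(access_code, bytes(16))
            return None
        salt, expected = entry
        if not hmac.compare_digest(_hash_access_code(access_code, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._tokens[_token_key(token)] = TokenRecord(org_id, user, now, now + self._ttl)
        return token

    def verify(self, token: str) -> Optional[TokenRecord]:
        """Return the token's record if it exists, is unrevoked and has not expired; otherwise None."""
        rec = self._tokens.get(_token_key(token))
        if rec is None or rec.revoked or self._clock() >= rec.expires_at:
            return None
        return rec

    def revoke_user(self, org_id: str, user: str) -> int:
        """Admin action: revoke every live (unexpired, unrevoked) token held by a user in an organization."""
        now = self._clock()
        count = 0
        for rec in self._tokens.values():
            if rec.org_id == org_id and rec.user == user and not rec.revoked and rec.expires_at > now:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    svc = OrgAccessService(token_ttl=60)
    svc.register_org("acme", "GREEN-2024")          # constructed organization and access code
    print("wrong code issues token:", svc.join("acme", "alice", "wrong") is not None)
    tok = svc.join("acme", "alice", "GREEN-2024")
    print("valid token verifies:", svc.verify(tok) is not None)
    svc.revoke_user("acme", "alice")
    print("verifies after revocation:", svc.verify(tok) is not None)
```

Two choices worth noting: the token store holds only a digest of each token, so a database read does not hand an attacker usable credentials, and expiry is enforced at verification time against an injectable clock rather than by a background sweep, which keeps the check correct even if cleanup lags.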
INCIDENT DETECTION
We endeavor to keep your data safe at all times. Our application servers are automatically backed up daily, with some backups retained indefinitely. We monitor all logs related to our Amazon services using Amazon CloudWatch and use AWS CloudTrail to monitor access to our Amazon infrastructure. AWS Config is used to monitor our security measures, and the results of penetration tests are available upon request. AWS maintains data securely with systems designed to withstand concurrent data loss from two facilities.