Security at JBoard

September 17, 2024 (updated)


As a white-label job board platform, we recognize the importance of excellent security practices. While we are a small team, we take security seriously and strive to maintain robust security measures to protect our users and their data.

This document covers our security practices and policies.


General Security Practices

  1. Access to our servers, source code, and third-party tools is protected by two-factor authentication whenever possible.
  2. We employ strong, randomly generated passwords that are never reused.
  3. Our employees and contractors are granted the minimum level of access necessary to perform their work, minimizing the risk of unauthorized access to sensitive information.
  4. We utilize automated security vulnerability detection tools to notify us of known security issues in our dependencies. To mitigate potential risks, we prioritize applying patches and deploying updates quickly.
  5. We do not transfer production data to external devices such as laptops, ensuring that sensitive information remains within our secure environment.


Authentication

At sign-up, each user creates a new account using their email address and a password. Passwords are hashed with BCrypt before being stored; they are never stored in plain text and are filtered out of our application logs.


Encryption

  • Communication Encryption: All communication between the JBoard app, job board websites, and our backend service is encrypted using TLS. We utilize Automated Certificate Management provided by Let’s Encrypt to maintain secure connections.
  • Data Storage Encryption: User data is stored in Amazon Web Services (AWS) RDS, where it is encrypted at rest. The RDS database is accessible only from our application servers within the same network, ensuring secure and controlled access.


Payments

At JBoard, we prioritize the security of payment processing for both our application and our customers' job boards through our integration with Stripe:

  • Secure Payment Processing: Credit card information is submitted directly to Stripe using the Stripe Elements API. Sensitive payment details are transmitted securely to Stripe and never touch our servers.
  • PCI Compliance: By leveraging Stripe's integration, we ensure that all payment transactions comply with the Payment Card Industry Data Security Standard (PCI-DSS), which mandates stringent security measures for handling credit card information.
  • No Direct Access: The integration with Stripe is designed so that JBoard does not have the ability to access or process credit card information directly. This separation enhances the security of card processing, reducing the risk of data breaches.


Software Development Practices

  • Our team adheres to secure coding standards and is educated about the OWASP Top 10 security risks, ensuring resilience against common vulnerabilities.
  • Code written by any developer is reviewed by at least one other developer to maintain quality and identify potential security issues.
  • Automated unit and integration tests are created when necessary to catch vulnerabilities early in the development process and ensure new code does not introduce security flaws.
  • The team consistently adheres to the least privilege principle, ensuring that new functionality runs with the minimum level of privileges necessary, which reduces the impact of potential security breaches.


Vulnerability Detection

Both the client and our backend are regularly scanned for dependencies with known security vulnerabilities. Vulnerable dependencies are patched and redeployed rapidly.


Penetration Testing

We use Detectify to periodically scan our application for OWASP Top 10 and other application vulnerabilities. Detectify provides us with regular updates on potential security issues, which we address promptly to maintain the security of our platform. While we have not conducted an external penetration test, we continuously monitor and improve our security measures based on Detectify's findings and our internal team's assessments.


Data Flow

The data flow for JBoard involves several key components, ensuring secure and efficient interactions between the job board website, admin management platform, and our backend services:

  • Job Board Website User Interactions: Users interact with the job board website (e.g., your-job-board.com) to search for jobs, create profiles, submit applications, and post job listings. This website communicates directly with our backend servers.
  • Admin Management: Job board administrators use the admin management platform (app.jboard.io) to manage job board content and settings. This platform interacts with our backend services to fetch and update data.
  • Customer API: We provide an API to our customers for integrating their own applications with our backend. The API handles requests such as retrieving job listings, job applications, and managing user profiles. All the API requests go directly to JBoard’s backend.


Hosting

Our backend services are hosted in the AWS Northern California (us-west-1) region. Amazon's data center operations have been accredited under the following standards:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)


Data Retention/Logging

Logs are stored in a private CloudWatch area; application errors are sent to Rollbar. These logs are retained for up to 60 days, after which they are permanently deleted.
