A SOC 1 report is an audit report that's scope includes both business process and information technology control objectives and testing. A SOC 1 must be issued by a CPA firm that specializes in auditing IT security and business process controls. SOC 1 reports are considered attestation reports.

The short answer is that a Type 1 report just provides a report of procedures / controls an organization has put in place as of a point in time. A Type 2 report has an audit period and provides evidence of how an organization operated its controls over a period of time.

No Security incident has happened as of yet.

This risk assessment report identifies threats and vulnerabilities applicable to. System Name. . It also evaluates the likelihood that vulnerability can be exploited, assesses the impact associated with these threats and vulnerabilities, and identifies the overall risk level.

A penetration test report provides a comprehensive summary of the system's vulnerabilities. In addition, it includes recommendations for patching, hardening, and restricting the functionality of systems when necessary. The objective is to identify problem areas and implement a solution.

You can request our penetration test report from the document section.

A SOC 2 Type 2 report audits the Trust Service Criteria over several months or more to ensure long-term control. This makes it more secure than a Type 1 and shows that providers can protect information over an extended time period.

You can request our SOC 2 TYPE 2 report from document section.

As a Software-as-a-Service (SaaS) provider, JIFFY.ai places a high emphasis on data security and compliance. Our customer base includes organizations in heavily regulated industries such as financial services, insurance, travel, and healthcare, which necessitate strict adherence to security and privacy requirements. To meet these needs, Jiffy continually raises the bar on security.

• To ensure compliance with industry standards, JIFFY.ai undergoes annual System and Organization Controls (SOC) 2 Type II examinations. Additionally, JIFFY.ai has achieved multiple certifications to demonstrate our commitment to security best practices.
• JIFFY.ai is ISO 27001 certified, which ensures security best practices and a managed approach to business information protection.  JIFFY.ai also has achieved General Data Protection Regulation (GDPR) compliance.
• JIFFY.ai is also committed to maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy and security of sensitive healthcare information.
• In addition to the SOC 2 Type II examination, JIFFY.ai also undergoes annual SOC 1 Type II examination to ensure compliance with industry standards.

A Data Retention Policy is a set of guidelines that dictate how long different types of data should be kept and when they should be deleted. It helps organizations manage their data efficiently, ensuring compliance with legal requirements, protecting sensitive information, and optimizing storage costs. The policy typically outlines retention periods based on data type, regulatory requirements, and business needs.

Data backup is the process of creating copies of data to protect against loss or damage. These copies can be stored on various media such as external hard drives, cloud storage, or other offsite locations.

Data recovery is the process of retrieving lost, corrupted, or inaccessible data from backups. This ensures that data can be restored and used in case of hardware failures, accidental deletions, or cyberattacks.

In essence, backup is the safeguard, and recovery is the restoration.

Data classification is the process of organizing data into categories for its most effective and efficient use. It involves identifying the type, sensitivity, and importance of the data.

Data handling refers to the processes and practices involved in managing data, including how it is collected, stored, accessed, shared, and protected, to ensure its integrity, confidentiality, and availability.

JIFFY.ai is committed to ensuring the security and confidentiality of customer data in its cloud environment. In addition to using Amazon Web Services (AWS) for infrastructure, JIFFY.ai implements strict measures to ensure the safety of customer data.

AWS provides robust encryption at the infrastructure level for the server disk, S3 buckets, and databases. This encryption uses AES-256 encryption, which is a widely-used and secure encryption algorithm.

JIFFY.ai also leverages the AWS Key Management Service (KMS) to manage encryption keys, adding an extra layer of security to its data. Maximum security is ensured by the automatic generation and rotation of encryption keys.

In addition to encryption and key management, JIFFY.ai benefits from the following security features provided by AWS:

• Virtual Private Cloud (VPC): This service provides isolated network environments to ensure that data is secure and isolated from other users and tenants in the cloud.
• Identity and Access Management (IAM): AWS IAM provides fine-grained control over access to AWS resources, ensuring that only authorized users can access sensitive data.
• Compliance: AWS is compliant with various industry standards and regulations such as SOC 2, HIPAA, PCI DSS, and ISO 27001, providing customers with the assurance that their data is secure and meets compliance requirements.

JIFFY.ai's approach to information security governance is designed to ensure the security and privacy of the data that its systems maintain. The approach is structured around the ISO 27001 framework, which is a widely recognized international standard for information security management. The key components of JIFFY.ai's approach include:

• Employees: JIFFY.ai provides regular information security training to all employees, and employees in data-handling positions receive additional role-based training specific to their roles.
• Security Staff: JIFFY.ai has dedicated security staff who support the system and are responsible for maintaining the security and privacy of the data.
• Counsel: JIFFY.ai has a team of legal experts including Privacy Counsel, Compliance and Government Contracts Attorneys who are responsible for ensuring compliance with global privacy laws, international regulatory regimes and federal procurement regulations.
• Assessments: JIFFY.ai regularly conducts internal vulnerability assessments (such as architecture reviews by security professionals, vulnerability scans) and third-party certifications to ensure that its systems are secure and compliant.
• Policies and Procedures: JIFFY.ai has detailed internal policies and procedures that dictate how it handles various aspects of security and compliance governance, ensuring that all its actions align with industry standards and regulations.

Overall, JIFFY.ai's approach to information security governance is comprehensive, including all the tools, people and business processes to protect the data and maintain the trust of its customers.

JIFFY.ai has robust security processes in place to ensure the security of customers' data. The process includes the following phases:

• Design phase: JIFFY.ai engineers are trained on security principles and receive security training to make informed security decisions. Security representatives are involved in sprint reviews to help define security requirements. Threat assessments are conducted on high-risk features to identify potential security issues early in the development process.
• Development phase: Security requirements for high-risk features are incorporated into feature development. JIFFY.ai uses secure coding patterns and anti-patterns to address standard vulnerability types, and employs static code analysis tools to identify security flaws. Secure code development is controlled through a secure code repository.
• Testing phase: JIFFY.ai's internal QA team and independent security consultants use scanners and proprietary tools (Veracode/Beagle DAST) along with manual security testing to identify potential security issues.
• Prior to release: JIFFY.ai's security leadership team provides sign-off for each release once all security bugs are closed or have an approved exception based on the risk score. New functionality is verified to ensure security requirements have been met. Code is tested and approved before release. Automated VAPT is integrated into the deployment pipelines.

Overall, JIFFY.ai has implemented a comprehensive and systematic approach to security that covers all aspects of development, testing and release to ensure that their customers data is protected and secured.

A Business Continuity Plan (BCP) is a strategy that outlines procedures and instructions an organization must follow in the face of disaster, ensuring that critical operations continue with minimal disruption. It includes identifying key business areas, critical functions, interdependencies, and required resources, and typically covers risk management, disaster recovery, and contingency planning.

JIFFY.ai implements industry-accepted best practices to harden the underlying systems that support the various software layers of the service. For instance, hosts are configured with non-default software configurations, minimal processes, user accounts, and network protocols. Additionally, hosts log their activity in a remote, central location for safekeeping.

To ensure the security of our devices, JIFFY.ai has performed a review of device configurations against industry best practices and required standards for government markets, such as DISA Security Technical Implementation Guides (STIGs) or Center for Internet Security (CIS) Benchmarks.

JIFFY.ai's Change Management processes dictate that system changes and maintenance are documented in the internal ticketing system. Changes require approval, testing, and security impact analysis prior to deployment. Additionally, any changes that constitute a significant change, per JIFFY.ai's significant change definition, require a requirements analysis and an impact assessment to determine the impact on the JIFFY.ai SaaS Cloud environment.

To further enhance security, JIFFY.ai has adopted the Continuous Deployment model to avoid human errors for both provisioning and release.

JIFFY.ai has implemented robust logical access controls for the production network to ensure secure access to the network and data. These controls include:

• Access to the production network is granted only after manager approval and based on a clear business justification. Users who are no longer with the company are removed from the network in a timely manner.
• Multi-factor authentication processes are used to verify the identity of users requesting access to internal systems.
• Secure VPN / ZTNA act as secure gateways between the authentication perimeter and platform network, providing an additional layer of protection for the network.
• Segregation of duties and least privilege models are enforced to ensure that employees are only granted the level of access to the production network that is necessary for them to perform their assigned job functions, based on their role.
• Infrastructure logging is enabled to capture system activity, and logs are forwarded to a central logging system for monitoring and analysis.
• By implementing these controls, JIFFY.ai ensures that only authorized users can access the production network and that their access is limited to the minimum necessary to perform their job functions, reducing the risk of unauthorized access, misuse or abuse.

• Workloads segregated in a dedicated VPC.
• Customer network can be integrated through secure channels like site-site VPN or private links.
• Dedicated ALB/WAF for tenants with custom policies.
• Service isolation enforcement with Istio service mesh.

• AES-based encryption based on AWS KMS for data at rest.
• Encryption is enabled and enforced for data in motion.
• All the internal Server components are authenticated using a JWT token. 
• Credentials/tokens are stored in secure vault
• Configurations are stored in Hashicorp Consul

• Platform level roles and privileges to manage the application life cycle.
• Customer applications can define their own roles for fine grained access control.
• User authentication and authorization can be integrated with the customer’s identity provider.

The JIFFY.ai application and platform are continuously monitored for reliability and performance by a dedicated team of experts. The Site Reliability Team (SRE) monitors the service 24/7 and has specialized personnel in various disciplines to handle first- and second-tier support, with technical engineers providing escalation support as needed. Overall system monitoring is provided by a variety of tools, and alerts are aggregated to ensure that issues, warnings, and problems are promptly addressed by the SRE team. Automated monitoring tools route alerts to the appropriate personnel, including on-call support staff and engineers, to ensure rapid response to events of significance. Additionally, JIFFY.ai has incorporated extensive monitoring and instrumentation into the application itself to accurately report its health and performance to the SRE team for proactive maintenance and troubleshooting.

To safeguard against unwanted network traffic, external network gateways and firewalls are configured to deny all traffic by default and only allow exceptions through after thorough filtering. Stateful packet inspections (SPI) firewalls are used to inspect all network packets and prevent unauthorized connections. Intrusion detection sensors are strategically placed throughout the network to monitor traffic and report any suspicious events to a security logging and alerting system for logging, alerts, and reporting.

To ensure secure routing and traffic flow, JIFFY.ai platform applies policies that encrypt customer traffic as it enters the platform, and only decrypts it at the load balancer.

JIFFY.ai Cloud Platform also implements Denial-of-Service (DoS) protection using a multi-layered approach that includes high availability, traffic monitoring and anomaly detection to ensure the availability and security of the network.

The JIFFY.ai Cloud Platform employs several advanced security measures to protect network data transmissions between the customer and the JIFFY.ai SaaS. This includes the use of Transport Layer Security (TLS) cryptographic protocols, with a preference for the secure TLS 1.2 protocol. Additionally, HTTP Strict Transport Security (HSTS) is enabled by default to further secure network data transmissions.

At Jiffy, customer data privacy and security are top priorities. The company aims to protect customer privacy as an integral part of their mission and earn customer trust. Jiffy strives to be a leader in the industry by implementing a world-class privacy program and providing secure infrastructure and tools to help customers comply with global privacy and data protection regulations.

Privacy Statement: https://jiffy.ai/jiffy-privacy-policy/