Welcome to JD Software
At JD Software, we take the security and privacy of our customers' data seriously. Our Security and Privacy teams are dedicated to establishing robust policies and controls, monitoring compliance with those controls, and demonstrating our security practices to third-party auditors to meet compliance standards.

Our Policies are Based on the Following Principles

  • Principle of Least Privilege: Access is restricted to individuals with a legitimate business need, and each grant is scoped to the minimum permissions that need requires, for no longer than it exists.
  • Defense in Depth: We implement layered security controls across all areas of our enterprise, ensuring that security is not reliant on a single defense mechanism.
  • Consistency in Security Controls: Security controls are applied consistently across all systems and processes to maintain a secure environment.
  • Continuous Improvement: We continuously refine our security controls to enhance effectiveness, increase auditability, and minimize operational friction.


Data Protection

Data at Rest

All customer data stored within JD Software's infrastructure is encrypted at rest using industry-standard encryption techniques.

Data in Transit

JD Software uses TLS 1.2 or higher for all data transmitted over networks that may be considered insecure. We also send HTTP Strict Transport Security (HSTS) headers, which instruct browsers to connect to our services only over HTTPS and to refuse a downgrade to plaintext. Our server TLS private keys and certificates are managed within AWS and deployed to AWS Application Load Balancers, where encrypted traffic is terminated.
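The two transport controls above, a minimum TLS version at the load balancer and an HSTS header, are easy to state and easy to let drift. The following is an added example, not JD Software's own tooling, of an offline check that a reviewer could run against an exported listener list and a captured header value. The sample header and listener records are constructed for the example, and reading the minimum TLS version out of a predefined ALB policy name (for instance ELBSecurityPolicy-TLS13-1-2-2021-06 meaning TLS 1.2) is an assumption about AWS's naming convention that should be confirmed against the current policy tables.

```python
"""Offline checks for transport-layer controls: an HSTS header value and the
TLS policies attached to ALB HTTPS listeners. Added example; the inputs below
are constructed and are not JD Software's real configuration."""
import re

# Constructed sample inputs.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
SAMPLE_LISTENERS = [
    {"arn": "listener/app/web/1", "protocol": "HTTPS",
     "ssl_policy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"arn": "listener/app/legacy/2", "protocol": "HTTPS",
     "ssl_policy": "ELBSecurityPolicy-2016-08"},
    {"arn": "listener/app/plain/3", "protocol": "HTTP", "ssl_policy": None},
]

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list requires


def parse_hsts(header):
    """Split a Strict-Transport-Security value into a directive dict.
    Directive names are case-insensitive (RFC 6797); values stay as strings,
    and valueless directives such as includeSubDomains map to None."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def check_hsts(header, min_max_age=ONE_YEAR):
    """Return a list of findings; an empty list means the header is acceptable."""
    findings = []
    d = parse_hsts(header)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


# Assumption: the minimum TLS version of a predefined ALB policy is encoded in
# its name (TLS-1-2-..., FS-1-2-..., TLS13-1-2-...). Names that carry no version,
# such as ELBSecurityPolicy-2016-08, still negotiate TLS 1.0 and are flagged.
_POLICY_RE = re.compile(r"^ELBSecurityPolicy-(?:TLS13-|TLS-|FS-)?(\d)-(\d)-")


def alb_policy_min_tls(policy):
    """Return (major, minor) of the lowest TLS version the policy negotiates,
    or None when the name does not encode one."""
    m = _POLICY_RE.match(policy or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_listeners(listeners, minimum=(1, 2)):
    """Flag listeners that are not HTTPS or whose policy permits TLS below `minimum`."""
    findings = []
    for lst in listeners:
        if lst["protocol"] != "HTTPS":
            findings.append(f"{lst['arn']}: plaintext {lst['protocol']} listener")
            continue
        version = alb_policy_min_tls(lst["ssl_policy"])
        if version is None or version < minimum:
            findings.append(f"{lst['arn']}: policy {lst['ssl_policy']} allows TLS "
                            f"below {minimum[0]}.{minimum[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_hsts(SAMPLE_HSTS) + check_listeners(SAMPLE_LISTENERS):
        print("FINDING:", finding)
```

In practice the listener records would come from `aws elbv2 describe-listeners` and the header from a real response; the checks themselves stay the same. The HSTS check deliberately requires includeSubDomains, since a host that omits it leaves subdomains open to plaintext connections and cookie injection from an attacker-controlled sibling.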

Secret Management

Encryption keys are managed through AWS Key Management Service (KMS), which holds key material in Hardware Security Modules (HSMs). Key material never leaves the HSMs in plaintext, so no individual, including AWS and JD Software employees, can retrieve it; applications use the keys only through KMS API operations such as encrypt, decrypt, and data-key generation. Application secrets are encrypted and stored in AWS Secrets Manager and AWS Systems Manager Parameter Store, and access to them is strictly controlled and monitored.

Comprehensive Security Assessments

  • Penetration Testing: JD Software engages independent penetration testing firms to assess our product and cloud infrastructure at least annually. These tests cover the critical areas of our systems, and we provide summary reports of them to customers upon request.
  • Vulnerability Scanning: We apply vulnerability scanning throughout our Secure Development Lifecycle (SDLC). This includes code review during pull requests to catch security issues before merge, software composition analysis (SCA) to detect known vulnerabilities in our dependencies, dynamic analysis (DAST) against running applications, periodic network vulnerability scanning, and external attack surface management (EASM) for continuous monitoring of internet-facing assets so that newly exposed weaknesses are identified and remediated.

Enterprise Security

  • Endpoint Protection: All corporate devices used by JD Software employees are centrally managed and monitored. Devices are enrolled in mobile device management (MDM) software, which enforces secure configurations such as full-disk encryption, screen lock settings, and automatic software updates.
  • Secure Remote Access: Remote access to JD Software's internal resources is secured through VPN, so only authenticated and authorized employees can reach internal systems. Employee devices also use protective DNS resolvers that block known malicious domains while browsing the internet.
  • Identity and Access Management: Access to JD Software's systems is granted based on employee role, only when necessary, and is automatically revoked upon an employee's departure. Access beyond the role baseline requires explicit approval according to pre-defined application policies.
  • Security Education: JD Software is committed to maintaining a strong security culture. We provide security training to all employees during onboarding and annually thereafter. The training covers key security principles and secure coding practices, and includes live sessions for new engineers. Regular threat briefings keep all employees informed about emerging threats and current best practices.
