SecurityContact: [email protected]

At JobzMall, we are committed to maintaining the highest standards of information security. Our company has achieved certifications in ISO 27001, SOC 2 Type II, CCPA, GDPR, EU-US Data Privacy Framework, and HIPAA, demonstrating our dedication to protecting sensitive data and ensuring the trust of our clients. In today’s digital landscape, where cyber threats are becoming increasingly sophisticated, we recognize the critical importance of prioritizing security measures and best practices.

How has this been accomplished?

To maintain compliance with security standards, we leverage advanced security and compliance automation platforms. These platforms integrate with our existing systems, providing a comprehensive view of our security posture and identifying potential issues. By automating the assessment and monitoring of various controls and procedures, we can ensure continuous adherence to relevant security protocols and industry standards. In the event of any compliance deviations, our platform promptly alerts us, enabling swift action to address the problem and maintain a secure environment for our customers and stakeholders.

What happens if something becomes out of compliance?

In instances of non-compliance, our system immediately notifies us, allowing for quick corrective action to restore compliance. This proactive approach ensures continuous adherence to security standards, safeguarding our operational integrity and client trust. This gives us the confidence that we are providing a secure environment for our clients and stakeholders and helps us to maintain our reputation as a reliable and trustworthy organization.

Procedures & Controls

Secure Policies & Procedures

Written information security policies and procedures ensure that the company has documented and tested controls in place to protect customer data and respond to security incidents effectively.

Vulnerability & Penetration Testing

Regular vulnerability and penetration testing help to identify and address potential security weaknesses before they can be exploited by attackers. JobzMall undergoes an external penetration test of our web application annually by a third party to identify any security vulnerabilities we may have, this will then allow us to raise these issues internally and remediate them immediately. An official report is created to JobzMall stating that the issues found are now fixed. We also conduct regular internal penetration tests. We also employ automated vulnerability scanning within our code and it's dependencies.

Data Encryption

Encryption of sensitive data helps to ensure that the data cannot be accessed or read by unauthorized parties. Having our database encrypted allows customers to feel safe when using our product as it safeguards data when in transit or at rest.

Multi-factor Authentication

Multi-factor authentication helps to prevent unauthorized access to the company's systems, which can help to protect customer data from theft or tampering.

Secure Development Lifecycle

Multi-factor authentication helps to prevent unauthorized access to the company's systems, which can help to protect customer data from theft or tampering. All changes to our codebase are protected with branch protection, meaning that to be able to push a new code change to production, the code change must have been approved by another engineer, as well as the code change has to pass a number of automated tests that check for security issues introduced by the code or it's dependencies, as well as end-to-end testing and more. This way, no bad actors internal or external to JobzMall are able to push malicious code due to our secure reviews process.

Monitoring

Ongoing monitoring of system access logs and network traffic helps to detect and respond to potential security incidents, reducing the likelihood of customer data being compromised.

Employee Training & Awareness

Regular training and awareness programs for employees help to ensure that they are equipped to handle customer data securely, reducing the likelihood of human error or intentional data breaches. We make it a priority that these are completed straight away for all new employees and completed annually for all existing employees.

Access Controls & Background Checks

Access controls and background checks for employees, third-party vendors and service providers help to ensure that they are trustworthy and can be relied upon to handle customer data securely. Background checks are performed on all new hires the company may conduct as a way for JobzMall to establish confidence in the employee we are choosing to hire. Additionally, only giving access to applications for particular applications is important in staying compliant. Every quarter we review application access and access levels for all employees to make sure they only have access to applications which are required to perform their job role.

Third-party Audits and Assessments

Regular third-party audits and assessments provide an independent validation of the effectiveness of the company's information security controls and procedures, providing customers with confidence that their data is being handled securely.

Intrusion Detection

JobzMall utilizes intrusion detection systems to continuously monitor our systems for potential threats that may occur at any time. Knowing at the early stages that a threat could be critical allows us to act quickly and efficiently to prevent any threats from causing short or long term issues.

Vulnerability Disclosure

At JobzMall, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Out of scope vulnerabilities:

• Clickjacking.
• Cross-Site Request Forgery (CSRF)
• Attacks requiring MITM or physical access to a user's device.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Email spoofing
• Missing DNSSEC, CAA, CSP headers
• Lack of Secure or HTTP only flag on non-sensitive cookies
• Deadlinks
• Anything related to DNS or email security
• Rate Limiting
• XSS (Cross-Site Scripting)

Note: JobzMall reserves the right to designate any reported vulnerability as out of scope.

What to do and what not to do

• Do not run automated scanners on our infrastructure or dashboard. If you wish to do this, contact us and we will set up a sandbox for you.
• Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
• Do not reveal the problem to others until it has been resolved,
• Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and

How to report a vulnerability

You can report vulnerabilities by email to [email protected]. Once we have received your email, there may be a delay in getting back to you whilst our team triages the issue.

Please provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

• If you have followed the instructions above, we will not take any legal action against you in regard to the report
• We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission
• We will keep you informed of the progress towards resolving the problem
• In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise)
• We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.