Journiq
Volume Legalia · Security

Security at Journiq

Security is a first-class concern at Journiq. This page summarizes the technical and organizational measures we use to protect the platform and the data our customers entrust to us.

Overview

Journiq operates a multi-tenant SaaS platform that delivers messaging and engagement workloads at scale. Our security program is designed around three principles: defense in depth, least privilege, and continuous verification.

Infrastructure

  • Production workloads run in hardened cloud environments with isolated VPCs per environment.
  • Compute is immutable — every deploy ships a fresh image; no in-place mutations.
  • Datastores are isolated per service; no shared admin credentials across environments.
  • Network ingress is restricted to documented load balancers; egress is allow-listed.

Encryption

  • In transit: TLS 1.2+ for all public endpoints; modern cipher suites only.
  • At rest: AES-256 encryption for primary datastores, object storage, and backups.
  • Secrets: Stored in a managed KMS-backed secrets vault; rotated regularly and never written to source.

Access Control

  • SSO with mandatory hardware-backed MFA for all employee accounts.
  • Production access is just-in-time, time-bound, and audit-logged.
  • Customer data access requires documented justification and is reviewed.
  • Quarterly access reviews; immediate revocation on role change or offboarding.

Application Security

  • SAST and dependency scanning on every pull request.
  • Mandatory peer code review before merge.
  • Annual third-party penetration tests; findings tracked to closure.
  • OWASP Top 10 controls baked into framework defaults (CSRF, XSS, SQLi, SSRF).
  • API rate limits and per-tenant quotas enforced at the edge.

Monitoring & Logging

  • Centralized, tamper-evident audit logs for authentication, admin, and data access events.
  • 24/7 alerting on anomalous activity, infrastructure health, and security signals.
  • Logs retained for at least 12 months for forensic and compliance use.

Resilience & Backups

  • Datastores replicated across availability zones with automated failover.
  • Encrypted, point-in-time backups taken daily and tested on a regular schedule.
  • Documented disaster-recovery plan with target RPO ≤ 1 hour and RTO ≤ 4 hours for core services.

Vendor Management

Subprocessors are reviewed before onboarding and at least annually thereafter. Each vendor signs a Data Processing Agreement and is assessed for relevant certifications (SOC 2, ISO 27001) and regional commitments.

People & Training

  • Background checks on all new employees (where permitted by law).
  • Mandatory security and privacy training at hire and annually thereafter.
  • Role-based training for engineers (secure coding) and customer-facing staff.

Incident Response

Journiq maintains a documented incident-response runbook covering detection, containment, eradication, recovery, and post-mortem. We will notify affected customers without undue delay and within the timelines required by applicable law and our contractual commitments. Post-mortems are shared with affected customers on request.

Reporting Vulnerabilities

We welcome reports from the security community. Please email security@getjourniq.com with a clear description of the issue, steps to reproduce, and any proof-of-concept material. We commit to acknowledging valid reports within 3 business days. Please refrain from public disclosure until we have had a reasonable opportunity to remediate.

Building something that needs a deeper review? Customers on Enterprise plans can request our security questionnaire, SOC 2 report (under NDA), and a vendor due-diligence call.