At Julie Desk, we take security very seriously. As such, we have implemented measures to protect your data in compliance with the European GDPR.
For further information on data management, please read our privacy policy.
This page lists the most frequently requested information by our customers. If you do not find the answer to your questions or would like more information, please contact us.
Table of content
-
- Certifications
- Datacenters
- Supervision Center
- Business continuity
- Data exchange and encryption
- System Security
- Updates
- Monitoring
- Incident Management
- Processors
- Human Resources Management
- Authentication
- Audit & Tests
- Transparency
Certifications
The Julie Desk service is currently preparing for ISO 27001 certification.
Datacenters
The data centers used by Julie Desk are managed by a subcontractor.
| Certifications |
Julie Desk servers are hosted on infrastructures complying with international standards ISO 27001, SOC 1 and 2 as well as PCI-DSS level 1. |
| Redundancy |
All servers are connected with 2 independent network accesses. Emergency generators provide power in the event of a power outage. The data centers are themselves connected with at least 2 network accesses and 2 power lines. |
| On-Site Security |
Badge access, 24/7 video surveillance, smoke detection and 24/7 technical staff. |
| Localisation |
Data centers are located in France and are managed by OVH. |
| Hosting segregation |
Servers, IP and storage used for hosting the Julie Desk service are dedicated. We use virtualization solutions. |
| Service Level Agreement (SLA) |
The contract with our hosting provider includes SLAs that apply from 10 minutes of unavailability. An automatic monitoring system has also been set up to detect incidents and trigger the replacement of faulty resources. |
Supervision Center
A supervision center is used to supervise requests sent to the service. This center is managed by a subcontractor.
| Dedicated Resources |
The following resources are dedicated to Julie Desk : room, workstations, network equipment (including firewall), teams. |
| Physical Access |
Access to the dedicated room requires biometric access. 24/7 video surveillance is installed. |
| Logical Restrictions |
Access is limited to strict supervision needs. Users do not have access to the administrator account on workstations, USB ports are deactivated, external internet access is filtered and access is only granted on internal applications to meeting organization. Access to Julie Desk applications requires the use of a site-to-site VPN accessible only from the dedicated room. |
Business continuity
| Redundancy |
Services and physical storages are distributed on several servers in different rooms. A high availability solution is in place to guarantee the continuity of service in the event of a component failure. |
| Backups |
Service data is backuped daily, weekly and monthly. The maximum retention period for backups is 1 month. |
| Continuity plan |
A continuity plan has been developed to limit recovery time in the event of a major availability incident. |
| Recovery Point Objective (RPO) |
24h. |
| Recovery Time Objective (RTO) |
24h. |
Data exchange and encryption
| Service Solicitation |
Meeting requests are sent by email to a generic email address hosted on the Julie Desk’s information system or a dedicated email address hosted on the customer’s information system. The security of these exchanges is the same as a traditional email exchange. |
| Data Synchronization |
The system synchronizes itself by downloading emails sent to the service and user’s calendar items by connecting to the customer information systems. This communication is one way. This means communications are only initiated from Julie Desk to the Client. Those communications requires the use of the HTTPS protocol. |
| Exchanges between servers |
The system is distributed among several applications and servers. Inter-server data exchanges are encrypted and use SSH, SSL or HTTPS protocols depending on situations. |
| Storage |
The service data is encrypted using the AES-256 protocol. Salt and initialization vectors are randomly generated and differ for each entry stored in the database. |
| Human Supervision |
Human supervision access requires a VPN access and the use of HTTPS. |
System Security
| Architecture |
The service is based on a multi-tier and multi-zone security architecture. Each server is dedicated to a specific task. Inter-zone communications are filtered by firewalls. |
| Antivirus |
Antivirus software is deployed throughout the infrastructure. |
| DDoS Protection |
A DDoS attack mitigation system is installed. |
Updates
| Applications |
Applications are developed in-house and are updated via a continuous deployment process (several times a day). Each change is tested (automatically and manually) on an environment different from production before deployment. |
| Systems |
Systems are updated at least once a month in normal conditions and as soon as possible in case of publication of critical exploits. |
Monitoring
| Intrusion Detection |
Infrastructure logs are sent in real time to a centralized server allowing the Security Incident Event Manager (SIEM) to correlate events and alert security staff. |
| Exceptions |
Alerts are generated and sent upon exception occurrence on running applications. |
| Resources utilization |
Resource utilization metrics are tracked to predict future system usage. |
Incident Management
| Detection |
Alerts and metric tracking have been configured to detect incidents. |
| Procedure |
An incident management plan has been prepared. |
| Notifications |
The concerned customers shall be notified as soon as possible of the occurrence of any security incident. Notification of data protection authorities has been included in the incident management procedure. |
Processors
| Processor Verification |
We perform due diligence on processors with whom we work to ensure that they meet our security requirements. This includes certifications verification, compliance with applicable laws (e.g. European GDPR) and security management checks. |
| Service subcontractors |
We use subcontractors to provide hosting and human supervision of the meeting scheduling service. Any change of subcontractor used to provide the service is notified to customers. |
Other providers
|
We use other subcontractors, in particular for the management of commercial relations with our customers (such as CRM, ticketing support system, emailing) or security management (external consultants, automated analysis, alerting). |
Human Resources Management
| Recruitment |
Procedures for checking candidates’ skills, identity and references have been set up in our recruitment processes. |
| Working contracts |
All working contracts include a non-disclosure agreement (NDA). |
| System Use Charter |
A charter for the use of computer systems has been put in place. |
| Internal Awareness |
Procedures have been put in place to raise security and personal data processing awareness. Initial awareness sessions are given upon employee arrival followed by weekly awareness sessions (5-10 min). |
Authentication
| Access |
User accesses are nominative and personal. |
| Single-sign on (SSO) |
A SSO system has been deployed for internal applications. |
| 2-factor |
We use 2-factor authentication for internal applications and systems (VPN with personal certificate and One Time Password). |
| Passwords |
We do not allow passwords less than 8 characters long and all passwords must contain at least 3 of the following: number, lower case, upper case, special characters. |
| Principle of least privileges |
The principle of least privileges is applied. Access is given to those who need it and only to those who need it. |
| Access termination |
Accesses of employees leaving the company are revoked as soon as they leave. When an employee’s job/position changes, accesses that are no longer required are revoked. |
Audit & tests
| User Access Review |
Every 3 months. |
| Vulnerability Test |
Every 3 months or when major system changes occur. |
| Backup Test |
Every 3 months. |
| Continuity Plan Test |
Every year. |
| Incident Plan Test |
Every year. |
Transparency
| Reporting and documentation |
We can provide additional documentation on our processes and security management. This communication may require the signature of a non-disclosure agreement (NDA). Contact us for more information. |
| Large companies Security Questionnaires |
We can fill in specific security questionnaires in the case of large account integration. A dedicated security contact is then assigned. Contact us for more information. |
| Audit |
The service is auditable by its customers. Contact us for more information. |
For further information, please refer to the following ressources : Terms & Conditions, Confidentiality policy and our cookies policy.
