Key Definitions



An application hosted by JupiterOne, either maintained and created by JupiterOne, or maintained and created by a Customer or Partner.

Application Level

Controls and security associated with an Application. In the case of PaaS Customers, JupiterOne does not have access to and cannot assure compliance with security standards and policies at the Application Level.


Internal process of reviewing information system access and activity (e.g., log-ins, file accesses, and security incidents). An audit may be done as a periodic event, as a result of a customer complaint, or suspicion of employee wrongdoing.

Audit Controls

Technical mechanisms that track and record computer/system activities.

Audit Logs

Encrypted records of activity maintained by the system which provide: 1) date and time of activity; 2) origin of activity (app); 3) identification of user doing activity; and 4) data accessed as part of activity.


Means the ability or the means necessary to read, write, modify, or communicate data/ information or otherwise use any system resource.


Backend-as-a-Service. A set of APIs, and associated SDKs, for rapid mobile and web application development. APIs offer the ability to create users, do authentication, store data, and store files.


The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just the data that changed from the previous backup.

Backup Service

A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.


Means the acquisition, access, use, or disclosure of Customer data (PII) in a manner not authorized by JupiterOne or the affected Customer. For purpose of this definition, “compromises the security or privacy of the customer data” means poses a significant risk of financial, reputational, or other harm to the Customer or individual.


The process of removing identifiable information so that data is rendered to not be PII.

Disaster Recovery

The ability to recover a system and data after being made unavailable.

Disaster Recovery Service

A disaster recovery service for disaster recovery in the case of system unavailability. This includes both the technical and the non-technical (process) required to effectively stand up an application after an outage. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.


Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.


Contractually bound users of JupiterOne Platform and/or services.


The overall technical environment, including CSP account, all servers, network devices, and applications.


An event is defined as an occurrence that does not constitute a serious adverse effect on JupiterOne, its operations, or its Customers, though it may be less than optimal. Examples of events include, but are not limited to:

Hardware (or hard drive)

Any computing device able to create and store PII.



Immutable Infrastructure

An maintenance paradigm for cyber infrastructure where servers and services are never modified after they’re deployed. All changes result in new instances of the cyber infrastructure being deployed, and old instances are automatically decommissioned.


A sign that an Incident may have occurred or may be occurring at the present time. Examples of indications include:

Intrusion Detection System (IDS)

A software tool use to automatically detect and notify in the event of possible unauthorized network and/or system access.

IDS Service

An Intrusion Detection Service for providing IDS notification to customers in the case of suspicious activity. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.

Law Enforcement Official

Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Logging Service

A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.


API-based services to deliver and receive SMS messages.

Minimum Necessary Information

Protected PII information that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “minimum necessary” standard applies to all protected health information in any form.


For the purpose of storage of Backup media, off-site is defined as any location separate from the building in which the backup was created. It must be physically separate from the creating site.


For the purposes of this policy, the term “organization” shall mean JupiterOne.




Contractual bound 3rd party vendor with integration with the JupiterOne Platform. May offer Add-on services.


Personally Identifiable Information, such as email address, full name, social security number, or telephone number.


The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.


Removal or the act of overwriting data to a point of preventing the recovery of the data on the device or media that is being sanitized. Sanitization is typically done before re-issuing a device or media, donating equipment that contained sensitive information or returning leased equipment to the lending company.

Trigger Event

Activities that may be indicative of a security breach that require further investigation.

Restricted Area

Those areas of the building(s) where confidential organizational information is stored, utilized, or accessible at any time.


A sign that an Incident may occur in the future. Examples of precursors include:


The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of customer data, other confidential or proprietary electronic information, and other system assets.

Risk Management Team

Individuals who are knowledgeable about the Organization’s Privacy and Security policies, procedures, training program, computer system set up, and technical security controls, and who are responsible for the risk management process and procedures.

Risk Assessment

Identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place. Prioritizes risks and results in recommended possible actions/controls that could reduce or offset the determined risk.

Risk Management

Within this policy, it refers to two major process components: risk assessment and risk mitigation. This differs from the HIPAA Security Rule, which defines it as a risk mitigation process only. The definition used in this policy is consistent with the one used in documents published by the National Institute of Standards and Technology (NIST).

Risk Mitigation

A process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organization given its mission and available resources.



Security Incident

or just Incident): A security incident is an occurrence that exercises a significant adverse effect on people, process, technology, or data. Security incidents include, but are not limited to:


The potential for a particular threat-source to successfully exercise a particular vulnerability. Threats are commonly categorized as:

Threat Source

Any circumstance or event with the potential to cause harm (intentional or unintentional) to an IT system. Common threat sources can be natural, human or environmental which can impact the organization’s ability to protect customer data.

Threat Action

The method by which an attack might be carried out (e.g., hacking, system intrusion, etc.).

Unrestricted Area

Those areas of the building(s) where confidential and/or sensitive organizational information is not stored or is not utilized or is not accessible there on a regular basis.


Persons from other organizations marketing or selling products or services, or providing services to JupiterOne.


A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, i.e., resulting in a security breach or violation of policy.


An electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, used to create, receive, maintain, or transmit data. Workstation devices may include, but are not limited to: laptop or desktop computers, personal digital assistants (PDAs), tablet PCs, and other handheld devices. For the purposes of this policy, “workstation” also includes the combination of hardware, operating system, application software, and network connection.


Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Zero-Day Vulnerability

A computer software vulnerability that is currently unknown to the software community and/or the software vendor shipping the vulnerable product or service. Since it is unknown, no patches or mitigation strategies are available and the vulnerability remains exploitable.