JupiterOne recognizes that media containing customer data may be reused when appropriate steps are taken to ensure that all stored data has been effectively rendered inaccessible. Destruction/disposal of customer data shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for data involved in any open investigation, audit, or litigation.
JupiterOne utilizes virtual storage repositories such as AWS EBS volumes and S3 buckets to store production data. Volumes and repositories utilized by JupiterOne and JupiterOne Customers are encrypted. JupiterOne does not use, own, or manage any mobile devices, removable storage media, or backup tapes that have access to production customer data.
JupiterOne policy requires that:
(a) All media, including mobile and removable media, storing JupiterOne company data must be encrypted according to the defined data handling requirements.
(c) All destruction/disposal of cloud-based storage media containing critical data will be done in accordance with federal and state laws and regulations and pursuant to the JupiterOne’s written retention policy/schedule.
(d) All critical data must rendered inaccessible in a forensically sound manner prior to storage media reuse or disposal.
The Security Team is responsible for ensuring storage media containing critical / sensitive data (such as customer data) is disposed securely in the following manner:
The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services. This may include
If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
All Subcontractors are subject to all the technical and policy restrictions of JupiterOne staff - no Confidential or higher information may ever be stored on their end-user devices or removable media. At the end of their contract, all Subcontractors must demonstrate that they have wiped or securely removed all non-Public JupiterOne data used in the course of their work.
In the cases of a JupiterOne Customer terminating a contract with JupiterOne and no longer utilizing JupiterOne Services, data will be returned or disposed per contract agreement or JupiterOne Platform use terms and conditions. In all cases it is solely the responsibility of the JupiterOne Customer to maintain the safeguards required of their data once the data is transmitted out of JupiterOne environments.
Per JupiterOne corporate policy, Confidential and Critical data may not be stored on external devices such as USB flash drives. This includes and is not limited to customer data.
Usage of USB flash drives for temporary transfer of Confidential and Critical data may be allowed on a case by case basis, when the following process is followed:
JupiterOne provides company-issued laptops and workstations to all employees. JupiterOne currently does not require employees bringing their own computing devices.
The end-user computing devices are self managed. Each JupiterOne employee is responsible for:
configuring their laptop/workstation to meet the configuration and management requirements; and
ensuring the latest security patches are installed and auto-update is enabled.
The Security Team provides automated scripts for end-user system configurations and/or technical assistance as needed. Such configurations are monitored continuously using the JupiterOne Platform.