Journyx Security Measures Q&A

At Journyx, we take security and the protection of customer data extremely seriously. How seriously, you ask? Here are some common questions we receive at Journyx about our cyber security practices, along with our answers to those burning questions.

Q: What security certifications and standards do you adhere to?
A: We understand the importance of industry-recognized security standards. That’s why Journyx adheres to, and undergoes evaluations for, SOC 1 for our office operations, which assesses our System and Organization Controls; in fact, Journyx has had zero exceptions to our external audit for the past five years. Our cloud service infrastructure is evaluated against relevant ISO standards and SOC 2.

Q: Do you comply with regulations like GDPR?
A: Yes. Organizations located in, or that have users in, the European Economic Area can be assured that we comply with the General Data Protection Regulation (GDPR). GDPR focuses on privacy protections, and those protections require robust cyber security practices such as those we have implemented. We always recommend that you consult with your legal or compliance team to determine any other specific privacy regulations that may apply to your organization. We are happy to discuss those as well. We also comply with the Data Protection Framework not only for the European Economic Area, but also for the United Kingdom and Switzerland, and we comply with privacy regulations for other countries as well, including Japan, Australia, Canada and others.

Q: Who owns the data that my organization uploads to your services?
A: You retain full ownership of your data, and our agreements clearly state this. While you will grant us a limited license only to possess and use your data to provide you with our services, this license does not convey any other rights to your data. When we evaluate cloud providers in our own business, we would consider it a significant issue if a provider claimed ownership of our data or remained silent on this crucial aspect.

Q: Where will my data be physically located?
A: Journyx is transparent about where your data will physically reside. Today, we can host your data in the United States or in the European Union.

Q: Is my data encrypted?
A: Yes, all data entered by your users is encrypted both while in transit and at rest. For data in transit, we use strong encryption protocols like TLS (Transport Layer Security). When data is stored on our systems, it is encrypted using strong algorithms such as AES-256 to protect it even in the event of a breach. We also securely manage encryption keys.

Q: What measures do you have in place for data backup and disaster recovery?
A: Journyx has a documented disaster recovery plan that includes clear procedures for data backup, replication, and recovery in case of any incident, including breaches, disasters, or data loss. This plan involves regular testing, and we can provide information regarding our recovery time objectives (RTO) and recovery point objectives (RPO).

Q: How do you control access to sensitive systems and data?
A: Internally, we implement robust access control and identity management measures, including:

  • Multi-factor Authentication (MFA): MFA is required for access to sensitive systems and services.
  • Role-Based Access Control (RBAC): We utilize RBAC to ensure clear, granular permissions, allowing users to access only the data and systems necessary for their specific roles.
  • Single Sign-On (SSO): We support integration with SSO solutions (e.g., SAML, OAuth) to simplify access management and enhance security.

Q: Do you actively monitor your systems for security threats?
A: Yes, we maintain 24/7 security monitoring of our environment to detect potential threats or anomalies. We utilize automated tools to identify breaches or suspicious activities.

Q: What is your procedure in the event of a security breach?
A: We have a well-defined incident response plan in place. This plan includes procedures for containing the incident, eradicating the threat, recovering affected systems, and notifying our customers. Journyx is committed to notifying customers within a specific time frame (e.g., 24 hours) if a security breach occurs. Journyx has had no significant data breaches in the last five years.

Q: Do your employees receive security training?
A: Absolutely. Because human error can be a significant cause of breaches, we regularly and consistently train our employees on security best practices.

Q: How do you manage vulnerabilities in your systems?
A: Journyx’s proactive vulnerability management program includes:

  • Regular penetration testing and security audits.
  • Patch management policies to ensure the timely updating of our software and systems.

Q: What network security measures do you have in place?
A: Our network security includes:

  • Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) to prevent unauthorized network access.
  • The use of Virtual Private Networks (VPNs) or Private Networks for sensitive communication.
  • Managed Detection and Response (MDR) for continuous monitoring of networks, endpoints, and cloud environments for potential threats.

Q: While security is paramount, so is uptime. What is Journyx product uptime?
A: Journyx product uptime has been 99.99% for the past five years. Also, when Journyx does product updates, scheduled downtime averages only 10 minutes.

Q: For Journyx’s use of AI in Journyx Scout, how can I be sure that my employee data is protected?
A: Journyx’s implementation of AI is:

  • Single tenant, so only your data is included in the model for your instance.
  • Encrypted to ensure that your data is not exposed in any way.
  • Not used to train an external model.
