Security standards

These Security Standards are effective as of 1st January 2023.

Data

We define data as the following:

  • Content Data: questions, comments, polls, analytics and anything related to the content which you or your attendees make available to Joinin.

  • Purchase Data: information related to your plan pricing structure and invoicing, i.e. what you bought and the billing details.

  • Payment Data: information about the credit card used for payment. We do not collect this information; it is collected directly by our secure payment gateway, Stripe.

  • Contact Data: your name, email, phone and billing address.

  • Technical Data: information collected automatically by technical systems. Most of this data is not personal information, but some of it could be considered identifying (e.g. browser version, IP address, OS version).

We believe in transparency as a guiding principle in the context of security so we aim to be clear and open about the way we handle data privacy and security.

  • Detailed information about the way we treat personal information and how it is used can be found in our Privacy Policy.

  • Detailed information about our third-party service providers is available here.


Confidentiality

According to our Terms, we take steps to ensure the confidentiality of your data and your account. Any staff or contracted third parties who can view Customer Data are contractually obligated to keep that information confidential.


GDPR (the European Union General Data Protection Regulation 2016/679)

Joinin is a service you can use to host virtual events and invite users to attend those events. There are two ways in which the GDPR applies:

  1. the GDPR can apply between us and a citizen of the European Economic Area where a direct enquiry is made with us (we are the controller).

  2. the GDPR will also apply to us as a result of an entity that hosts an event controlling the personal data of, and/or inviting, persons who are based in the European Economic Area to participate in any event (they are the controller and we are the processor). In our services, we have provided tools to allow the entity hosting an event to comply with the GDPR in respect of its end users.

In respect of where data will reside, we are based in Australia and our servers are based in Australia (see Infrastructure). Whilst we have taken steps to comply with the GDPR, we rely on the various exceptions, including a data protection addendum with the entity hosting the event which incorporates the Standard Contractual Clauses set by the European Commission for an EU controller to a non-EU or EEA processor, to transfer the data to Australia for processing. To better understand how we handle data, please see our Privacy Policy.


Data export

Joinin provides Content Data export capabilities. Event organisers are able to export questions, comments and polls via the admin interfaces.


Data deletion

Customers can delete Content Data on demand by deleting an event via the admin interfaces. Upon Customer request it is additionally possible to delete Purchase Data and Payment Data. This request is processed within 24-72 hours.


Infrastructure

Joinin is hosted on cloud-based infrastructure by Linode. Our infrastructure is currently located in the Sydney and US-East regions. We might expand our infrastructure to different regions within the Linode infrastructure in the future, but we would adequately notify you about the change.

The environment that hosts Joinin services maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI certification, and SOC reports. For more information about their certification and compliance, please visit the Linode security website: https://www.linode.com/legal-security/


Compliance

Our hosting providers are ISO certified (see Infrastructure). Joinin is working toward ISO certification but at this time is not certified. We do our best to keep pace with industry standards by performing continuous security scans as a natural part of our development lifecycle and by involving respected third parties where necessary.


Data storage

Data is stored in one of two infrastructure regions.

AP-Southeast (Sydney)

  • Technical Data

  • Contact Data

  • Purchase Data

  • Content Data (everything not listed under US-East below)

US-East (Newark)

  • Specific Content Data:

    • Event media: images, video and presentations used in the Studio

    • Event recordings


Data encryption

Joinin products support the latest recommended secure cipher suites and protocols to encrypt web traffic. Our infrastructure is accessible only by our operations team. All activity is logged.

We work promptly to upgrade the Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older versions of commonly used browsers.


Availability

Our infrastructure runs on systems that tolerate failures of individual servers. You can monitor availability at our status page.


Disaster recovery

Our operations team reviews disaster recovery measures on an annual basis. We have backup and restoration procedures which allow for recovery from a major disaster. Customer Data and our source code are automatically backed up on a regular basis.


Monitoring and logging

Joinin is monitored on multiple levels. We use infrastructure and application monitoring tools in combination with specialised tools for analysis and visualisation. Joinin maintains extensive logging in the production environment, which contains information relating to security, monitoring, availability, access, and other metrics.


Software development lifecycle

Our development process is based on the values and principles you can find in agile methodologies. We do frequent releases and continuously optimise our workflow according to our current needs and lessons learned.

During development of a new feature the quality assurance team provides continuous feedback to the development team. We perform checks in a manual and automated manner and any new code is reviewed by other members of the development team. Prior to releasing to a production environment, new code is deployed in a pre-production environment where we run a set of tests.

In case anything goes wrong, our development process enables us to revert to the previous version or release a patch for a minor issue in as little as 10 minutes.


Incident management and response

Our development and security teams are responsible for incident management and response. Our primary goals on a daily basis are to:

  • Proactively review security-related logs and search for any sign of a security incident or vulnerable part of the system;

  • React to security incidents according to our response policy.

In the event of a security breach we will promptly notify you of any unauthorised access to Customer Data. Joinin has incident management policies and procedures in place to handle such an event.


Security FAQ

Do you collect IP addresses of the participants?

Yes, we collect IP addresses as part of the Technical Data. See our Privacy Policy to learn more about what we collect and why we need it. As part of our focus on privacy we are unable to share Technical Data with you.

How long do you store collected data?

We store Customer Data for the duration of the agreement between Joinin and you. As long as your account exists we need the data to be able to provide you with our services. You can delete the Content Data for a particular event at any time by deleting that event. You can delete your entire account and terminate the agreement at any time.

Who is the owner of the data?

All information and Content Data uploaded remain yours - the owner of the event is the owner of the data.

Why does Joinin accept non-complex passwords for account admins?

Security experts at the National Institute of Standards and Technology (NIST) are no longer convinced that enforced "strong password" rules are useful. We recommend that our clients set a password that they feel is secure enough to protect their data. That is the reason we don't impose any complexity restrictions on passwords.

Can I know more?

This page is dedicated to answering questions about the security policies and practices that protect your data at Joinin. If we haven't managed to answer your questions, please feel free to reach out to us.