Data security

    Customer data is our customers’ most valuable asset, and the protection of that data is Juniper Square’s number one priority. At Juniper Square, we take data security as seriously as you do. Juniper Square’s security program is based on industry best practices and industry-standard compliance frameworks including SOC 2 Type 2 trust principles and GDPR.

    The Juniper Square Information Security Team manages a mature privacy and security program that consists of strong policies and procedures, reliable service SLAs, regular risk assessments, continuous monitoring, improvement and incident response. All security processes have executive oversight.

    Privacy

    Juniper Square considers customer application data confidential unless defined otherwise. Juniper Square adheres to CCPA, GDPR, and other privacy standards. This applies to data access, handling, modification, retention, and destruction. Juniper Square requires NDAs, standard contractual clauses, and security/privacy standards with third parties that work with customer application data. Our privacy policy can be found at https://www.junipersquare.com/privacy-policy. Privacy inquiries can be made to privacy@junipersquare.com.

    Overview

    Because Juniper Square is a cloud-based software application, security is a shared responsibility between Juniper Square and our cloud service provider, Amazon Web Services (AWS). Broadly speaking, our cloud service provider is responsible for the physical security of its data centers and securing the underlying infrastructure that supports the cloud, while Juniper Square is responsible for securing the application and server configuration.

    Data security is also a shared responsibility between Juniper Square and our customers, a topic addressed in greater detail later on in this document.

    Juniper Square’s SOC 2, Type 2 Compliance

    Juniper Square undergoes annual assessments for Security and Availability trust principles of the System and Organization Controls (SOC) description criteria as established by the American Institute of Certified Public Accountants (AICPA). Juniper Square’s attestation was audited by a nationally recognized accounting firm with an established practice in assessing the service commitments and system requirements of service organizations relative to the applicable trust services criteria. Our auditors have determined that Juniper Square, in all material respects, complies with the criteria. Further information is available upon request, and the report may be shared with current and prospective customers upon execution of the requisite forms of NDA as required by Juniper Square’s auditors.

    Data Centers

    This section spells out the physical, administrative, and technical security measures taken by AWS with regard to its data centers that hold data of Juniper Square and its customers.

    Application and Infrastructure Security

    Juniper Square follows a standards-based software development life cycle (SDLC). Change control is managed for both application stability and security. Code reviews are done before releasing changes to production.

    Juniper Square leverages Amazon Web Services (AWS) for its production infrastructure. AWS provides industry-leading reliability, scalability, and disaster-recovery capabilities. AWS is ISO 27000-certified, GDPR-, CCPA-, and NIST-compliant, and undergoes regular SOC 1 and SOC 2 assessments. The production network environment is segmented with stateful firewalls. All customer data is encrypted in transit and at rest. A web application firewall is used to mitigate distributed denial-of-service (DDoS) attacks.

    Cloud Infrastructure Utilized by Juniper Square

    The Juniper Square application is currently hosted primarily in the US-West-2 (Oregon) geographic region within AWS. All components of the application run in at least two data centers within this region concurrently, so that a failure of any single component, up to and including an entire data center, will not interrupt service.

    All data is replicated across multiple data centers in multiple regions for durability. The entire application is also replicated in another region, US-East-1 (Virginia), which serves as a warm standby enabling swift recovery from disasters that affect the entire primary region. In addition to AWS, Juniper Square also utilizes cloud-based services from third parties; examples are noted below. Some of these services are linked to specific product features which the customer may elect to use or not.

    • Mailgun – used for automated emails such as new task notifications, and to process inbound emails sent to the CRM for archiving
    • DocuSign – used to offer the option of signing subscription paperwork online
    • Google – used to provide maps and analytics within the application
    • Twilio – used to send SMS messages for users that enable two-factor authentication (2FA)
    • Lob – used to print and mail checks
    • Cloudflare – provides protection from network-level distributed denial-of-service (DDoS) attacks
    • Box.com – used to securely share confidential customer information during the onboarding process

    Juniper Square maintains a data processing risk assessment policy and reviews the security of any potential cloud-based service providers prior to engaging a provider.

    Physical and Environmental Security

    AWS data centers utilize state-of-the-art architecture, engineering, and business control practices, including:

    • Architecture. Data centers are housed in nondescript facilities.
    • Physical security. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
    • Staff access. AWS restricts data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
    • Fire detection and suppression. Automatic fire detection and suppression equipment is installed in all data centers.
    • Power. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week.
    • Communications. Each data center is redundantly connected to multiple tier-1 communications providers.
    • Climate and temperature. Climate control maintains a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages.
    • Management. AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
    • Storage device decommissioning. When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

    Technical Security Measures

    Juniper Square deploys a number of additional technical security measures beyond the data center, including:

    • Data transmitted between a user’s web browser and Juniper Square is encrypted in transit using Transport Layer Security (TLS, also known as SSL) technology.
    • Data, documents, and other media are encrypted at rest using 256-bit AES encryption.
    • Emails sent by staff users through Juniper Square are encrypted and transmitted to email servers securely via SMTP over TLS/SSL.
    • A strong password policy is enforced for all end-users, including both staff users of Juniper Square and investors who use the portal.
    • Two-factor authentication (2FA) is available for all customers and investors who use the portal.
    • After a limited number of failed login attempts, users are temporarily locked out from trying to sign in.
    • New versions of Juniper Square, including routine security patches to our underlying infrastructure, are released every 1-3 weeks, and Juniper Square personnel monitor security announcements for any urgent security patches.
    • Juniper Square infrastructure operates on a private network with restricted access from the Internet, exposing only HTTP, HTTPS, and LDAP interfaces.
    • Juniper Square continuously monitors, evaluates, and mitigates risks to data across the organization.
      • Security logs are centralized and monitored. Regular system, network, and application vulnerability tests are done with quick remediation to maintain a secure environment.
    • Juniper Square undergoes annual security audits and quarterly penetration testing provided by a reputable third-party security firm.

    Customer-Controlled Security Measures

    Using Juniper Square’s software, customers can take advantage of a number of features that help ensure the integrity and security of their data and improve compliance.

    Juniper Square Capabilities

    Customer-controlled security measures of Juniper Square include the following capabilities:

    • Restrict staff access to sensitive information via a role-based permissions model for staff users.
    • Specify which staff users are authorized to approve payments and manage entity bank accounts.
    • Enable view-only access rights for certain staff users to limit access to sensitive information, customizing permissions to various components of the product based on staff responsibility.
    • Restrict document access in the investor portal via a role-based permission model for investor portal users.
    • Securely encrypt sensitive PDFs, like tax forms, with a document password.
    • Utilize self-service password reset for investors.
    • Require recipients to log in to retrieve documents. These procedures secure email attachments against email forwarding, and work for prospects using the data room as well as current investors with portal access.
    • Automatically log an audit trail of every document shared with every investor, the date shared and by whom at your firm, and the date the recipient accessed the document.
    • Require NDA consent for data room access, or for individual documents, with Juniper Square gathering and managing electronic signatures to your form of NDA.
    • Manage employee equity participation plans with a restricted set of users limited to only those staff users who need to access the system to do their job.
    • Gather and manage investor consent to electronic delivery of tax forms.
    • Track important measures during the fundraising or offering process, like ERISA eligibility for current and prospective subscribers.
    • Host and gather user consent to your form of Terms of Use and Privacy Policy documents.
    • Provision and de-provision user access immediately, for both staff users and investor portal users.
    • Require two-factor authentication (2FA) for staff and/or portal users.

    Customer’s Role in Data Security

    In addition to measures taken by Juniper Square, the customer plays a critical role in securing their own data. This includes:

    • Following the procedures Juniper Square has designed to share sensitive data via a secure file sharing system, rather than email, during the onboarding process.
    • Ensuring users follow best practices when it comes to passwords (Juniper Square helps with this by enforcing strong passwords, but cannot prevent a user using the same password across multiple online services, a very significant source of vulnerability).
    • Restricting access to sensitive data to only those staff users who need access to do their job.
    • Maintaining adequate and appropriate security measures for sensitive investor data stored outside of Juniper Square.

    Administrative Security

    Business Controls

    • Files containing sensitive customer data are never exchanged between Juniper Square and customers via email, which is inherently insecure, but always through encrypted file shares that use TLS/SSL in transit and encryption on disk (the current file share provider is Box.com).
    • Access to customer information stored in Juniper Square is limited to only those employees who need access to do their job. Access is regularly reviewed, and two-factor authentication is strictly enforced.
    • Juniper Square’s computers are all company-owned and adhere to our IT security policy. All storage is encrypted, and all Juniper Square employees are required to use a password manager that generates strong, unique passwords. Customer data may not be stored on computers other than Juniper Square’s secure workspace and AWS. In the event an employee is terminated, their company-owned laptop is surrendered immediately, and access to company resources, the company network, and company infrastructure is immediately revoked.
    • All employees must conduct Juniper Square work on company-owned and managed workstations. All workstations are managed by a mobile device management system to ensure that system configurations are unified and security policies enforced. Workstation OS and applications are patched regularly. All workstations have antivirus and full disk encryption.
    • Employees of Juniper Square undergo a rigorous screening process and are thoroughly reference- and background-checked. All Juniper Square new hires must sign our confidentiality agreement during onboarding.
    • Employees of Juniper Square receive mandatory training on Juniper Square’s Information Security Policy at the commencement of their employment, and refresher trainings are conducted with all employees at least yearly. Information Security Policies are highlighted on the company intranet. Failure to comply with security and privacy policies can lead to employee corrective action.
    • The Juniper Square Information Security Policy includes acceptable use, data classification and handling policies designed to protect your information and the integrity of the software.
    • Juniper Square maintains a rigorous data processing risk assessment policy and reviews the security of potential third-party service providers, including the nature of the data shared with the third party, the steps taken to secure such data, and the potential risk of employing such third party. Third-party vendors undergo an initial risk assessment and annual reviews to ensure that vendors meet or exceed security requirements.
    • Juniper Square maintains an Errors & Omissions insurance policy with Lloyd’s of London which covers privacy and data breaches (aka “cyber”) with limits designed to ensure adequate coverage.

    Physical Security

    Juniper Square’s physical offices are located in San Francisco, CA and Austin, TX and are protected by security personnel. All employees reside in the United States or Canada. Access to Juniper Square’s offices is secured with individual card access, video surveillance, access logging, and monitoring.

    • All visitors must sign in to our visitor management system and be accompanied by a Juniper Square employee while in our offices.
    • All Juniper Square employees undergo training on our physical security policy at the commencement of their employment, with training updates conducted at least yearly, which includes the following measures:
      • All Juniper Square office entrances must remain locked at all times.
      • Visitors must be announced and accompanied by an employee at all times.
      • Employees must secure their computers before stepping away.
      • Employees are trained to be aware of, and prevent, those who may attempt to tail employees into the office.
      • Guests are never allowed on Juniper Square’s network.

    Reliability and Redundancy

    Juniper Square understands how critical our service is to our customers’ business success. We have a historical uptime of 99.5%. Systems and services can be scaled quickly to meet changing business demands. A business continuity and disaster recovery plan is well defined and maintained. As mentioned above, data is replicated to a different geographical region within AWS to ensure reliability in the event of a localized disaster. Business Continuity Plan training, testing, and adjustments are done annually to ensure redundancy. Together this provides for a Recovery Time Objective (RTO) of 8 hours and a Recovery Point Objective (RPO) of 24 hours.