Security Practices

Updated September 16, 2025

Data Protection and Privacy

Where is my data hosted?

Your data is hosted in state-of-the-art secure cloud environments, including Amazon Web Services (AWS) and trusted SaaS platforms such as Google Workspace.

How is my data protected?

Data is encrypted in transit and at rest. JustFund enforces access controls, network security, and vulnerability management practices, with annual penetration testing and ongoing security monitoring.

How often is data backed up?

Backups are part of JustFund’s Business Continuity and Security Maintenance program, tested annually and biannually to ensure availability and recoverability.

How long do you retain my data, and can I request deletion?

Data handling follows JustFund’s Data Classification and Privacy Policies. Users may request changes or deletion of their data, in accordance with privacy standards such as the GDPR and CCPA.

Can I request an export of our data?

Yes, this process is documented in our Privacy Terms.

Access and Controls

Who has access to my data?

Access is limited to authorized employees, contractors, and vendors who require it for the performance of their roles. Multi-factor authentication (MFA) is in place, along with policies for password security and dormant account management.

Do you control and monitor employee access?

Yes. Access controls are reviewed regularly.

Employee Training and Awareness

Are employees trained on security?

Yes. All employees receive annual security training.

How are you prepared for phishing or social engineering?

Employees and contractors receive monthly phishing awareness training. Annual disaster recovery simulations, such as tabletop exercises, are scheduled to model attacks and test responses. Contractors are included in training programs.

System and Application Security

Do you conduct security testing?

Yes. JustFund performs annual risk assessments, vulnerability scanning, and penetration testing. Security Key Risk Indicators (KRIs) are tracked quarterly.

How do you manage vendors?

Vendors are reviewed through a Third-Party Risk Management program, with controls to ensure they meet JustFund’s security standards.

Incident Response and Recovery

What happens if there is a data breach?

JustFund has an Incident Response Team (IRT) and procedures to detect, report, and respond to incidents. Significant issues are escalated to the Security Committee, Executive Committee, and, if necessary, the Board.

How quickly can you recover from outages?

Business Continuity Planning and backup testing ensure the timely restoration of systems. Security maintenance includes semiannual reviews of recovery readiness. JustFund’s Recovery Time Objective (RTO) is 8 hours, and Recovery Point Objective (RPO) is 24 hours.

General Trust and Transparency

Who oversees security?

The Chief Information Security Officer (CISO) leads security, supported by the JustFund Security Committee (JSC). Both report regularly to the Executive Committee.

How often do you update policies?

All security policies are reviewed at least annually and updated as necessary to address new risks.
