We attach great importance to data security and data protection and work in compliance with GDPR, which is why hundreds of well-known customers rely on Just Social. This includes companies and organizations from all sectors and types:
Of course, you can conclude a data processing agreement (German: AV or AVV, Auftragsverarbeitungsvertrag) with us in accordance with Art. 28 of the EU General Data Protection Regulation (GDPR), applicable since May 25, 2018, in its current version.
You can do this entirely electronically: this saves everyone involved effort and still provides a legally sound data protection basis for our future cooperation.
We have our systems and processes regularly checked and optimized by the management consultancy audatis with regard to data security and data protection. You can download the latest certificate here:
View data protection certificate
audatis specializes in the areas of data protection and information security and advises renowned clients from various industries. Our data protection officer Carsten Knoop is founder and managing director of audatis and was previously Chief Information Security Officer (CISO) at Bertelsmann AG. He has many years of experience and excellent expertise in the field.
Just Social has been reviewed in the past by customer representatives and by external pentesters. We now have the corresponding expertise in-house and employ a professional internal pentester. This has the following benefits:
Because our pentester is not a member of our development teams and also tests for other clients on the side, his independence is maintained.
If we host Just Social for you, your server system runs in a professionally operated, ISO 27001-certified data center in Germany that meets the highest security standards:
ISO certificate and further information about our data center
With the enterprise version of Just Social, you get your own “piece of software” over which you have complete control: you can either host it yourself in a data center of your choice (self-hosted), or have us take over the hosting entirely in our ISO-certified data center (private cloud). In either case, your data is in a secure location of your choice. Our standard private-cloud installation process includes configuring a packet filter so that only the required services are reachable from outside, usually SSH for maintenance (port 22) and HTTP/HTTPS (ports 80/443). DDoS protection is also active.
If we take over the hosting of your Just Social system, we monitor the status of the services and resources used through a monitoring system. We are automatically notified when thresholds are exceeded. For example, we monitor:
If we take over the hosting of your Just Social system, we install the latest security updates for the operating system on the server system every day.
If we host your Just Social system, we back up the data daily, fully encrypted, to a separate backup server.
Just Social transmits all data to the client encrypted via HTTPS (TLS, the successor of SSL), ensuring a high level of security. The symmetric cipher used is not fixed in the software: it is negotiated between client and server as part of the TLS cipher suite, and is usually AES with a 256-bit key. In addition to HTTPS, SSH is used for maintenance access.
User passwords are never stored in plaintext: they are hashed with bcrypt (which generates a random salt per password) combined with a secret server-side value (a “secret salt”, i.e. a pepper), and only the resulting hash is stored in the database. Since bcrypt is a one-way function, the passwords cannot be decrypted; a login attempt is verified by re-hashing the submitted password and comparing the result.
Our minimum requirements for user passwords ensure a high level of security: at least 8 characters, including both uppercase and lowercase letters, and at least 1 number or 1 special character.
The following information is mandatory to use Just Social:
All other details are optional.
Every user interaction in Just Social is subject to authentication and authorization checks. By default, authentication uses a username and password. If SSO is configured, this check is delegated to your own Active Directory or to a Microsoft AD FS/IdP server.
Chat messages are stored in the database. The chat does not save status changes (online/offline).
All information that users delete in Just Social is initially only marked as deleted and is no longer displayed. As a result, the information is no longer visible to “normal” users in Just Social, but it still exists in the database, and administrators can recover it there at the database level.
The final deletion of the data is performed automatically by a cron job. The schedule and retention period of this job (e.g. daily, monthly, yearly, or every 5 or 10 years) can be adapted to the requirements of the respective customer.
Thanks to this two-stage deletion concept, Just Social is both audit-proof and compliant with data protection regulations. Note that data that is only marked as deleted is still stored personal data under the GDPR, so the purge interval has to match the retention period you can justify.
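The two-stage deletion concept described above, as an added example that is not Just Social's own code: a soft-delete marker hides a row from normal users, an administrator can clear the marker to recover it, and a scheduled purge step removes only rows whose marker is older than the retention period. The `documents` table, the `deleted_at` column, the 30-day retention value and the sample rows are all assumptions; the page does not describe the real schema.

```python
"""Two-stage deletion: soft-delete marker plus scheduled purge.

Added example, not Just Social code. The schema below is assumed: a
'documents' table with a 'deleted_at' timestamp that is NULL while the
row is live and holds an ISO-8601 UTC timestamp once it is soft-deleted.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # assumed customer-specific retention period


def open_db() -> sqlite3.Connection:
    """In-memory database with a few constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL, "
        "deleted_at TEXT)"
    )
    db.executemany(
        "INSERT INTO documents (id, title, body) VALUES (?, ?, ?)",
        [(1, "Onboarding", "..."), (2, "Q3 report", "..."), (3, "Old draft", "...")],
    )
    return db


def soft_delete(db: sqlite3.Connection, doc_id: int, now: datetime) -> None:
    """Stage 1: set the marker. Nothing is removed from the table.

    The 'deleted_at IS NULL' guard keeps a repeated delete from resetting
    the timestamp, which would otherwise push the purge date further out.
    """
    db.execute(
        "UPDATE documents SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
        (now.isoformat(), doc_id),
    )


def visible_titles(db: sqlite3.Connection) -> list[str]:
    """What a normal user sees: only rows without a deletion marker."""
    rows = db.execute(
        "SELECT title FROM documents WHERE deleted_at IS NULL ORDER BY id"
    )
    return [r[0] for r in rows]


def restore(db: sqlite3.Connection, doc_id: int) -> None:
    """Administrator recovery at the database level: clear the marker."""
    db.execute("UPDATE documents SET deleted_at = NULL WHERE id = ?", (doc_id,))


def purge(db: sqlite3.Connection, now: datetime, retention_days: int = RETENTION_DAYS) -> int:
    """Stage 2, the cron job: hard-delete rows whose marker is older than
    the retention period. Returns the number of rows removed.

    Timestamps are timezone-aware ISO-8601 strings in one format, so the
    lexicographic comparison done by SQLite matches chronological order.
    """
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = db.execute(
        "DELETE FROM documents WHERE deleted_at IS NOT NULL AND deleted_at <= ?",
        (cutoff,),
    )
    return cur.rowcount


def all_ids(db: sqlite3.Connection) -> list[int]:
    """Every row still physically present, deleted or not."""
    return [r[0] for r in db.execute("SELECT id FROM documents ORDER BY id")]


def run_demo() -> dict:
    """Walk through one deletion: hidden immediately, purged only later."""
    db = open_db()
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    soft_delete(db, 3, t0)                       # a user deletes "Old draft"
    after_soft = visible_titles(db)              # gone for users, still in the table
    early = purge(db, t0 + timedelta(days=1))    # marker too young: nothing purged
    late = purge(db, t0 + timedelta(days=RETENTION_DAYS + 1))  # now removed for good
    return {
        "visible": after_soft,
        "early_purged": early,
        "late_purged": late,
        "remaining": all_ids(db),
    }


if __name__ == "__main__":
    print(run_demo())
```

The purge compares against the time of the run, not against a fixed calendar, so the same function serves a daily job with a 30-day retention and a yearly job with a 10-year retention; only `retention_days` and the cron schedule change.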
IP addresses and server logs are only stored for a limited period. The exact period depends on log rotation (at most 60 days). The logs record the following information:
Cookies are small text files that are stored in the user's browser and are used for various purposes. The cookies that Just Social creates and uses are described below.
Just Social recognizes the user from the following cookies: just-id, rememberMe and trusted-device.
In addition to the personal cookies mentioned above, other technical cookies are created:
(*) If the browser's “restore last session” function is used when the browser is reopened, session cookies are also restored.
Cross-site scripting (XSS) is prevented by the escaping performed by our GWT framework and, in the WYSIWYG editor, by sanitizing user-supplied HTML with AntiSamy.
SQL injection is prevented by our use of prepared statements through MyBatis, which handles all database access. (MyBatis only binds `#{}` placeholders as prepared-statement parameters; `${}` performs plain string substitution and must not be used with user input.)
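The property that prepared statements provide, as an added example that is not Just Social's own code: the same lookup written once by splicing the user's input into the SQL text and once with a bound parameter. Just Social's stack is Java with MyBatis; the example uses Python's `sqlite3` DB-API instead, where the `?` placeholder plays the role of a MyBatis `#{}` parameter. The `users` table, its rows and the injection string are constructed for the example.

```python
"""SQL injection: a string-built query beside a parameterized one.

Added example, not Just Social code. The 'users' table, the sample rows
and the injection payload are constructed for this demonstration.
"""
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT NOT NULL, "
        "is_admin INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return db


def find_email_unsafe(db: sqlite3.Connection, login: str) -> list[str]:
    """VULNERABLE: the login is spliced into the SQL text, so a quote in
    the input ends the literal and whatever follows becomes SQL."""
    sql = f"SELECT email FROM users WHERE login = '{login}'"
    return [row[0] for row in db.execute(sql)]


def find_email_safe(db: sqlite3.Connection, login: str) -> list[str]:
    """Parameterized: the SQL text is fixed at the call site and the value
    is bound separately, so it can only ever be compared as data."""
    sql = "SELECT email FROM users WHERE login = ?"
    return [row[0] for row in db.execute(sql, (login,))]


# Constructed injection string: closes the literal and appends a tautology.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both variants against the same input and return the rows each one leaks."""
    db = open_db()
    return {
        "unsafe": sorted(find_email_unsafe(db, PAYLOAD)),  # every e-mail address
        "safe": find_email_safe(db, PAYLOAD),              # no such login: empty
        "normal": find_email_safe(db, "bob"),              # legitimate lookup still works
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe variant executes `SELECT email FROM users WHERE login = 'x' OR '1'='1'` and returns every row; the bound variant looks for a login literally named `x' OR '1'='1` and finds nothing. Escaping quotes by hand is not a substitute: the binding keeps query structure and data apart regardless of what characters the input contains.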
Just Social transmits all data from all user devices to your server system in encrypted form via SSL or HTTPS (TLS), ensuring a high level of security.
Just Social basically stores all data centrally on your server system — so all knowledge is in a single, secure location. This also applies to data sent or received via our mobile apps.
In contrast to private chat tools such as WhatsApp or Threema, Just Social generally stores all data centrally on a server system of your choice (see above). Data is only stored temporarily and to the extent necessary for the apps to function on users' devices.
On the device, data is stored exclusively in the protected app area (sandbox), so images and files do not appear in the phone's central image gallery or file storage.
Just Social is compatible with all common Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions (e.g. MobileIron, AirWatch). These allow you, for example, to distribute and manage the Just Social apps on users' smartphones or to connect to the Just Social server system via VPN.
If you lose your mobile phone, you can remotely log the mobile device out from your desktop PC to prevent unwanted access to your Just Social apps.
The Just Social apps can optionally refuse to run on devices that do not have a device lock (fingerprint or code) set up. In that case, not only the Just Social apps but the entire device is protected from unwanted access. In addition, the data in the protected app area is then encrypted by the mobile operating system; this encryption is only in effect when a device lock is configured.
Just Social has a two-stage authorization concept:
Super administrators can administer the entire Just Social system and, among other things, have access to all content and containers (with the exception of chats). They have global rights for all functions, e.g. they can:
In order to meet the various requirements and at the same time ensure ease of use, Just Social consists of several apps, each specialized in a specific use case. In each of our apps, a central element (“container”) can be created, for which the respective creator of the container can grant permissions to read, write and manage:
App writers have permission within an app to create new containers, such as new drives, news channels or wikis.
Container admins have read, write and manage rights within a container (e.g. drive, wiki, news channel), so that they can, for example, within a drive:
Container writers have read and write rights within a content container (e.g. drive, wiki, news channel), so that they can, for example, within a drive:
Container readers have read rights within a content container (e.g. drive, wiki, news channel), so that they can, for example, within a drive:
In an emergency, the monitoring tool informs Just Software's support team that the customer's server is unavailable. The support team then handles the emergency in the following steps:
The concepts for all Just servers and internal systems are regularly checked and audited.
MaRisk AT 8.2 requires that, before significant changes to the IT organization, the effects of the planned changes be analyzed:
“Before significant changes in the organizational and operational structure as well as in the IT systems, the institute must analyse the effects of the planned changes on control procedures and control intensity. ”
Since Just Software operates the Just Social system for the customer as software-as-a-service (SaaS) in a private cloud, there are hardly any points of contact with the customer's IT (with the exception of the user import). The change to the customer's IT organization can therefore be regarded as non-significant, so that a detailed analysis can be dispensed with.
Just Social System Requirements