
Information Security Policy

1.0 Purpose
The purpose of this policy is to define information security policy within Jobvite.

2.0 Scope
This policy covers all security policies currently in place at Jobvite and performed by
any individual, group or department for the purposes of maintaining the security
posture, compliance, risk management, and change control of technologies in use at
Jobvite.
All security assessments and tasks are performed by delegated security personnel
either employed or contracted by Jobvite. All findings are considered confidential
and are to be distributed to persons on a need-to-know basis. Distribution of any
findings outside of Jobvite is strictly prohibited unless approved by the Chief
Technology Officer.

3.0 Policy
Architecture and Infrastructure
Jobvite has a multitenant architecture that logically separates customers' data
through access control based on company, users and roles. Data is logically
isolated and segregated. Access to data is only available through the application.
The application has extensive ACL, RBAC, authentication and authorization mechanisms
that allow access to data only to authorized users.
Jobvite's architecture is a distributed, multi-tiered architecture based on Java and .NET
technology stacks. The first tier is the web server, running on Apache and Microsoft
IIS. The middle tier runs on an open-source Java stack, and the data store tier is a mix of
MSSQL, MySQL and NoSQL databases such as MongoDB. In addition to these tiers,
the Jobvite architecture relies on a host of distributed services for the processing of data,
analytics, APIs and integration.
The Jobvite production databases are on a trusted network (DMZ), separate from
the web servers.

Vulnerability Assessments
Every quarter we run an infrastructure vulnerability assessment tool to ensure that we
have a secure infrastructure that is not vulnerable to various attack vectors.
Our managed service provider, Amazon AWS, takes responsibility for maintaining
the operating system and third-party applications that form the base of our
platform. Amazon regularly reviews vendor and third-party security bulletins and
patch updates to identify and recommend patches necessary for the system and
feeds those patches into the change control process.
For OS, MySQL and MSSQL patching, the Jobvite Operations team performs monthly
reviews and presents the patches to be applied to Jobvite for approval. For critical
updates, the Jobvite Information Security team regularly reviews these patches and,
if they are deemed urgent, notifies the support team with its recommendations to apply
the critical updates.
In addition, there are scanning and vulnerability detection services included with the
(subscribed by Jobvite) as outlined below:

Host-based Intrusion Detection System (HIDS)
o Log analysis
o Integrity checking (file integrity checking)
o Windows registry monitoring
o Rootkit detection
o Real-time alerting
o Active response
Penetration Testing
o Conducted annually. Network-layer penetration testing is performed
once a year and after any significant infrastructure modification.
Vulnerability Scanning
o Internal & External performed quarterly

Application Security, Code Reviews and Releases
All new product launches and major, minor and emergency patch releases are subject to
full static and dynamic code analysis before they are released. If any security issues
are detected, the code is modified to address the identified issues, and the code is pushed
to production only after clearance is received from the security team.
All code changes and new development are also analyzed and reviewed by Subject
Matter Experts (SMEs). Once the SMEs give clearance, the code goes through rigorous QA
test cycles before it is released.

Organizational Security
Jobvite performs background checks on all employees and contractors.

Data Retention and Backup
Jobvite hosts its production environment in Amazon Web Services (AWS) in their US-East
region, and our servers are spread across multiple availability zones (AZs) within the region
to address disaster recovery scenarios. Availability zones equate to separate stand-alone data
centers within the region, and there are four (4) availability zones in US-East. Jobvite
leverages all four AZs for disaster recovery, and can recover with little to no downtime if a
maximum of two of the four availability zones fail.

Disaster Recovery and Business Continuity
Redundancy
Jobvite has a redundant infrastructure. All servers, firewalls, switches, load
balancers and routers are redundant. If one fails, another server is available to
handle the load.

Antivirus
Jobvite has two antivirus layers. All inbound emails are filtered before they arrive at
Jobvite's servers. Also, all of Jobvite's Windows servers have Symantec Endpoint
Protection antivirus installed.

Maintenance Window
Jobvite's scheduled maintenance window is Saturday night from 10 PM to 1 AM
PST.

Production Access
Production access is limited to key individuals. Their remote access to the
production environment is over a Juniper SSL VPN, so all management traffic is
encrypted. Developers who need access to production systems for troubleshooting
purposes are granted access for a definite period (usually 12 hours). After this
period the password is expired and they no longer have access.

Password Policy
Password Complexity: Upper and lower case, special character and a number.
Minimum Length: 8 characters
Account Lockout Duration: Once locked, can only be unlocked through password
reset.
Account Lockout Threshold: 3 invalid logon attempts
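The password rules above, as an added illustration (this is not Jobvite's code): a small enforcer that rejects passwords failing the complexity and length rules, locks an account after 3 invalid logon attempts, and clears the lock only through a password reset. Salted PBKDF2-SHA256 storage and the iteration count are assumptions of this example, not statements from the policy.

```python
import hashlib
import hmac
import os
import string

LOCKOUT_THRESHOLD = 3  # invalid logon attempts before lockout (policy value)
MIN_LENGTH = 8         # minimum password length (policy value)
ITERATIONS = 100_000   # PBKDF2 work factor (assumption, not from the policy)

# Complexity rules from the policy: upper and lower case, a number, a special character.
RULES = [
    (lambda p: len(p) >= MIN_LENGTH, "shorter than 8 characters"),
    (lambda p: any(c.isupper() for c in p), "no upper case letter"),
    (lambda p: any(c.islower() for c in p), "no lower case letter"),
    (lambda p: any(c.isdigit() for c in p), "no number"),
    (lambda p: any(c in string.punctuation for c in p), "no special character"),
]


def policy_violations(password):
    """Return the policy rules a candidate password fails (empty list = accepted)."""
    return [msg for ok, msg in RULES if not ok(password)]


class Account:
    """Account with salted-hash verification and the policy's lockout rules."""
    def __init__(self, password):
        self.failed_attempts, self.locked = 0, False
        self._set(password)

    def _set(self, password):
        violations = policy_violations(password)
        if violations:
            raise ValueError("password rejected: " + ", ".join(violations))
        self.salt = os.urandom(16)  # fresh salt on every (re)set
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)

    def login(self, password):
        """False on a wrong password or a locked account; 3 misses lock it."""
        if self.locked:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)
        if hmac.compare_digest(candidate, self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True  # stays locked until reset_password()
        return False

    def reset_password(self, new_password):
        """The only path out of lockout, per the policy: a password reset."""
        self._set(new_password)
        self.failed_attempts, self.locked = 0, False
```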

Patching Schedule
1st weekend of the month: Patch half of production
2nd weekend of the month: Patch half of production
3rd weekend of the month: Patch staging environment

SSAE 16
SSAE SOC 1/2/3 compliance is maintained through our hosting provider
Amazon Web Services. http://aws.amazon.com/compliance/

4.0 Risk
Security issues that are discovered during assessments are mitigated based upon the
following risk levels. Risk rating is based on the OWASP Risk Rating Methodology.
High: Any high risk issue must be fixed immediately, or other mitigation
strategies must be put in place to limit exposure before deployment.
Applications with high risk issues are subject to being taken off-line or
denied release into the live environment.
Medium: Medium risk issues are reviewed to determine what is required to
mitigate them and scheduled accordingly. Applications with medium risk issues
may be taken off-line or denied release into the live environment based on
the number of issues and whether multiple issues increase the risk to an
unacceptable level. Issues should be fixed in a patch/point release unless
other mitigation strategies will limit exposure.
Low: The issue should be reviewed to determine what is required to correct it
and scheduled accordingly. Remediation validation testing will be required
to validate the fix and/or mitigation strategies for any discovered issues of
Medium risk level or greater.

5.0 Responsibilities
The Jobvite Security Engineering team is responsible for web application scoping,
assessment, determination of discovered issue risk, and reporting to Project
Management and application stakeholders.
Project Management and application stakeholders are responsible for the
appropriate assessment scheduling and remediation efforts based upon assessment
findings and Security Engineering recommendations.

6.0 Enforcement
Web application assessments are a requirement of the change control process and
are required to adhere to this policy unless found to be exempt. All application
releases must pass through the change control process. Any web applications that
do not adhere to this policy may be taken offline until such time that a formal
assessment can be performed at the discretion of the Chief Technology Officer.

7.0 Breach Notification
In case of a breach, Jobvite will notify the affected customers through email and
immediately work on a system response to the breach.

8.0 Database Encryption
Some data at the database level is encrypted at rest.
Jobvite uses single-key encryption.
Encryption of data in transit: SHA 256 + salt

9.0 SSO
Jobvite supports the following SSO methods: Google, SAML 2.0, OAuth
