At Jumio, we strive to ensure that information security and data protection is embedded into our internal processes and technology from the beginning of everything we do. We are able to achieve this through the effort of our people working together across our business. Our strong posture has been validated through external certifications that we achieved as a result of Jumio’s constant effort and focus on our information security and data protection programs.
Jumio operates in multiple jurisdictions, and compliance with local laws and regulations is paramount for us to lead a successful business. Our legal team has identified the legal requirements and regulations that are applicable to our operations, and we have implemented controls that help to achieve the required level of compliance.
Our customers are increasingly interested in our level of compliance with security standards and frameworks. We are proud to have achieved ISO/IEC 27001:2013, PCI DSS and SOC2 Type 2 certifications, and our security is in a continuous process of improvement regardless of certifications that we hold or strive to achieve.
ISO/IEC 27001:2013 certification demonstrates that Jumio successfully operates a systematic approach to securing the data of our customers as well as our corporate information, and our commitment to continuous risk management.
We regularly review our security objectives, security risks and the performance of our controls, which helps us design new processes and improve the existing ones.
Our people, processes and technology are independently assessed as meeting the standards set forth by the International Organization for Standardization.
PCI DSS Level 1 compliance demonstrates that Jumio has a robust PCI DSS compliant operating model. Our ongoing PCI DSS Level 1 compliance is validated on an annual basis by a skilled external audit team against the requirements of the standard.
We also believe that personal information is as important as credit card and payment data, and this is why we treat it with the same care and apply the same security safeguards to all data of our customers.
SOC2 Type 2
Jumio Transaction Monitoring system has obtained SOC2 Type 2 certification, which demonstrates the ongoing performance of the system’s controls.
Jumio was able to achieve the SOC2 certification for the Jumio Transaction Monitoring system due to the information security model that we have designed and implemented across the entire organization as well as our long history of the ongoing compliance with other standards and regulations, such as PCI DSS and ISO27001. Achieving this milestone gives us confidence that our engineering practices can undergo the same attestation for all Jumio products in due time, since all our security and engineering practices follow the same information security model and governance.
We receive the same type of personal information from our Healthcare customers as from every other customer, and we do not require any other medical records to process the personal information within Jumio’s isolated environment to provide our identity verification services. While the personal information at the disposition of a Healthcare customer is considered protected health information due to various medical records associated with personal data of individuals, Jumio receives personal information decoupled from any medical records, and it is therefore not considered protected health information as defined by 45 CFR 160.103. In relation to HIPAA, Jumio is not considered a covered entity or a Business Associate.
Since we would like to give our clients as much confidence in our compliance processes as possible, Jumio has created “Other Arrangements” as permitted under parts 164.314 & 164.504 including a Healthcare data processing schedule and a linked HIPAA regulatory mapping and responsibilities overview guide, which ensures equivalence to that imposed on a business associate, and often exceeds the requirements and obligations as set out under the Security Rule, Privacy Rule and Breach Notification Rule.