Privacy and Security
Janrain empowers its customers to meet their respective privacy and data security obligations by offering privacy enabling technology, secure data systems, and choices in accordance with privacy principles which are common among the myriad number of privacy laws and frameworks to which personal information may be subject.
We continue to develop flexible tools to help our customers meet their privacy obligations and, just as importantly, the privacy expectations of their diverse customers. We also support our customers’ compliance with applicable laws, and meet our own compliance obligations, through policies, internal practices, and resources focused on data security and privacy.
Data Security Features
Janrain’s hosted operations, which includes all capabilities of the Janrain Customer Profile Management platform, run on Amazon’s AWS EC2 infrastructure, which provides all of Janrain’s services with all the advantages of Amazon’s infrastructure security and data privacy practices. AWS EC2 has successfully completed multiple SAS70 Type II audits, publishes a Service Organization Controls 1 (SOC 1) report under both the SSAE 16 and the ISAE 3402 standards, has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS).
SSL Certificate Management
Janrain provisions, manages, and renews all Secure Sockets Layer (SSL) certificates on the customer’s behalf to secure all communication with Janrain’s services. These certificates are guaranteed to be at least 2048-bit, for lasting security.
Protecting Data in Motion
All social and conventional (user ID/password) logins and retrieval queries are encrypted using SSL. Janrain Social Login does not store user data at any point during authentication and, like all Janrain services, passes all user data over SSL only. Janrain Single Sign-On, which passes user authentication state data (and, optionally, identity information) between sites within a predefined circle of trust, manages a hardened whitelist that is verified at the time of transaction prior to passing any sensitive user data. In order to protect personally identifiable information (PII) and all other data, access to user data retrieved via Janrain is possible only with a valid access token, which is delivered to our customer during authentication.
Protecting Data at Rest
Due to Janrain’s customer profile data storage capabilities, Janrain has taken several steps to ensure that customer and user profile data is protected while at rest.
- OAuth 2.0 compliance: Janrain is fully compliant with OAuth 2.0 standards, enabling customers to easily provide their partners, customer service representatives, and other members of their organization with selective access to user data while continuing to protect sensitive user information. Dashboard access is enforced via roles.
- Data Isolation: Each Janrain customer deployment and corresponding data is isolated in its own logically discrete production environment.
- Schema Validation: Janrain validates customer schemas at deployment time to ensure sensitive data elements such as passwords are not stored in the clear.
In addition, encryption of data at rest is available as an add-on service.
Restricting Physical Access
Only authorized operations personnel who have passed the necessary background checks have access to Janrain’s production servers. Access credentials to production systems are never shared between any two Janrain employees. Janrain maintains audit trails for all production access.
Additional Security Measures
Additional safeguards deployed for the protection of hosted data include (a) industry standard firewalls for all data entering internal data network from any external source; (b) industry standard virus protection programs and techniques to prevent harmful software code from affecting the Services or User Data; and (c) performance monitoring to proactively detect and remediate brute force and denial of service attacks. Janrain has submitted to independent security audits, vulnerability scans, and intrusion detection procedures. In addition, Janrain contractually requires its employees to maintain the confidentiality of customer information and end user data and trains its employees on security, confidentiality, and privacy matters.
ISO 27001 Certification
Janrain adheres to ISO 27001 as its security program reference model. This standard covers requirements and details associated with the following security topics:
- A documented security policy
- Organization of information security
- Information asset management
- Human resources security
- Physical and environmental security
- Security controls in systems and networks
- Access control
- Security built in to applications
- Incident management plans•
- Business continuity management
- Compliance with laws and regulations
- Risk assessment and mitigation
The company has also established a formal program to maintain the certification. The certification was performed by BrightLine, an ANAB accredited Certification Body based in the United States. The details of Janrain’s ISMS certification are publicly available at https://www.brightline.com/certificate-directory/Bl9wr7iIJi8z/. Janrain is committed to ensuring that its employee security practices are also guided by this standard.
Addressing Common Privacy Concerns
Our customers offer their website visitors (or end users) registration, login, and profile management services via Janrain. Consequently, our customers have the relationship with end users who may submit personal data to our customers through the use of the Janrain’s services. For customers using Janrain’s Customer Profile Management platform, Janrain may receive and store such personal data on behalf of our customers, but Janrain does not determine how our customers use such data, and our access to it is restricted by our customer contracts. With respect to such personal data, our customers are data controllers and Janrain acts as a data processor. Understandably, addressing some common privacy concerns requires cooperation between Janrain and its customers. Here’s how we do it:
Providing Notice and Choice
Janrain customers are responsible for providing their end users with timely notice and choice regarding the purposes for which their personal information may be collected and used. Janrain technology enables its customers to provide end users with both notice and choice regarding the sharing of personal data at the time of website registration: Personal data may be passed at registration only with an end user’s consent via identity providers’ permission screens, or otherwise voluntarily provided by the end user at registration and any subsequent logins at Janrain customers’ websites. Janrain and its customers contractually agree to comply with applicable laws in providing and using Janrain services respectively.
Providing Data Access, Maintaining Data Integrity, and Enabling Data Deletion in Place
Customers may, at any time, access all their end user data hosted by Janrain, while end users using social logins have the ability to update their personal data. In addition, customers may request the permanent deletion of all end user personal data or of a single record. Janrain’s hosted registration offering provides tools that let customers create user profile pages where end users can manage the privacy settings of select data fields and optionally delete their personal data. Janrain maintains an audit trail detailing changes to personal information. When a record is deleted, this audit trail and all historical data is purged automatically, except for backup data which is subsequently purged automatically.
Maintaining Appropriate Security Safeguards
As further described above, Janrain and its hosted services provider maintain a secure infrastructure and appropriate technical and operational safeguards to help protect the security, confidentiality, and integrity of data submitted to Janrain. For their part, Janrain’s customers are responsible for using Janrain services in a manner that maintains the security and integrity of such data.
Global Data Storage Options
Janrain customers have the option to select the physical location of their users’ personal data to meet concerns regarding the trans-border transmission of personal information. Customers may choose from hosted services located in North America, Europe, and Asia. For example, customers located in the European Union (EU) may choose to have data hosted in Janrain’s Ireland-based hosted operations, ensuring that personal data of EU citizens remains within the EU.
Safe Harbor Certification
Janrain has self-certified itself as Safe Harbor compliant and complies with the U.S.-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework and their respective privacy principles regarding the collection, use, and retention of personal information from EU member countries and Switzerland respectively. In addition, Janrain has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. Janrain’s role under the European Union Data Protection Directive (95/46/EC) is that of a data processor. Janrain processes user data only in accordance with our customer instructions and only as necessary to provide services to our customers. As the data controllers, our customers determine the purposes of the processing of their respective user data.
Compliance Enabling Technology
Janrain leverages identity providers (IDPs) who support the Provider Authentication Policy Extension (PAPE) to offer turnkey authentication that is compliant with the Federal Identity, Credential, and Access Management (FICAM) framework of the Federal Chief Information Officers Council.
- Supported IDPs: Google, PayPal, and VeriSign.
- When FICAM support is requested by a website at user login, all API calls to IDPs request that FICAM policies are applied to the authentication and returned user data.
- User data can be filtered to remove personally identifiable information stored in the user’s social or commerce identity before completing the authentication transaction.
Authentication with IDPs supporting PAPE and FICAM support also acts as an enabling technology for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by filtering out personally identifiable information (PII) data as described above. OAuth 2.0 data access scopes further protect PII by restricting access to particular data fields by unauthorized persons. Data is encrypted in transit. As an add-on service, customers may order data encrypted at rest.
None of the Janrain products collect or store credit card data on behalf of the user or our customers or pass cardholder data between websites. Consequently, Janrain services reside outside the purview of the PCI DSS.
In general, Janrain does not collect or store personal information from end users under the age of 13. Janrain simply passes secure user information to customer sites. Customers are responsible for adhering to the Children’s Online Privacy Protection Act of 1998 (COPPA) at user registration and thereafter. To facilitate COPPA compliance by a customer, Janrain offers a specialized version of its registration solution for child registration, which includes a workflow that eliminates the collection of personally identifiable information for users under 13 years of age.
References and Additional Information
For details on AWS certifications and accreditation, please visit http://aws.amazon.com/security/.
To learn more about the Safe Harbor program and find Janrain’s certification on the Safe Harbor list, please visit http://www.export.gov/safeharbor/.