Security Overview

Introduction

Journey software is critical to your business and we take security of customer data extremely seriously. We host Journey using comprehensively hardened infrastructure-as-a-service (IaaS) platforms from Amazon Web Services (AWS).

Product security

Authentication

Accessing any Journey data is restricted to authorized users that are authenticated using a user-generated password. These passwords are encrypted one-way with PBKDF2-SHA256 encryption method and kept securely on AWS database servers. All identity and access management is done directly with these servers and there is no way for Journey to know a user's password as they're encrypted at signup time.

Permissions

Journey supports multiple permission levels for internal users and client users. Permission level changes can only be made by admins (internal admin users and client admin users).

Physical security

Journey production data is processed and stored within world-renowned AWS data centers that use state-of-the-art multilayer access, alerting, and auditing measures. Journey does not own any physical servers. 100% of the data is processed and kept on servers provided by AWS.

System security

Servers and networking

All Journey servers and structured data stores use managed infrastructure services provided and secured by Amazon. Our web servers encrypt data in transit using the industry standard for HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048 bit RSA, signed with SHA256.

Storage

All persistent data is encrypted at rest using industry-standard AES-256 algorithms and entirely kept on AWS data centers.

Operational security

Code Reviews and Production Deployment

All changes to source code are subject to automated testing and any that affect security require pre-commit code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.

All code is deployed to a staging environment for quality assurance and automated tests must pass prior to updating production services.

Service Levels, Backups, and Recovery

Journey infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of load balancing and task queues. Journey uses highly redundant data stores, rapid recovery infrastructure, and point-in-time backups making unintentional loss of customer data very unlikely.

Application security

Server and Client Hardening

All Journey servers use AWS backed infrastructure which provide load balancing, auto-scaling, and application health monitoring to ensure Journeys are always running reliably.

The client side application uses several techniques to ensure Journeys are safe and that all requests are authentic, including using JSON-web token for managing sessions and using secure cookies.

Customer Payment Information

We use Stripe for payment processing and do not store any credit card information. Stripe is a trusted, Level 1 PCI Service Provider.