|Julie Desk servers are hosted on infrastructures complying with international standards ISO 27001, SOC 1 and 2 as well as PCI-DSS level 1.
|All servers are connected with 2 independent network accesses. Emergency generators provide power in the event of a power outage. The data centers are themselves connected with at least 2 network accesses and 2 power lines.
|Badge access, 24/7 video surveillance, smoke detection and 24/7 technical staff.
|Data centers are located in France and are managed by OVH.
|Servers, IP and storage used for hosting the Julie Desk service are dedicated. We use virtualization solutions.
|Service Level Agreement (SLA)
|The contract with our hosting provider includes SLAs that apply from 10 minutes of unavailability. An automatic monitoring system has also been set up to detect incidents and trigger the replacement of faulty resources.
|The following resources are dedicated to Julie Desk : room, workstations, network equipment (including firewall), teams.
|Access to the dedicated room requires biometric access. 24/7 video surveillance is installed.
|Access is limited to strict supervision needs. Users do not have access to the administrator account on workstations, USB ports are deactivated, external internet access is filtered and access is only granted on internal applications to meeting organization. Access to Julie Desk applications requires the use of a site-to-site VPN accessible only from the dedicated room.
|Services and physical storages are distributed on several servers in different rooms. A high availability solution is in place to guarantee the continuity of service in the event of a component failure.
|A continuity plan has been developed to limit recovery time in the event of a major availability incident.
|Service data is backuped daily, weekly and monthly. The maximum retention period for backups is 1 month.
|Recovery Point Objective (RPO
|Recovery Time Objective (RTO)
|Meeting requests are sent by email to a generic email address hosted on the Julie Desk's information system or a dedicated email address hosted on the customer's information system. The security of these exchanges is the same as a traditional email exchange.
|The system synchronizes itself by downloading emails sent to the service and user's calendar items by connecting to the customer information systems. This communication is one way. This means communications are only initiated from Julie Desk to the Client. Those communications require the use of the HTTPS protocol.
|Exchanges between servers
|The system is distributed among several applications and servers. Inter-server data exchanges are encrypted and use SSH, SSL or HTTPS protocols depending on situations.
|The service data is encrypted using the AES-256 protocol. Salt and initialization vectors are randomly generated and differ for each entry stored in the database.
|Human supervision access requires a VPN access and the use of HTTPS.
|The service is based on a multi-tier and multi-zone security architecture. Each server is dedicated to a specific task. Inter-zone communications are filtered by firewalls.
|Antivirus software is deployed throughout the infrastructure.
|A DDoS attack mitigation system is installed.
|Applications are developed in-house and are updated via a continuous deployment process (several times a day). Each change is tested (automatically and manually) on an environment different from production before deployment.
|Systems are updated at least once a month in normal conditions and as soon as possible in case of publication of critical exploits.
|Infrastructure logs are sent in real time to a centralized server allowing the Security Incident Event Manager (SIEM) to correlate events and alert security staff.
|Alerts are generated and sent upon exception occurrence on running applications.
|Resource utilization metrics are tracked to predict future system usage.
|Alerts and metric tracking have been configured to detect incidents.
|An incident management plan has been prepared.
|The concerned customers shall be notified as soon as possible of the occurrence of any security incident. Notification of data protection authorities has been included in the incident management procedure.
|We perform due diligence on processors with whom we work to ensure that they meet our security requirements. This includes certifications verification, compliance with applicable laws (e.g. European GDPR) and security management checks.
|We use subcontractors to provide hosting and human supervision of the meeting scheduling service. Any change of subcontractor used to provide the service is notified to customers.
|We use other subcontractors, in particular for the management of commercial relations with our customers (such as CRM, ticketing support system, emailing) or security management (external consultants, automated analysis, alerting).
|Procedures for checking candidates' skills, identity and references have been set up in our recruitment processes.
|All working contracts include a non-disclosure agreement (NDA).
|System USe Charter
|A charter for the use of computer systems has been put in place.
|Procedures have been put in place to raise security and personal data processing awareness. Initial awareness sessions are given upon employee arrival followed by weekly awareness sessions (5-10 min).
|User accesses are nominative and personal.
|Single-sign on (SSO)
|A SSO system has been deployed for internal applications.
|We use 2-factor authentication for internal applications and systems (VPN with personal certificate and One Time Password).
|Accesses of employees leaving the company are revoked as soon as they leave. When an employee’s job/position changes, accesses that are no longer required are revoked.
|Principle of least privileges
|Principle of least privileges
|Reporting and documentation
|We can provide additional documentation on our processes and security management. This communication may require the signature of a non-disclosure agreement (NDA). Contact us for more information.
|Large companies Security Questionnaires
|We can fill in specific security questionnaires in the case of large account integration. A dedicated security contact is then assigned. Contact us for more information.
|The service is auditable by its customers. Contact us for more information.