At Julie Desk, we take security very seriously. As such, we have implemented measures to protect your data in compliance with the European GDPR. For further information on data management, please read our privacy policy.
This page lists the most frequently requested information by our customers. If you do not find the answer to your questions or would like more information, please contact us.
Data centers
The data centers used by Julie Desk are managed by a subcontractor.
Certifications: Julie Desk servers are hosted on infrastructures complying with international standards ISO 27001, SOC 1 and 2 as well as PCI-DSS level 1.
Redundancy: All servers are connected through 2 independent network connections. Emergency generators provide power in the event of a power outage. The data centers are themselves connected through at least 2 network connections and 2 power lines.
On-site Security: Badge access, 24/7 video surveillance, smoke detection and 24/7 technical staff.
Location: Data centers are located in France and are managed by OVH.
Hosting segregation: Servers, IP and storage used for hosting the Julie Desk service are dedicated. We use virtualization solutions.
Service Level Agreement (SLA): The contract with our hosting provider includes SLAs that apply from 10 minutes of unavailability. An automatic monitoring system has also been set up to detect incidents and trigger the replacement of faulty resources.
Supervision Center
A supervision center is used to supervise requests sent to the service. This center is managed by a subcontractor.
Dedicated Resources: The following resources are dedicated to Julie Desk: room, workstations, network equipment (including firewall), teams.
Physical Access: Access to the dedicated room requires biometric access. 24/7 video surveillance is installed.
Logical Restrictions: Access is limited to strict supervision needs. Users do not have access to the administrator account on workstations, USB ports are deactivated, external internet access is filtered and access is granted only to the internal applications used for meeting organization. Access to Julie Desk applications requires the use of a site-to-site VPN accessible only from the dedicated room.
Business continuity
Redundancy: Services and physical storage are distributed across several servers in different rooms. A high availability solution is in place to guarantee the continuity of service in the event of a component failure.
Continuity plan: A continuity plan has been developed to limit recovery time in the event of a major availability incident.
Backups: Service data is backed up daily, weekly and monthly. The maximum retention period for backups is 1 month.
Recovery Point Objective (RPO): 24h
Recovery Time Objective (RTO): 24h
Data exchange and encryption
Service solicitation: Meeting requests are sent by email to a generic email address hosted on Julie Desk's information system or a dedicated email address hosted on the customer's information system. The security of these exchanges is the same as a traditional email exchange.
Data synchronization: The system synchronizes itself by downloading emails sent to the service and the user's calendar items by connecting to the customer information systems. This communication is one way: communications are only initiated from Julie Desk to the Client. Those communications require the use of the HTTPS protocol.
Exchanges between servers: The system is distributed among several applications and servers. Inter-server data exchanges are encrypted and use SSH, SSL or HTTPS protocols depending on the situation.
Storage: The service data is encrypted using AES-256. Salt and initialization vectors are randomly generated and differ for each entry stored in the database.
Human supervision: Human supervision access requires VPN access and the use of HTTPS.
System Security
Architecture: The service is based on a multi-tier and multi-zone security architecture. Each server is dedicated to a specific task. Inter-zone communications are filtered by firewalls.
Antivirus: Antivirus software is deployed throughout the infrastructure.
DDoS Protection: A DDoS attack mitigation system is installed.
Updates
Applications: Applications are developed in-house and are updated via a continuous deployment process (several times a day). Each change is tested (automatically and manually) in an environment separate from production before deployment.
Systems: Systems are updated at least once a month in normal conditions and as soon as possible when critical exploits are published.
Monitoring
Intrusion detection: Infrastructure logs are sent in real time to a centralized server, allowing the Security Information and Event Management (SIEM) system to correlate events and alert security staff.
Exceptions: Alerts are generated and sent when exceptions occur in running applications.
Resource utilization: Resource utilization metrics are tracked to predict future system usage.
Incident Management
Detection: Alerts and metric tracking have been configured to detect incidents.
Procedure: An incident management plan has been prepared.
Notifications: The customers concerned shall be notified as soon as possible of any security incident. Notification of data protection authorities has been included in the incident management procedure.
Processors
Processor verification: We perform due diligence on processors with whom we work to ensure that they meet our security requirements. This includes verification of certifications, compliance with applicable laws (e.g. European GDPR) and security management checks.
Service subcontractors: We use subcontractors to provide hosting and human supervision of the meeting scheduling service. Any change of subcontractor used to provide the service is notified to customers.
Other providers: We use other subcontractors, in particular for the management of commercial relations with our customers (such as CRM, ticketing support system, emailing) or security management (external consultants, automated analysis, alerting).
Human Resources Management
Recruitment: Procedures for checking candidates' skills, identity and references have been set up in our recruitment processes.
Working contracts: All working contracts include a non-disclosure agreement (NDA).
System Use Charter: A charter for the use of computer systems has been put in place.
Internal Awareness: Procedures have been put in place to raise security and personal data processing awareness. Initial awareness sessions are given when employees arrive, followed by weekly awareness sessions (5-10 min).
Authentication
Access: User access is named and personal.
Single sign-on (SSO): An SSO system has been deployed for internal applications.
2-factor: We use 2-factor authentication for internal applications and systems (VPN with personal certificate and One Time Password).
Passwords
Access termination: Access for employees leaving the company is revoked as soon as they leave. When an employee’s job/position changes, access that is no longer required is revoked.
Principle of least privilege
Audit & tests
User Access Review: Every 3 months.
Vulnerability test: Every 3 months or when major system changes occur.
Backup test: Every 3 months.
Continuity Plan Test: Every year.
Incident Plan test: Every year.
Transparency
Reporting and documentation: We can provide additional documentation on our processes and security management. This communication may require the signature of a non-disclosure agreement (NDA). Contact us for more information.
Security Questionnaires for Large Companies: We can fill in specific security questionnaires in the case of large account integration. A dedicated security contact is then assigned. Contact us for more information.
Audit: The service is auditable by its customers. Contact us for more information.