Part of our DNA.
Security & data protection.

Introduction

We love software and everything that goes with it – especially security and data protection.

We work in compliance with GDPR, host our servers in Germany, offer optional on-premises hosting, conduct regular pentests and are ISO27001 certified.

That's why customers from sensitive sectors in particular trust Just Social: from local authorities and governments, through hospitals and utilities, to banks and insurance companies.

Thank you for your trust: we really appreciate it.
Warm regards from St. Pauli, Your Just Social Team

ISO certifications

ISO 27001: ISMS

We operate an Information Security Management System (ISMS) in accordance with ISO 27001 standards and have it audited annually by TÜV Rheinland. You can download our current certificate here.

ISO 27001: Data centre

We host our customer systems exclusively in Germany, near Nuremberg, in an ISO 27001-certified data centre. You can download the current certificate from TÜV NORD here.

ISO 27701: Protection of sensitive data

Our data centre complies with international data protection requirements and has implemented measures to protect personal data in accordance with ISO 27701. You can download the current certificate here.

ISO 9001: Quality management

The processes at our data centre are certified under a quality management system (QMS) in accordance with ISO 9001 and are audited annually by TÜV NORD. You can download the current certificate here.

ISO 14001: Sustainability

Our data centre operates in an environmentally conscious and sustainable manner and records, evaluates and complies with all environmental requirements in accordance with ISO 14001. You can download the current certificate from TÜV NORD here.

GDPR compliance

Hosting in Germany

We host all customer systems exclusively in our ISO 27001-certified data centre in Germany (Nuremberg) and store all data there in compliance with the GDPR.

Data protection law and data processing agreement (AV-Vertrag)

We are subject exclusively to German and European jurisdiction, including data protection law, and conclude AV contracts with our customers in accordance with Art. 28 GDPR.

Data minimisation & data avoidance

No personal data other than your first and last name is required to use Just Social. The remaining data is generally business-related. Consequently, hardly any sensitive data within the meaning of the GDPR is processed or stored.

Privacy by Design & by Default

We take data protection into account right from the design phase. Just Social is preset to be data protection-friendly by default, so that, for example, information only becomes visible once it has been explicitly released for a user group.

Trained staff

All our employees are trained in data protection, security and confidentiality as part of our Information Security Management System (ISMS) and are contractually bound (declaration of commitment).

Mobile Apps

Mandatory device lock

By default, Just Social apps only work if device lock (e.g. PIN code, fingerprint or Face ID) is set up on the smartphone, so that the entire device is protected against unauthorised access.

Encrypted data storage

We store the data on mobile devices exclusively in the encrypted app area, provided that the mandatory device lock (e.g. PIN code, fingerprint or Face ID) for using Just Social is activated.

Protection of images and videos

Images and videos uploaded to Just Social are not stored in the smartphone's general storage, so they do not appear in the central media galleries – which gives them better protection on private devices.

Central data storage

Just Social stores all data centrally on your server system in our data centre in Germany. This also applies to data sent or received via our mobile apps.

Remote logout

If you lose your mobile phone, you can log out of your mobile device remotely from your desktop PC to prevent unauthorised access to your Just Social apps.

Support for MDMs / EMMs

Just Social is compatible with all common Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) solutions for centrally controlled distribution of apps to smartphones (e.g. MobileIron, Airwatch).

E2E encrypted push notifications

The push notifications sent to our mobile apps are end-to-end encrypted, meaning that they cannot be read by the corresponding Apple (APNS) and Google (FCM) services.

Encryption

Encrypted data transmission

Just Social transmits all data encrypted over HTTPS. The supported encryption protocol is TLS 1.3. We manage SSL/TLS certificates via Let's Encrypt as standard and renew them automatically every two months.

Password encryption

User passwords are stored in encrypted form in the database. The minimum requirements are configurable. Default: 8 characters, 1 letter, and either upper and lower case, 1 number or 1 special character.

Daily backups (encrypted)

If we host the Just Social system, we back up the data daily in encrypted and immutable form (immutable backup) on a separate backup server and georedundantly using Borg Backup.

Penetration testing, processes & team

Regular pentesting

Our software undergoes regular penetration testing. We employ a professional, certified internal penetration tester who operates independently of our software development team and does not limit himself to black box testing.

Code reviews, tests & OWASP checks

Security is deeply integrated into our software development, e.g. through mandatory code reviews, automated testing, OWASP dependency checks and many other measures, tools and frameworks.

IT Security Team, DSB & ISB

Our Data Protection Officer (DPO), Information Security Officer (ISO) and our IT security team (Care Bears) consist of experienced IT security experts who are supported by audatis and CMS Hasche Sigle as needed.

Permissions & Access

Two-factor authentication (2FA)

Just Social offers you two-factor authentication (2FA) via TOTP, which you can either enable as an option or make mandatory for all users to increase the protection of your data.

SSO

Just Social offers you the option of single sign-on (SSO) via OpenID Connect (OIDC) with Azure/Entra or ADFS, so that your users only have to log in once on their device.

Powerful authorisation concept

Just Social has a two-tier authorisation concept: global administrators manage users and basic settings. Users and user groups can be granted rights to read, write and manage content (e.g. chat groups).

User analytics and tracking

If desired, you can analyse the use of your Just Social system anonymously and in compliance with GDPR via Matomo and evaluate the number of page views (general and per page), visits (total and unique) and much more.

Logging

For security reasons, we store IP addresses and server logs for a maximum of 60 days for all accesses to the Just Social system. In addition to the IP address, the date, time, operating system, browser type and data volume are also stored.

Updates & Support

Updates & Upgrades

We are constantly developing Just Social and release a major version with new features every month. In between, we install updates as needed and perform security updates on the operating system twice a day.

Availability >99.5%

We guarantee high availability of your Just Social system of >99.5%. Clustering the server system allows for even higher availability and, above all, better performance in the event of a very large number of users.

Support with heart from St. Pauli

At the start of the project, you will meet your contact persons from our Customer Success Team in St. Pauli in person. Our team has years of experience and is well versed in all matters relating to Just Social.

Service Level Agreement (SLA)

Our Customer Success Team provides fast and competent support that our customers love. Upon request, we guarantee fast response and recovery times in our SLA. Feel free to contact us.

Cookies

Cookies are small text files that are stored in the user's browser and are used for various purposes. The cookies that Just Social creates and uses are described below.

Use in Just Social

Just Social recognises the user by the following cookies: just-id, remember and trusted-device.

just-id

Contains the server-side encrypted internal ID of the user and logs the user in to Just Social. It is a session cookie (deleted e.g. when the browser is closed (*)). This cookie is also deleted when logging out of Just Social.

remember

Contains a server-side encrypted token that is used for login. This cookie is created when the option "Stay logged in" is selected when logging in to Just Social. It is a long-lived cookie (deleted after 30 days). This cookie is also deleted when logging out of Just Social.

trusted-device

Contains a server-side encrypted token. The cookie is stored after a successful login. This allows the corresponding device to make login attempts even when the user's account is temporarily locked because of too many preceding failed login attempts. It is a long-lived cookie (deleted after one month). This cookie is not deleted when logging out of Just Social.
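As an added illustration of the trusted-device behaviour described above (example code written for this page, not Just Social's own implementation), the following Python sketch applies a temporary lockout after repeated failed logins while still letting a device that presents a valid trusted-device token attempt a login. The failure threshold, the lock duration and the HMAC-keyed token lookup are assumptions; the page only states that the token is encrypted server-side.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values; the page does not state the threshold or lock duration.
MAX_FAILURES = 5
LOCK_SECONDS = 15 * 60
# The page says the token is encrypted server-side; this example simplifies
# that to a keyed HMAC lookup so the raw token is never stored.
SERVER_KEY = secrets.token_bytes(32)


class LoginGuard:
    """Temporary account lockout that exempts devices holding a trusted-device token."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = {}  # username -> timestamps of recent failed attempts
        self.trusted = {}   # HMAC(token) -> username the token was issued to

    def _mac(self, token):
        return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

    def issue_trusted_device(self, user):
        """Called after a successful login; the returned value goes into the cookie."""
        token = secrets.token_urlsafe(32)
        self.trusted[self._mac(token)] = user
        return token

    def is_locked(self, user):
        recent = [t for t in self.failures.get(user, []) if self.now() - t < LOCK_SECONDS]
        self.failures[user] = recent
        return len(recent) >= MAX_FAILURES

    def may_attempt(self, user, trusted_cookie=None):
        """Decide whether a login attempt for `user` may proceed at all."""
        if not self.is_locked(user):
            return True
        # Locked: only a device presenting a token issued to this very user may try,
        # so a lockout caused by someone else's failed guesses does not shut the owner out.
        if trusted_cookie is None:
            return False
        return self.trusted.get(self._mac(trusted_cookie)) == user

    def record_failure(self, user):
        self.failures.setdefault(user, []).append(self.now())

    def record_success(self, user):
        self.failures.pop(user, None)
```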

jc_locale

Stores the user's language setting. It is a long-lived cookie (deleted after one year).

loadproxy

On cluster systems this cookie is set so that the user always lands on the same app server. It is a session cookie (deleted e.g. when the browser is closed).

XSRF-TOKEN

Stores a random value that prevents so-called cross-site request forgery (CSRF) attacks. It is a session cookie (deleted e.g. when the browser is closed).

Optional cookies

Integrating Matomo (Piwik) may create further cookies. Whether this tracking tool is integrated is at the discretion of the respective platform operator.