SEC 1. PURPOSE AND SCOPE
This Security Policy describes the TECHNICAL AND ORGANISATIONAL MEASURES we maintain to protect the Service and the data we process, and the responsibilities that apply to customers using JN Short. It covers the core platform (short links, QR codes, bio pages, hosted files where enabled, and APIs), our corporate environment, and integrations necessary to operate the Service. Capitalised terms have the meaning in the Terms of Service (the “Terms”).
SEC 2. SECURITY COMMITMENTS AND PRACTICES
2.1 Governance & Risk Management. We operate a security and privacy governance programme aligned with recognised industry practices. Senior leadership reviews risk, policies and incident learnings on a regular cadence.
2.2 Data Segregation & Tenant Isolation. Customer data is logically segregated in a multi‑tenant architecture. Production, staging and development environments are SEGREGATED. Access to production is restricted to authorised personnel with a NEED‑TO‑KNOW and is logged.
2.3 Encryption.
(a) IN TRANSIT: Data is protected with TLS (TLS 1.2+). HSTS is used on applicable domains. Outbound connections to third parties require encryption where supported.
(b) AT REST: Data at rest in primary data stores and backups is encrypted using strong industry‑standard ciphers (e.g., AES‑256 where supported by the managed service).
(c) KEY MANAGEMENT: Encryption keys are managed using a secure key‑management system with access controls and rotation procedures.
2.4 Access Control & Least Privilege. We apply LEAST‑PRIVILEGE principles, role‑based access control (RBAC), JUST‑IN‑TIME or time‑bound access where possible, and enforce MULTI‑FACTOR AUTHENTICATION for privileged access. Access rights are reviewed on a regular schedule and revoked upon role change or departure.
2.5 Secure Development & Change Management. We use version control, peer review, CI/CD with automated tests, and CHANGE MANAGEMENT procedures (including approvals and rollback plans) for production changes. Dependencies are tracked and updated. Secrets are stored in a secrets‑management system and not in source code.
2.6 Vulnerability & Patch Management. We conduct continuous vulnerability scanning of applications and infrastructure and remediate according to SEVERITY:
— CRITICAL/HIGH: TARGET REMEDIATION as soon as practicable, typically within 72 HOURS for critical and 30 DAYS for high severity.
— MEDIUM/LOW: Addressed in the normal release cycle based on risk.
We may commission independent security testing and adjust timelines where a compensating control is in place.
2.7 Logging, Monitoring & Alerting. SECURITY‑RELEVANT EVENTS (e.g., authentication, privilege changes, configuration changes, sensitive operations) are logged to a centralised log store. Monitoring and alerting detect anomalous activity. Logs are protected against tampering and retained for a defined period consistent with our retention schedules and lawful purposes.
2.8 Backups, Business Continuity & Disaster Recovery. We perform ENCRYPTED BACKUPS on rolling schedules and periodically test restoration. Service design includes redundancy for critical components. Our target recovery objectives are: RPO (RECOVERY POINT OBJECTIVE) typically up to 24 HOURS; RTO (RECOVERY TIME OBJECTIVE) targeted under 24 HOURS for core services, subject to incident specifics.
2.9 Third‑Party Providers & Subprocessors. We use reputable cloud and service providers bound by data‑processing and security obligations. We assess material providers for security posture and service reliability.
2.10 Physical & Cloud Infrastructure Security. We rely on leading data‑centre and cloud providers with industry‑standard physical safeguards (e.g., access controls, CCTV, environmental protections). Network security includes segregation, hardened configurations and managed firewalls/security groups.
2.11 Incident Response. We maintain an INCIDENT RESPONSE PLAN covering preparation, identification, containment, eradication, recovery and post‑incident review. SECURITY INCIDENTS ARE TRIAGED BY SEVERITY and handled by our response team. Where we are CONTROLLER, we notify affected users when required by law. Where we are PROCESSOR, WE WILL NOTIFY THE CONTROLLER WITHOUT UNDUE DELAY in line with the DPA.
SEC 3. CUSTOMER RESPONSIBILITIES
3.1 Account Security. YOU ARE RESPONSIBLE for safeguarding your credentials and for all activities under your account. Use STRONG, UNIQUE PASSWORDS and enable SSO and/or 2FA where available. Do not share accounts; provision individual accounts for each user.
3.2 Team Hygiene & Access Management. Assign least‑privilege roles, review access regularly, and promptly de‑provision users who leave your organisation or no longer require access. Use ADMINISTRATOR CONTROLS to manage invitations and role changes.
3.3 API Keys & Secrets. KEEP API KEYS CONFIDENTIAL. Rotate keys periodically and immediately if exposed. Store secrets in a secrets manager or, at minimum, in environment variables injected at runtime; never embed them in client‑side code or commit them to repositories (public or private). Use IP ALLOW‑LISTS or ORIGIN RESTRICTIONS where provided so that a leaked key alone is not sufficient to call the API.
3.4 Custom Domains, DNS & Certificates. If you use CUSTOM DOMAINS, secure your registrar and DNS‑provider accounts with MFA, monitor DNS changes, and maintain valid TLS CERTIFICATES (we provide automation where supported). Misconfigured DNS can expose your domain to hijacking or subdomain takeovers; in particular, remove CNAME records that point at services you have deprovisioned, because a dangling record can be claimed by a third party who then serves content under your name.
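The dangling‑CNAME case above is the usual precondition for a subdomain takeover. The following added example (our illustration, not JN Short's tooling) scans a set of DNS records for CNAME targets that no longer resolve. The zone, hostnames and answer table are constructed for the example; the resolver is injected so it runs offline, and `live_resolver()` swaps in the system resolver for a real check.

```python
"""Flag CNAME records whose target returns NXDOMAIN (subdomain-takeover candidates).

Added example, not JN Short's code. A CNAME pointing at a name that no longer
exists usually means the service behind it was deprovisioned while the DNS
record stayed behind; whoever can register that target name at the provider
then controls content served under your subdomain.
"""
import socket
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]
# hostname -> address, or None when the name does not exist (NXDOMAIN)
Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Resolve with the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling_cnames(records: List[Record], resolve: Resolver = live_resolver) -> List[Record]:
    """Return the CNAME records whose target fails to resolve."""
    findings: List[Record] = []
    for rec in records:
        if rec.get("type", "").upper() != "CNAME":
            continue
        target = rec["target"].rstrip(".")  # strip the trailing dot of an FQDN
        if resolve(target) is None:
            findings.append({"name": rec["name"], "target": target, "reason": "NXDOMAIN"})
    return findings


# Constructed sample zone: every hostname and target here is illustrative only.
SAMPLE_ZONE: List[Record] = [
    {"name": "links.example.com", "type": "CNAME", "target": "tenant-1234.shortener.example.net."},
    {"name": "old-promo.example.com", "type": "CNAME", "target": "promo-2021.static-host.example.net."},
    {"name": "www.example.com", "type": "A", "target": "203.0.113.10"},
]

# Constructed answer table standing in for DNS; names absent here are NXDOMAIN.
_FAKE_DNS: Dict[str, str] = {"tenant-1234.shortener.example.net": "203.0.113.20"}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for live_resolver(), backed by the constructed table."""
    return _FAKE_DNS.get(name)


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, fake_resolver):
        print(f"DANGLING {f['name']} -> {f['target']} ({f['reason']})")
```

NXDOMAIN is only one takeover signal: some hosting providers answer for any subdomain and serve an "unclaimed" page instead, so a complete check also compares the response body against provider‑specific fingerprints and verifies that the target is still registered to you.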
3.5 Destination Security & Webhooks. YOU CONTROL THE DESTINATION CONTENT your links/QRs point to and any WEBHOOK ENDPOINTS you host. Secure those systems (patching, TLS, authentication, rate limiting) and validate all inputs. Ensure your endpoints can handle retries idempotently.
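As an added example of the webhook requirements in 3.5 (our illustration, not JN Short's code), the receiver below validates each delivery and makes retries idempotent. It assumes each delivery carries a unique identifier in an `X-Delivery-Id` header and a JSON body with the fields in `REQUIRED_FIELDS`; the header name and field list are hypothetical, as is the sample delivery sequence in `demo()`.

```python
"""Idempotent, input-validating webhook receiver (added example, not JN Short's code).

Assumed contract: a 2xx tells the sender to stop retrying, a 5xx asks it to
retry, and every delivery carries a unique X-Delivery-Id (hypothetical header).
The id is memoised only after the side effect succeeded, so a failed attempt
is retried but a completed one is never processed twice.
"""
import json
from typing import Any, Callable, Dict, List, Set, Tuple

MAX_BODY_BYTES = 64 * 1024
# Illustrative schema: field name -> expected JSON type.
REQUIRED_FIELDS: Dict[str, type] = {"event": str, "link_id": str, "occurred_at": str}
Response = Tuple[int, str]


class WebhookReceiver:
    def __init__(self, process: Callable[[Dict[str, Any]], None]) -> None:
        self._process = process
        self._done: Dict[str, Response] = {}  # delivery id -> response already given
        self._in_flight: Set[str] = set()     # deliveries currently being processed

    def handle(self, headers: Dict[str, str], body: bytes) -> Response:
        delivery_id = headers.get("X-Delivery-Id")
        if not delivery_id:
            return 400, "missing X-Delivery-Id"
        if delivery_id in self._done:
            # Sender retry of a completed delivery: repeat the answer, do no work.
            return self._done[delivery_id]
        if delivery_id in self._in_flight:
            # Retry racing a delivery still being processed: refuse rather than duplicate.
            return 409, "delivery in progress"
        if len(body) > MAX_BODY_BYTES:
            return 413, "payload too large"
        try:
            payload = json.loads(body)
        except ValueError:
            return 400, "malformed JSON"
        if not isinstance(payload, dict):
            return 400, "payload must be an object"
        for field, typ in REQUIRED_FIELDS.items():
            if not isinstance(payload.get(field), typ):
                return 400, f"missing or invalid field: {field}"
        self._in_flight.add(delivery_id)
        try:
            self._process(payload)
        except Exception:
            return 500, "processing failed, please retry"
        finally:
            self._in_flight.discard(delivery_id)
        self._done[delivery_id] = (200, "ok")
        return 200, "ok"


def demo() -> Tuple[List[Dict[str, Any]], List[Response]]:
    """Replay a constructed delivery sequence; returns (processed events, responses)."""
    processed: List[Dict[str, Any]] = []
    receiver = WebhookReceiver(processed.append)
    good = json.dumps({"event": "link.clicked", "link_id": "abc123",
                       "occurred_at": "2024-01-01T00:00:00Z"}).encode()
    responses = [
        receiver.handle({"X-Delivery-Id": "d-1"}, good),            # first delivery: processed
        receiver.handle({"X-Delivery-Id": "d-1"}, good),            # retry: same answer, not reprocessed
        receiver.handle({}, good),                                  # no id: cannot dedupe, reject
        receiver.handle({"X-Delivery-Id": "d-2"}, b"{not json"),    # malformed body
        receiver.handle({"X-Delivery-Id": "d-3"}, b'{"event": 1}'), # wrong field type
    ]
    return processed, responses


if __name__ == "__main__":
    events, results = demo()
    print(f"processed {len(events)} event(s); responses: {results}")
```

In production the `_done` set belongs in shared, durable storage (for instance a unique constraint on the delivery id in the database) rather than process memory, so that dedup survives restarts and holds across multiple workers; the in‑memory dictionary here only shows the control flow.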
3.6 Devices & Networks. Maintain security on the devices and networks your users employ (e.g., OS patches, disk encryption, endpoint protection). We cannot secure your local environment.
3.7 Data Protection & Consent. Where you configure analytics or tracking on bio pages or destinations, YOU MUST IMPLEMENT LAWFUL DISCLOSURE AND CONSENT where required (see Privacy & Cookie sections). Limit collection to what is necessary.
3.8 Reporting Security Issues. If you suspect unauthorised access or a vulnerability, CONTACT US WITHOUT UNDUE DELAY AT security@jnshort.com and follow the guidance in SEC 6.
SEC 4. SHARED RESPONSIBILITY & SERVICE BOUNDARIES
We operate under a SHARED‑RESPONSIBILITY MODEL. The division of responsibilities is as follows:
— PLATFORM & INFRASTRUCTURE: We secure the core application, platform services, cloud infrastructure configuration, backups and service‑side encryption.
— APPLICATION FEATURES: We secure default configurations and server‑side controls; YOU configure organisation‑specific settings (roles, team access, custom domains, API keys, webhooks, consent tools).
— CONTENT & DESTINATIONS: YOU are responsible for the legality and security of destination websites, hosted assets you upload, and any third‑party integrations you enable.
— IDENTITY & ACCESS: We provide authentication mechanisms and audit logs; YOU manage users, SSO settings, 2FA enforcement, password policies and off‑boarding.
— ENDPOINTS & DEVICES: YOU secure your endpoints, networks and local storage.
— COMPLIANCE: We maintain controls required for our role; YOU ensure your use complies with your sector’s requirements (e.g., financial/health), including data‑subject rights and consent capture where applicable.
SEC 5. DATA RETENTION & DELETION
We retain data in accordance with the PRIVACY POLICY and our DATA RETENTION & DELETION schedules. On account closure or upon valid request, we DELETE OR ANONYMISE personal data within defined timeframes, subject to legal holds and backup cycles. Backups are overwritten on rolling schedules and are not modified except for restoration testing or recovery.
SEC 6. VULNERABILITY DISCLOSURE (CO‑ORDINATED)
6.1 Reporting. RESPONSIBLE SECURITY RESEARCHERS AND USERS MAY REPORT VULNERABILITIES TO security@jnshort.com. Include a description, steps to reproduce, potential impact, and your contact details.
6.2 Scope & Safe Harbour. DO NOT perform testing that violates law, degrades the Service, accesses other users’ data, or involves social engineering, denial‑of‑service or spam. If you act in GOOD FAITH and stay within scope, we will not pursue or support legal action against you for your research. Any testing must respect our AUP.
6.3 Remediation & Acknowledgement. We triage reports, assign severity, and target fixes based on risk. Where appropriate, we may acknowledge researchers who help us improve security.
SEC 7. BUSINESS CONTINUITY & COMMUNICATION
We maintain playbooks for disaster recovery and high‑severity incidents. In the event of a material service disruption, we will provide STATUS UPDATES via appropriate channels (e.g., status page or e‑mail) and post‑incident summaries for significant events.
SEC 8. CHANGES TO THIS POLICY
We may update this Security Policy to reflect changes in our practices, technology or legal requirements. MATERIAL CHANGES WILL BE NOTIFIED IN ADVANCE where required and will be reflected by an updated effective date.
SEC 9. CONTACT
Questions about security may be sent to security@jnshort.com. For data‑protection matters, contact privacy@jnshort.com. Urgent abuse reports should go to abuse@jnshort.com.