1. How secure is the data between the recordkeeping system and iJoin?
For data flow between Recordkeeper and iJoin;
- All data in transit is encrypted via HTTPS using SSL/TLS certificates with SHA256 encryption algorithms along with 2048-bit RSA keys
- Data in transit is encrypted through web services via HTTPS.
- Each authentication request and outcome are logged and stored.
- Direct access by iJoin employees to our application database requires a secure VPN connection.
- Sensitive identifiers such as personally identifiable information (PII) and non-public information (NPI) are obscured from administrative view.
- Server access is restricted to the engineering team and protected by RSA keys.
- Our database features AES-256 (bank level) encryption via keys generated and stored on FIPS 140-2 validated hardware security modules.
As additional layers of security, entry into the iJoin participant experience is only permissible through a secure Single Sign-On process that is invoked entirely from the Recordkeeper Participant web application. This means a participant cannot enter iJoin until after they have successfully been authenticated by the Recordkeeper application, which includes any form of Multi-Factor Authentication methods that have been implemented within said application. Access to the iJoin administrative and analytics portal is also secured by way of Multi-Factor Authentication that you have the option to enforce across all system users.
2. How does iJoin protect personally identifiable information (PII) or non-public information (NPI), including account numbers?
- The entire iJoin database features AES-256 (bank level) encryption via keys generated and stored on FIPS 140-2 validated hardware security modules.
- Data in transit is encrypted through web services via HTTPS.
- System user passwords are hashed using SHA512.
3. Is iJoin SOC Compliant?
Yes, iJoin is SOC 2, Type 2 compliant. View our letter of attestation.