Data Security FAQs

1. How secure is the data between the recordkeeping system and iJoin?

o All data in transit is encrypted via HTTPS using SSL/TLS certificates with SHA256 encryption algorithms along with 2048-bit RSA keys

o Data in transit is encrypted through web services via HTTPS.

o Each authentication request and outcome are logged and stored.

o Direct access by iJoin employees to our application database requires a secure VPN connection.

o Sensitive identifiers such as personally identifiable information (PII) and non-public information (NPI) are obscured from administrative view.

o Server access is restricted to the engineering team and protected by RSA keys.

o Our database features AES-256 (bank level) encryption via keys generated and stored on FIPS 140-2 validated hardware security modules.

As additional layers of security, entry into the iJoin participant experience is only permissible through a secure Single Sign-On process that is invoked entirely from the Recordkeeper Participant web application. This means a participant cannot enter iJoin until after they have successfully been authenticated by the Recordkeeper application, which includes any form of Multi-Factor Authentication methods that have been implemented within said application. Access to the iJoin administrative and analytics portal is also secured by way of Multi-Factor Authentication that you have the option to enforce across all system users.

2. How does iJoin protect personally identifiable information (PII) or non-public information (NPI), including account numbers?

The entire iJoin database features AES-256 (bank level) encryption via keys generated and stored on FIPS 140-2 validated hardware security modules.
Data in transit is encrypted through web services via HTTPS.
System user passwords are hashed using SHA512.

3. Is iJoin SOC Compliant?