
Security & Compliance Statement

Last updated 7 October 2025

This Security & Compliance Statement describes the technical and organisational measures used to protect data processed by JobTek Ltd (“JobTek”) across www.jobtek.com, app.jobtek.com, jobtek.net, JobTek’s mobile apps, and related APIs (the “JobTek Services”). It is informational and does not replace the contractual obligations in JobTek’s Terms & Conditions, Privacy Policy and Data Processing Addendum (DPA).

1. Data Hosting & Residency

  • Hosted on Microsoft Azure in UK/EU regions, with a high-availability architecture appropriate to the plan tier.

  • Data may be processed outside the UK/EEA by approved sub‑processors under appropriate safeguards (e.g., UK IDTA / SCCs), as detailed in the DPA.
     

2. Access Control & Identity

  • Role‑based access control (RBAC) and least‑privilege principles.

  • MFA enforced for administrative access; strong password policies for staff accounts.

  • Segregated environments; audited admin actions and privileged operations.
     

3. Encryption

  • In transit: TLS 1.2+ for all external endpoints; HSTS on web properties.

  • At rest: Azure-managed encryption (e.g., AES‑256) for databases, files, and backups.

  • Secrets stored using cloud KMS and secure configuration management.
     

4. Application & Platform Security

  • Secure SDLC practices; peer review; dependency management; automated code analysis.

  • Patch and vulnerability management aligned to severity.

  • Logging and monitoring for key services; alerting on anomalous activity.

  • Change control and release management with staged rollouts where appropriate.
     

5. Email & Messaging Security

  • Outbound and inbound email handled via SendGrid (Twilio), with TLS required on mail transport wherever the peer mail server supports it.

  • Domain authentication: SPF, DKIM, and DMARC configured for JobTek‑managed domains.

  • Push notifications delivered via APNs (iOS) and Firebase Cloud Messaging (Android) using secure tokens; notifications may contain limited job/customer context necessary to identify the update (see Privacy Policy).
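A customer reading the domain-authentication bullet above will usually want to know how strong the published records actually are: “DMARC configured” covers everything from a monitor-only p=none to a full p=reject, and an SPF record ending in +all authorises any host on the internet. The following is an added example, not JobTek’s code, that parses SPF and DMARC TXT records and reports the findings a reviewer would raise. The records it evaluates are constructed samples (hypothetical, not JobTek’s real DNS); to check a live domain you would fetch the TXT records for the domain and _dmarc.<domain> and pass them to the same functions.

```python
"""Evaluate SPF and DMARC TXT records for enforcement strength.

Added example (not JobTek's code). The sample records below are
constructed for illustration and are not real DNS data.
"""
import re

# Constructed sample records (hypothetical; not real DNS data).
SAMPLE_SPF = "v=spf1 include:sendgrid.net ~all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_STRONG = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
    "rua=mailto:dmarc@example.com"
)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag -> value dict.

    Raises ValueError for records that are not DMARC1 or lack the
    mandatory p= tag, since receivers ignore such records entirely.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record missing required p= tag")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return reviewer findings; an empty list means the policy enforces."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: DMARC is monitor-only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")
    # sp= defaults to p= when absent; an explicit sp=none leaves subdomains open.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are unprotected although the org domain enforces")
    return findings


def assess_spf(record: str) -> list[str]:
    """Check the SPF 'all' qualifier and the DNS-lookup mechanism count."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.startswith("+") or all_term == "all":
        findings.append("+all: any host on the internet may send as this domain")
    elif all_term.startswith("?"):
        findings.append("?all: neutral result, provides no protection")
    # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ptr, exists, redirect)
    # at 10; exceeding it yields permerror and the record stops protecting anything.
    lookup_re = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=", re.I)
    lookups = sum(1 for t in terms if lookup_re.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms: exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    print("SPF:", assess_spf(SAMPLE_SPF) or ["ok: softfail on unlisted senders"])
    print("DMARC (weak):", assess_dmarc(SAMPLE_DMARC_WEAK))
    print("DMARC (strong):", assess_dmarc(SAMPLE_DMARC_STRONG) or ["ok: enforcing"])
```

DKIM is deliberately not checked here: its selector records live under `<selector>._domainkey.<domain>` and the selector names are only visible in the DKIM-Signature header of a received message, so verifying the DKIM claim means inspecting an actual email from the vendor rather than guessing DNS names.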
     

6. Backups and Continuity

JobTek performs regular backups of production data and routinely tests restoration procedures to verify that backups can actually be restored.

Target objectives (non-contractual):

  • RPO (Recovery Point Objective): up to 24 hours, meaning no more than 24 hours of data would be lost in the event of a failure.

  • RTO (Recovery Time Objective): the target timeframe to restore normal service. It is not a single fixed figure and depends on the scope and scale of the incident.
     

7. Incident Management & Breach Notification

  • Documented incident response plan with defined roles and escalation paths.

  • Continuous monitoring of production systems; forensics and post‑incident review.

  • Customer notification of Personal Data Breaches without undue delay and in any event within 48 hours of awareness (as set out in the DPA).
     

8. Sub‑processors & Vendor Oversight

  • Core providers include Microsoft Azure, SendGrid, Stripe, Google Maps Platform, Apple APNs, Google Firebase (FCM), and analytics providers (if enabled).

  • Written DPAs in place; periodic reviews of vendor security posture; change notifications for sub‑processor updates per DPA.
     

9. Compliance Alignment

  • JobTek’s controls align with UK GDPR and the Data Protection Act 2018.

  • Security controls draw on recognised frameworks and guidance (e.g., ISO/IEC 27001 control families, NCSC principles).
     

10. Vulnerability Management & Disclosure

  • Regular vulnerability scanning and remediation according to severity SLAs.

  • Coordinated vulnerability disclosure channel: security@jobtek.com.
     

11. Customer Responsibilities

  • Configure and manage user roles and permissions appropriately.

  • Maintain strong, unique passwords and (where offered) enable MFA.

  • Ensure a lawful basis for processing personal data and follow the Acceptable Use Policy.
     

Contact

Email: info@jobtek.com
Post: JobTek Ltd, 61 Bridge Street, Kington, Herefordshire, HR5 3DJ

For related information, see JobTek’s Privacy Policy, Acceptable Use Policy, and Data Processing Addendum.
