In this article:
Security Credentials - SOC II Type 2
Personal Data Control and Processing
Service Availability
Authentication and Access
Data Storage
Security Credentials - SOC II Type 2
We complete SOC II Type 2 auditing with the help of a third-party vendor on a yearly basis. Our last compliance report was issued on Dec 18th, 2023. This globally recognized attestation validates our commitment to critical security standards to protect and secure client data.
Personal Data Control and Processing
Jeto neither has access to nor stores any data related to Marketo leads or lead activity. Jeto indexes the folder, program, and campaign information that Jeto users need to configure Launchers and create Jeto Campaigns associated with specific Marketo Programs. Marketo programs and databases ultimately regulate, control, and process activities related to outgoing communication and the lead database.
Sub Processors
The Jeto platform is built on third-party technologies that process our customer data. We maintain a List of Sub Processors in our Software Bill of Materials (SBOM) document, which is available to all customers upon request. Please contact help@jeto.io to request the most recent version of this document.
Service Availability
Uptime & Status
You can access our status page at all times at http://help.jeto.io/en/articles/3743421-system-status-report.
Authentication and Access
Authentication Protocol
Jeto Authentication prevents unauthorized access to your organization or its data by making sure each logged-in user is who they say they are. We use Auth0, an Enterprise Identity Platform, to manage access to your Jeto application.
We offer 4 types of Authentication:
Jeto User Login (OAuth 2.0)
Single sign-on (SSO)
Multi-Factor Authentication (MFA)
Application Connections (API keys)
Marketo Data & API Access
IP Whitelisting
Jeto can provide a static IP for whitelisting upon request.
Password Policy
Jeto requires a password with a minimum of 6 characters and 1 number.
Idle Timeout
Jeto applies Idle Timeout, which terminates a session after 60 minutes of inactivity.
Application User Roles and Permissions
A Jeto user can be assigned to 1 of 5 roles: Administrator, Collaborator, Viewer, Editor, or Approver. Each role contains a distinct set of permissions, which lets you apply the desired security controls to each individual user.
Data Storage
Jeto services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the USA.
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.
Data Storage, Backups, and Retention
The Jeto application databases are stored on Amazon AWS Relational Database Service (Amazon RDS), ensuring great performance and resizable capacity.
The physical and software security environment for Amazon servers is described on Amazon AWS' Website. All data is also backed up on a daily basis and is retained for a period of 35 days.
Jeto runs on Amazon RDS servers located in US East (N. Virginia).
Encryption
Encryption in transit: all the information sent from Jeto to Marketo goes through encrypted data transfer using a SHA256 encryption method.
Encryption at rest: all sensitive information, such as PII data, Campaign Data, user credentials, and the Marketo Encryption Key, is encrypted before being stored in our database and backups (AES encryption with 128 bits).
Data Ownership
Clients will retain all rights and ownership of data processed, stored, and/or archived on our systems.
Multi-Tenant Architecture
We use multi-tenant architecture to optimize cost, maximize efficiency and reduce maintenance. To mitigate risks associated with multi-tenant architecture:
We use permission evaluators on all transactions to cluster access to data for each User and each Account.
We perform automated regression testing prior to each change/release to test this logical segregation.
We have internal security protocols to isolate employees’ access to client data and minimize the risk of human error.
In terms of the potential effect on server performance, we will introduce auto-scaling in the 1st half of 2023 to compensate for increased demand from any client.
Incident Response
Jeto implements a protocol for handling security events which includes escalation procedures, rapid mitigation, and post-mortem. All employees are trained and informed of our policies and protocols.
Marketo Data & API Access
Jeto uses a REST API to connect to your Marketo instance. You must share Marketo API keys with Jeto so it can authenticate to your Marketo instance. Only a user with Marketo Administrator rights can control or revoke Jeto's API access by generating REST API keys. It is recommended that you restrict the API Web Service to minimal access rights, which must include the following permissions:
Activate Campaign
Deactivate Campaign
Execute Campaign
Read/Write Campaigns
Read/Write Assets
Approve Assets
Marketo Data
The following Marketo data is accessible to Jeto:
Marketo Folders
Marketo Programs
Marketo Assets (Campaigns, Emails, Landing Pages, Forms, Snippets, Images, and Files)
Jeto Account Data
Jeto stores the following Personally Identifiable Information (PII) from all users who are granted access to Jeto.
Company Name (required)
Email Address (required)
First Name (required)
Last Name (required)
Mobile Phone (optional)
Internal User ID (optional)
IP Address
City and country (calculated by the user’s IP address location)
Marketing Campaigns Data
Jeto allows users to create marketing campaigns of any type via a simple web form. The scope and nature of the related data are configurable, are determined by users with Administrator access, and typically include (but are not limited to):
Campaign name
Campaign date(s)
Campaign logistics details
Campaign content (copy, files, and images for emails and landing pages)
Campaign comments
API Access Termination
Jeto API access can be terminated by deactivating the related REST Custom Web Service from Marketo.