Log4J Critical Vulnerability

On Dec 9th 2021 a critical vulnerability was uncovered in Log4J. Please note that Jeto does not use this framework and therefore, it is not directly affected by this threat. We have also confirmed that our upstream vendors have applied mitigation measures and we believe that these mitigations should cover with what is currently known about these vulnerabilities.

We will continue to monitor the situation and communicate any update here.

Personal Data Control and Processing

Jeto does not have access to, nor stores, any data related to Marketo lead or lead activity. Jeto will index folders, programs, and campaigns information required for Jeto users to configure Launchers and create Jeto Campaigns and associated to specific Marketo Programs. Marketo programs and database will ultimately regulate, control and process activities related to outgoing communication and lead database.  

Product security

Uptime & Status

You can access our status page at all time at http://help.jeto.io/en/articles/3743421-system-status-report.

Authentication Protocol

By default, Jeto requires "Basic" HTTP authentication (username & password) over HTTPS / SSL secured connection.

SSO: Upon request, Jeto can be deployed using a single sign on (SS0) authentication method. We work with Auth0 Identity Platform, which gives us the ability to support multiple Identity Providers see Auth0 website for supported providers. Confirmation of technical feasibility and additional cost may apply.

IP Whitelisting: Jeto can provide a static IP for whitelisting upon request.

Password Policy

Jeto requires a password with a minimum of 6 characters and 1 number.

Idle Timeout

Jeto applies Idle Timeout, which terminates a session after 60 minutes of inactivity.

Application User Roles and Permissions

A Jeto user can be assigned to 1 of 5 roles: Administrator, Collaborator, Viewer, Editor Approver. Each role contains a distinct set of permissions that allows to apply desired security controls for each individual user.

Data Hosting and Storage

Jeto services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the USA.

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.

Data Storage, Backups and Retention

The Jeto application databases are stored on Amazon AWS Relational Database Service (Amazon RDS), ensuring great performance and resizable capacity.
Physical and software security environment for Amazon servers is described on Amazon AWS' Website. All data is also backed up on a daily basis and is retained for a period of 35 days.

Jeto runs on Amazon RDS servers located in US East (N. Virginia).


Encryption in transit: all the information sent from Jeto to Marketo goes through encrypted data transfer using a SHA256 encryption method.

Encryption at rest: all sensible information like PII data, Campaign Data, user credentials and Marketo Encryption Key are encrypted before being stored in our DB and backups (AES encryption with 128 bits).

Data Ownership

Clients will retain all rights and ownership of data processed, stored, and/or archived on our systems.

Multi-Tenant Architecture

To mitigate risks associated to our multi- tenant architecture:

  • We use logical segregation for access to data based on unique user ID and unique account ID.

  • We perform automated regression testing prior to each change/release to test that logical segregation.

  • We have internal security protocols to isolate employee’s access to client data and minimize risk of human error.

  • In terms of the potential effect on server performance, we will introduce auto-scaling 1st half of 2020 to compensate for increased demand from any client.

Incident Response

Jeto implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are trained and informed of our policies and protocols.

Marketo API Access & Data

Jeto uses REST API to connect to your Marketo Instance. You must share Marketo API keys with Jeto so it can authenticate to your Marketo instance. Only a user with Marketo Administrator rights can control or revoke Jeto's API access by generating REST API Keys. It is recommended that you restrict the API Web Service with minimal access rights, which must include the following permissions.

  • Activate Campaign

  • Deactivate Campaign

  • Execute Campaign

  • Read/Write Campaigns

  • Read/Write Assets

  • Approve Assets

Marketo Data

The following Marketo data is accessible to Jeto:

  • Marketo Folders

  • Marketo Programs

  • Marketo Assets (Campaigns, Emails, Landing Pages, Forms, Snippets, Images and Files)

Jeto Account Data

Jeto stores the following Personally Identifiable Information (PII) from all users who are granted access to Jeto.

  • Company Name (required)

  • Email Address (required)

  • First Name (required)

  • Last Name (required)

  • Mobile Phone (optional)

  • Internal User ID (optional)

  • IP Address

  • City and country (calculated by the user’s IP address location)

Marketing Campaigns Data

Jeto allows users to create marketing campaigns of any type via a simple web form. The scope scope and nature of the related data is configurable and determined by users with Administrator access and typically include (but is not limited to) :

  • Campaign name

  • Campaign date(s)

  • Campaign logistics details

  • Campaign content (copy, files and images for emails and landing pages).

  • Campaign comments

API Endpoints

Please contact support for more details on Marketo API endpoints used in Jeto.

Access Termination

Jeto API access can be terminated by deactivating the related REST Custom Web Service from Marketo. 

Did this answer your question?