Join security policies are based on industry best practices.
Is Join SOC 2 Type II Compliant?
Yes. SOC 2 Type II is an independent auditor's attestation report, not a self-certification: the auditor examines both the design and the operating effectiveness of controls over a review period, against the trust services criteria of security, availability, confidentiality, processing integrity, and privacy. Maintaining this attestation is how Join demonstrates its commitment to a secure and reliable platform for its users.
Where is Join hosted?
Join runs on Amazon Web Services (AWS) and operates under the AWS shared responsibility model: AWS secures the underlying infrastructure (facilities, hardware, and the virtualization and network layers), while Join is responsible for the security of its own application, data, and AWS configuration. Join builds on AWS security controls such as encryption, access controls, and monitoring to deliver a secure platform for its users, backed by the security and compliance programs of AWS.
What information does Join collect?
The Join web application collects project information and some information about users who log into the application. The Join Privacy Policy explains in detail the collected information and how it is used.
What is Join’s policy on cyber incident awareness?
Join runs an internal cybersecurity awareness program for employees, led by the Join Chief Information Security Officer (CISO). The program includes regular training sessions and updates on current cybersecurity threats and best practices. In addition, a risk and vulnerability assessment is performed as part of every incremental code review, so that potential security weaknesses in the system are identified and addressed proactively.
In the event of a cyber incident, Join has established procedures to respond promptly and limit the impact. Upon becoming aware of an incident, Join's incident response team initiates an investigation to determine its extent and takes the actions necessary to contain and remediate it. Join is committed to transparency and will notify its customers within five (5) business days, providing relevant information and guidance on how to protect their data and systems.
How does Join handle access control?
Join uses a third-party authentication provider, Auth0 (an Okta company), for access control and for enforcing pre-authentication risk checks. Once a user is identified, data access is limited by a Role-Based Access Control (RBAC) layer. Join retains end-user authentication logs for two (2) days and user action logs for seven (7) days, so that the actions of individual users can be uniquely traced. Note that these retention windows are short: an investigation that begins more than seven days after the activity in question cannot rely on Join's own user action logs for that period.
How does Join protect data at rest or in transit?
Join encrypts all data at rest and uses Transport Layer Security (TLS) for all communications between AWS and your browser. TLS protects data in transit between users and the platform against interception and tampering by anyone positioned on the network path.
Does Join support Single Sign-on?
Join currently offers Single Sign-on (SSO) for the following identity providers or protocols:
- Microsoft Azure AD
- Okta
- Google Workspace
- SAML
If you want to get SSO set up for your organization, read our SSO Setup Guide.
Is Join GDPR compliant?
Although Join has designed its Privacy Policy to align with both GDPR and CCPA, it does not currently offer its product as a service in the EU/EEA nor does it target companies or residents of the EU/EEA. For these reasons, GDPR does not apply to Join at this point in time. If you are considering using Join for a project that has an EU/EEA affiliation or clientele, please notify us in advance so that we can convey a timeline for when Join will be ready to accommodate this scenario.
Does Join use any data sub-processors?
Join uses select third-party sub-processors to process personal data on its behalf, under contractual agreements between Join and each sub-processor and subject to the Join Terms of Use and Join Privacy Policy. As part of maintaining its SOC 2 Type II attestation, Join reviews its sub-processors and their policies annually to confirm that personal data is handled with the protections required by the relevant data protection laws.
The sub-processors utilized by Join are detailed in the following table. Personal data processing will occur for the duration specified in the Join Terms of Use, product documentation, and any current agreements with Join's customers.
| Sub-processor | Purpose for processing | Category of personal data | Processing location | Security |
|---|---|---|---|---|
| Amazon Web Services | Join cloud hosting provider | Personal data contained in user account information and in content, text or files created in Join projects | USA | AWS Compliance Programs |
| HubSpot | Join marketing, customer service, and technical support | Personal data contained in user account information and in chat, text or files created and shared during support and services communications | USA | HubSpot Trust Center |
| Okta | Join access control | Personal data contained in user account information | USA | Okta Trust Center |
What is Join's data backup strategy?
The Join data storage strategy was designed for high availability and substantial disaster protection. Join holds two types of data: relational data (most data), stored in a SQL database, and blob data (uploaded images, etc.), stored in Amazon Simple Storage Service (S3). The SQL database is backed up daily, and the restore procedure is exercised at least weekly to confirm that it works; Join retains these backups for seven (7) days, so a restore to a point in time older than a week is not possible. S3 stores objects redundantly across multiple data centers, which preserves availability if a data center fails or is lost; note that this replication addresses infrastructure failure, not the accidental or malicious deletion of objects.
What domains does Join require access to in order to function correctly?
If your organization has networking rules that block access or requests to certain websites, work with your IT department to adjust your network's allowed list so that Join functions correctly from within your environment.
Join recommends adding both the Core Functionality and Extended Analytics domains to your allowed list. The Core Functionality domains are required: if your environment blocks them, Join will not function as expected for your users.
Core Functionality
- *.join.build
- *.amazonaws.com
- developer.api.autodesk.com
- *.appcues.com
- api.appcues.net
Extended Analytics
- api.amplitude.com
- api.segment.io
- cdn.segment.io
- sentry.io
- hotjar.com
- google-analytics.com
- app.datadoghq.com
Note: An entry beginning with an asterisk (*) is a wildcard that covers every subdomain of the named domain, so you do not need to add each subdomain individually. Be aware that *.amazonaws.com is a very broad entry: it admits any host on AWS, not only Join's, so it weakens egress filtering more than the other entries in the list.
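The following script is an added example (not Join's own tooling) for checking an existing proxy or firewall allowed list against the domain lists above. The two required lists are copied from this page; the proxy rule set in the block is constructed sample input, and the wildcard semantics (a `*.` rule covers the apex and every subdomain; a bare name covers only that exact host) are an assumption, since different proxies treat wildcards slightly differently.

```python
"""Audit an allowed list against the domains Join requires.

Added example, not Join's own code. REQUIRED lists are copied from the FAQ;
the proxy rules used in main() are constructed sample input. Assumed
wildcard semantics: '*.example.com' covers example.com and every subdomain;
a bare hostname covers only that exact host.
"""

CORE = [
    "*.join.build", "*.amazonaws.com", "developer.api.autodesk.com",
    "*.appcues.com", "api.appcues.net",
]
ANALYTICS = [
    "api.amplitude.com", "api.segment.io", "cdn.segment.io", "sentry.io",
    "hotjar.com", "google-analytics.com", "app.datadoghq.com",
]


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def rule_covers(rule: str, host: str) -> bool:
    """True if a single allowed-list rule permits the given hostname."""
    rule, host = _norm(rule), _norm(host)
    if rule.startswith("*."):
        base = rule[2:]
        # Match on the dot boundary: 'evil-join.build' must NOT match
        # '*.join.build', which a naive endswith('join.build') would allow.
        return host == base or host.endswith("." + base)
    return host == rule


def required_covered(required: str, rules: list[str]) -> bool:
    """True if the rule set satisfies one entry from Join's required list.

    A wildcard requirement can only be met by a wildcard rule of equal or
    broader scope; a bare-host rule cannot cover an unknown set of subdomains.
    """
    required = _norm(required)
    if required.startswith("*."):
        base = required[2:]
        for r in map(_norm, rules):
            if r.startswith("*.") and (base == r[2:] or base.endswith("." + r[2:])):
                return True
        return False
    return any(rule_covers(r, required) for r in rules)


def audit(rules: list[str], required: list[str]) -> list[str]:
    """Return the required entries that the rule set does not cover."""
    return [r for r in required if not required_covered(r, rules)]


def main() -> None:
    # Constructed sample rule set: one S3 host was allowed instead of the
    # '*.amazonaws.com' wildcard, and no analytics hosts except sentry.io.
    rules = [
        "*.join.build", "developer.api.autodesk.com", "*.appcues.com",
        "api.appcues.net", "s3.amazonaws.com", "sentry.io",
    ]
    print("Missing core entries:", audit(rules, CORE))
    print("Missing analytics entries:", audit(rules, ANALYTICS))


if __name__ == "__main__":
    main()
```

With the sample rule set, the core audit reports `*.amazonaws.com` as missing even though one `amazonaws.com` host is allowed, because a bare host rule cannot stand in for a wildcard requirement; that is the decision point where you either accept the broad wildcard or work with Join to identify the specific AWS hosts in use.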
How do I ensure my team receives Join's communications?
Join, Inc. sends various types of communications, including platform notifications, support requests, transactional emails, and marketing communications, as described in the Join Privacy Policy. To ensure your team receives them, work with your mail system administrator to add the join.build and connect.join.build domains to the relevant allowed lists on your email servers, email security systems, and antivirus products. Allowing these sender domains should not exempt their messages from SPF, DKIM, and DMARC verification, since a sender domain that bypasses authentication checks can be spoofed by anyone.