Trust & Security Center

Last Updated: January 15, 2025

1. Overview

At KJXX Systems Corp., security is not an afterthought — it is woven into every layer of our construction project coordination platform. This Trust Center provides transparency into our security posture, infrastructure decisions, email practices, and compliance commitments. We believe our clients deserve to know exactly how their data is protected.

2. Trust Pillars

Encryption

TLS 1.3 secures every connection. AES-256 protects data at rest across databases and object storage. Key rotation follows a 90-day cycle.

Email Authentication

SPF, DKIM (2048-bit), and DMARC (p=reject) are enforced on kjxx.com. Full alignment verified. DMARC aggregate reports reviewed weekly.

Infrastructure

Hosted on AWS us-west-2 (Oregon) with multi-AZ deployment. Auto-scaling compute, managed RDS databases, and S3 with versioning and lifecycle policies.

Monitoring

24/7 automated monitoring of application health, delivery metrics, bounce/complaint rates, and infrastructure performance. PagerDuty escalation for critical alerts.

3. Security Practices

Access Controls

  • Role-Based Access Control (RBAC) enforced across all internal and client-facing systems
  • Multi-factor authentication (MFA) required for all employee and administrator accounts
  • Principle of least privilege applied to every role and API key
  • Access reviews conducted quarterly; stale accounts deprovisioned within 24 hours

Data Protection

  • All data classified into sensitivity tiers (Public, Internal, Confidential, Restricted)
  • Confidential and Restricted data encrypted both in transit and at rest
  • Database backups encrypted and stored in a geographically separate AWS region
  • Data anonymization applied to development and staging environments

Application Security

  • Secure development lifecycle (SDLC) with code review mandatory for all changes
  • Dependency vulnerability scanning on every build (Dependabot + Snyk integration)
  • OWASP Top 10 mitigations implemented and tested
  • Input validation and parameterized queries prevent injection attacks
  • Content Security Policy (CSP) headers enforced on all web-facing endpoints

4. Infrastructure Details

Cloud Hosting

KJXX Systems runs on Amazon Web Services (AWS) in the us-west-2 (Oregon) region. Our architecture leverages:

  • EC2 Auto Scaling Groups for application servers
  • Amazon RDS (PostgreSQL) with Multi-AZ failover
  • Amazon S3 with server-side encryption and versioning for file storage
  • Amazon CloudFront CDN for static asset delivery
  • VPC with private subnets, NAT gateways, and security groups

Email Delivery

  • Provider: Mailgun (Sinch) — SMTP relay
  • IP: Dedicated sending IP with completed warm-up cycle
  • Daily volume: Approximately 12,000 transactional messages
  • Complaint rate: < 0.03% (target < 0.05%)
  • Bounce rate: < 1.4% (target < 2%)
  • Authentication: SPF + DKIM + DMARC (p=reject) fully aligned

5. Incident Response

KJXX maintains a documented Incident Response Plan with the following stages:

  1. Detection & Triage (0–1 hour) — Automated monitoring and manual reports are triaged by the on-call engineer. Severity classified as Critical, High, Medium, or Low.
  2. Containment (1–4 hours) — Affected systems are isolated. Access keys and credentials rotated if compromise is suspected.
  3. Investigation (4–24 hours) — Root cause analysis conducted. Forensic evidence preserved. Third-party specialists engaged if necessary.
  4. Remediation (24–72 hours) — Vulnerabilities patched, configurations hardened, and affected users notified. GDPR-mandated breach notification issued within 72 hours if personal data is affected.
  5. Post-Incident Review (within 5 business days) — Formal retrospective with timeline, root cause, impact assessment, and preventive measures documented.

6. Logging & Audit Trail

  • Email delivery logs: Retained for 90 days — includes recipient, timestamp, delivery status, bounce codes, and complaint flags
  • Access & authentication logs: Retained for 12 months — includes login attempts, session duration, IP addresses, and role-based actions
  • Template & configuration change logs: Retained indefinitely — includes author, timestamp, diff of changes, and approver identity
  • Infrastructure logs: Centralized in AWS CloudWatch with 12-month retention
  • Audit access: Change management logs are available to client administrators upon request for their tenant data

7. Compliance

KJXX Systems is committed to compliance with the following regulations and frameworks:

  • GDPR (General Data Protection Regulation) — Data processing agreements, lawful basis documentation, data subject rights workflows, 72-hour breach notification
  • CCPA/CPRA (California Consumer Privacy Act) — Consumer rights fulfillment, no data selling, privacy disclosure
  • CAN-SPAM Act — Accurate sender identification, functional unsubscribe mechanism, physical address in messages
  • CASL (Canadian Anti-Spam Legislation) — Consent verification, sender identification, unsubscribe processing within 10 days

8. Email Practices (Detailed)

This section provides an in-depth view of how KJXX manages outbound email to maintain deliverability, protect recipients, and comply with anti-spam regulations.

Recipient Verification

Every recipient address belongs to a user created through one of three verified pathways: employer invitation, vendor onboarding via signed agreement, or direct account registration with email confirmation. No messages are sent to addresses that have not been verified through one of these methods.

Suppression List

A global suppression list is maintained and enforced in real time. Addresses are added upon: hard bounce return, spam complaint receipt, manual unsubscribe request, or administrative removal. Suppressed addresses are permanently excluded from all future sends.

Bounce & Complaint Workflows

  • Hard bounces: Immediately suppressed; no retries
  • Soft bounces: Retried up to 3 times over 24 hours, then permanently suppressed
  • Complaints: Address immediately suppressed; incident logged; manual review within 1 business day to identify root cause

Feedback Loop (FBL) Monitoring

KJXX is enrolled in feedback loop programs with major mailbox providers. All FBL reports are ingested automatically, triggering immediate suppression and complaint triage. Monthly FBL reports are reviewed by the deliverability team.

Rate Limiting & Anomaly Detection

Per-client and per-template sending rate limits are enforced. If any account's volume exceeds 2× its 7-day rolling average, outbound delivery is automatically paused and a manual review is initiated within 30 minutes.

RBAC for Sending

Only authorized operations engineers (two individuals) have permissions to create or modify email templates and sending rules. All changes follow the four-eyes principle — a second authorized team member must approve before deployment.

Approvals on Template Changes

Template modifications are version-controlled. Each change records: the author, timestamp, full diff, reviewer identity, and approval timestamp. Unapproved templates cannot be deployed to production.

Audit Trail

Delivery logs are retained for 90 days. Template change history is retained indefinitely. All sending configuration changes are logged with full attribution.

How to Report Abuse

If you believe you have received an unwanted message from the KJXX platform, please report it to abuse@kjxx.com. Reports are acknowledged within 4 hours during business hours and fully investigated within one business day.

9. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential vulnerability in any KJXX system, please report it to:

Email: security@kjxx.com

Our commitments:

  • Acknowledgment of your report within 48 hours
  • Initial assessment and severity classification within 5 business days
  • Regular updates on remediation progress
  • No legal action against researchers who report in good faith and do not access, modify, or delete user data

10. Contact

For security inquiries, compliance questions, or to request additional documentation:

KJXX Systems Corp.
274 South 600 East, Suite 210
Salt Lake City, UT 84102
Security: security@kjxx.com
Privacy: privacy@kjxx.com
Abuse: abuse@kjxx.com
Phone: +1 (801) 436-7182
