This page explains our security posture, which aims to assist customers in meeting their own compliance requirements.
The Plugin People are currently undergoing SOC2 compliance involving third-party auditors. SOC2 Type 1 and Type 2 audits are due soon. In scope are the core business processes, as well as the cloud infrastructure specific to Enterprise Mail Handler for Jira Cloud.
The Plugin People have outsourced the Data Protection Officer role; audits are expected soon.
Specific to our Enterprise Mail Handler app for Jira Cloud: We do not currently have a HIPAA compliance program underway. See our HIPAA page for how we work toward this.
The Plugin People establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Our policies are based on the following foundational principles:
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege
Security controls should be implemented and layered according to the principle of defense-in-depth
Security controls should be applied consistently across all areas of the enterprise
The implementation of controls should be iterative, continuously maturing in effectiveness, auditability, and reduced friction
From our Records of processing activities (ROPA, GDPR Article 30) page:
File stores used for storing inbound/outbound customer email data are encrypted at rest.
Databases used in production are encrypted at rest. Additional field-level encryption (prior to storage) is used on sensitive data.
When mail is flagged for support, its content remains in its source region and is retrieved by The Plugin People only at the point of need.
The Plugin People follow Atlassian guidelines (see https://developer.atlassian.com/platform/marketplace/app-security-guidelines/) on minimum transport security ciphers.
TLS version 1.2 is used for all public-facing network access. HSTS (HTTP Strict Transport Security) is enabled with a maximum age of at least one year. Server TLS keys and certificates are managed by AWS.
Inbound and outbound mail connections all support SSL/TLS connectivity. Third-party integrations such as Slack and SMS provider web gateways are only accessible over secure connections.
See /wiki/spaces/JEMHC/pages/4102750249 for more information.
Key management is delegated to AWS wherever possible, so rotation is automated. Best-practice role-based security is applied to all application nodes.
We have not yet done this; it is planned for the future.
The Plugin People have an open public bug-bounty (https://tracker.bugcrowd.com/plugin-people) covering our Enterprise Mail Handler app.
We make use of static analysis tools (https://www.sonarsource.com/products/sonarqube) as well as dependency analysis triggered at build time (https://snyk.io/).
All corporate devices are Linux based and use full-disk encryption, receive regular software updates, use screen locks, and use password managers that are themselves encrypted and password-protected. USB devices are rarely needed but are full-disk encrypted if used.
Two-factor authentication is used on all enterprise systems that support it, as well as on our own management apps.
Remote access to our office network is not possible. Remote access in general is not possible other than through the AWS console using 2FA.
All staff receive on-boarding security awareness training. Any vulnerabilities found are discussed with the team to share learning.
Access to AWS infrastructure is strictly limited, granted through Change Control, and scoped through roles for permissions. Removing such access is handled through our termination process.
We are very aware that your sensitive data flows through our app and system, and we are very clear that your data is yours: we make no use of it beyond what you would expect in order to deliver the functionality of the app.
Further reading:
Our Privacy Policy
A list of our sub processors is found on Schedule 1 of our Cloud Software Product EULA