1 Compliance
- 1.1 SOC2
- 1.2 GDPR
- 1.3 HIPAA
2 Governance
3 Data Protection
- 3.1 Data at rest
- 3.2 Data in transit
- 3.3 Data Residency
- 3.4 Secret management
4 Product Security
- 4.1 Penetration Testing
- 4.2 Public Bug Bounty
- 4.3 Vulnerability Scanning
5 Enterprise Security
- 5.1 Endpoint protection
- 5.2 Two factor authentication (2FA)
- 5.3 Remote access
- 5.4 Education
- 5.5 Identity and access management
6 Data Privacy

This page explains our security posture, which aims to assist customers in meeting their own compliance requirements.

Compliance

SOC2

The Plugin People has as of 23 APR 2024 attained SOC2 type 1 compliance. SOC2 Type 2 Audit was completed 22 JUL 2024. In scope are the core business processes, as well as our cloud infrastructure that is specific to our business and the development/deployment/support of Enterprise Mail Handler for Jira Cloud.

You can view our Trust Center online: The Plugin People Trust Center, SOC compliance attestation by our external auditor can be found in the resources section.

GDPR

The Plugin People have outsourced the Data Protection Officer role; audits are expected soon.

HIPAA

Specific to our Enterprise Mail Handler app for Jira Cloud: We do not currently have a HIPAA compliance program underway. See our HIPAA page for how we work toward this.

Governance

The Plugin People establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.

Our policies are based on the following foundational principles:

Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege
Security controls should be implemented and layered according to the principle of defense-in-depth
Security controls should be applied consistently across all areas of the enterprise
The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increasingly auditable, and decreasing friction

Data Protection

Data at rest

From our Records of processing activities (ROPA, GDPR Article 30) page:

File stores used for storing inbound/outbound customer email data are encrypted at rest.

Databases used in production are encrypted at rest. Additional field Level encryption (prior to storage) is used on sensitive data.

When flagging mail for support, that mail content remains in its source region, is only retrieved at the point of need by The Plugin People.

Data in transit

The Plugin People follow Atlassian guidelines (see Security guidelines for Marketplace apps) on minimum transport security ciphers.

TLS version 1.2 is used for all public facing network access. HSTS (HTTP Strict Transport Security) is enabled with a maximum age of at least one year. Server TLS keys and certificates are managed by AWS.

Inbound / Outbound mail connections all support SSL/TLS connectivity. 3rd party integrations like Slack and SMS provider web gateways are only accessible over secure connections.

Data Residency

See Data Residency for more information.

Secret management

Key management is delegated to AWS wherever possible making rotation automated. Best practice Role based security is applied to all application nodes.

Product Security

Penetration Testing

As yet we have not done this. It is planned for future.

Public Bug Bounty

The Plugin People have an open public bug-bounty (https://tracker.bugcrowd.com/plugin-people) covering our Enterprise Mail Handler app.

Vulnerability Scanning

We make use of static analysis tools (https://www.sonarsource.com/products/sonarqube ) as well as dependency analysis triggered at build time (Developer security | Snyk).

Enterprise Security

Endpoint protection

All corporate devices are Linux based and use full desk encryption, have regular software updates, use screen-locks and password managers that are themselves encrypted and password accessible. USB devices are rarely needed but are full disk encrypted if used.

Two factor authentication (2FA)

Two factor authentication is used on all enterprise systems that support it, as well as our own management apps.

Remote access

Remote access to our office network is not possible. Remote access (other than through AWS console using 2FA) is not possible.

Education

All staff receive on-boarding security awareness training. Any vulnerabilities found are discussed with the team to share learning.

Identity and access management

Access to AWS infrastructure is strictly limited, granted through Change Control, and scoped to having Roles for permissions. Removing such access is handled through our termination process.

Data Privacy

We are very aware that your sensitive data flows through our app/system and are very clear that your data is yours, we make no use it beyond what you would expect to deliver the functionality of the app.