Security
This page explains our security posture, which aims to assist customers in meeting their own compliance requirements.
Compliance
SOC2
The Plugin People has as of 23 APR 2024 attained SOC2 type 1 compliance. SOC2 Type 2 Audit was completed 22 JUL 2024. In scope are the core business processes, as well as our cloud infrastructure that is specific to our business and the development/deployment/support of Enterprise Mail Handler for Jira Cloud.
You can view our Trust Center online: https://trust.thepluginpeople.com/, SOC compliance attestation by our external auditor can be found in the resources section.
GDPR
The Plugin People have outsourced the Data Protection Officer role; audits are expected soon.
HIPAA
Specific to our Enterprise Mail Handler app for Jira Cloud: We do not currently have a HIPAA compliance program underway. See our HIPAA page for how we work toward this.
Governance
The Plugin People establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Our policies are based on the following foundational principles:
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege
Security controls should be implemented and layered according to the principle of defense-in-depth
Security controls should be applied consistently across all areas of the enterprise
The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increasingly auditable, and decreasing friction
Data Protection
Data at rest
From our Records of processing activities (ROPA, GDPR Article 30) page:
File stores used for storing inbound/outbound customer email data are encrypted at rest.
Databases used in production are encrypted at rest. Additional field Level encryption (prior to storage) is used on sensitive data.
When flagging mail for support, that mail content remains in its source region, is only retrieved at the point of need by The Plugin People.
Data in transit
The Plugin People follow Atlassian guidelines (see https://developer.atlassian.com/platform/marketplace/app-security-guidelines/) on minimum transport security ciphers.
TLS version 1.2 is used for all public facing network access. HSTS (HTTP Strict Transport Security) is enabled with a maximum age of at least one year. Server TLS keys and certificates are managed by AWS.
Inbound / Outbound mail connections all support SSL/TLS connectivity. 3rd party integrations like Slack and SMS provider web gateways are only accessible over secure connections.
Data Residency
See Data Residency for more information.
Secret management
Key management is delegated to AWS wherever possible making rotation automated. Best practice Role based security is applied to all application nodes.
Product Security
Penetration Testing
As yet we have not done this. It is planned for future.
Public Bug Bounty
The Plugin People have an open public bug-bounty (https://tracker.bugcrowd.com/plugin-people) covering our Enterprise Mail Handler app.
Vulnerability Scanning
We make use of static analysis tools (https://www.sonarsource.com/products/sonarqube ) as well as dependency analysis triggered at build time (Developer security | Snyk).
Enterprise Security
Endpoint protection
All corporate devices are Linux based and use full desk encryption, have regular software updates, use screen-locks and password managers that are themselves encrypted and password accessible. USB devices are rarely needed but are full disk encrypted if used.
Two factor authentication (2FA)
Two factor authentication is used on all enterprise systems that support it, as well as our own management apps.
Remote access
Remote access to our office network is not possible. Remote access (other than through AWS console using 2FA) is not possible.
Education
All staff receive on-boarding security awareness training. Any vulnerabilities found are discussed with the team to share learning.
Identity and access management
Access to AWS infrastructure is strictly limited, granted through Change Control, and scoped to having Roles for permissions. Removing such access is handled through our termination process.
Data Privacy
We are very aware that your sensitive data flows through our app/system and are very clear that your data is yours, we make no use it beyond what you would expect to deliver the functionality of the app.
Further reading:
Our Privacy Policy
A list of our sub processors is found on Schedule 1 of our Cloud Software Product EULA