Security Policy

This document describes our security policy. We cannot guarantee that no leak will ever happen, but we do our best to keep your data safe.


Published annexes

Your data

Please see our Privacy Policy concerning how we manage your data.

How we develop secure software

  • We use code reviews to detect vulnerabilities before merging and delivering to customers,

  • We check permissions on every resource we access, and we regularly review those permissions,

  • We use Git to manage changes, so that any code that goes to production is easily auditable.

How we keep our communications secure

We do our best to use state-of-the-art techniques to keep the data safe:

  • We use SSH keys to access our servers,

  • We use HTTPS and SSL certificates to communicate between us and with you.

  • We don't transfer data in clear text over the network, except in situations where we display a warning, such as support requests sent through email.

How we keep the data secure

Once again, we do our best to use state-of-the-art techniques to keep the data safe:

  • Our main servers are hosted by Digital Ocean, which has extremely good security procedures: https://www.digitalocean.com/legal/data-security/

  • We host our websites on Digital Ocean,

  • We host our Cloud applications on Amazon AWS,

  • Data is encrypted at rest and in transit in our Amazon AWS installations,

  • The hard drives of our personal computers are encrypted (for example with Apple's FileVault 2),

  • Our personal backup drives are encrypted (for example with Apple's FileVault 2 / Time Machine).

Where we host your data

Please see the Privacy Policy on where we store data.

How we ...

  • We ensure that our plugins check Confluence and Jira permissions before exposing data to users,
  • We use peer-reviews to detect errors and security issues before releases,
  • We use Git to manage changes, so that any code that goes to production is easily auditable.

How we ensure continued security

Whenever we become aware of a vulnerability affecting the software we use (for example Heartbleed or Shellshock), we halt the service as an emergency measure and upgrade our systems.

How we handle a vulnerability

Important: If you notice a vulnerability, please submit a report to https://requirementyogi.atlassian.net/servicedesk/customer/portals.

  • We will investigate as soon as we can and write an internal report,

  • If we confirm the vulnerability, we will notify Atlassian,

  • If a breach allowed access to or alteration of customer data, we also notify our GDPR authorities within 72 hours (namely CNIL, for France),

  • If a breach allowed access to or alteration of customer data by an external person, we also notify those customers directly.

  • If a breach only allowed users of the same customer to view or edit data they were not permitted to (a permission violation), we decide whether to notify customers only through the release notes of the new version, or to contact customers directly.

We detect vulnerabilities using:


Notes:

  • Automated tools frequently flag suspected vulnerabilities in common industry libraries, whether or not we are actually affected. Therefore, we do not publish a report for each of them; we simply upgrade the library or ensure we are not using the affected feature of the library. In any case, our release process blocks the release of software until the suspected vulnerability is resolved.

  • If a vulnerability looks grave to us (ability to access or alter customer data), we investigate whether it would have allowed access to or alteration of customer data, and we apply the process above.

Please send notifications to https://requirementyogi.atlassian.net/servicedesk/customer/portals (if this portal is itself affected by a breach, we are also available by email at security@r-yogi.com).

How we perform audits

Every year, we perform a security audit with an external third party. We have published the result of the last audit on this page: Security audit (19/12/2023).