...
This document describes the information security policy including, but not limited to, the following parts:
Integrity, confidentiality and availability of the information
Safeguarding of data, including:
provisions with respect to portable computers and media
provisions for the disposal of media
provisions for the disposal of equipment
Safeguarding of applications
Safeguarding of equipment
Safeguarding of networks
Threat of viruses
Threat of intrusion
Data classification system, categorizing data and the respective measures according to its importance
Definitions
The terms used in this document are the following:
Confidentiality: Privacy or the ability to control or restrict access so that only authorized individuals can view sensitive information. One of the underlying principles of confidentiality is "need-to-know" or "least privilege". In effect, access to vital information should be limited only to those individuals who have a specific need to see or use that information.
Integrity: Information is accurate and reliable and has not been subtly changed or tampered with by an unauthorized party. Integrity includes:
Authenticity: The ability to verify content has not changed in an unauthorized manner.
Non-repudiation &
AccountabilityAccountability: The origin of any action on the system can be verified and associated with a user.
Availability: Information and other critical assets are accessible to customers and the business when needed. Note, information is unavailable not only when it is lost or destroyed, but also when access to the information is denied or delayed.
...
Regarding with the access through the plugin interface the communication between the front side and the backend is direct and made by SQL queries.
We collect the following categories of information, which may be considered Personal Information when maintained in an identifiable format:
Account registration information:
...
When you register or purchase Products or Services, we may collect your and/or your Administrator’s full name, email address, phone numbers, and account log-in credentials, if applicable.
Content and information that you submit through the Sites: Information submitted through the Sites may include, for example, the information you provide when you participate in any interactive features, research studies, or surveys, and any information you submit when filing a customer support ticket or as part of any other form submissions on the Sites.
Content and information voluntarily provided through the Services: We collect any information you provide to us voluntarily via the Services. Annex 1 outlines the categories of Personal Information in greater detail that we collect and that may be submitted through the Sites and/or Services.
Technical product usage data, logs, metrics, metadata, and device information: We automatically generate and retain records of how users interact with our Sites and Services. This may include information such as your Internet Protocol (“IP”) address, device identifiers, device information (such as OS type or browser type), cookie IDs, referring / exit pages and URLs, interaction information (such as clickstream data), domain names, pages viewed, crash data, and other similar technical data. We may use technologies such as cookies and/or scripts to collect this information.
Location information: We may use the IP address received from your browser or mobile device to determine your approximate physical location, such as city and country.
Information collected from third party or public sources: DEISER may receive information from third-party sources, such as business partners, the Atlassian Marketplace, Affiliates, marketing service providers, third-party data aggregators, or publicly available sources, that we use to make our own information better or more useful. We may collect an Authorized User’s name, email address, and phone number.
Safeguarding of the data
The plugins we provide in the Atlassian Marketplace are hosted in the cloud, specifically in DigitalOcean and Gooogle Cloud Platform. All the data hosted in their data centers is under our control. In addition, DigitalOcean has a code of practice for cloud privacy ISO/IIEC 27018, ISO27001 and SOC1/2/3 certified company. This adherence provides transparency about policies regarding the return, transfer, and deletion of personal information stored in their datacenters.
...
Every DEISER staff is educated about viruses in the following ways:
They are not allowed to use their own removable media storage tools.
Use the antivirus program to examine the entire file that comes from the outside.
Not download from the Internet free software, demos and generally software that comes from a source other than the company´s authorized providers.
Software installation is strictly prohibited if unauthorized, including the one that was acquired by the user. The installation of software and / or systems must only be executed by the Support department, as they will perform the technical tests of the installation as well as maintenance and backups.
For the production virtual machines allocated in the DigitalOcean cloud a DigitalOcean exists and runs in background scanning and reporting to the system administrators.
...
In addition, everybody in the DEISER staff is educated on the following points:
To lock their computer by pressing the Windows + L keys, whenever absent from his/her post.
To use equipment, applications, mail, etc., for professional activities and not for other purposes
Not to connect to the DEISER network any computers or portable network electronics owned by the employees.
Prohibited from using their own removable media storage tools.
To use the antivirus program to examine every entire file that comes from the outside.
Not to download from the Internet free software, demos and generally software that comes from a source other than the company´s authorized providers.
Not to save their password in a readable form on disk files, and neither should they write passwords on paper and leave it in places where it can be found. If there is reason to believe that a password has been compromised, then password must be changed immediately. The system is configured with the following requirements:
New passwords cannot be equals to previous passwords used by that user.
Every 42 days, user must change the password.
Passwords have a minimum length of 7 characters, and they must contain at least one uppercase letter, one lowercase letter and one number.
Software installation is strictly prohibited if unauthorized, including software legitimately acquired by the user. Support department is the only one that can install software or systems, as they will perform the technical tests of the installation as well as maintenance and backups.
Data Classification System
DEISER’s data classification system is divided into four sections:
Public: Information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data is available to all DEISER employees and all individuals or entities external to the corporation.
Internal: Information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel who have a legitimate reason to access it.
Confidential: Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Administrator is required for access because of legal, contractual, privacy, or other constraints. Confidential data have a very high level of sensitivity.
Regulatory Data Classification: Information protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents. Regulatory Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a need-to-know basis.