How Does HeroCoders Approach Security & Privacy?
HeroCoders’ general approach to protecting customers’ information is based on three main principles:
Limit the data collected and stored to the minimum required in order to deliver the service;
Limit our access to customers' data to the minimum required in order to deliver the service;
Use trusted service providers rather than trying to reinvent the wheel ourselves.
Will HeroCoders complete a Security Questionnaire that a customer requests as part of their procurement process?
No, we provide information about how security is handled on this page and in the attached policies (see linked resources). Because of scale, it is simply not feasible for us to sign separate agreements or complete questionnaires for individual customers. We will provide customers with our policy documents and are open to redlining.
What customer data does HeroCoders collect and store? How is it protected?
Users of Issue Checklist for Jira can enter any content into the app’s text input fields (for example, checklist item text). Along with data entered by users, Checklist stores metadata such as "clientKey", "baseUrl", "issueId", "projectId", "issueTypeId" and "userAccountId". We also store the issue key in the app logs for support purposes.
Data is encrypted at rest and in transit, and all data is stored in the USA.
Atlassian provides HeroCoders with up to two contacts (Billing and Technical) when a paid app is installed. These contacts are subscribed to an email list (Hubspot) for onboarding, offboarding and other needed communication (technical issues, policy updates, etc.). Hubspot is provided with the Jira displayName and emailAddress for those contacts.
What steps does HeroCoders take to control employees’ exposure to, and handling of, customer data?
All personnel are required to sign an NDA. All employees use 2FA (two-factor authentication) to access our systems. Only designated employees can access customer data, and data is protected as follows:
Customers' contact data (an email address for the billing contact of the Jira instance for each paid app) is provided to HeroCoders by the Atlassian Marketplace. These contacts are also stored in HubSpot, our CRM. Only designated members of our team are given access to customer data.
Users' data entered into the app (for example, text in checklist items) – stored in a MongoDB database; data access is controlled through DBMS access rights.
Users' data provided to us through direct communication, e.g. email or Service Desk tickets – data access is controlled through GSuite access rights and Jira Service Management permissions.
Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
Not at this time. All paid apps provided by HeroCoders and available in Atlassian Marketplace participate in the Marketplace Security Bug Bounty Program, which allows third-party security engineers to test the apps for security holes. The Checklist apps are part of Atlassian Cloud Security programs:
Acceptance Criteria for Jira Free – Cloud Security Participant
Issue Checklist for Jira Free – Cloud Fortified
Issue Checklist for Jira Pro – Cloud Fortified
You can find specific information on the Apps' Privacy & Security tab in the Atlassian Marketplace.
How are incidents prevented and handled? What Business Continuity & Disaster Recovery plans are in place?
Data backups are created on a daily and weekly basis. Daily backups are retained for eight subsequent days; weekly backups, triggered on Saturdays, are retained for eight subsequent weeks. The MongoDB database is configured with one primary and two secondary nodes. Failover is handled automatically by MongoDB and a tested DB driver. At least two lead developers have access to the service, and the data can be restored with just a few clicks.
HeroCoders uses continuous monitoring tools to control the health of the apps and notify us in case of an abnormal state:
New Relic monitors Apdex (both server- and client-side), response time, error rate, and per-transaction time and throughput. Its built-in alerting mechanism notifies us in case of abnormal behavior;
Log storage and processing systems monitor logs reported by HTTP routers and our apps for irregularities such as an increased number of HTTP 404 or 50x responses;
Sentry tracks app errors;
PagerDuty collects incident notifications from the tools listed above and notifies the on-call developer via SMS, phone call, Slack, and email.
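As an added illustration of the log-irregularity check described above (example code, not HeroCoders' own monitoring), the following script buckets constructed HTTP router log lines by minute and flags any minute whose share of 404 or 5xx responses exceeds a threshold; the log format, the thresholds and the minimum-sample rule are assumptions.

```javascript
// Added example (not HeroCoders' code). Assumed router log format:
// "<ISO timestamp> <method> <path> status=<code>". Sample lines are constructed.
const SAMPLE_LOGS = [
  "2024-05-04T10:00:05Z GET /rest/checklist/1 status=200",
  "2024-05-04T10:00:12Z GET /rest/checklist/2 status=200",
  "2024-05-04T10:00:31Z GET /rest/checklist/9 status=404",
  "2024-05-04T10:00:44Z POST /rest/checklist/3 status=201",
  "2024-05-04T10:00:58Z GET /rest/checklist/4 status=200",
  "2024-05-04T10:01:03Z GET /rest/checklist/5 status=503",
  "2024-05-04T10:01:09Z GET /rest/checklist/6 status=200",
  "2024-05-04T10:01:15Z GET /rest/checklist/7 status=500",
  "2024-05-04T10:01:27Z GET /rest/checklist/8 status=200",
  "2024-05-04T10:01:40Z GET /rest/checklist/x status=404",
  "malformed line that the parser must skip",
  "2024-05-04T10:02:10Z GET /rest/checklist/1 status=502",
  "2024-05-04T10:02:30Z GET /rest/checklist/2 status=502",
];
const LINE_RE = /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z \S+ \S+ status=(\d{3})$/;

// Parse one line into { minute, status }, or null when it does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { minute: m[1], status: Number(m[2]) } : null;
}

// The irregularity classes named on the page: 404 and any 5xx ("50x") response.
function isErrorStatus(status) {
  return status === 404 || (status >= 500 && status <= 599);
}

// Count total and error responses per minute; unparseable lines are skipped, not fatal.
function errorCountsByMinute(lines) {
  const buckets = new Map();
  for (const rec of lines.map(parseLine).filter(Boolean)) {
    const b = buckets.get(rec.minute) || { total: 0, errors: 0 };
    b.total += 1;
    if (isErrorStatus(rec.status)) b.errors += 1;
    buckets.set(rec.minute, b);
  }
  return buckets;
}

// Flag minutes whose error share exceeds maxErrorRate; minRequests suppresses tiny samples.
function findIrregularMinutes(lines, { maxErrorRate = 0.2, minRequests = 5 } = {}) {
  const flagged = [];
  for (const [minute, b] of errorCountsByMinute(lines)) {
    if (b.total >= minRequests && b.errors / b.total > maxErrorRate) flagged.push({ minute, ...b });
  }
  return flagged.sort((a, c) => a.minute.localeCompare(c.minute));
}
```

With the sample data, the 10:00 minute sits exactly at the 20% threshold and is not flagged, 10:01 is flagged, and 10:02 is suppressed by the minimum-sample rule despite a 100% error share.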
When an incident occurs, the notified developer(s) get to work immediately to address the issue. An incident is created in Statuspage and the support team is made aware of it so they can liaise with affected customers. In cases where we have an email address for the customer and are able to identify which customers are impacted, we may contact them directly.
Do you have formal change control and release management processes to manage code changes?
Source code is stored in Bitbucket and versioned with Git to track what was changed and by whom. All changes are easily reversible. We use SDM and Jira for change and release management.
Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?
HeroCoders uses peer review and automated tools for testing for vulnerabilities and ensuring that security controls are being implemented and operating effectively. We participate in the bug bounty program on the BugCrowd.com platform, which provides an additional security check of production code.
Do you undertake penetration testing (or similar technical security testing, code review, or vulnerability assessment); and are you able to provide copies of results/findings?
Code reviews and peer testing of all code changes are built into our PR process in Bitbucket to identify any security issues. As mentioned above, we are part of the bug bounty program on the BugCrowd.com platform, which gives us a security check of our production code.
We run yarn audit to verify that there are no known vulnerabilities in our dependency libraries.