Security Practices
Our Security Practices should be read in conjunction with the AxisAgile Apps Privacy Policy and License Agreement.
Jira Cloud usage
All of your data in Jira Cloud is kept within your Jira Cloud instance. When you use our Jira Cloud apps, you are making changes to your own Jira Cloud instance on behalf of yourself (i.e. the logged-in user). We simply send this request through to Jira Cloud, as if you were using Jira Cloud normally.
Our apps
Our apps are written in JavaScript and run entirely in your browser. They retrieve the data they require directly from your Atlassian Cloud instance. Your data is never stored by our add-on servers.
AxisAgile Apps uses AWS to host its cloud-hosted add-on components. AxisAgile Apps is responsible for provisioning, monitoring and maintaining the AWS infrastructure required to support our Cloud Apps.
Log information is stored on Elastic Cloud hosted on AWS.
We do not conduct penetration testing as our infrastructure provider is Amazon Web Services and they do not permit penetration testing on their infrastructure (based upon the license and usage agreement). Having said that, we do follow the Amazon guidelines for security.
Data location
Our data is stored in the following AWS Regions: ap-southeast-2a, ap-southeast-2b, ap-southeast-2c.
Data encryption
We encrypt sensitive data at rest in our AWS database using AES-256.
People and access
Only AxisAgile Apps Developers or Support Engineers have access to the AWS platform hosting our Cloud Apps. They only have access to the application data to perform system or application support.
HTTPS and SSH are the only protocols available to our cloud platform. SSH access is limited to AxisAgile Apps Support Engineers. SSH access is restricted with key-based authentication.
Backups
Data stored in our AWS platform for all Cloud Apps are backed up every 24 hours.
Change control and release management
Source code is managed and versioned using standard source control tools. When a team member pushes code to a development branch, unit tests and acceptance tests are run using continuous integration tools. When the development branch is ready for a code review, a pull request is created and assigned to a colleague. The colleague reviews the code for quality and consistency.
Once the pull request has been approved, the development branch is merged into master and all unit tests and acceptance tests are run again. Manual testing is also conducted at this stage to validate UI/UX. When we are satisfied that we are ready to deploy, we deploy automatically.