Alpha Serve Blog

How Do We at Alpha Serve Protect Customer Data? FAQ on Apps Data Security

Protecting the privacy of employees, business partners, and customers as well as their own corporate data is the highest priority for any company. However, it is not enough to just ensure strict policies on your side. A survey conducted by Soha Systems on risk management found that 63% of all data breaches were attributed to a third-party vendor. As a software development company, whose products involve data sharing, we understand your concerns about the ways we treat all information we get. That’s why here we answer all your most frequently asked questions about our applications’ data security policies.

What Personal and Confidential Data Do You Collect?

Normally, our Cloud applications for Atlassian products do not collect, store or process any personal or confidential information. We also do not place any cookies or tracking beacons in such apps and do not collect or store any analytical or tracking data in other ways.

However, some of our applications may use personal data for their functional purposes or to provide customer support. For example, it is impossible to generate an add-on licence without an email address, according to the Atlassian licence issue process. This data may include the following:

Session data and account data, i.e. data provided and generated by Atlassian, that are required for license validation, contract administration, and communication with the customer instance. This data is anonymized and never discloses the identity of the end user. It does not contain any Customer Uploaded Data or Operation Data and is used for add-on functionality only.

Billing Data: We may store your billing information (such as company name, tax codes, bank details, country, and contacts of the involved Atlassian partner) when this is required by local tax legislation. We retain it for no more than 3 years, and all such data is encrypted.

Support Data: Some of our apps have functionality for problem reporting, which means that when you face an issue or bug, you can choose to automatically report the error to our support team. By using this feature, you give the app permission to collect the relevant support data from the systems you use. A member of our support team downloads this data to our own IT system. We also create a ticket in our support system on behalf of the user, using their email address. The same happens when you report an error manually.

SMTP server connection details, i.e. email addresses, usernames, and passwords. Only our MailMe app collects this data. We need to share it with the SMTP server to provide the service to the end user of this add-on.

Real-time Error Tracking Data: Our Cloud apps may track, in real time, errors raised by their resources executing in end users' browsers. This includes, for example, AddOnKey, ClientKey, BaseUrl, an anonymized TrackingID, error messages, and information about the environment such as browser type, browser version, and operating system. It is used exclusively to improve the service level for customers.

Where Is My Personal Data Stored?

All the data used by our apps is stored mainly in the local database of your corresponding Atlassian cloud or on-premise product.

Our Cloud plugins, as well as instance and license information, are hosted on Amazon in the US and EU hosting regions. This cloud platform is recommended by Atlassian and complies with all local laws. Information stored in the cloud database is covered by Amazon's security policy.

However, in particular cases, our apps can store some data locally. This includes billing data, support data, real-time error tracking data for any of our apps, as well as session data and account data for cloud-based apps.

We do not store user email addresses. All current user data is retrieved at the time of use. To do this we use Atlassian APIs. We also do not use email addresses in the UI.

Who Has Access To Customer Data?

Only a limited number of authorized Alpha Serve employees, subcontractors, temporary and third-party employees have access to customer data. All of them are bound by our data security and privacy policy.

Prior to accessing Alpha Serve information resources, each company team member or contractor signs an appropriate confidentiality agreement. An appointed person also verifies compliance with the security policy through periodic walk-throughs, business tool reports, internal and external audits, feedback to the Alpha Serve management team, etc.

There are some cases when the customer data may be transferred to third parties. They include the following:

1. We share SMTP connection data (such as email addresses, usernames, and passwords) with the SMTP server, as this is required for service provision. All the SMTP connection passwords are encrypted with industry-standard strong encryption.

2. We use YouTube videos to promote our apps on their corresponding Atlassian marketplace product pages. These videos are stored on www.youtube.com, which means that some of your user data can be transmitted when you are playing these videos. However, you can choose not to play the promo videos to prevent unwanted data transfers.

3. We also may use Google Analytics to monitor the performance of our apps’ Marketplace product pages and analyze user experience. Any collected information is anonymized and subject to Atlassian Privacy Policy.

All these options are allowed by Atlassian and used to improve our products and provide customer service.

What Do You Do To Protect Customer Data And Privacy?

There are several steps we take to protect your customers' information.

1. We collect only the most vital data, as mentioned in the answers to the previous questions. We believe that the less sensitive information we use, the fewer problems can occur. Therefore, our apps retrieve the current user’s information at the time of use and store only the data that is required to ensure seamless service provision.

2. As digital connectedness continues to increase exponentially and malicious cyberattacks are becoming more sophisticated, targeted, widespread, and undetected, we always use the latest available tools and measures to ensure the best data security. We also keep all our security systems up to date to ensure our products are not putting your confidentiality and personal data at risk.

3. We limit access to your data. Only competent and authorized Alpha Serve support team members may access add-on data. This is done exclusively to assess the app’s performance, for maintenance purposes, or upon a customer's request for support.

4. We keep the connection between the Cloud products and the AddOn server fully secured. The communication is done using web requests that are encrypted, digitally signed, authenticated, and authorized. In addition, the AddOn server is only accessible through secure protocols (e.g. HTTPS).

5. We regularly back up our apps. Normally, backups are performed at least once a day. All the backup data is securely stored and cannot be accessed by unauthorized persons. For further information, see your product documentation.

6. We have reliable security control in place, which is an integral part of every step of all our business processes. Assessments are held continuously, starting from the app’s development stage and throughout its lifecycle. For example, newly developed products undergo a full assessment prior to their release; third-party or acquired web applications are assessed by our team until they fully comply with our policy requirements; planned product releases are also subject to assessments based on the risk level of the changes made to their functionality and/or architecture. Apps that do not comply with Alpha Serve's high standards may be taken out of distribution.

However, you should always remember that security gaps are possible when transferring data on the Internet, as it is impossible to ensure complete protection of data from cyberattacks or unauthorized access.

What Does Your Security Control Consist Of?

Basically, we have three main security control levels:

1. Application monitoring and error tracking. We use a tool called Sentry to discover, triage, and prioritize errors in real-time. It helps us analyze application logs, capture any unhandled exceptions, see the impact of each problem, and generate useful reports.
2. Ongoing automated vulnerability scans. Our QA team uses the Burp Suite vulnerability scanner for internal and external web security testing. In addition, our cloud applications are constantly tested within the framework of the Atlassian Bug Bounty Program. For these solutions, an always-testing model using a crowd-sourced bug bounty applies. These programs help us constantly check our products for a number of vulnerability classes, including the following:

  • Cross Instance Data Leakage/Access (unauthorized data access between instances)
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

As these testing programs exclude low-risk vulnerability types, we manage them independently.

3. We encourage our customers and users, as well as the wider community to report suspected security incidents through Alpha Serve Support or Service Desk.

4. Penetration Testing. Our team members with appropriate qualifications in computer science perform regular internal penetration testing. They use the following approaches to find vulnerabilities:

  • Code-assisted approach, when testers have access to the source code. This approach enables in-depth web application penetration testing, including manual code analysis (testers read the source code, trace the source of all parameters, check access, etc.);
  • White box approach (also called crystal or oblique box pen testing), when full network and system information, including network maps and credentials, is shared with the tester. It makes it possible to manually test UI (enter unsafe data and watch for unexpected behavior, etc.);
  • Threat-based approach, when testing focuses on a particular threat scenario;
  • Automated Scanning tools (Burp Suite that is useful for catching obvious flaws).

If our employee or an external tester identifies a vulnerability, we take appropriate actions specified by Alpha Serve Application Security Policy. We try to fix security bugs as soon as possible in accordance with our SLA.

Conclusion

Data privacy has always been important for every business, however, now, when we can see a dramatic proliferation of technology, excessive use of smartphones and apps, and other data-driven services that require personal data, cybercrime has become a big business. Research shows that cybercriminals bring in yearly revenues of around $1.5 trillion.

Therefore, companies need not only to develop and adhere to a strict security policy, constantly thinking about how to protect key pieces of information (corporate secrets, employee records, customer details, loyalty schemes, transactions, or collected data), but also to ensure that their vendors maintain the same or higher standards for confidentiality and personal data protection.

We at Alpha Serve understand your pain and do our best both to protect your data and to explain how we do it. Several things help us keep your data safe: collecting only vital information, keeping our security tools up to date, limiting access to customer information, performing regular backups, and keeping the connection between the Cloud products and the AddOn server secured. We have reliable security control in place, which consists of ongoing assessment of apps for bugs, threat modeling, vulnerability checks, and penetration testing, both internal and external. However, we would like to draw your attention to the fact that risks still exist, as your data may be subject to attack while in transit. This means you should always take all possible measures to protect your data, too. Feel free to contact us anytime to request additional information or documentation.