Security and Privacy Statement

Overview

kervehrt provides two types of Apps on the Atlassian Marketplace.

  • Downloadable products or Server Apps that are installed in a server instance of the applicable Atlassian product hosted and managed by the client. These are our Server Apps.

  • Hosted Apps for Atlassian Cloud products that are delivered via the Atlassian Connect framework. These are our Cloud Apps.

This policy applies to the kervehrt Cloud Apps only.

Data Storage and Facilities

kervehrt uses AWS to host its cloud-hosted add-on components. kervehrt are responsible for provisioning, monitoring and maintaining the AWS infrastructure required to support our Cloud Apps.

Log information is stored on Elastic Cloud hosted on AWS.

Stored JIRA Data

Unless specifically highlighted below, kervehrt do not store our customer data, which is instead stored in the Atlassian Cloud Product that the add-on applies to. The data stored in the Atlassian Cloud Product is covered by the Atlassian Cloud Policy, which can be found here.

Exceptions for all Cloud Apps

Account Data: Our Cloud Apps store data provided and generated by Atlassian that is required for license validation, contract administration, and communication with the customer instance.

Session Data: Our Cloud Apps store data resulting from each customer's use of the service. This data is distinguished from Customer Uploaded Data. It is anonymized, so we cannot identify the end user it relates to.

Analytics: We use Google Analytics to analyze behavior patterns that ultimately lead to product improvements. It is used exclusively to improve our service. It does not contain any Customer Uploaded Data or Operational Data. kervehrt only capture the page that is viewed and the referrer, along with the tenant identifier. Google Analytics additionally records individual and organizational data; kervehrt do not intend to use this data.

Error Logs data: Our Cloud Apps track, in real time, errors in our Cloud Apps' resources executed in the end users' browsers. This includes, for example, AddOnKey, ClientKey, BaseUrl, anonymized TrackingID, error messages and information about the environment such as browser type, browser version and operating system. It is used exclusively to improve our service. Errors from JavaScript in our cloud applications are sent to Sentry.IO to alert kervehrt support. The data sent to Sentry.IO includes organizational data but no individual data.

Metrics: Application metrics are sent to Datadog for analysis and reporting in order for us to monitor the application's performance. This will include anonymized organizational data but no individual data.

Data Location

Data is stored in the following AWS Regions: us-west-2, eu-west-1, us-east-1 and eu-west-2.

Encryption

We encrypt sensitive data at rest in our database using AES-256.

People and Access

Only kervehrt Developers or Support Engineers have access to the AWS platform hosting our Cloud Apps. They only have access to the application data for system or application support purposes.

HTTPS and SSH are the only protocols available to our cloud platform. SSH access is limited to kervehrt Support Engineers. SSH access is restricted to known trusted internal networks with key-based authentication.

Our platform is micro-service based and is layered into public and internal/private services. Each of these services is responsible for its own data and provides its own access controls. We will also ship and monitor logs from these micro-services, and we alert if abnormal behavior is detected.

Backups

Data stored in our AWS platform for all Cloud Apps apart from SmartDraw is backed up every 4 hours with incremental backups. Daily backups of the entire platform are taken every 24 hours.