Last updated March 28, 2019
Lagom Solutions knows security is critical, yet hard to perfect. Thus, we are always improving our practices. Please read through our security practices and reach out to us at firstname.lastname@example.org if you have any questions. We will update this document whenever our security practices change, so that it reflects any newly adopted practices.
When we can, we store all of your data on the Atlassian Cloud instance. In some cases, this might not be possible due to the size of the data asset, the security sensitivity of the data, or general limitations of what is possible with the Atlassian Cloud API. When your data is stored on the Atlassian Cloud instance, the App needs to be installed on your instance in order for us to retrieve it. In the cases where data needs to be stored in our database, we use appropriate security techniques, such as encryption and general checksum hashing of the data.
We do not conduct penetration testing as our infrastructure providers are Amazon Web Services and Atlassian, and they do not permit penetration testing on their infrastructure (based upon their license and usage agreements). Having said that, we do follow the Amazon and Atlassian guidelines for security:
- App Security Incident Management Guidelines for Atlassian Marketplace Vendors
- Security Guidelines and Best Practices for Atlassian Marketplace Vendors
From time to time, Lagom Solutions may capture analytics events from our products. This will be done through opt-in requests on a per installation basis.
Lagom Solutions maintains a development backlog. The team identifies the priorities of the work and works to fulfill them. The development code is verified and tested on a non-production system before it is deployed to the production system. Any third-party integrations, libraries, etc. are vetted for their security and licensing agreements prior to use.
We do not offer a bug bounty at this time. If you find a bug, please raise a support request.
We periodically review the infrastructure of our apps to verify configurations and settings. In addition, we have monitoring that alerts us to certain activities such as deployments and configuration changes.
Whenever our development team makes major changes to an app, we review the app for any security concerns. Security reviews are also done on an ad-hoc basis.
Team members only have access to the systems absolutely necessary for them to perform the duties required. Production infrastructure access is locked down and requires trusted VPN access. Our automation and monitoring reduce the amount of access needed.
All team members use password vaults to maintain a randomly generated password for each service, and use two-factor authentication for the infrastructure providers that are able to support it.
All security changes are conducted after approval by both Co-Founders.