Phase Locked Software Security

Last updated: 2024-04-23

Security Policy for Document Control

Overview

Many companies say they take security seriously. In our case, we’d like to demonstrate this with concrete information.

Document Control (the "Software", "Application") is hosted on Heroku (a Salesforce company), a proven Platform as a Service (PaaS) provider.

Phase Locked Software and Document Control follow the Atlassian Security Guidelines for Marketplace Partners. In more detail, we follow the Cloud App Security Guidelines. A CAIQ-lite sheet covering Document Control is available at CAIQ-lite.

Security Audit and Bug Bounty Program

We participate in the BugCrowd Bug Bounty Program and reward security researchers for disclosing vulnerabilities (see Marketplace Security Bug Bounty Program).

From time to time, we commission independent Internet security professionals to audit our security. We implement any findings and recommendations as a matter of priority.

Responsible Disclosure

We welcome whitehat security researchers and will gratefully receive reports of suspected security problems. If you submit a bug through our BugCrowd Bug Bounty Program, you may be eligible for a payout. We do not reward bug reports outside of this program with a payout.

Authorization, authentication, and access control

Document Control uses the principle of least privilege and requests only the scopes that the app needs to function.

We use two factor authentication (2FA) to restrict access to our critical IT infrastructure and to customer data. Each team member uses strong, unique passwords for each service we use. When an individual ceases working with us, we revoke their access to all services.

We allow our customers to use a second factor for signature authentication.

Data protection

Document Control stores data directly in the Atlassian infrastructure. These data are controlled and backed up by Atlassian. Document Control only accesses and stores data in the Atlassian infrastructure if you (i.e. the Confluence administrator) allows access.

Document Control also stores limited data in our infrastructure. These data are related to Document Control configuration information, and do not contain the content of your Confluence instance.

Whenever your data is in transit between you and us, everything is encrypted, and sent using HTTPS.

Our database uses encryption at rest.

Backups

Your data is safe with us. We take frequent backups and regularly ensure that a recent backup can be restored. Access to backups is guarded with a combination of 2FA, password managers, and tight access rules.

We store backups in our cloud infrastructure, and also offsite. These backups are encrypted at rest and in transit.

Logging and monitoring

We store application logs. These logs are kept directly accessible for about a week, and stored in long term storage for a year for post incident analysis.

Payment information

We don't store or process credit card information. All payment transactions are handled by Atlassian, and we only get summary information on the transactions.

Incident response workflow

Vulnerability management and patching workflow

Phase Locked Software follows the Atlassian Vulnerability Disclosure Program and the Security Bug Fix Policy.

How to report issues

Report security vulnerabilities to support@phaselockedsoftware.com. Once we’ve received your email, we’ll work with you to make sure that we completely understand the scope of the problem and keep you informed as we work on the solution.

Changes

We may update this security policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Contact us

Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Please email us at support@phaselockedsoftware.com.

For more information about our security practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at support@phaselockedsoftware.com.