Phase Locked Software Security
Last updated: 2022-05-30
Security Policy for Document Control
Many companies say they take security seriously. In our case, we’d like to demonstrate this with concrete information.
Document Control (the "Software", "Application") is hosted on Heroku (a Salesforce company), a proven Platform as a Service (PaaS) provider.
Phase Locked Software and Document Control follow the Atlassian Security Guidelines for Marketplace Partners. In more detail, we follow the Cloud App Security Guidelines.
Security Audit and Bug Bounty Program
From time to time, we commission independent Internet security professionals to audit our security. We implement any findings and recommendations as a matter of priority.
We welcome whitehat security researchers and will gratefully receive reports of suspected security problems. If you submit a bug through our BugCrowd Bug Bounty Program, you may be eligible for a payout. We do not reward bug reports outside of this program with a payout.
Authorization, authentication, and access control
Document Control uses the principle of least privilege and requests only the scopes that the app needs to function.
We use two-factor authentication (2FA) to restrict access to our critical IT infrastructure and to customer data. Each team member uses strong, unique passwords for each service we use. When an individual ceases working with us, we revoke their access to all services.
Document Control stores data directly in the Atlassian infrastructure. These data are controlled and backed up by Atlassian. Document Control only accesses and stores data in the Atlassian infrastructure if you (i.e. the Confluence administrator) allow access.
Document Control also stores limited data in our infrastructure. These data are related to Document Control configuration information, and do not contain the content of your Confluence instance.
Whenever your data is in transit between you and us, everything is encrypted, and sent using HTTPS.
Our database uses encryption at rest.
Your data is safe with us. We take frequent backups and regularly ensure that a recent backup can be restored. Access to backups is guarded with a combination of 2FA, password managers, and tight access rules.
We store backups in our cloud infrastructure, and also offsite. These backups are encrypted at rest and in transit.
Logging and monitoring
We store application logs. These logs are kept directly accessible for about a week, and stored in long-term storage for a year for post-incident analysis.
We don't store or process credit card information. All payment transactions are handled by Atlassian, and we only get summary information on the transactions.
Incident response workflow
Vulnerability management and patching workflow
How to report issues
Report security vulnerabilities to email@example.com. Once we’ve received your email, we’ll work with you to make sure that we completely understand the scope of the problem and keep you informed as we work on the solution.
We may update this security policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.
Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Please email us at firstname.lastname@example.org.
For more information about our security practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at email@example.com.