We are Ativo BV (hereafter ‘We’ or ‘Ativo’),
ADDRESS: Meubelstraat 20, 2800 Mechelen, Belgium
BANK: BE54 7340 3011 7697
We are a Marketplace Partner of Atlassian. We provide Ativo Programs (hereafter “Ativo Programs”, the “Application” or “Plugin”), a Jira native program management plugin to plan and execute agile programs in Jira. The EULA of the Application can be found here.
Ativo Programs is available on all Jira platforms:
- “Cloud”: the Application is hosted by the cloud service provider of Ativo
- “Server” & “Data Center”: the Application is hosted by the customer
Contact us if you want to report a security vulnerability.
Goal of this policy
This information security policy (hereafter the “Security Policy”) explains, at a high level, how We ensure the confidentiality, integrity and availability of the Application.
This Security Policy informs and raises the awareness of:
- our customers on how we deal with security,
- our suppliers, so that they know what is expected from them,
- our staff and our service providers, so that they remain aware of the importance of proper handling of data and IT systems.
The following roles in Ativo are involved in shaping the Security Policy:
- The CEO / founder is responsible for the security of Ativo.
- The staff is responsible for implementing the security measures and advising the CEO.
Application user security model
Access to data in the Application is based on Jira user accounts and Jira groups.
Jira Administrators / Jira System Administrators:
- Can define which groups and users have administration access to the Application (“Ativo Programs Administrators”).
Ativo Programs Administrators:
- Can add, update or delete the configuration of the Application: teams, programs and periods. (documentation)
Authenticated Jira users:
- Can see the teams, programs and periods.
- Can see and update projects and tickets (issues) according to the permission schemes of Jira. Using the Application does not grant extra access on individual projects or issues. Ativo Programs respects the permission schemes that are configured in Jira.
Unauthenticated (anonymous) users:
- No access is given.
Security bug fixing
Ativo makes it a priority to ensure that customers’ systems cannot be compromised by exploiting vulnerabilities in the Application.
Security bug fix Service Level Objectives (SLO)
These timeframes apply to the Cloud hosted, Server and Data Center platforms of the Application:
- Critical severity bugs (CVSS v2 score >= 8.0, CVSS v3 score >= 9.0): to be fixed in the product within 2 weeks of being reported
- High severity bugs (CVSS v2 score 6.0 to 7.9, CVSS v3 score 7.0 to 8.9): to be fixed in the product within 4 weeks of being reported
- Medium severity bugs (CVSS v2 score 3.0 to 5.9, CVSS v3 score 4.0 to 6.9): to be fixed in the product within 8 weeks of being reported
- Low severity bugs (CVSS v2 score < 3.0, CVSS v3 score < 4.0): to be fixed in the product within 26 weeks of being reported
When a critical security vulnerability is discovered by Ativo or reported by a third party, Ativo will do all of the following:
- Issue a new, fixed release for the current version of the affected product as soon as possible.
- Issue a new maintenance release for a previous version as follows:
It is important to stay on the latest bug fix release for the version of the product you are using (this is best practice).
When a security issue of a High, Medium or Low severity is discovered, Ativo will include a fix in the next scheduled release.
You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.
(effective February 1st, 2021)
- Ativo Cloud services are hosted and delivered by Amazon Web Services (AWS). Under this shared responsibility model, Amazon is responsible for the security of its physical data centers and of the AWS cloud itself; Ativo is responsible for monitoring, managing and securing what it runs in the Ativo Cloud.
- AWS manages the data centers that host the Ativo Cloud. For more information about security at those data centers, see here.
- Ativo Cloud production data is hosted in the United States.
- Amazon Web Services manages the security of the cloud. AWS has been certified by third-party organizations, and manages many compliance programs to comply with laws and regulations. A list of such certifications and compliance statements can be found here.
At a glance, the following technical measures are taken to protect our Application and the data We process. For security reasons, we do not disclose details.
SOFTWARE VULNERABILITY MITIGATION
- Software is scanned regularly for known security vulnerabilities and security advisories.
- Mitigation measures are in place against common attacks on the Application (cross-site request forgery (XSRF/CSRF), cross-site scripting (XSS, including reflected XSS), SQL injection, etc.).
- The Application's REST endpoints are protected.
- Software hardening.
ARCHITECTURE, DEVELOPMENT AND TESTING
- Software development is done according to good industry practices (clean code, clean architecture, TDD, DRY principle, patterns, reviews, branching, repositories, etc.).
- Core functionalities in our software have a high unit test coverage level.
- We follow the API guides and best practices provided by Atlassian.
- We take actions to detect and mitigate software flaws (unit testing, BDD testing, CI/CD automated integration and endurance testing, etc.).
- Software bugs are prioritized based on the impact they have on our customers. Software bugs that constitute a security vulnerability are handled with the highest priority.
- Customer data at rest is encrypted using industry-standard encryption by our cloud service provider. (Applicable for the Cloud platform only. We do not access nor store customer data for the Server and Data Center platforms.)
- Data is backed up on a daily basis. (Applicable for the Cloud platform only. We do not access nor store customer data for the Server and Data Center platforms.)
- Customer data provided via support requests is only retained temporarily, for the duration of the intervention, and is only used to investigate and solve the service request (and, if applicable, the underlying root cause).
SYSTEM ACCESS AND PROTECTION
- We use software to detect and mitigate threats (viruses, malware, phishing, etc.).
- Our networks are protected against access by unauthorized third parties.
- Roles and permissions are granted to users on a need-to-know basis, with individual accounts (no shared accounts).
- Access is given with the minimal level of privileges needed.
- Only a few members of the team have access to the production environment for the purposes of maintaining our services and assisting our customers.
- Passwords must meet minimum complexity requirements and are rotated. Where useful, two-factor authentication is used.
- Connections with our systems are secured with HTTPS using TLS.
- Physical access to our premises is restricted to authorized personnel and visitors.
- Sensitive printed information is destroyed instead of being thrown away.
- Only approved software is installed on our systems.
- Software used on our systems is kept up to date.
Staff training and awareness
- Management of Ativo stresses the importance of security and sets the good example internally.
- We use awareness videos and training materials on security, phishing, etc.
We are committed to working with reliable partners and suppliers who take appropriate security measures.
We make clear and written agreements with suppliers who provide services or products that access our IT systems or data.
Data processing and privacy
We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.
Current version: January 26th, 2021