Security of Transmission

Our support system uses secure HTTPS transport

‘Flagged’ support emails are made using secure HTTPS transport

Security of Storage

Data supplied in support is secured by the Jira platform. ‘Flagged’ data is secured by the JEMHC production application, which uses encryption at rest.

Security of Processing

Full-time employees participate in support and have access to ‘flagged’ data. Customer data is processed locally and on remote Jira instance sites. Data can also be reprocessed through external services as part of support. Secure HTTPS transport is used at all times for such transfers.

Organisational security measures

We use 2FA for Jira account security and access to ‘flagged’ data

Technical security minimum requirements

Access is limited to authorized named employees

Data is encrypted at rest (applies to webhooks, raw emails in/out)

Field level encryption is used for sensitive values

Updates to the Security Requirements

The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to

Part 2: Extra Protection Clauses

Extra Protection Clauses:

none

(i) Extra technical security protections

2-factor authentication wherever possible

The deployment works on a least privilege basis with group access policies for different environments (DEV/UAT/PROD)

Outbound SMTP mail must use TLS or SSL

Inbound POP/IMAP mail retrieval must use SSL

Mail stored as part of auditing is purged by policy after 30 days

Webhook ‘event’ data is purged by policy after 7 days to allow for review by the customer and to avoid data loss in cases where the monthly Capacity Plan is consumed or a Plan Upgrade lapses, i.e. the customer has 7 days to purchase more capacity before webhook data will be lost.

A ‘dead end’ mailhost is used for consuming mail sent during testing with customer-supplied email data to ensure no data can ‘leak’ to actual recipients.

MS Windows is not used for development

(ii) Extra organisational protections

Access to the cloud development environment is limited to named users of the cloud team only

(iii) Extra contractual protections

none

Part 3: Commercial Clauses

Commercial Clauses

none

Part 4: Mandatory Clauses

As per International Data Transfer Agreement VERSION A1.0, in force 21 March 2022