Security

ScriptRunner Connect, developed by Adaptavist, is a cloud-based, Atlassian-focused, code-first integration Platform as a Service (iPaaS) product. Designed to take care of connecting to third-party systems, ScriptRunner Connect allows users to focus on writing business logic in JavaScript or TypeScript, while the ScriptRunner Connect team manages the complexities of infrastructure and security. A key aspect of ScriptRunner Connect's mission is the emphasis on rigorous security standards and privacy protections.

While ScriptRunner Connect is an independent product and does not directly integrate with Atlassian, our security policies align with Adaptavist's trust, security, and privacy policies.

Security Measures

ScriptRunner Connect is a multi-tenant SaaS product that ensures the separation of customer data through logical partitioning and robust security checks at our API endpoints. These checks, verified through automated testing, ensure users can only access data they are permitted to view, in line with the principle of least privilege.

To proactively identify potential vulnerabilities, we operate vulnerability scanners for third-party packages and ensure all security-related changes are thoroughly peer-reviewed. Our team is also trained in secure coding practices, reinforcing our commitment to maintaining a secure environment.

As we introduce new features, we perform risk assessments that consider both reliability and security, ensuring all additions to ScriptRunner Connect meet our high standards.

ScriptRunner Connect primarily utilizes AWS services hosted in the Ireland (eu-west-1) region. If there's a need for ScriptRunner Connect to be hosted in another region, please contact the ScriptRunner Connect team.

For script executions, ScriptRunner Connect uses V8 Isolates technology for secure isolation. Each script execution occurs in a new V8 Isolate, which is immediately destroyed afterward. This is the same technology that powers Chromium-based browsers and is used in shared cloud resources like Cloudflare Workers. This approach ensures the highest level of security while running untrusted JavaScript code. Check out ScriptRunner Connect's Runtime user documentation for more information.

Access to ScriptRunner Connect's AWS account and to other cloud services is strictly limited to the ScriptRunner Connect engineering team.

We also use private network subnets for added security where appropriate.

Data Retention and Security

Operational and user-facing logs are retained for six months and can only be accessed by the ScriptRunner Connect team. Analytical logs, however, are kept indefinitely, enabling us to understand trends over time that we can leverage to improve our service. Analytical logs can be accessed by a broader Adaptavist group, though PII (Personally Identifiable Information) in analytical logs is anonymized.

In terms of data security, we only use cloud services that offer encryption both at rest and in transit. Sensitive information like end-user authentication keys is additionally encrypted using AWS KMS symmetric encryption with key rotation (256-bit AES-GCM). TLS version 1.2 with strong ciphers is used with HTTPS by default.

Incident Management

ScriptRunner Connect has a robust incident-management process that includes a multitude of monitoring and alerting systems and a post-incident review process to learn from prior incidents. Our team also runs automated tests periodically to detect incidents as early as possible.

Compliance

ScriptRunner Connect is GDPR compliant and en route to achieving ISO 27001 certification and SOC Type 2 compliance. This is in line with Adaptavist's products that are already ISO 27001 and SOC Type 2 compliant.

While we aim to reduce the PII (Personally Identifiable Information) in our logs, we may occasionally and temporarily increase our logging levels for troubleshooting reasons, and logs captured at those levels could contain PII.

For further information, you may refer to the following related compliance documents: AWS, Adaptavist Terms and Conditions, Privacy Policy, and the Data Processing Addendum.

Backups

Backups are kept for a minimum of one week. Additional backup copies are kept in accounts other than the host accounts and also in another geographical region for added security and disaster-recovery efforts. All backups are encrypted to ensure the safety of your data. In case of an incident, the RPO (Recovery Point Objective) is no longer than four hours, to minimize data loss.

Conclusion

At ScriptRunner Connect, we deeply understand the significance of security, privacy, reliability, and trustworthiness in our digital era. Our steadfast values in these domains drive us to continuously refine our practices and maintain stringent security and privacy controls. The measures outlined in this document underscore our commitment to offering a reliable and secure integration platform, giving our customers peace of mind and the freedom to focus on building their business logic for integrations.
