While ScriptRunner Connect is an independent product and does not directly integrate with Atlassian, our security policies align with Adaptavist's trust, security, and privacy policies.
ScriptRunner Connect is a multi-tenant SaaS product that ensures the separation of customer data through logical partitioning and robust security checks at our API endpoints. These checks, verified through automated testing, ensure users can only access data they are permitted to view based on the least-privileges principle.
To proactively identify potential vulnerabilities, we operate vulnerability scanners for third-party packages and ensure all security-related changes are thoroughly peer-reviewed. Our team is also trained in secure coding practices, reinforcing our commitment to maintaining a secure environment.
As we introduce new features, we perform risk assessments that consider both reliability and security, ensuring all additions to ScriptRunner Connect meet our high standards.
ScriptRunner Connect primarily utilizes AWS services hosted in the Ireland (eu-west-1) region. If there's a need for ScriptRunner Connect to be hosted in another region, please contact the ScriptRunner Connect team.
Access to ScriptRunner Connect's AWS account and to other cloud services is strictly limited to the ScriptRunner Connect engineering team.
We also use private network subnets for added security where appropriate.
Data Retention and Security
Operational and user-facing logs are retained for six months and can only be accessed by the ScriptRunner Connect team. Analytical logs, however, are kept indefinitely, enabling us to understand trends over time that we can leverage to improve our service. Analytical logs can be accessed by a broader Adaptavist group, though PII (Personally Identifiable Information) in analytical logs is anonymized.
In terms of data security, we only use cloud services that offer encryption both at rest and in transit. Sensitive information like end-user authentication keys is additionally encrypted using AWS KMS symmetric encryption with key rotation (256-bit AES-GCM). TLS version 1.2 with strong ciphers is used with HTTPS by default.
ScriptRunner Connect has a robust incident-management process with a post-incident review process to learn from prior incidents, including a multitude of monitoring and alerting systems. Our team also runs automated tests periodically to detect incidents as early as possible.
ScriptRunner Connect is GDPR compliant and en route to achieving ISO 27001 certification and SOC Type 2 compliance. This is in line with Adaptavist's already ISO 27001 and SOC Type 2 compliant products.
While we aim to reduce the PII (Personally Identifiable Information) data in our logs, we may occasionally temporarily increase our logging levels, which could contain PII data, for troubleshooting reasons.
Backups are kept for a minimum of one week. Additional backup copies are kept in accounts other than the host accounts and also in another geographical region for added security and disaster-recovery efforts. All backups are encrypted to ensure the safety of your data. In case of an incident, RPO (Recovery Point Objective) is no longer than four hours to ensure minimum data loss.
At ScriptRunner Connect, we deeply understand the significance of security, privacy, reliability, and trustworthiness in our digital era. Our steadfast values in these domains drive us to continuously refine our practices and maintain stringent security and privacy controls. The measures outlined in this document underscore our commitment to offering a reliable and secure integration platform, giving our customers peace of mind and the freedom to focus on building their business logic for integrations.