Security

ScriptRunner Connect, developed by Adaptavist, is a cloud-based, Atlassian-focused, code-first integration Platform as a Service (iPaaS) product. Designed to connect to third-party systems, ScriptRunner Connect allows users to focus on writing business logic in JavaScript or TypeScript while the ScriptRunner Connect team manages the complexities of infrastructure and security. A key aspect of ScriptRunner Connect's mission is the emphasis on rigorous security standards and privacy protections.

While ScriptRunner Connect is an independent product and does not directly integrate with Atlassian, our security policies align with Adaptavist's trust, security, and privacy policies.

Security Measures

ScriptRunner Connect is a multi-tenant SaaS product that ensures the separation of customer data through logical partitioning and robust security checks at our API endpoints. These checks, verified through automated testing, ensure users can access only the data they are authorized to view, following the least-privilege principle.

The app received good results from a penetration test from a third-party CREST-certified vendor.

ScriptRunner Connect is also part of a public bug bounty program.

To proactively identify potential vulnerabilities, we operate vulnerability scanners for third-party packages and ensure all security-related changes are thoroughly peer-reviewed. Our team is also trained in secure coding practices, reinforcing our commitment to maintaining a secure environment.

As we introduce new features, we perform risk assessments that consider reliability and security, ensuring all additions to ScriptRunner Connect meet our high standards.

ScriptRunner Connect primarily utilizes AWS services hosted in the Ireland (eu-west-1) region. If you need ScriptRunner Connect to be hosted in another region, please contact the ScriptRunner Connect team.

For script executions, ScriptRunner Connect uses V8 Isolates technology for secure isolation. Each script execution occurs in a new V8 Isolate, which is immediately destroyed afterward. This is the same technology that powers Chromium-based browsers and is used in shared cloud resources like Cloudflare Workers. This approach ensures the highest level of security while running untrusted JavaScript code. Check out ScriptRunner Connect's Runtime user documentation for more information.

Access to ScriptRunner Connect's AWS account and other cloud services is strictly limited to the ScriptRunner Connect engineering team.

We also use private network subnets for added security where appropriate.

Data Retention and Security

Operational and user-facing logs are retained for six months and can only be accessed by the ScriptRunner Connect team. Analytical logs, however, are kept indefinitely, enabling us to understand trends over time that we can leverage to improve our service. Analytical logs can be accessed by a broader Adaptavist group, though PII (Personally Identifiable Information) in analytical logs is anonymized.

In terms of data security, we only use cloud services that offer encryption both at rest and in transit. Sensitive information like end-user authentication keys is additionally encrypted using AWS KMS symmetric encryption with key rotation (256-bit AES-GCM). TLS version 1.2 with strong ciphers is used with HTTPS by default.

Incident Management

ScriptRunner Connect has a robust incident-management process, supported by many monitoring and alerting systems, with a post-incident review process to learn from prior incidents. Our team also runs automated tests periodically to detect incidents as early as possible.

Compliance

ScriptRunner Connect is GDPR compliant and ISO 27001 and SOC Type 2 certified.

While we aim to minimize PII (Personally Identifiable Information) in our logs, we may occasionally and temporarily increase our logging levels for troubleshooting, and the resulting logs could contain PII.

For further information, you may refer to the following related compliance documents: AWS, Adaptavist Terms and Conditions, Privacy Policy, and the Data Processing Addendum.

Backups

Backups are kept for a minimum of one week. Additional backup copies are kept in accounts other than the host accounts and also in another geographical region for added security and disaster-recovery efforts. All backups are encrypted to ensure the safety of your data. In case of an incident, the RPO (Recovery Point Objective) is no longer than four hours for critical data and twenty-four hours for non-critical data (mostly logs).

Multi-Factor Authentication

ScriptRunner Connect offers Multi-Factor Authentication (MFA) to enhance the app's security.

Multi-factor authentication (MFA) is a multi-step login process that enhances security by requiring users to provide more information than just a username and password. To log in with MFA enabled, users will use a one-time password (OTP) generated from an authenticator app. Popular options include Authy, Google Authenticator, Auth0 Guardian, and Microsoft Authenticator, all of which can be downloaded from the Google Play or Apple app stores.

Users receive a prompt to enable MFA when they sign up for the app. MFA preferences can be managed under user profile settings.

Conclusion

At ScriptRunner Connect, we deeply understand the significance of security, privacy, reliability, and trustworthiness in our digital era. Our steadfast values in these domains drive us to continuously refine our practices and maintain stringent security and privacy controls. The measures outlined in this document underscore our commitment to offering a reliable and secure integration platform, giving our customers peace of mind and the freedom to focus on building their business logic for integrations.