Security
Introduction
Stitch It, developed by Adaptavist, is a cloud-based, Atlassian-focused, code-first integration Platform as a Service (iPaaS) product. Designed to take care of connecting to third-party systems, Stitch It allows users to focus on writing business logic in JavaScript or TypeScript, while the Stitch It team manages the complexities of infrastructure and security. A key aspect of Stitch It's mission is the emphasis on rigorous security standards and privacy protections.
While Stitch It is an independent product and does not directly integrate with Atlassian, our security policies align with Adaptavist's trust, security, and privacy policies.
Security Measures
Stitch It is a multi-tenant SaaS product. Customer data is separated through logical partitioning, and every API endpoint performs authorization checks so that a user can only reach the data they are permitted to view, following the principle of least privilege. These checks are verified through automated testing.
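As an added illustration of what such an endpoint check looks like (example code written for this page, not Stitch It's own implementation; the Principal and Script shapes, the in-memory store and the function names are assumptions), the following TypeScript contrasts an unscoped lookup, which lets any authenticated user read another tenant's record by guessing its id, with a lookup keyed on the caller's tenant, and finishes with the kind of table-driven check an automated test suite would run:

```typescript
// Added example, not Stitch It's code: tenant-scoped authorization at an API
// endpoint. The Principal and Script shapes, the store and the names are assumed.
type Role = "viewer" | "editor";

interface Principal {
  userId: string;
  tenantId: string;         // set by authentication, never read from the request
  roles: ReadonlySet<Role>;
}

interface Script {
  id: string;
  tenantId: string;
  name: string;
}

class AccessDenied extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AccessDenied";
  }
}

// Constructed sample store: one script belonging to each of two tenants.
const SCRIPTS: Script[] = [
  { id: "scr-1", tenantId: "tenant-a", name: "Jira to Slack" },
  { id: "scr-2", tenantId: "tenant-b", name: "Invoice sync" },
];

// Broken pattern: the record is looked up by id alone, so any authenticated
// user who guesses or enumerates "scr-2" reads tenant B's data.
function getScriptUnscoped(id: string): Script | undefined {
  return SCRIPTS.find((s) => s.id === id);
}

// Hardened pattern: the caller's tenant is part of the lookup key. A record
// that does not exist and a record owned by another tenant produce the same
// error, so the endpoint does not confirm which ids exist elsewhere.
function getScript(principal: Principal, id: string): Script {
  const script = SCRIPTS.find((s) => s.id === id && s.tenantId === principal.tenantId);
  if (!script) throw new AccessDenied(`script ${id} not found`);
  return script;
}

// Least privilege: writes additionally require a role, checked after scoping.
function renameScript(principal: Principal, id: string, name: string): Script {
  const script = getScript(principal, id);
  if (!principal.roles.has("editor")) throw new AccessDenied("editor role required");
  script.name = name;
  return script;
}

// A table-driven check of the kind that automated tests run over every
// endpoint: each case states who acts, on what, and whether it must succeed.
function authorizationMatrixHolds(): boolean {
  const alice: Principal = { userId: "alice", tenantId: "tenant-a", roles: new Set<Role>(["editor"]) };
  const bob: Principal = { userId: "bob", tenantId: "tenant-b", roles: new Set<Role>(["viewer"]) };
  const cases: Array<[() => unknown, boolean]> = [
    [() => getScript(alice, "scr-1"), true],
    [() => getScript(alice, "scr-2"), false],          // cross-tenant read
    [() => getScript(bob, "scr-2"), true],
    [() => renameScript(bob, "scr-2", "x"), false],    // right tenant, missing role
    [() => renameScript(alice, "scr-2", "x"), false],  // wrong tenant, has role
  ];
  return cases.every(([run, allowed]) => {
    try { run(); return allowed; } catch (e) { return !allowed && e instanceof AccessDenied; }
  });
}
```

Two points are worth noting. The tenant id comes from the authenticated principal, never from the request body or query string, and a cross-tenant hit is reported exactly like a missing record so the endpoint cannot be used as an oracle for other tenants' ids. Keeping the (principal, resource, action) matrix under test is what stops a later refactor from quietly reintroducing the unscoped lookup.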
To proactively identify potential vulnerabilities, we run vulnerability scanners over our third-party dependencies, and all security-related changes are peer-reviewed before they ship. Our team is also trained in secure coding practices.
As we introduce new features, we perform risk assessments that consider both reliability and security, ensuring all additions to Stitch It meet our high standards.
Stitch It primarily utilizes AWS services hosted in the Ireland (eu-west-1) region. If there's a need for Stitch It to be hosted in another region, please contact the Stitch It team.
For script executions, Stitch It uses V8 Isolates. Each script runs in a new V8 Isolate, which is destroyed as soon as the execution finishes; because isolates have separate heaps, one execution cannot read another's memory and no state carries over between runs. This is the same technology that powers Chromium-based browsers and shared runtimes such as Cloudflare Workers, and it provides strong isolation for running untrusted JavaScript code. See Stitch It's Runtime user documentation for more information.
Access to Stitch It's AWS account and to other cloud services is strictly limited to the Stitch It engineering team.
We also use private network subnets for added security where appropriate.
Data Retention and Security
Operational and user-facing logs are retained for six months and can only be accessed by the Stitch It team. Analytical logs, however, are kept indefinitely, enabling us to understand trends over time that we can leverage to improve our service. Analytical logs can be accessed by a broader Adaptavist group, though PII (Personally Identifiable Information) in analytical logs is anonymized.
In terms of data security, we only use cloud services that offer encryption both at rest and in transit. Sensitive information such as end-user authentication keys is additionally encrypted, on top of the provider's at-rest encryption, using AWS KMS symmetric encryption with key rotation (256-bit AES-GCM). HTTPS connections use TLS 1.2 with strong cipher suites by default.
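To make the KMS and AES-GCM layer concrete, here is an added example of envelope encryption for a stored credential (example code written for this page, not Stitch It's code; the StubKms class is a local stand-in for the AWS KMS GenerateDataKey and Decrypt calls so the example runs offline, and the record shape and function names are assumptions). A fresh 256-bit data key protects each secret, the data key is wrapped by the master key, and the owning tenant id is bound into the ciphertext as additional authenticated data:

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example, not Stitch It's code: envelope encryption of a stored
// end-user credential with AES-256-GCM data keys wrapped by a (stubbed) KMS.
const ALG = "aes-256-gcm";
const IV_LEN = 12;  // 96-bit nonce, the size GCM is specified around
const TAG_LEN = 16; // 128-bit authentication tag

// Output layout: iv || ciphertext || tag. `aad` is authenticated but not
// encrypted; whatever is bound into it must be presented again to decrypt.
function gcmEncrypt(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, body, cipher.getAuthTag()]);
}

// Throws if the tag does not verify, i.e. if ciphertext, tag or AAD changed.
function gcmDecrypt(key: Buffer, blob: Buffer, aad: Buffer): Buffer {
  const iv = blob.subarray(0, IV_LEN);
  const body = blob.subarray(IV_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const decipher = createDecipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Assumed stand-in for AWS KMS GenerateDataKey / Decrypt. In the real service
// the master key never leaves KMS; it is in-process here only so the example
// runs offline.
class StubKms {
  private readonly masterKey = randomBytes(32);
  private readonly wrapAad = Buffer.from("stub-kms-data-key");

  generateDataKey(): { plaintext: Buffer; encrypted: Buffer } {
    const plaintext = randomBytes(32);
    return { plaintext, encrypted: gcmEncrypt(this.masterKey, plaintext, this.wrapAad) };
  }

  decryptDataKey(encrypted: Buffer): Buffer {
    return gcmDecrypt(this.masterKey, encrypted, this.wrapAad);
  }
}

// What gets persisted: never the plaintext secret or the plaintext data key.
interface SecretRecord {
  tenantId: string;
  encryptedDataKey: Buffer;
  ciphertext: Buffer;
}

// One data key per secret; the tenant id is bound in as AAD so the
// ciphertext cannot be re-attached to another tenant's record.
function sealSecret(kms: StubKms, tenantId: string, secret: string): SecretRecord {
  const dk = kms.generateDataKey();
  try {
    const ciphertext = gcmEncrypt(dk.plaintext, Buffer.from(secret, "utf8"), Buffer.from(tenantId));
    return { tenantId, encryptedDataKey: dk.encrypted, ciphertext };
  } finally {
    dk.plaintext.fill(0); // drop the plaintext data key as soon as it has been used
  }
}

function openSecret(kms: StubKms, rec: SecretRecord): string {
  const key = kms.decryptDataKey(rec.encryptedDataKey);
  try {
    return gcmDecrypt(key, rec.ciphertext, Buffer.from(rec.tenantId)).toString("utf8");
  } finally {
    key.fill(0);
  }
}

// Two failure modes a practitioner should see rejected, not silently decrypted.
function rejectsRebinding(kms: StubKms): boolean {
  const rec = sealSecret(kms, "tenant-a", "constructed-token");
  try { openSecret(kms, { ...rec, tenantId: "tenant-b" }); return false; } catch { return true; }
}

function rejectsTampering(kms: StubKms): boolean {
  const rec = sealSecret(kms, "tenant-a", "constructed-token");
  const forged = Buffer.from(rec.ciphertext);
  forged[IV_LEN] ^= 0x01; // flip one bit of the first ciphertext byte
  try { openSecret(kms, { ...rec, ciphertext: forged }); return false; } catch { return true; }
}
```

With real AWS KMS, the wrapped data key is the CiphertextBlob returned by GenerateDataKey and the master key never leaves the service; automatic key rotation keeps earlier key versions, so data keys wrapped before a rotation still decrypt. The AAD binding means a ciphertext copied onto another tenant's row fails authentication rather than decrypting, and a random 96-bit nonce per encryption is safe here because each data key is used for exactly one message.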
Incident Management
Stitch It has an incident-management process backed by a range of monitoring and alerting systems, with a post-incident review after each incident so that we learn from it. Our team also runs automated tests periodically to detect incidents as early as possible.
Compliance
Stitch It is GDPR compliant and is working towards ISO 27001 certification and SOC 2 Type 2 compliance, in line with Adaptavist's products that already hold ISO 27001 certification and SOC 2 Type 2 compliance.
While we aim to minimize the PII (Personally Identifiable Information) in our logs, we may occasionally and temporarily raise logging levels for troubleshooting, and the additional log output may contain PII.
For further information, you may refer to the following related compliance documents: AWS, Adaptavist Terms and Conditions, Privacy Policy, and the Data Processing Addendum.
Backups
Backups are retained for a minimum of one week. Additional backup copies are kept in accounts separate from the hosting accounts and in a second geographical region, for defence in depth and disaster recovery. All backups are encrypted. In case of an incident, the RPO (Recovery Point Objective) is at most four hours, which bounds the amount of data that could be lost.
Conclusion
At Stitch It, we deeply understand the significance of security, privacy, reliability, and trustworthiness in our digital era. Our steadfast values in these domains drive us to continuously refine our practices and maintain stringent security and privacy controls. The measures outlined in this document underscore our commitment to offering a reliable and secure integration platform, giving our customers peace of mind and the freedom to focus on building their business logic for integrations.