Security

Effective date:  05-01-2021

Our approach to security

Our basic tenets of security are:

  1. Deliver the best experience to you while keeping your data secure.
  2. Security by design and not an after-thought.
  3. Employ industry - standard best practices.
  4. Continuous effort to keep up with the new threats.
  5. Be transparent - what we store, how we store, and incidence management.

This information applies to the Redpen suite of products that includes Jira Add-On, Chrome Extension, and Websites linked to https://www.redpen.ai and its subdomains.

Security Guidelines

  1. Handle and persist minimal data required to deliver the optimal functionality to you thereby reducing the surface area for security threats.
  2. Employ security measures and services offered by cloud platforms (in our case AWS) as much as possible as they are battle - hardened solutions.
  3. Periodic review and upgrade of security measures.
  4. Protocols to handle any breach and transparent reporting.

More information

Securing our cloud infrastructure

Cloud Provider

Redpen uses Amazon Web Services (AWS) as the cloud provider.

Access to the production AWS account

A very limited number of our team members have access to the AWS production account. Access to AWS by them is audited by AWS. The access to the accounts is protected by 2FA.

Leveraging AWS’s Managed Services for Secure Architecture
Restricted access from the public internet

The majority of the service components are not accessible from the internet. Only the required services required to deliver functionality to the user are accessible from the internet.

Managing configurations in our systems

We have a limited set of engineers and architects who are allowed to install the software in our production environment. In most cases, software installation is not possible.

We rely on the standard underlying images offered by AWS Elastic Beanstalk. Update and patching is configured to be managed by AWS.

Making use of AWS service for Monitoring and Logging

We use AWS CloudWatch and Xray to monitor our systems and collect logs. Our SRE teams use them to monitor for availability or performance issues. Logs are retained for 30 days.

Logs are a key component of our overall incident detection and response strategy.

Business continuity and disaster recovery management

We have developed our system for business continuity. Our entire infrastructure is elastic and can scale to ensure high availability and performance.

There would always be people or entities who would try to breach our security and we have to be prepared that there is always a probability that they may succeed in that. We have processes and plans to handle such disruptions. Our goal is to minimize the impact on you in terms of the availability of our service and the loss of any critical data.

Backups

RDS databases are configured to be backed up daily utilizing built-in backup functionality offered by AWS. Backups are securely stored in AWS S3 buckets.

Amazon RDS snapshots are retained for 35 days with support for point-in - time recovery and are encrypted using AES-256 encryption.

Keeping data secure

We have a number of measures to ensure that we keep customer data secure.

Data centers

Redpen products and data are hosted with the industry-leading cloud hosting provider Amazon Web Services (AWS).

Encryption of data

Any customer data in our products are encrypted in transit over public networks using TLS encryption.

Our RDS databases are encrypted at rest and in transit.

Key management

Redpen uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

Tenant separation

Redpen is a multi-tenant Software-as-a-Service product. All our customers use to share a common cloud-based IT infrastructure when using Redpen products.

We have measures in place to ensure they are logically separated so that the actions of one customer cannot compromise the data or service of other customers. We use logical isolation of our customer data.

Sharing the responsibility for managing customer data

Security is a joint responsibility between Ajmera Infotech Inc. and our customers.

Some of the responsibilities of customers are:

  1. Use secure systems to use Redpen products.
  2. Protect your credentials. Do not share with anyone.
  3. Make fair use of the system.
  4. Do not run any automation on Redpen products.
  5. Report any security breach immediately.
  6. Do not attempt to circumvent security, usage limits, or data limits.
  7. Report any security vulnerability discovered immediately.
  8. Keep your OS and browser versions updated.
Controlling access to customer data

Only authorized personnel have access to customer data stored within our applications. They are trained to not access customer data unless it is done for:

  1. Backup and maintenance
  2. Health monitoring and analytics
  3. On support request from a customer

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Retention and deletion of data

We have a way for users to request to delete their data using https://www.redpen.ai/delete-my-information. We anonymize the user data when a deletion request is received on personal data reporting

Code analysis

We use the following automated analysis systems to identify security issues in our system.

  1. Snyk
  2. Renovate Bot
  3. SonarCloud
  4. Lighthouse

These tools:

  • Finds and identifies outdated code dependencies that may introduce vulnerabilities (we discuss these in more detail in the part of this paper that discusses our approach to vulnerability management)
  • Identifies any accidental or inadvertent disclosure of secrets in code repositories (e.g. authentication tokens or cryptographic keys)
  • Undertakes an analysis to identify any problematic coding patterns that could lead to vulnerabilities in our code
How we identify, protect against, and respond to security threats
Security testing
  • Internal Security Review – Testing consists of code review and application security testing, targeting areas of weakness highlighted by risk assessment.
  • External Penetration Testing – We use <x tool> to run penetration tests.

Any security vulnerabilities identified are tracked in our internal Jira as they come.

Infrastructure

We use a range of vulnerability detection tools that are run regularly across our infrastructure to automatically scan for and identify vulnerabilities.

We are continually reviewing the latest tools available and adding them to the suite we use if we believe they will enhance our vulnerability detection capabilities.

Products

As part of our development process – we use a range of tools to try to identify and prevent as many vulnerabilities and bugs as possible from making their way into our products by the time our customers and users have access to them.

  • Most of our services are deployed as a containerized application on AWS Elastic Beanstalk. Our service packages are run in a self-contained environment consisting of relevant system libraries, tools, configuration settings and any other dependencies required.
  • Our products and services rely on numerous open - source libraries. We use multiple tools to scan for and identify dependencies and compare these to a database of known security vulnerabilities

In addition, when a vulnerability is identified by one of our users during standard use of a product, we welcome notifications and respond promptly to any vulnerabilities submitted.

Incident response

We take even the smallest incidence reported very seriously. Our highly qualified team investigates every incidence, tracks the finding, implement the fixes or mitigations, and update the process to prevent any similar future incidences. Customers are kept updated on the progress, findings, and actions taken on the incidence related to them.

Privacy

Our privacy policy is can be found on this page – Privacy – Redpen.

Law enforcement and government requests for data

Ajmera Infotech Inc. shall comply with government requests for data received after following appropriate legal processes (whether a request for user data or a request to remove content/suspend user accounts).

Further questions and inquiries

For further questions, contact us at support@redpen.ai