Effective date:  05-01-2021

Our approach to security

Our basic tenets of security are:

  1. Deliver the best experience to you while keeping your data secure.
  2. Security by design, not as an afterthought.
  3. Employ industry-standard best practices.
  4. Make a continuous effort to keep up with new threats.
  5. Be transparent about what we store, how we store it, and how we manage incidents.

This information applies to the Redpen suite of products that includes Jira Add-On, Chrome Extension, and Websites linked to https://www.redpen.ai and its subdomains.

Security Guidelines

  1. Handle and persist only the minimal data required to deliver optimal functionality to you, thereby reducing the attack surface.
  2. Employ the security measures and services offered by cloud platforms (in our case AWS) wherever possible, as they are battle-hardened solutions.
  3. Periodically review and upgrade security measures.
  4. Maintain protocols for handling any breach, with transparent reporting.

More information

Securing our cloud infrastructure

Cloud Provider

Redpen uses Amazon Web Services (AWS) as the cloud provider.

Access to the production AWS account

A very limited number of our team members have access to the AWS production account. Their access is logged and audited through AWS, and the accounts are protected by two-factor authentication (2FA).

Leveraging AWS’s Managed Services for Secure Architecture

Restricted access from the public internet

The majority of the service components are not accessible from the internet. Only the services required to deliver functionality to the user are exposed to the internet.

Managing configurations in our systems

A limited set of engineers and architects are allowed to install software in our production environment. In most cases, software installation is not possible at all.

We rely on the standard underlying images offered by AWS Elastic Beanstalk. Updates and patching are configured to be managed by AWS.

Making use of AWS service for Monitoring and Logging

We use AWS CloudWatch and AWS X-Ray to monitor our systems and collect logs. Our SRE teams use them to monitor for availability and performance issues. Logs are retained for 30 days.

Logs are a key component of our overall incident detection and response strategy.

Business continuity and disaster recovery management

We have designed our system for business continuity. Our entire infrastructure is elastic and can scale to ensure high availability and performance.

There will always be people or entities who try to breach our security, and we must be prepared for the possibility that they succeed. We have processes and plans to handle such disruptions. Our goal is to minimize the impact on you, both in the availability of our service and in the loss of any critical data.

Backups

RDS databases are backed up daily using the built-in backup functionality offered by AWS. Backups are securely stored in AWS S3 buckets.

Amazon RDS snapshots are retained for 35 days with support for point-in-time recovery and are encrypted using AES-256 encryption.

Keeping data secure

We have a number of measures to ensure that we keep customer data secure.

Data centers

Redpen products and data are hosted with the industry-leading cloud hosting provider Amazon Web Services (AWS).

Encryption of data

Any customer data in our products is encrypted in transit over public networks using TLS.

Our RDS databases are encrypted at rest and in transit.

Key management

Redpen uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

Tenant separation

Redpen is a multi-tenant Software-as-a-Service product. All our customers share a common cloud-based IT infrastructure when using Redpen products.

We have measures in place to ensure customers are logically separated, so that the actions of one customer cannot compromise the data or service of another. Customer data is logically isolated.

Sharing the responsibility for managing customer data

Security is a joint responsibility between Ajmera Infotech Inc. and our customers.

Some of the responsibilities of customers are:

  1. Use secure systems when accessing Redpen products.
  2. Protect your credentials. Do not share them with anyone.
  3. Make fair use of the system.
  4. Do not run any automation against Redpen products.
  5. Report any security breach immediately.
  6. Do not attempt to circumvent security, usage limits, or data limits.
  7. Report any security vulnerability you discover immediately.
  8. Keep your OS and browser versions updated.

Controlling access to customer data

Only authorized personnel have access to customer data stored within our applications. They are trained not to access customer data unless it is for:

  1. Backup and maintenance
  2. Health monitoring and analytics
  3. On support request from a customer

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Retention and deletion of data

Users can request deletion of their data at https://www.redpen.ai/delete-my-information. We anonymize the user's data when a deletion request is received through personal data reporting.

Code analysis

We use the following automated analysis systems to identify security issues in our system.

  1. Snyk
  2. Renovate Bot
  3. SonarCloud
  4. Lighthouse

These tools:

  • Find and identify outdated code dependencies that may introduce vulnerabilities (we discuss these in more detail in the part of this paper that covers our approach to vulnerability management)
  • Identify any accidental or inadvertent disclosure of secrets in code repositories (e.g. authentication tokens or cryptographic keys)
  • Analyze the code to identify problematic coding patterns that could lead to vulnerabilities

How we identify, protect against, and respond to security threats

Security testing

  • Internal Security Review – Testing consists of code review and application security testing, targeting areas of weakness highlighted by risk assessment.
  • External Penetration Testing – We use <x tool> to run penetration tests.

Any security vulnerabilities identified are tracked in our internal Jira as they are found.

Infrastructure

We use a range of vulnerability detection tools that are run regularly across our infrastructure to automatically scan for and identify vulnerabilities.

We are continually reviewing the latest tools available and adding them to the suite we use if we believe they will enhance our vulnerability detection capabilities.

Products

As part of our development process, we use a range of tools to identify and prevent as many vulnerabilities and bugs as possible from making their way into our products before our customers and users have access to them.

  • Most of our services are deployed as containerized applications on AWS Elastic Beanstalk. Each service package runs in a self-contained environment consisting of the relevant system libraries, tools, configuration settings, and any other required dependencies.
  • Our products and services rely on numerous open-source libraries. We use multiple tools to scan for and identify dependencies and compare them against a database of known security vulnerabilities.

In addition, when a vulnerability is identified by one of our users during standard use of a product, we welcome notifications and respond promptly to any vulnerabilities submitted.

Incident response

We take even the smallest reported incident very seriously. Our highly qualified team investigates every incident, tracks the findings, implements the fixes or mitigations, and updates the process to prevent similar incidents in the future. Customers are kept updated on the progress, findings, and actions taken for incidents related to them.

Privacy

Our privacy policy can be found on this page – Privacy – Redpen.

Law enforcement and government requests for data

Ajmera Infotech Inc. shall comply with government requests for data that are received through appropriate legal processes (whether a request for user data or a request to remove content or suspend user accounts).

Further questions and inquiries

For further questions, contact us at support@redpen.ai.