Security FAQ

Most of the Q&As relate to the SaaS deployment type of getint.io (e.g. the default one for Jira Cloud customers).
We do our best to meet our customers' security standards and expectations. However, if for some reason what you find here does not meet your requirements, you can always use the On-Premise (Self-Hosted) version of getint.io. This should let you run the getint.io platform fully behind a firewall, within your company infrastructure.

What type of data is transmitted, processed, generated and/or stored by application/service?

We transmit, process and store only the essential data required to perform integration and synchronization according to the customer's setup configurations. We also collect logs of each synchronization, which customers and support use to identify and resolve problems.
The type of data depends on what exactly the customer configured for each integration, but it may include:
  • item (issue, task, bug, incident) data, such as field values
  • comment data
  • user identifiers (like accountId, full name)
  • encrypted connection details stored in a database
  • URLs of the app instances under integration, e.g. the Jira URL

Does this include sensitive (personal, health, financial, etc.) data?

It should not, unless that data is stored in the items that are synchronized between apps and was explicitly selected by the customer for a sync.
E.g. for each employee, a customer creates a Task in a Jira Project, and the task's custom fields store the employee's gender, monthly salary etc. The customer wants those tasks, including those custom fields, to be synced to the other Jira instance. getint.io would then keep those custom field values in logs as a trace of the performed synchronization.

Is data encrypted in transit?

In the SaaS deployment, each customer's data is stored on one machine, and the integration / synchronization logic is performed on that same machine. Therefore there is no transmission of the data to any external services.

Is data encrypted at rest?

We use SSL for the HTTP protocol. REST communication is also authenticated with JWT.

How are keys/secrets managed?

Keys are stored in encrypted form on hosts owned by getint.io. We cannot provide much more information for security reasons.

Who has access to Personally Identifiable Information (PII)?

Not applicable. If yes, only Getint.io company owners.

Who has access to Protected Health Information (PHI)?

Not applicable. If yes, only Getint.io company owners.

Is code stored in source control? Are cleartext passwords present in source control?

Yes, source code is under Git source control, provided by the Azure DevOps platform.
There are no cleartext passwords stored in the code. All passwords needed to run the application are provided at runtime.

What is the data backup strategy?

Daily backups, kept for 30 days.

What are the sanitization processes for things such as back-up tapes, failed hard drives, and other storage media?

Under the SaaS deployment, our infrastructure is deployed on Linode, a company that has 1 million customers worldwide. All handling of backups, hard drives and VMs is done by Linode according to their SLA terms.

How is patching of the software/application implemented?

Each patch goes through the process of unit testing, automatic testing, UAT testing and deployment to production.
Each patch is encapsulated as a new getint.io version, stored within an internal artifactory.
We use a blue / green deployment technique to make sure patch deployment to production is backward compatible.

How does data get to application/service? Do external users have a way to load it? Is there some data synchronization process with other systems?

Data is provided by the customer who obtains an account within the application. Each customer has a separate database schema in which their data is stored. All configurations, setups and connection details are provided by the customer and saved within their part of the database. External users outside the customer's organization do not have access to load / read the data. Also, except for backups, the customer's data is not synchronized, transmitted or shared with any other external services or machines.
Only getint.io support staff have access to integration / synchronization logs, in order to help customers solve issues.
We use standard techniques provided by the Spring framework.

Are you participating in a BugBounty program?

Not yet. We are planning to be on this program by the end of 2021.

Where is data stored? (local, data center, cloud?) If cloud, is it public, hybrid or private cloud?

What encryption is used for data at rest and in transit? How are users authenticated?

Users are authenticated using JWT tokens. Data is transmitted via HTTPS, so it is encrypted by this protocol. Authentication is handled by standard Spring mechanisms.

Are strong password rules applied?

Yes, with frequent rotation.

Is multifactor authentication used? Is Google SSO supported? If so, what access to G-Suite data/services will be used by the application?

Only for internal systems used by getint.io company members.

How is authorisation of users managed?

Customers are authenticated with JWT tokens for both cloud and on-premise solutions. There is a flat role structure, so an authenticated user gains access to most parts of the product.
There is a plan to introduce a role hierarchy, but no delivery date is defined at the moment.

Is role based access used?

As above.

Are secure code development practices used to develop the product (code reviews, segmented environments, etc.)?

Yes, we follow best practices, including code reviews, staged deployments, UAT and smoke testing, and many others.

Does the vendor have a Responsible Disclosure/Vulnerabilities program?

No

Does the vendor conduct pentesting of the product and platform?

Yes, before the release, on staging environments.

Who is responsible for maintenance and update of the software?

Getint.io company members.

Does the vendor have any InfoSec relevant certifications or references to good practices/standards followed?

No

Data availability: Redundancy/backups/snapshots (this is usually based on the cloud provider's good practices/controls in place).

Read more here: Backups