Security Practices for 55 Degrees Products
55 Degrees knows security is critical, yet hard to perfect. Thus, we are always improving our practices. Please read through our security practices and reach out to us at firstname.lastname@example.org if you have any questions. This document will be updated when our Security Practices are changed to reflect any new practices adopted.
Please note that this document is not a legal document and is not a guarantee. It should be treated as guidance of what 55 Degrees strives to accomplish in this area.
This page was last updated on November 26, 2019.
When we can, we store all of your data on the Atlassian Cloud instance. In some cases, this might not be possible due to the size of the data asset, the security sensitivity of the data, or general limitations of what is possible with the Atlassian Cloud API. When your data is stored on the Atlassian Cloud instance, the App needs to be installed on your instance in order for us to retrieve it. In the cases where data needs to be stored in our database, we will use appropriate security techniques such as encryption and general checksum hashing for data.
We do not conduct penetration testing as our infrastructure providers, Amazon Web Services, DigitalOcean and Atlassian, do not permit penetration testing on their infrastructure (based upon their license and usage agreements). Having said that, we do follow the Amazon and Atlassian guidelines for security:
From time to time, 55 Degrees may capture analytics events from our products. This will be done through opt-in requests on a per installation basis.
55 Degrees maintains a development backlog. The team identifies the priorities of the work and works to fulfill them. The development code is verified and tested on a non-production system before being deployed to the production system. Any third-party integrations, libraries, etc. are vetted for their security and licensing agreements prior to use.
We do not offer a bug bounty at this time. If you find a bug, please raise a support request.
If you find a security vulnerability, please email email@example.com.
We periodically review the infrastructure of our apps to verify configurations and settings. In addition, we have monitoring that alerts us to certain activities such as deployments and configuration changes.
Whenever our development team makes major changes for an app, we will review the app for any security concerns. Security reviews are also done on an ad-hoc basis.
Team members only have access to the systems absolutely necessary for them to perform their required duties. Production infrastructure access is locked down and requires trusted VPN access. Our automation and monitoring reduce the amount of access needed.
All team members use password vaults to maintain a randomly generated password for each service, and use two-factor authentication with the infrastructure providers that support it.
All security changes are conducted after approval by both cofounders.
Change log for this document
November 26, 2019 - Added references to DigitalOcean
August 20, 2019 - Initial version of this document