What is the purpose of this integration? What is the business need that is being fulfilled?

Visor improves the way engineering and product teams plan and execute. It combines the flexibility of spreadsheets with the power of Jira to improve efficiency in planning and increase transparency for the team.

Through multiple views of tables or timelines, Visor allows all members of the team to have personalized views that seamlessly connect to the larger picture. Visor provides multi-level granularity for stakeholders without needing complicated formulas, pivot tables, or manual effort to create and maintain these frameworks.

Visor aims to improve how your teams are able to plan, track progress and communicate product roadmaps and product development timelines.

Please provide a brief history of Visor and how the Security Organization is constructed.

Visor was founded in 2016 in the Harvard Innovation Lab.  The company is currently headquartered in New York City.

Visor’s founder, a graduate from Princeton’s engineering school,  is also the company’s lead engineer and head of the VSC.  The VSC includes the team’s senior engineer, Patrick Shanley.  During a weekly Friday meeting, the VSC assesses the security of the existing platform and discusses security concerns regarding new products and features.  Security concerns are triaged and worked into the product engineering process on appropriately expedited schedules.

How does your service/product work?

Visor is a visual planning software for project management.  Based on the familiar design of a spreadsheet, the software integrates with Jira to allow bidirectional syncing.  This allows planning teams to build and communicate plans and roadmaps without having to update multiple systems.

The product is a web application available at https://app.visor.us. Users can create workbooks that store their project and timeline data.  Each sheet within the same workbook represents a unique filter and view of the same data.  This makes it possible to create different views highlighting different information.

Visor's integrations allow users to add information to their Workbook from Connected Apps.  When a user types in a Connected Field, Visor searches the Connected App for matching Records.  When the user selects one of those Records, that project row in Visor is linked to the Connected App, and any columns designated by the user are pulled into the Visor Workbook.  These could include dates, statuses, or any text descriptions.

Please briefly describe the security functions at your company; how can we be assured our data is safe in your hands?

Visor takes customer security very seriously and has engineered security into various levels of application design, development, deployment, and maintenance.

  • Development was influenced by OWASP’s principles, including: a positive security model for our client-facing API, failing securely (a failure follows the same path as a disallowed operation), avoiding open designs and security by obscurity, intrusion detection (including the capability to log security-relevant events, procedures to ensure logs are monitored regularly, and procedures to properly respond to any intrusions).
  • Application data is stored on resilient storage. In addition, we have a comprehensive backup program. Daily automated backups are performed and retained for 30 days with support for point-in-time recovery.
  • End user devices are not used for transmitting, processing, or storing customer data.
  • Our wireless networks are secured by utilising WPA2-AES and we routinely scan for rogue access points.
  • We use up-to-date Amazon Machine Images (AMI) as a means to ensure our virtualized operating systems are using hardened images.
  • All application data is transferred over encrypted network protocols.
  • We’ve routinely used automated scanning tools to test our products for vulnerabilities.

How are logins performed to your service? Do you support federated identity? (e.g., SAML)

Logins are handled via a secure, single-use, expiring token sent to users’ email addresses.  Tokens are encrypted in transit when submitted in the login flow.  Federated identity (e.g., SAML) is not currently supported by the Visor platform.
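The two properties that make an emailed login token safe are that it can be redeemed once and that it stops working after a short window. The block below is an added illustration of such a token store, not Visor's code; the 15-minute lifetime, the SHA-256 storage of the token, and the `MagicLinkStore` / `FakeClock` names are assumptions chosen for the example.

```python
import hashlib
import secrets
import time

# Assumed token lifetime; the page gives no figure, so this is an example value.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Issues single-use, expiring login tokens and redeems them exactly once.

    Only the SHA-256 digest of each token is kept server-side, so a copy of the
    store does not contain anything that can be pasted into the login flow.
    """

    def __init__(self, ttl_seconds=TOKEN_TTL_SECONDS, clock=time.time):
        self._pending = {}          # token digest -> (email, expires_at)
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a token for `email`. The raw token is what gets emailed; it is never stored."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the email the token was issued for, or None on any failure.

        Unknown, already-used and expired tokens all take the same path (None),
        and the entry is removed before the expiry check, so a token can never
        be presented twice no matter how the first attempt ended.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self.clock() > expires_at:
            return None
        return email


class FakeClock:
    """Controllable clock for demonstrating expiry without sleeping (test helper)."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Walk through issue/redeem/replay/expiry with a constructed user; returns the outcomes."""
    clock = FakeClock()
    store = MagicLinkStore(ttl_seconds=60, clock=clock)
    token = store.issue("alice@example.com")          # constructed sample address
    first = store.redeem(token)                       # valid: returns the email
    replay = store.redeem(token)                      # same token again: refused
    token2 = store.issue("alice@example.com")
    clock.now += 61                                   # step past the lifetime
    expired = store.redeem(token2)                    # refused
    return {"first": first, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The store is deliberately in-memory for the example; a deployment would keep the digests in the database with the same pop-then-check ordering, and the email itself would travel to the user only over an authenticated mail channel.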

What data is required from my company in order to make Visor work? How is data stored? How long is it retained? What third parties / subcontractors of yours have access to this data or its underlying systems?

Visor works without requiring any upfront data ingestion.  Users can store projects in the platform much like they would add rows to a spreadsheet, allowing the users to choose what information they wish to store in Visor.

Users may connect Visor to Jira.  In this case, Visor will only cache on its servers the information directly requested by the user.  Only the specific fields a user requests for specific connected entities in Jira will be cached by Visor.  There is no bulk import of information, and Visor does not pull in more information than the user explicitly requests.  This information is retained for as long as the user has this information connected to a Visor workbook.

Customers manage their organisation's own access privileges within their SaaS account. Users invited to a workspace have access to view and edit data within that workspace.  Users may invite other users via their email address.  Customers may request that this functionality of inviting new users be blocked or limited.

As our service is delivered as a SaaS platform, we treat all tenant data with an equal level of sensitivity. Access to tenant data is limited to personnel who require such access to deliver our services and meet our customer service objectives.

All changes to customer data are tracked and versioned at the database level, providing an audit trail that records for each change the IP address from which the change was requested, the authenticated user’s account that requested the change, the datetime of the change, and the outcome (success or failure) of the transaction.  Customers may request information from these audit logs by contacting customer care via email.  It is possible to restore the data to any point in time by contacting Visor customer care.
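Versioning at the database level means the history is written by the database itself, not by whichever application code happened to issue the change. The block below is an added illustration of that pattern using SQLite, not Visor's schema or code; the table names, the `request_context` mechanism for passing actor and client IP into the trigger, the sample project row, and the `203.0.113.7` address are all constructed for the example.

```python
import sqlite3

# Constructed schema: one data table, a per-request context table the
# application fills before writing, and an append-only audit log.
SCHEMA = """
CREATE TABLE projects (
    id     INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    status TEXT NOT NULL CHECK (status IN ('todo', 'doing', 'done'))
);
-- Who is making the current request; the application sets this before each write.
CREATE TABLE request_context (k TEXT PRIMARY KEY, v TEXT NOT NULL);
CREATE TABLE audit_log (
    seq        INTEGER PRIMARY KEY,
    row_id     INTEGER NOT NULL,
    operation  TEXT NOT NULL,
    old_row    TEXT,
    new_row    TEXT,
    actor      TEXT NOT NULL,
    client_ip  TEXT NOT NULL,
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    outcome    TEXT NOT NULL DEFAULT 'success'
);
-- Every committed UPDATE is versioned by the database, whatever code path issued it.
-- actor/client_ip are NOT NULL, so a write with no attributed request context is refused.
CREATE TRIGGER projects_audit_update AFTER UPDATE ON projects
BEGIN
    INSERT INTO audit_log (row_id, operation, old_row, new_row, actor, client_ip)
    VALUES (OLD.id, 'UPDATE',
            'name=' || OLD.name || ';status=' || OLD.status,
            'name=' || NEW.name || ';status=' || NEW.status,
            (SELECT v FROM request_context WHERE k = 'actor'),
            (SELECT v FROM request_context WHERE k = 'client_ip'));
END;
"""


def open_db():
    """In-memory database seeded with one constructed project row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO projects (id, name, status) VALUES (1, 'Roadmap', 'todo')")
    conn.commit()
    return conn


def set_request_context(conn, actor, client_ip):
    conn.executemany("INSERT OR REPLACE INTO request_context (k, v) VALUES (?, ?)",
                     [("actor", actor), ("client_ip", client_ip)])


def update_status(conn, actor, client_ip, row_id, new_status):
    """Apply a change on behalf of an authenticated user; returns 'success' or 'failure'."""
    set_request_context(conn, actor, client_ip)
    try:
        with conn:  # data row and trigger-written audit row commit or roll back together
            conn.execute("UPDATE projects SET status = ? WHERE id = ?", (new_status, row_id))
        return "success"
    except sqlite3.IntegrityError:
        # The rejected change rolled back, taking the trigger's row with it,
        # so the failed attempt is recorded explicitly with outcome='failure'.
        with conn:
            conn.execute(
                "INSERT INTO audit_log (row_id, operation, new_row, actor, client_ip, outcome) "
                "VALUES (?, 'UPDATE', ?, ?, ?, 'failure')",
                (row_id, f"status={new_status}", actor, client_ip))
        return "failure"


def audit_trail(conn, row_id):
    """Ordered history for one row: (operation, old, new, actor, client_ip, outcome)."""
    return conn.execute(
        "SELECT operation, old_row, new_row, actor, client_ip, outcome "
        "FROM audit_log WHERE row_id = ? ORDER BY seq", (row_id,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(update_status(db, "alice@example.com", "203.0.113.7", 1, "doing"))
    print(update_status(db, "alice@example.com", "203.0.113.7", 1, "shipped"))
    for entry in audit_trail(db, 1):
        print(entry)
```

Because each audit row carries the full old and new values, replaying the log up to a chosen `seq` reconstructs the row as it stood at that moment, which is the property behind point-in-time restores.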

Visor’s technical infrastructure is hosted on AWS.  Server logs are stored using Elastic.co’s hosted log management product.  Senior engineering team members are the only team members with access to these accounts.  As new team members are hired, it is planned that access will be granted according to the principle of least privilege.  New hires undergo background checks, including a criminal record check.  Records of these background checks are retained.

AWS maintains multiple certifications for the protection of their data centers. AWS physical protection assurance information can be found at: http://aws.amazon.com/compliance/

Does your service have an SLA? If a service, what is your historical uptime? Do you have RTO and RPO metrics?

Visor does not currently offer an SLA.  Maintenance windows are generally not required, as changes are tested in a staging environment prior to deployment to production.  Patches to the web client are applied on a rolling basis.  Visor has not had documented downtime within the last 3 months.

Visor’s RPO is 24 hours: backups of customer data occur nightly with a 30-day retention window.

Visor’s RTO goal is 3 hours.