Information Security Policy

Principles

At Visor, we believe that the cornerstone of trust is security.  We work tirelessly to maintain that trust with our world-class systems and processes. 

Visor emphasizes the following principles in the design and implementation of its security program and practices: physical security to protect the Service against unauthorized access, use, or modification; maintaining availability for operation and use of the Service; confidentiality to protect customer data; and integrity to maintain the accuracy and consistency of data over its life cycle.

Visor Security Council

Security is not just engineering. It includes maintaining strict procedures and conducting regular reviews.

Visor has created and maintains the Visor Security Council (VSC), which performs regular review of our application and infrastructure. VSC is made up of a select group of senior Visor engineers.

VSC conducts risk assessments, internal audits, and adhoc penetration testing of our application, network, and systems on a quarterly basis. VSC also maintains a formal change control and release management process to ensure audit trails on changes to the service; the Security Vulnerability Process centered around protection and confidentiality of Customer Data outlined below; and the Incident Response Plan also outlined below.

Data Centers

Where does our data live?

Visor uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in the United States. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.

Access Management & Protections

Who has access and what they see.

Visor tightly adheres to the principle of least privilege. Access to manage Visor's AWS environment requires multi-factor authentication and access to Customer Data is restricted to a limited set of approved Visor employees on an as-needed basis.

Our systems also include the following protections:

  1. Broad system-level permissions hierarchy, and granular data-level authorization tagging built-in
  2. All customer data stored in an encrypted data warehouse with anonymous key relationships
  3. All analytic data stored in an encrypted data warehouse without any personally identifiable information
  4. Every action attempted by a user account is subject to strict access-control checks that ensure they only have access to the proper data
  5. All employees and contractors undergo strict vetting and are obligated not to disclose any customer data they may come into contact with
  6. Upon termination, whether voluntary or involuntary, every employee undergoes the official Visor off-boarding process to promptly revoke access to Visor's systems

Vendor Management

Our security is only as strong as the security of those we trust.

Every time Visor seeks to adopt a new third party service, the Visor Security Council reviews and audits the service's security protocols, data retention policies, privacy policies, and security track record to gain assurance that their security posture is consistent with Visor's for the type and sensitivity of the data the service will store or access.

This service review takes place on an annual basis for any service we use in production, and the Visor Security Council exercises the right to reject any software or software vendor for failure to demonstrate the ability to sufficiently protect Visor's data and End Users.

Visor takes reasonable steps to select and retain only third-party service providers that will maintain and implement the security measures consistent with the measures stated in this attachment.

Data Transfer & Networking

How our data travels: Encryption. Always.

  1. Industry standard SSL encrypted communication for authentication and data communication with all servers
  2. Minimal data transfer by optimizing local data storage on customers’ machines
  3. Virtual Private Cloud configuration creates firewalls around our systems

Customer Data is encrypted in transit and, subject to the applicable version for the Service selected by Customer, encrypted at rest (and remains encrypted at rest). The connection to app.visor.us is encrypted with 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS or ssh.

Data Backups & Disaster Recovery

Data loss is not an option.

We have a comprehensive backup program. Customer data is 100% backed up to online replicas on a daily basis and retained for 30 days with support for point-in-time recovery. Backups are encrypted and have the same protections as our production environment. Additionally, all of our services are configured in automatic scaling groups that scale up to meet peak demand. We will proactively notify you of any customer-impacting situation, including but not limited to data outages and recovery efforts being performed by our team. In the event of a disaster, users can expect a maximum of 1 business day for data recovery efforts to be concluded and services fully restored. Correspondence will be emailed to impacted users upon completion of the recovery effort.

Vulnerability Detection and Monitoring

Our system is only as secure as our testing.

VSC performs rigorous testing to protect against unauthorized access to Customer Data and to assess the security, reliability, and integrity of the Service on a quarterly basis. Additionally, the following precautions are taken by all engineers on a daily basis to detect vulnerabilities:

  1. Regularly cross-checking all third party software packages that we use against vulnerability databases
  2. Security-sensitive code reviews by senior engineers on all commits
  3. Automated vulnerability scanning on all Visor services

Visor also uses intrusion detection systems (IDS) for our corporate networks and production environments, and regularly performs scans of our code and systems to detect breaches or vulnerabilities. For virus monitoring, Visor automatically or manually updates most software it runs and outsources to Amazon when logical and possible. We use up-to-date Amazon Machine Images (AMI) as a means to ensure our virtualized operating systems are using hardened images.

Visor maintains a vulnerability scanning process for production systems. VSC performs vulnerability scans at least monthly and determines a severity rating for each vulnerability that is uncovered. If Visor determines that any remediation is required based on the results of such testing, it will perform such remediation within a reasonable period of time taking into account the nature and severity of the identified issue. Vulnerability scans are also run after any significant change to the production environment as determined by the VSC

Security Incident Response

Alert affected parties immediately, patch bugs as quickly as possible.

Visor maintains an incident response plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to, proprietary data or personal data transmitted, stored, or otherwise processed by Visor. If Visor detects and subsequently confirms unauthorized access to or disclosure of Customer Data, Visor shall report such breach to the Customer (and Atlassian via an App Security Ticket) within 24 hours, perform a root cause assessment, and remedy such breach in accordance with our Security Bug Fix Policy. Visor also commits to having at least one senior engineer on-call at all times after a security breach, so that vulnerabilities may be fixed as quickly as possible.

Change Management

Every commit must be secure to keep the system secure.

Visor has established a process to ensure changes meet Visor's security, confidentiality, and availability requirements:

VSC reviews and approves the policy annually. Any change to production or IT configuration with unknown or foreseeable security consequences must be reviewed by Visor Security Council prior to deployment.

Business Continuity

Always keep encrypted backups and have a plan for point in time recovery.

Visor maintains a plan for extended service outages caused by unforeseen or unavoidable disasters in an effort to restore services to the widest extent possible in a reasonable time frame:

This plan covers mission-critical business functions and associated systems. Visor has documented a set of disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster. Database snapshots are taken daily, data backups are encrypted in storage, and the Service resides on a redundant network and server infrastructure located in geographically separate data centers. This plan is reviewed and tested on an annual basis.