Skip to main content
Skip table of contents

Security & Privacy

The Easy Agile team takes security seriously. We know we're not infallible and we are always working to improve our security practices. Below we detail our current practices.

Security Vulnerability

We align with the Security Severity Levels published by Atlassian, and as a Platinum Atlassian Marketplace Partner we adhere to their security requirements for Cloud applications.

We participate in the Atlassian Marketplace Security Bug Bounty Program.

If you believe you have found or experienced a security vulnerability with an Easy Agile product or service please raise a security incident.

Jira Cloud

All of your Jira data (including issues, projects, and users) is kept in your Jira Cloud instance. Your Jira data is never stored by our cloud servers. Our apps are simple, static javascript applications that run entirely in your browser. They retrieve the data they require directly from your Atlassian Cloud instance.

Our Jira Cloud apps require the following Atlassian Connect Permissions (Scopes): Read, Write, Delete, and Project Administration. Project Administration is needed for creating and updating Release versions.

As the product is delivered as a static, client-side add-on, the requests to read, create or update Jira data are made by the account of the person using the addon. When you install the add-on you will see a new user added automatically to the Jira Software projects (e.g. Easy Agile User Story Maps for Jira (addon_com.kretar.Jira.plugin.user-story-map)) under the role 'atlassian-addons-project-access'.

We follow the Atlassian guidelines for security:

Easy Agile’s Cloud services are SOC 2 Type II certified. Download our SOC 2 report from trust.easyagile.com.

Error reporting

Easy Agile products use error reporting service BugSnag to assist us in providing higher-quality software and quickly diagnose errors that occur in Easy Agile code running in the browser. No data is ever transmitted from your Jira Server. This information helps us quickly pinpoint issues to help quickly resolve support requests, or ship fixes before support requests are raised.

No Personally Identifiable Information (PII) is included in the BugSnag payload events sent.

Key points

  1. Only errors that originate from within Easy Agile code are transmitted.

  2. All business-sensitive information is redacted, such as:

    1. The URL of the Jira instance

    2. Any project keys

    3. Any issue keys

    4. Usernames or any other personally identifiable information

We do include the license Support Entitlement Number (SEN) to improve your customer support experience. For example, in the event you experience an error and raise a support request we are able to diagnose the problem quicker. We also collect an anonymous and random unique identifier for each browser session, this unique identifier (UUID) is not tied to, or seeded from, a user's personally identifiable information.

Expand to see example
JSON
{
    "apiKey": "4c6a97b915700d2318f163d99f5a9323",
    "notifier": {
        "name": "Bugsnag JavaScript",
        "version": "6.5.2",
        "url": "https://github.com/bugsnag/bugsnag-js"
    },
    "events": [
        {
            "payloadVersion": "4",
            "exceptions": [
                {
                    "errorClass": "Error",
                    "message": "This is a test error being notified",
                    "stacktrace": [
                        {
                            "file": "https://<redacted>/server/bundled.eausm-server-app.js",
                            "lineNumber": 2,
                            "columnNumber": 2879909
                        },
                        {
                            "file": "https://<redacted>/server/bundled.eausm-server-app.js",
                            "lineNumber": 2,
                            "columnNumber": 2879770
                        }
                    ],
                    "type": "browserjs"
                }
            ],
            "severity": "warning",
            "unhandled": false,
            "severityReason": {
                "type": "handledException"
            },
            "app": {
                "releaseStage": "production",
                "version": "5.0.190"
            },
            "device": {
                "locale": "en-US",
                "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36",
                "time": "2020-08-14T03:49:11.401Z"
            },
            "context": "This is a test error being notified",
            "user": {},
            "metaData": {
                "deployment": "server",
                "jiraSoftwareVersion": "8.6.1",
                "pluginVersion": "6.1.0",
                "supportEntitlementNumber": "SEN-XXXXXXX",
                "uuid": "185c36dc-1a89-4f29-9c68-d5fd1ddf3fe7"
            },
            "request": {
                "url": "redacted"
            }
        }
    ]
}

What analytics does Easy Agile Personas capture and why?

Easy Agile captures analytics events from our products so that we can better understand how they are being used, and identify opportunities for improvement. The analytics data captured is stored in a private analytics database hosted by Amazon Web Services in the United States of America. This data is also sent to Amplitude, a third party analytics platform to query and visualise analytics data to make informed decisions about product development.

For more information on how Amplitude stores this data see here.

No Personally Identifiable Information (PII) is included in the BugSnag payload events sent.

We include the app Entitlement Number or Support Entitlement Number (SEN) in analytics to improve your customer support experience. For example, in the event you experience an error and raise a support request, we can diagnose the problem quickly. We also collect an anonymous and random unique identifier for each browser session, this unique identifier (UUID) is not tied to, or seeded from, a user's personally identifiable information. 

Example analytics event data we receive:

Add-on Key

SEN (Support Entitlement Number)

Action

Event Data

Timestamp

Version

com.easyagile.personas

SEN-XXXXXXX

personas-rendered

{"boardId": null, "boardType": null, "isConnect": true, "browserName": "Chrome", "jiraVersion": "Cloud", "screenWidth": 2048, "windowWidth": 1792, "loadDuration": 1257, "projectCount": 1, "screenHeight": 1152, "windowHeight": 924, "browserVersion": "81", "estimationType": "n/a", "isAdministrator": true, "screenFormatted": "2048x1152", "windowFormatted": "1792x924", "isSystemAdministrator": false}

2020-03-20 22:54:39.488+00

1.0.3

com.easyagile.personas

SEN-XXXXXXX

persona-created-success

 

2020-03-20 22:53:22.433+00

1.2.3-AC

How do I disable the analytics events from Easy Agile Personas from being sent to Easy Agile?

To disable analytics events being sent to us, you will need to disable the ‘EA Analytics’ module in the app. 

Here are steps to walk you through this process:

  1. Navigate to the 'Manage Apps' page under the Administrator menu

  2. Navigate to 'Easy Agile Personas' from your list under 'User-installed apps'

  3. To the right of the Personas listing, expand the 'Modules Enabled' dropdown

  4. Find 'EA Analytics' from the list of modules, and select 'Disable'

Where can I read Easy Agile’s Privacy Policy?

The Easy Agile Privacy Policy is available on our website at Privacy Policy.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.