The Easy Agile team takes security seriously. We know we're not infallible and we are always working to improve our security practices. Below we detail our current practices.

Security Vulnerability

We align with the Security Severity Levels published by Atlassian, and as a Platinum Atlassian Marketplace Partner we adhere to their security requirements for Cloud applications.

We participate in the Atlassian Marketplace Security Bug Bounty Program.

If you believe you have found or experienced a security vulnerability with an Easy Agile product or service please raise a security incident.


Jira Cloud

All of your Jira issue, project and user data is kept in your Jira Cloud instance. Your data is never stored by our add-on servers. Our add-ons are simple, static JavaScript applications which run entirely in your browser. They retrieve the data they require directly from your Atlassian Cloud instance.

Our Jira Cloud versions require the following Atlassian Connect Permissions (Scopes): Read, Write, Delete and Project Administration. Project Administration is needed for the creation and updating of Versions.

As the product is delivered as a static, client-side add-on, the requests to read, create or update Jira data are made by the account of the person using the add-on. When you install the add-on you will see a new user added automatically to the Jira Software projects (e.g. Easy Agile User Story Maps for Jira (addon_com.kretar.Jira.plugin.user-story-map)) under the role 'atlassian-addons-project-access'.

We follow the Atlassian guidelines for security:

We have completed the lite version of the Consensus Assessments Initiative Questionnaire (CAIQ), a survey provided by the Cloud Security Alliance for Cloud consumers and auditors to assess our security capabilities as a Cloud app vendor.

You can find our responses to this questionnaire here.


Error reporting

Easy Agile Products utilise an error reporting service, Bugsnag, to assist us in providing higher quality software and quickly diagnosing errors which occur in Easy Agile code running in the browser. No data is ever transmitted from your Jira Server. This information helps us quickly pinpoint issues to help quickly resolve support requests, or ship fixes before support requests are raised. A win-win for everyone.

No Personally Identifiable Information is included in the Bugsnag event payloads sent.

Key points

  1. Only errors which originate from within Easy Agile code are transmitted.

  2. All business-sensitive information is redacted, such as:

    1. The URL of the Jira instance

    2. Any project keys

    3. Any issue keys

    4. Usernames or any other personally identifiable information

We do include the license Support Entitlement Number (SEN) to improve your customer support experience. For example, in the event you experience an error and raise a support request we are able to diagnose the problem quicker. We also collect an anonymous and random unique identifier for each browser session. This unique identifier (UUID) is not tied to, or seeded from, a user's personally identifiable information.

Example Bugsnag event payload (instance URL and SEN redacted):

{
    "apiKey": "4c6a97b915700d2318f163d99f5a9323",
    "notifier": {
        "name": "Bugsnag JavaScript",
        "version": "6.5.2",
        "url": "https://github.com/bugsnag/bugsnag-js"
    },
    "events": [
        {
            "payloadVersion": "4",
            "exceptions": [
                {
                    "errorClass": "Error",
                    "message": "This is a test error being notified",
                    "stacktrace": [
                        {
                            "file": "https://<redacted>/server/bundled.eausm-server-app.js",
                            "lineNumber": 2,
                            "columnNumber": 2879909
                        },
                        {
                            "file": "https://<redacted>/server/bundled.eausm-server-app.js",
                            "lineNumber": 2,
                            "columnNumber": 2879770
                        }
                    ],
                    "type": "browserjs"
                }
            ],
            "severity": "warning",
            "unhandled": false,
            "severityReason": {
                "type": "handledException"
            },
            "app": {
                "releaseStage": "production",
                "version": "5.0.190"
            },
            "device": {
                "locale": "en-US",
                "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36",
                "time": "2020-08-14T03:49:11.401Z"
            },
            "context": "This is a test error being notified",
            "user": {},
            "metaData": {
                "deployment": "server",
                "jiraSoftwareVersion": "8.6.1",
                "pluginVersion": "6.1.0",
                "supportEntitlementNumber": "SEN-XXXXXXX",
                "uuid": "185c36dc-1a89-4f29-9c68-d5fd1ddf3fe7"
            },
            "request": {
                "url": "redacted"
            }
        }
    ]
}
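As an added illustration of the redaction rules listed above (example code written for this page, not Easy Agile's own notifier configuration; the helper names redactEvent, scrubText and redactUrl and the sample values are assumptions), a pass of the kind that can be run from Bugsnag's onError callback before an event is sent, keeping the SEN and session UUID while dropping the instance host, issue and project keys, and user identity:

```javascript
// Added example (not Easy Agile's code): a redaction pass over a Bugsnag
// event shaped like the payload shown above. redactEvent, scrubText and
// redactUrl are hypothetical helper names.

// Jira issue keys look like PROJ-123; the SEN (SEN-1234567) has the same
// shape, so it is exempted explicitly rather than relying on the pattern.
const ISSUE_KEY = /\b[A-Z][A-Z0-9_]+-\d+\b/g;
const SEN_PREFIX = /^SEN-/;

// Metadata is allow-listed: bare project keys cannot be recognised by
// pattern, so anything not named here (e.g. projectKey, currentUser) is dropped.
const METADATA_ALLOW_LIST = [
  'deployment', 'jiraSoftwareVersion', 'pluginVersion',
  'supportEntitlementNumber', 'uuid',
];

function scrubText(text) {
  if (typeof text !== 'string') return text;
  return text.replace(ISSUE_KEY, (m) => (SEN_PREFIX.test(m) ? m : '<issue-key>'));
}

function redactUrl(url) {
  // Keep the script path (needed to map the stack frame) but drop the host.
  try {
    return `https://<redacted>${new URL(url).pathname}`;
  } catch (e) {
    return 'redacted';
  }
}

function redactEvent(event) {
  const out = JSON.parse(JSON.stringify(event)); // work on a copy
  for (const ex of out.exceptions || []) {
    ex.message = scrubText(ex.message);
    for (const frame of ex.stacktrace || []) frame.file = redactUrl(frame.file);
  }
  out.context = scrubText(out.context);
  out.user = {};                                   // no id, name or email
  if (out.request) out.request = { url: 'redacted' };
  const md = out.metaData || {};
  out.metaData = {};
  for (const k of METADATA_ALLOW_LIST) if (k in md) out.metaData[k] = md[k];
  return out;
}

// Constructed sample event holding the kinds of values that must not be sent.
const sampleEvent = {
  exceptions: [{
    errorClass: 'Error',
    message: 'Failed to load issue PROJ-42',
    stacktrace: [{
      file: 'https://acme.atlassian.net/server/bundled.eausm-server-app.js',
      lineNumber: 2, columnNumber: 2879909,
    }],
    type: 'browserjs',
  }],
  context: 'Failed to load issue PROJ-42',
  user: { id: 'jsmith', email: 'jsmith@example.com' },
  request: { url: 'https://acme.atlassian.net/browse/PROJ-42' },
  metaData: {
    deployment: 'cloud', pluginVersion: '6.1.0',
    supportEntitlementNumber: 'SEN-1234567',
    uuid: '11111111-2222-4333-8444-555555555555',
    projectKey: 'PROJ', currentUser: 'jsmith',
  },
};

// True if any of the sensitive sample values survives anywhere in the event.
function leaksSampleSecrets(event) {
  return /acme\.atlassian\.net|PROJ|jsmith/.test(JSON.stringify(event));
}

console.log(leaksSampleSecrets(sampleEvent), leaksSampleSecrets(redactEvent(sampleEvent)));
```

The same allow-list approach applies to the analytics events described below: fields are named in, never filtered out.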


How do I disable the in-app ‘Welcome’ video with sign up form for all my users?

To disable the Product Intro, you will need to disable the ‘EA Product Intro’ module in the app. 

Here are steps to walk you through this process:

  1. Navigate to the 'Manage Apps' page under the Administrator menu

  2. Navigate to 'Easy Agile Programs' from your list under 'User-installed apps'

  3. To the right of the Programs listing, expand the 'Modules Enabled' dropdown

  4. Find 'EA Product Intro' from the list of modules, and select 'Disable'

Please note: This is only available for Data Center and Server customers.


What analytics does Easy Agile Programs capture and why?

Easy Agile captures analytics events from our products so that we can better understand how they are being used, and identify opportunities for improvement. The analytics data captured is stored in a private analytics database hosted by Amazon Web Services in the United States of America.

No Personally Identifiable Information is captured in our analytics events.

To improve your customer support experience, the analytics data we collect includes the license Support Entitlement Number (SEN). This is so that we are able to more quickly and accurately diagnose problems when you raise a support request. 

We also collect an anonymous and random unique identifier for each browser session. This unique identifier (UUID) is not tied to, or seeded from, personally identifiable information.

Example analytics event data we receive (each event has the fields Add-on Key, SEN (Support Entitlement Number), Action, Event Data, Timestamp and Version):

Event 1

  Add-on Key: com.easyagile.programs

  SEN (Support Entitlement Number): SEN-XXXXXXX

  Action: eap-rendered

  Event Data: {"route": "/plugins/servlet/eap/program/:programId/increment/:incrementId", "boardType": null, "isConnect": false, "eapVersion": "1.0.4", "browserName": "Chrome", "jiraVersion": "8.5.1", "screenWidth": 1920, "windowWidth": 1920, "loadDuration": 18849, "projectCount": 0, "screenHeight": 1080, "windowHeight": 937, "browserVersion": "79", "estimationType": "n/a", "screenFormatted": "1920x1080", "windowFormatted": "1920x937", "completeLoadDuration": 18849}

  Timestamp: 2017-03-20 22:54:39.488+00

  Version: 2.3.0

Event 2

  Add-on Key: com.easyagile.programs

  SEN (Support Entitlement Number): SEN-XXXXXXX

  Action: backlog-toggled

  Event Data: (empty)

  Timestamp: 2017-03-20 22:53:22.433+00

  Version: 1.2.3-AC


How do I disable the analytics events from Easy Agile Programs from being sent to Easy Agile?

To disable analytics events being sent to us, you will need to disable the 'eap-load-analytics' module in the app. 

Here are steps to walk you through this process:

  1. Navigate to the 'Manage Apps' page under the Administrator menu

  2. Navigate to 'Easy Agile Programs' from your list under 'User-installed apps'

  3. To the right of the Easy Agile Programs listing, expand the 'Modules Enabled' dropdown

  4. Find 'EA Analytics' from the list of modules, and select 'Disable'


What is Easy Agile’s Privacy Policy?

Last updated November 2017

  1. Acknowledgment

By using our Products, you acknowledge that you have reviewed the terms of our End User Licence Agreement (EULA) and this Easy Agile Privacy Policy (Privacy Policy), have the authority to act on behalf of any person for whom you are using the Products, and agree that we may collect, use and transfer your Data in accordance with this Privacy Policy. If you are using our Products on behalf of a company, then you acknowledge that you are binding your company to this Privacy Policy.

This Privacy Policy applies to our Customers. It is the responsibility of the Customer to determine if the Privacy Policy is consistent with its own treatment of end user data.

  2. Definitions

(a) Company means Easy Agile Pty Limited ACN 605 474 977. The terms “we”, “us” and “our” when used in this Privacy Policy are a reference to the Company.

(b) Customer means a direct customer of the Company. The terms “you”, “your” and “yours” when used in this Privacy Policy are a reference to the Customer.

(c) Data means Personal Information and User Data.

(d) Data Controller has the meaning given in Rec. 22, Art 3(1) of the GDPR, that is, a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Information, where the purposes and means of processing are determined by EU or Member State laws.

(e) Data Subject means an identified or identifiable natural person who is a user of our Product.

(f) GDPR means the European Union General Data Protection Regulation.

(g) Law means all relevant legal and regulatory requirements applicable to you or us (including, for the avoidance of doubt, the Australian Privacy Act 1988 (Cth) and the GDPR).

(h) Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

(i) Product means software owned, developed and sold by us but does not include the software known as ‘Marketplace Clarity’.

(j) Subprocessor means any processor engaged by us or by any other Subprocessor who agrees to receive from us or from any other Subprocessor, Personal Information exclusively intended for processing activities to be carried out on behalf of you after the transfer in accordance with your instructions, the terms of our EULA and this Privacy Policy.

(k) Supervisory Authority means the authority with the primary responsibility for dealing with the relevant data processing activity.

(l) Unsolicited Information includes any unsolicited communications by you to the Company.

(m) User Data means all information collected passively or actively from our Customers that is not Personal Information.

  3. Collection and use

(a) We process the Data provided by you in accordance with the Privacy Policy and your instructions. We will promptly inform you if we cannot process your Data in accordance with the Privacy Policy.

(b) The processing activities that we undertake include

(i) email notifications of new software versions to contacts;

(ii) analysis of anonymised Product analytics to understand usage patterns;

(c) You agree that we may collect and use technical data and related information, including without limitation, technical information relating to your device, system, and use of the Product(s), that is gathered periodically to facilitate the provision of software updates, product support, marketing efforts and other services and communications to you related to the Products, including providing you with information about services, features, surveys, newsletters, offers, promotions; providing other news or information about us and our select partners; and sending you technical notices, updates, security alerts, and support and administrative messages. We may use this technical data and related information, as long as it is in a form that does not personally identify you, except to the extent necessary to provide you with support, or communications to improve our products or to provide services or technology to you.

(d) You may opt out of promotions by unsubscribing at https://easyagile.com/unsubscribe .

  4. Security measures

(a) We have implemented the following security measures:

(i) Two Factor Authentication to access all development and production services;

(ii) Virtual Private Network required to access development and production servers;

(iii) anonymisation of all analytics events captured;

(iv) employee laptops secured with FileVault encryption;

(v) employees use 1Password to ensure a unique password is used for each development and production service;

(b) We use a self-assessment approach to ensure compliance with the Privacy Policy. We verify periodically that the Privacy Policy is accurate and comprehensive for the information intended to be covered, prominently displayed, completely implemented, and accessible and in conformity with applicable Laws. We encourage interested parties to contact us with any concerns using the contact information provided.

(c) We will:

(i) restrict access and use of Data to those employees responsible for processing Data to fulfil our obligations under the Privacy Policy; and

(ii) maintain a list of our employees that have been granted access to Data.

(d) Data is stored on an Amazon Web Services Postgres RDS Database in the United States. The Product is hosted on Amazon Web Services. We will notify you if the storage location of your Data changes.

  5. Incident response

Where there has been a security breach, data leakage or Personal Information is lost, destroyed or becomes damaged, corrupted or unusable, we will notify you as soon as practicable.

  6. Your obligations

You agree and warrant that:

(a) the processing, including the transfer itself, of Personal Information has been and will continue to be, carried out in accordance with all applicable Laws (and, where applicable, you have notified the Supervisory Authority in your country of such processing);

(b) all Data that you provide on behalf of a Data Subject has been obtained with the informed consent of the Data Subject;

(c) you have assessed our security measures as described in clause 4 and believe our security measures ensure a level of security appropriate to the nature of the Data you provide to us;

(d) you will provide Data Subjects with a copy of the Privacy Policy or a description of our security measures, if requested by the Data Subject;

(e) if applicable, you will deposit a copy of the Privacy Policy with the Supervisory Authority upon request or if such deposit is required under the applicable Laws.

  7. Access to Data

(a) Data Subjects have the right to request that we update, correct or, upon request, erase Personal Information in our possession. We will endeavour to provide the requested Personal Information within a reasonable time.

(b) If you request a correction to your Personal Information then we will take reasonable steps to correct that Personal Information.  

(c) To guard against fraudulent requests, we will require information to confirm your identity before granting access or making corrections.

(d) We may decline to provide a Data Subject with access to Personal Information including where we determine that the information requested:

(i) may disclose:

(A) the Personal Information of another individual; or

(B) trade secrets or other business confidential information;

(ii) is subject to legal professional privilege;

(iii) is not readily retrievable and the burden or cost of providing the information would be disproportionate to the nature or value of the information;

(iv) does not exist, is not held, or cannot be located by us;

(v) would pose a serious threat to the life, health or safety of any individual, or to public health or safety if it were accessed; or

(vi) is not permitted by Law to be accessed.

  8. Subprocessing

(a) Some of our obligations under the Privacy Policy and EULA may be performed by Subprocessors. A Subprocessor will only be granted access to your Data where:

(i) such access is for purposes consistent with the Privacy Policy; and

(ii) the Subprocessor agrees to be bound by the Privacy Policy.

(b) When we work with Subprocessors, we seek to provide the Subprocessor with only the information the Subprocessor needs to perform its specific functions.

  9. Disclosure of Data

(a) We will not disclose your Data to any other party other than at your request or in accordance with this clause 9.

(b) We will share information including Personal Information with our Subprocessors. In addition, Atlassian works with us on certain business-related functions of our Products, such as processing payments. Atlassian has its own privacy policy, which you can find here (https://www.atlassian.com/legal/privacy-policy ).

(c) There are also a limited number of circumstances in which we may share your Data with third parties. This may be done without further notice to you. These circumstances are:

(i) Legal requirements: We may disclose your Data and any other information if required to do so by law or in good faith belief that such action is necessary to:

(A) comply with a legal obligation;

(B) protect and defend the rights or property of the Company; or

(C) protect against legal liability.

(ii) Business transfers and related activities: We may sell, buy, restructure or reorganise our business or assets. In the event of any sale, merger, reorganisation, restructuring, dissolution or similar event involving our business or assets, Personal Information may be part of the transferred assets.

10. Cross-border transfer of data

(a) If you are using our Products in a country other than the United States, your communications will result in the transfer of Data across international boundaries. The countries in which recipients of your Personal Information are likely to be located are the United States, Australia and countries within the European Union.

(b) If you provide Personal Information, you acknowledge and agree that Personal Information may be transferred from your current location to the offices and servers of the Company and Subprocessors located primarily in Australia, the United States and countries within the European Union.

11. Warranties

We warrant that:

(a) you may withdraw your consent for us to process your Data at any time at which time the process under clause 13 will be followed;  

(b) we will process your Data in compliance with your instructions and the Privacy Policy. If we cannot provide such compliance for whatever reason, we will inform you promptly of our inability to comply, in which case you are entitled to suspend the transfer of Data and/or terminate your contract with us;

(c) we will not vary or modify the Privacy Policy without notifying you and obtaining your consent;

(d) we have no reason to believe that any Law prevents us from fulfilling the terms of the Privacy Policy. In the event of a change in the Law that is likely to have a substantial adverse effect on the warranties and obligations provided under the Privacy Policy, we will promptly notify you of the change as soon as we become aware, in which case you are entitled to suspend the transfer of Data and/or terminate your contract with us;

(e) we will implement and maintain appropriate technical and organisation measures to meet the requirements of the Australian Privacy Act 1988 (Cth) and the GDPR. This does not alter your own obligations under these legal regimes;

(f) we will only use your Data for the purposes for which it is provided by you;

(g) we will not sell or otherwise redistribute to third parties the Data we collect from you;

(h) we will promptly notify you of:

(i) any legally binding request for disclosure of the Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any unauthorised access to or disclosure of Personal Information or any circumstances that are likely to give rise to such unauthorised access or disclosure, where there is a likely risk of serious harm to any Data Subject as a result of the unauthorised access or disclosure; and

(iii) any request received directly from one of your customers or a Data Subject, without responding to that request, unless we have been otherwise authorised by you to do so;

(i) we will deal promptly and properly with all inquiries from you relating to the processing of your Data and we will abide by the advice of any Supervisory Authority with regard to the processing of the Data transferred; and

(j) the processing services by any Subprocessor will be carried out in accordance with clause 20.

12. Survival

The Privacy Policy will survive termination of the EULA and will remain in effect until we have deleted all of your Data.

13. Termination

On termination, you will have the choice of having all Data transferred to you or the Data being destroyed, unless Laws imposed on us prevent us from returning or destroying all or part of the Data. If we cannot return or destroy the Data, we warrant that we will guarantee the confidentiality of the Data and will not actively process the Data after termination.

14. Audit of measures

(a) Where you are required by a Supervisory Authority to demonstrate compliance with privacy obligations, we allow and contribute to audits, including inspections.

(b) We will submit our data processing facilities for an audit of the measures referred to in clause 14(a) at the request of you and/or the Supervisory Authority.

(c) We will promptly inform you of the existence of any Laws that prevent us from being audited.

15. Unsolicited information

(a) If you submit unsolicited User Data, we will use it in accordance with the Privacy Policy.

(b) If you submit unsolicited Personal Information and we determine that we could not have collected the Personal Information in accordance with the Privacy Policy, we will destroy the information or ensure that the information is de-identified as soon as practicable. Otherwise, the Personal Information will be used in accordance with the Privacy Policy.

16. European Union General Data Protection Regulation

(a) Clauses 17 to 21 apply only if you are a Data Controller.

(b) If you are a Data Controller, clause 22 will not apply and instead the Privacy Policy will be governed by the law of the country in which you reside or are incorporated.

17. Notifying the data protection authority

In the event that you receive a notification from us or any Subprocessor under clause 11(d) or 14(c), you must forward such notification to the Supervisory Authority if you decide to continue the transfer of Personal Information or to lift the suspension.

18. Liability

(a) Any Data Subject who has suffered damage as a result of any breach of the obligations referred to in clause 20 by us, a Subprocessor or yourself, is entitled to receive compensation from you for the damage suffered.

(b) Where either the Company or a Subprocessor has breached the obligations referred to in clause 20 and a Data Subject is unable to bring a claim for compensation in accordance with clause 18(a) because you have disappeared, ceased to exist in Law, or have become insolvent, the Data Subject may issue a claim against us, unless any successor entity has assumed your entire legal obligations by contract or by operation of law, in which case the Data Subject can enforce its rights against the successor entity.

19. Mediation and jurisdiction

(a) If the Data Subject invokes third-party beneficiary rights and/or claims compensation for damages under the Privacy Policy, we will accept the decision of the Data Subject to:

(i) refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority; or

(ii) refer the dispute to the courts in your country.

(b) The choice made by the Data Subject will not prejudice their substantive or procedural rights to seek remedies in accordance with other provisions of Law.

20. GDPR-compliant subprocessing

(a) In addition to our obligations under clause 8, we will not subcontract any of our processing operations performed on your behalf without your prior written consent.

(b) Where a Subprocessor is engaged to process your Data in accordance with clause 20(a), we will enter into a written agreement with the Subprocessor. A copy of this written agreement will be provided to you. Where the Subprocessor fails to fulfil its data protection obligations under the written agreement, we will remain fully liable to you for the performance of the Subprocessor’s obligations under such agreement.

(c) The prior written agreement between the Company and the Subprocessor will provide for:

(i) the imposition of the same obligations on the Subprocessor as are imposed on us under the Privacy Policy, as applicable;

(ii) if a Data Subject is not able to bring a claim against you or us as referred to in clause 18, arising out of a breach by the Subprocessor of any of its obligations referred to in the Privacy Policy because both you and the Company have disappeared, ceased to exist in Law or become insolvent, the Data Subject may issue a claim against the Subprocessor (unless any successor entity has assumed all of your or our legal obligations by contract or by operation of law as a result of which it takes on your or our rights and obligations in which case the Data Subject can enforce its rights against such entity). The liability of the Subprocessor will be limited to its own processing operations under the Privacy Policy;

(iii) the Supervisory Authority’s right to conduct an audit of the Subprocessor; and

(iv) the Subprocessor’s warranty that upon the request of you and/or the Supervisory Authority, it will submit its data processing facilities for an audit of the measures referred to in clause 14(a).

21. Your obligations under GDPR

As a condition of our provision of the Products to you, you agree to comply with all of your obligations under the GDPR.

22. Jurisdiction

Other than in accordance with clause 16(b), the Privacy Policy is governed by and construed in accordance with the laws of the State of New South Wales, Australia. You agree to submit any dispute arising out of your use of the Products to the exclusive jurisdiction of the State of New South Wales.

23. Making a complaint

You are entitled to lodge a complaint about our treatment of your Data with the relevant Supervisory Authority.

Before lodging a complaint with a Supervisory Authority, we encourage you to first attempt to resolve the complaint by contacting us using the details below. We will respond to your complaint within 30 days.

24. Contact

If you have any questions about our Privacy Policy or our information practices, please contact our data protection officer:

Nicholas Muldoon
nick@easyagile.com
+61 447 541 202

If you no longer wish to receive communications from us, please unsubscribe at https://easyagile.com/unsubscribe .


Development Workflow

We have a backlog that is ordered in terms of our vision for the product coupled with key customer feature requests. Team members pull stories from the backlog as capacity allows. Typically their first step is to write tests to assert the behaviour we expect. From there they will write code to make tests pass, and then refactor as needed.

When a team member is ready for code review they add two of their colleagues to a pull request. Their colleagues review the code for consistency, sanity, and against the acceptance criteria of the user story. There are usually a few comments of things to consider, tidy up or change, and these are then incorporated.

During the code review we also begin user acceptance testing of the functionality in both Jira Cloud and Server. At this point we're trying to ensure that what we deliver makes sense from a customer's perspective. This often turns up UI/UX improvements for the story, which are then included in the pull request.

Once the pull request has been approved the development branch is merged into our staging branch where we do final user acceptance testing before release. Once we are happy with the results we merge into the master branch which always represents what is in production.

In the case of Jira Cloud the feature is then deployed automatically and customers begin to see the new version immediately. For Jira Server we select a commit on master that contains the desired functionality, we then tag that with a version number and perform a manual release to Atlassian Marketplace.

On every commit to the development branch unit and functional tests are automatically run. Pre-commit hooks exist on the master branch which prevent a merge in the event a pull request has not been approved or tests are not passing.


Infrastructure Access

Build, test and deployment automation means Easy Agile Team Members do not require or have access to production infrastructure.

Infrastructure is in code (Amazon Web Services CloudFormation Templates) enabling us to test changes in test and staging environments before rolling those changes to production environments.

We leverage a Cloud access management platform and enforce team members' use of randomly generated passwords (1Password) plus Two Factor Authentication for accessing service providers.