Security & Privacy
The Easy Agile team takes security seriously. We know we're not infallible and we are always working to improve our security practices. Below we detail our current practices.
Security Vulnerability
We align with the Security Severity Levels published by Atlassian, and as a Platinum Atlassian Marketplace Partner we adhere to their security requirements for Cloud applications.
We participate in the Atlassian Marketplace Security Bug Bounty Program.
If you believe you have found or experienced a security vulnerability with an Easy Agile product or service please raise a security incident.
Jira Cloud
All of your Jira issue / project / user data is kept in your Jira Cloud instance. Your Jira data is never stored by our add-on servers. Our addons are simple, static javascript applications which run entirely in your browser. They retrieve the data they require directly from your Atlassian Cloud instance.
Our Jira Cloud versions require the following Atlassian Connect Permissions (Scopes): Read, Write, Delete and Project Administration. Project Administration is needed for the creation and updating of Versions.
As the product is delivered as a static, client-side add-on, the requests to read, create or update Jira data are made by the account of the person using the addon. When you install the add-on you will see a new user added automatically to the Jira Software projects (e.g. Easy Agile User Story Maps for Jira (addon_com.kretar.Jira.plugin.user-story-map)) under the role 'atlassian-addons-project-access'.
We follow the Atlassian guidelines for security:
App Security Incident Management Guidelines for Atlassian Marketplace Vendors
Security Guidelines and Best Practices for Atlassian Marketplace Vendors
We have completed the lite version of the Consensus Assessments Initiative Questionnaire(CAIQ), a survey provided by the Cloud Security Alliance for Cloud consumers and auditors to assess our security capabilities as a Cloud app vendor.
You can find our responses to this questionnaire here.
Error reporting
Easy Agile Products utilise an error reporting service, bugsnag, to assist us in providing higher quality software and quickly diagnosing errors which occur in Easy Agile code running in the browser. No data is ever transmitted from your Jira Server. This information helps us quickly pinpoint issues to help quickly resolve support requests, or ship fixes before support requests are raised. A win-win for everyone.
No Personally Identifiable Information is included in the bugsnag payload events sent.
Key points
Only errors which originate from within Easy Agile code are transmitted.
All business-sensitive information is redacted, such as:
The URL of the Jira instance
Any project keys
Any issue keys
Usernames or any other personally identifiable information
We do include the license Support Entitlement Number (SEN) to improve your customer support experience. For example, in the event you experience an error and raise a support request we are able to diagnose the problem quicker. We also collect an anonymous and random unique identifier for each browser session, this unique identifier (UUID) is not tied to, or seeded from, a user's personally identifiable information.
How do I disable the in-app ‘Welcome’ video with sign up form for all my users?
To disable the Product Intro, you will need to disable the ‘EA Product Intro’ module in the app.
Here are steps to walk you through this process:
Navigate to the 'Manage Apps' page under the Administrator menu
Navigate to 'Easy Agile Programs' from your list under 'User-installed apps'
To the right of the Programs listing, expand the 'Modules Enabled' dropdown
Find 'EA Product Intro' from the list of modules, and select 'Disable'
Please note: This is only available for Data Center & Server customers
What analytics does Easy Agile Programs capture and why?
Easy Agile captures analytics events from our products so that we can better understand how they are being used, and identify opportunities for improvement. The analytics data captured is stored in a private analytics database hosted by Amazon Web Services in the United States of America. This data is also sent to Amplitude, a third party analytics platform to query and visualise analytics data to make informed decisions about product development.
For more information on how Amplitude stores this data see here.
No Personally Identifiable Information is captured in our analytics events.
To improve your customer support experience, the analytics data we collect includes the license Support Entitlement Number (SEN). This is so that we are able to more quickly and accurately diagnose problems when you raise a support request.
We also collect an anonymous and random unique identifier for each browser session. This unique identifier (UUID) is not tied to, or seeded from, personally identifiable information.
Example analytics event data we receive:
Add-on Key | SEN (Support Entitlement Number) | Action | Event Data | Timestamp | Version |
---|---|---|---|---|---|
com.easyagile.programs | SEN-XXXXXXX | eap-rendered | {"route": "/plugins/servlet/eap/program/:programId/increment/:incrementId", "boardType": null, "isConnect": false, "eapVersion": "1.0.4", "browserName": "Chrome", "jiraVersion": "8.5.1", "screenWidth": 1920, "windowWidth": 1920, "loadDuration": 18849, "projectCount": 0, "screenHeight": 1080, "windowHeight": 937, "browserVersion": "79", "estimationType": "n/a", "screenFormatted": "1920x1080", "windowFormatted": "1920x937", "completeLoadDuration": 18849} | 2017-03-20 22:54:39.488+00 | 2.3.0 |
com.easyagile.programs | SEN-XXXXXXX | backlog-toggled | 2017-03-20 22:53:22.433+00 | 1.2.3-AC |
How do I disable the analytics events from Easy Agile Programs from being sent to Easy Agile?
To disable analytics events being sent to us, you will need to disable the 'eap-load-analytics' module in the app.
Here are steps to walk you through this process:
Navigate to the 'Manage Apps' page under the Administrator menu
Navigate to 'Easy Agile Programs' from your list under 'User-installed apps'
To the right of the Easy Agile Programs listing, expand the 'Modules Enabled' dropdown
Find 'EA Analytics' from the list of modules, and select 'Disable'
Where can I read Easy Agile’s Privacy Policy?
The Easy Agile Privacy Policy is available on our website at Privacy Policy.
Development Workflow
We have a backlog that is ordered in terms of our vision for the product coupled with key customer feature requests. Team members pull stories from the backlog as capacity allows. Typically their first step is to write tests to assert the behaviour we expect. From there they will write code to make tests pass, and then refactor as needed.
When a team member is ready for code review they add two of their colleagues to a pull request. Their colleagues review the code for consistency, sanity, and against the acceptance criteria of the user story. There are usually a few comments of things to consider, tidy up or change, and these are then incorporated.
During the code review we also begin user acceptance testing of the functionality in both Jira Cloud and Server. At this point we're trying to ensure that what we deliver makes sense from a customers perspective. This often turns up UI/UX improvements for the story which are then subsequently included in the pull request.
Once the pull request has been approved the development branch is merged into our staging branch where we do final user acceptance testing before release. Once we are happy with the results we merge into the master branch which always represents what is in production.
In the case of Jira Cloud the feature is then deployed automatically and customers begin to see the new version immediately. For Jira Server we select a commit on master that contains the desired functionality, we than tag that with a version number and perform a manual release to Atlassian Marketplace.
On every commit to the development branch unit and functional tests are automatically run. Pre-commit hooks exist on the master branch which prevent a merge in the event a pull request has not been approved or tests are not passing.
Infrastructure Access
Build, test and deployment automation means Easy Agile Team Members do not require or have access to production infrastructure.
Infrastructure is in code (Amazon Web Services CloudFormation Templates) enabling us to test changes in test and staging environments before rolling those changes to production environments.
We leverage a Cloud access management platform and enforce team members use of randomly generated passwords (1Password) plus Two Factor Authentication for accessing service providers.