Security Policy
Effective Date: 28.07.2025
At Tegrilu SRL, we take the security of your data seriously. This Security Policy outlines the technical and organizational measures we use to protect your information when you use our Jira plugin and related services ("Service").
1. Data Encryption
- In Transit: All data transmitted between our systems and users is encrypted using TLS (HTTPS).
- At Rest: We encrypt sensitive data stored on our servers using industry-standard encryption mechanisms.
2. Authentication & Authorization
- We use OAuth 2.0 and/or Atlassian’s secure authentication flows for API access.
- Access tokens are stored securely and are never logged or exposed.
- Permissions requested are limited to the minimum required for the plugin to function.
3. Infrastructure Security
- Our services are hosted on [e.g., AWS, DigitalOcean] using hardened configurations.
- Servers are regularly updated and patched.
- Access to production systems is limited to authorized personnel and secured with SSH keys and multi-factor authentication (MFA).
4. Data Access and Controls
- Internal access to user data is strictly limited and monitored.
- We enforce the principle of least privilege (PoLP) for staff accounts.
- All administrative access is logged and auditable.
5. Backups and Disaster Recovery
- We perform regular, encrypted backups of user data.
- Backups are stored securely in geographically redundant locations.
- We regularly test our disaster recovery plan.
6. Incident Response
- We have a documented incident response plan.
- Security incidents are investigated and mitigated immediately.
- If a data breach occurs, affected users will be notified promptly in accordance with applicable laws.
7. Vulnerability Management
- We use automated tools to monitor for vulnerabilities in dependencies and systems.
- Security patches are applied as soon as reasonably possible.
- We conduct periodic internal reviews of our code and infrastructure.
8. Responsible Disclosure
If you discover a vulnerability in our system, we encourage responsible disclosure. Please contact us at security@example.com.
9. Subprocessors
We may use trusted third-party services (e.g., AWS, Atlassian, Stripe) as subprocessors. All subprocessors are bound by data protection and security obligations. For a full list, see our Subprocessor List.
10. Compliance
We strive to align with industry best practices and comply with regulations such as:
- GDPR (General Data Protection Regulation – EU)
- Atlassian Cloud Security Requirements
- Local data protection and privacy laws where applicable
11. Contact Us
If you have any questions or concerns about our security practices, contact us at:
📧 contact@aperta.red