Data Security

Last updated June 12, 2017

WHAT DATA DO WE STORE?

Allstacks makes every effort to bring you insights about your organization without storing any sensitive data.  To that end, we only store metadata about your organization and your organization’s tools.  We do not store full copies of source code, documentation, or private communication.  Where our platform does inspect this data for analysis, it is collected, processed, and then immediately purged.  We do not access or store private communication.

From each of your tools, we do store the following data for data presentation:

  • Usernames and/or email addresses
  • Repository metadata [including project identifying information and statistics, pull request identifying information and statistics, commit identifying information and statistics, and issue identifying information and statistics]
  • Project management metadata [including project identifying information and statistics, issue identifying information and statistics, and user access statistics]
  • Unstructured communication on public forums and channels [messages and comments]

What we don’t store:

  • Source Code or source code comments
  • Budget or financial information
  • Documentation or documentation contents
  • Customer information
  • Personal information of users of your tools
  • Personal information of customers, clients, or external parties
  • Private communication

Access Credentials:
Some software integrations only provide a “basic” authentication structure, which requires storing a username and password for access.  In those cases, we store those credentials in a secured database, salted and encrypted with a key stored externally to the database.

For access tokens, API tokens, OAuth, and OAuth 2.0 credentials, we store these tokens in a secured database, salted and encrypted with a key stored externally to the database.

Access credentials are persisted, unless the user removes the connection to the service.  This allows Allstacks to consistently update and refresh our data to provide you the most accurate and timely view.

 

HOW WE PROCESS METADATA

Allstacks processes data from a very large number of sources, and takes the privacy and sensitivity of your data very seriously.  After you explicitly grant access to each tool, Allstacks downloads specific data sets for processing.  Each data set undergoes a two-step process: (1) each download is scanned, and relevant metadata is stored in a persistent database; (2) this data is then processed to identify key metrics and insights, which are stored and presented on the platform.

 

WHERE IS YOUR PHYSICAL INFRASTRUCTURE?

Allstacks stores all data with Amazon Web Services, and as such, benefits from the secured, distributed, fault-tolerant environment provided by Amazon.  Detailed information on Amazon’s security practices can be found here: https://aws.amazon.com/security/.  Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.  Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

 

WHAT SECURITY POLICIES AND PROCEDURES DO ALLSTACKS STAFF FOLLOW?

Allstacks restricts access to production servers and databases to a select few staff members.  Security breaches are treated as the highest level of infraction, and offenders are immediately terminated.

Allstacks supports a number of security policies that help restrict access to customers’ data:

  1. Data processing servers have routine access audits.
  2. Production datastores have routine access audits.
  3. Credentials for production datastores are only provided to a limited number of staff, and rotated with new staff members.
  4. Access to production and live data test servers is restricted to automated tools in order to minimize the access levels needed by staff.
  5. Minimum password strength policies are in place.

 

DATA PROTECTION STATEMENT ACCESS

This document will be updated as features and security improvements are integrated into the system.  An updated copy can always be obtained by contacting Allstacks at support@allstacks.com and requesting an up-to-date copy of the data protection statement.