Download PDF
Download page Security.
Security
This page applies only to Awesome Graphs for Bitbucket Cloud and does not apply to Awesome Graphs for Bitbucket Data Center. You can read about our security practices in regards to Awesome Graphs for Bitbucket Data Center here.
The security of Stiltsoft Europe ("Stiltsoft Europe", "we" or "our") customers' data is our highest priority, and we follow the best practices to keep your data safe.
Overview
Awesome Graphs for Bitbucket app (the “App”) is part of the Bug Bounty Program, which helps detect security vulnerabilities faster and increase the overall security level for our customers.
Our cloud security strategy is based on the CSA Cloud Controls Matrix (CCM). We also use CAIQ-Lite as a baseline mechanism to express our security posture and to provide security control transparency. The completed CAIQ-Lite questionnaire can be obtained upon request in our support system via the Whistic platform.
If you have questions or feedback regarding security with Awesome Graphs or would like to report a security vulnerability, please send an email to support@stiltsoft.com or create a request in the support system.
Secure development
We follow the best practices and frameworks to ensure the highest level of security in our software:
- Regular security trainings for developers to learn about common vulnerabilities and threats
- Code review for security vulnerabilities
- Regular update of the dependencies
- Static Application Security Testing (SAST) to detect vulnerabilities in our codebase
- Software Composition Analysis (SCA) tools to keep track of open source components used by your applications
Employee Access to Customer Data
The App’s team does not have access to user data. Our employees connect to the infrastructure via secure communication channels with several levels of protection.
Working on a support issue we only access the minimum data needed to resolve the issue.
Product Security
Users get access to the App only by logging into Bitbucket. The App uses the Atlassian Connect that relies on HTTPS and JWT authentication to secure communication between the App, the Atlassian product, and the user. Awesome Graphs doesn't work with or store any passwords or credentials, as users use the App only in conjunction with Bitbucket.
Please learn more about Atlassian Connect security.
Permissions
The maximum set of actions Awesome Graphs may perform is expressed in the scopes in the App descriptor and is presented to the administrator during installation. This security level is enforced by Atlassian Connect and cannot be bypassed by app implementations.
Here is the list of all used scopes:
account
— ability to see all the user's account information.email
— ability to see the user's primary email address.repository
— gives the App read access to all the repositories the authorizing user has access to.pullrequest
— gives the App read access to pull requests and collaborate on them.webhook
— gives access to webhooks. This scope provides read access to events payloads such asrepo:push
,repo:updated
,pullrequest:created, pullrequest:updated
, etc., and is used to synchronize data changes in our database with changes in Bitbucket.
All listed scopes allow only reading the information and do not include any ability to mutate any of the data.
Learn more in the scopes documentation.
Source Code Protection
Due to the Bitbucket scopes' granularity peculiarities, the repository scope allows the App to not only read the commit metadata but also to read the repository files themselves. Nevertheless, the App doesn't work with repository files directly, doesn't clone repositories, and never writes to repositories. The App interacts with Bitbucket through the standard Bitbucket REST API and only persists the metadata to the database.
At the moment, we’re using the following endpoints:
GET /2.0/repositories/{workspace}
GET /2.0/workspaces/{workspace}/permissions/repositories
GET /2.0/workspaces/{workspace}/permissions/repositories/{repo_slug}
GET /2.0/repositories/{workspace}/{repo_slug}
GET /2.0/repositories/{workspace}/{repo_slug}/commits
GET /2.0/repositories/{workspace}/{repo_slug}/commit/{commit}
GET /2.0/repositories/{workspace}/{repo_slug}/diffstat/{spec}
GET /2.0/repositories/{workspace}/{repo_slug}/pullrequests
GET /2.0/workspaces/{workspace}/members
GET /2.0/user
GET /2.0/users/{selected_user}
GET /2.0/users/{selected_user}/properties/{app_key}/{property_name}
The access is needed to collect commit metadata required to promptly build and render graphs when loading pages.
Please learn more about the data collected by the App.
Uptime
The App has uptime of 99.99% or higher. You can check our current and historic status at https://stats.uptimerobot.com/2v39XSVKP6.
Network and Application Security
The App hosts its infrastructure and data in Amazon Web Services (AWS) in the US East (Northern Virginia) region (us-east-1).
Failover and Disaster Recovery
Our systems were designed and built with disaster recovery in mind. Our infrastructure is spread across two AWS availability zones in one region. The live data is stored in one of these availability zones and will be recovered from the backup stored in the other zone in case of an infrastructure failure.
Backups and Monitoring
Awesome Graphs uses automation to backup all data stores that contain customer data. We back up all our critical assets and test these backups regularly to guarantee a fast recovery in case of disaster. All our backups are encrypted.
On an application level, we use logs for all activity in combination with the Datadog monitoring service. The app also uses Sentry.io, a client-side error monitoring tool that helps us discover, triage, and prioritize app errors in real-time.
Encryption
All data sent to or from Awesome Graphs for Bitbucket systems is encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. We use only AWS-managed network components and policies enforcing TLS with strong ciphers and key lengths, where supported by the browser.
All data stored by the App is located in an encrypted AWS RDS instance.
Data Isolation
All customer data is stored in a secured and encrypted database. The App's compute and storage are shared among the tenants. Secure logical tenant isolation is implemented on a database level with PostgreSQL Row Level Security, which excludes the violation of isolation even in case of developer's mistake in code and ensures that no tenant can gain access to another tenant’s data.
Virtual Private Cloud
All of our servers are located within our own virtual private cloud (VPC) in a dedicated AWS account with network access controls preventing unauthorized connections to internal resources.
Data retention and removal
We retain client's data for no more than 60 days from the moment the App was deleted from a workspace. If a client reinstalls the App, they have their data already pre-configured.
After 60 days since the removal of the App, all client's data is automatically deleted from the live production but remains in encrypted database backups for another 35 days.
On the expiry of 35 days, the data backups are wiped and all data will be automatically deleted forever. Every user can request the removal of usage data by contacting support or deleting his account.
You can learn more about our Data Retention Policy here.
Pentests and Vulnerability Scanning
Awesome Graph uses third-party security tools to continuously scan for vulnerabilities and participate in the Atlassian Marketplace Bug Bounty Program for crowdsourcing vulnerability discovery.
Incident Response
Awesome Graphs for Bitbucket implements an Incident Response Policy for handling security events which includes escalation procedures, rapid mitigation, and post mortem. All employees are informed of our policies.
Additional Security Information
Stiltsoft Europe makes an ongoing effort to reinforce good security practices and build a mature security program.
Policies
Stiltsoft Europe has developed a set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Security awareness
All Stiltsoft Europe employees, including the Awesome Graphs team members, explore and study security aspects of web application development and exchange experience between teams on an ongoing basis.
Headquarters security
Stiltsoft Europe headquarters employs door personnel and badge access is required at all hours. Visitors are required to sign in and be escorted at all times.
PCI Obligations
When you purchase a paid Awesome Graphs for Bitbucket subscription, your credit card data is processed by Paddle. Paddle is PCI DSS compliant, which means that they do not directly store card information and are PCI Compliant for web transactions only.
As a result, Awesome Graphs for Bitbucket do not store, process, and transmit cardholder data either physically or virtually.
Compliance
GDPR Commitment Statement
We’re committed to helping Awesome Graphs users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR was designed to align and strengthen data protection laws throughout Europe to ensure that EU data subjects have greater rights regarding their personal data.
We value your trust and are dedicated to protecting your privacy.
Please see our general Privacy Policy and the App-specific Privacy Policy for more details.
Data Processing Addendum
To sign the DPA, email us at support@stiltsoft.com, after which we will send you a PDF with a DPA signed by us, which you'll need to sign and send back to us.
Current Awesome Graphs Third-Party Subprocessors
For the list of the sub-possessors and the categories of data they collect please refer to our App-specific Privacy Policy.
Reporting An Issue
We appreciate your input and feedback on our security, as well as responsible disclosure.
In case you've identified a security concern, please email us at support@stiltsoft.com or create a request in our support system. We'll work with you to make sure we understand the issue and address it promptly.
White hat researchers are always appreciated, and we won't take legal action against you if you act accordingly.