The security of Stiltsoft ("Stiltsoft", "we" or "our") customers' data is our highest priority, and we follow the best practices to keep your data safe.

Overview

The izi LMS for Confluence app (the “App”) takes part in the Bug Bounty Program, which helps detect security vulnerabilities faster and raises the overall security level for our customers.

Our cloud security strategy is based on the CSA Cloud Controls Matrix (CCM). We also use CAIQ-Lite as a baseline mechanism to express our security posture and to provide security control transparency. The completed CAIQ-Lite questionnaire can be obtained upon request in our support system via the Whistic platform.

If you have questions or feedback regarding security with izi LMS or would like to report a security vulnerability, please create a request in the support system.

Secure development

We follow established best practices and frameworks to ensure the highest level of security in our software:

  • Regular security training for developers on common vulnerabilities and threats
  • Code review for security vulnerabilities
  • Regular updates of dependencies
  • Software Composition Analysis (SCA) to detect vulnerable components in our codebase

Employee Access to Customer Data

The App’s team does not have access to user data. In cases where they have to access the user data in order to perform support services or to respond to an incident, we will ask for your consent. Our employees connect to the infrastructure via secure communication channels with several levels of protection.

When working on a support issue, we access only the minimum data needed to resolve it.

Product Security

Users who are course/quiz creators get access to the App only by logging into Confluence. Course/quiz participants get access to the App by logging into Confluence if they were enrolled as Confluence users. If a person is enrolled in a course/quiz as an external participant, they can access the portal where the course/quiz is displayed by following their unique link from an email notification. The App uses Atlassian Connect, which relies on HTTPS and JWT authentication to secure communication between the App, the Atlassian product, and the user. izi LMS doesn't work with or store any passwords or credentials, as users use the App only in conjunction with Confluence.

Please learn more about Atlassian Connect security.
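To make the JWT part of that model concrete, here is an added example (not izi LMS or Atlassian code) of how a Connect app verifies an incoming request from the Atlassian host. It assumes the app stored the tenant's clientKey and sharedSecret from the Connect installation event, that tokens are HS256-signed, and that the query-string hash (qsh) follows the published Connect canonical-request rules; the client key, secret and URLs are constructed for the demo. Verifying the qsh is what binds the token to one specific request, so a token captured from one call cannot be replayed against another.

```python
"""Server-side check of an Atlassian Connect request (HS256 JWT + qsh).

Added illustration, not izi LMS or Atlassian code. Assumes the tenant's
clientKey/sharedSecret were persisted at installation and that the qsh
follows the published Connect canonical-request rules. All keys, secrets
and URLs are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed tenant record; a real app persists this from the "installed" event.
INSTALLATIONS = {"constructed-client-key": "constructed-shared-secret"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_query_hash(method: str, path: str, params: dict) -> str:
    """qsh = SHA-256 hex of 'METHOD&path&sorted-params', excluding the jwt param."""
    enc = lambda s: quote(s, safe="")                      # RFC 3986 percent-encoding
    canonical_path = (path.rstrip("/") or "/").replace("&", "%26")
    encoded = {}
    for key, values in params.items():
        if key == "jwt":
            continue
        vals = values if isinstance(values, list) else [values]
        encoded[enc(key)] = ",".join(sorted(enc(v) for v in vals))   # multi-values joined by ','
    query = "&".join(f"{k}={encoded[k]}" for k in sorted(encoded))
    canonical = f"{method.upper()}&{canonical_path}&{query}"
    return hashlib.sha256(canonical.encode()).hexdigest()


def _qsh_for(method: str, url: str) -> str:
    u = urlparse(url)
    return canonical_query_hash(method, u.path, parse_qs(u.query, keep_blank_values=True))


def mint_connect_jwt(client_key: str, secret: str, method: str, url: str,
                     now: Optional[float] = None, ttl: int = 180) -> str:
    """Build a token the way the Atlassian host does; used here only for the demo."""
    now = time.time() if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": client_key, "iat": int(now), "exp": int(now) + ttl,
              "qsh": _qsh_for(method, url)}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_connect_jwt(token: str, method: str, url: str,
                       now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise ValueError on any failure."""
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = pieces
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    if header.get("alg") != "HS256":                    # pin the algorithm; never honour 'none'
        raise ValueError("unexpected alg")
    secret = INSTALLATIONS.get(claims.get("iss"))       # iss is the tenant's clientKey
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("qsh") != _qsh_for(method, url):      # binds the token to this exact request
        raise ValueError("qsh mismatch: token issued for a different request")
    return claims


def connect_request_ok(token: str, method: str, url: str,
                       now: Optional[float] = None) -> bool:
    """Boolean wrapper for request handlers that only need accept/reject."""
    try:
        verify_connect_jwt(token, method, url, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    url = "https://app.example.invalid/izi/course?spaceKey=DOC&expand=body.view"
    tok = mint_connect_jwt("constructed-client-key", "constructed-shared-secret", "GET", url)
    print(verify_connect_jwt(tok, "GET", url + "&jwt=" + tok)["iss"])
```

The checks are ordered so that the cheapest rejections (malformed token, unknown tenant) happen before the HMAC comparison, and the qsh check runs last because it depends on the request the handler actually received, not on anything inside the token.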

Permissions

The maximum set of actions izi LMS may perform is expressed in the scopes in the App descriptor and is presented to the administrator during installation. This security level is enforced by Atlassian Connect and cannot be bypassed by app implementations.

Here is the list of all scopes used:

  • READ - View, browse, read information from Confluence.
  • WRITE - Can create or edit content in Confluence, but not delete it.
  • ACT_AS_USER - Access content using the permissions of the user running the app.
  • ACCESS_EMAIL_ADDRESSES - Get the email addresses of users.

All listed scopes allow only reading the information and do not include any ability to mutate any of the data.

Learn more in the scopes documentation.

Source Code Protection

Due to the Confluence scopes' granularity peculiarities, the repository scope allows the App to not only read the commit metadata but also to read the repository files themselves. Nevertheless, the App doesn't work with repository files directly, doesn't clone repositories, and never writes to repositories. The App interacts with Confluence through the standard Confluence REST API and only persists the metadata to the database.

At the moment, we’re using the following endpoints:

  • GET /wiki/rest/api/content/{id}
  • GET /wiki/rest/api/content/{id}/label
  • GET /wiki/rest/api/content/{id}/restriction
  • PUT /wiki/rest/api/content/{id}/restriction
  • POST /wiki/rest/api/content/{id}/restriction
  • GET /wiki/rest/api/content/{id}/property
  • POST /wiki/rest/api/content/{id}/property
  • GET /wiki/rest/api/content/{id}/history/{version}/macro/id/{macroId}
  • GET /wiki/rest/api/user
  • GET /wiki/rest/api/user/memberof
  • GET /wiki/rest/api/user/email/bulk
  • GET /wiki/rest/api/group
  • POST /wiki/rest/api/contentbody/convert/{to}
  • GET /wiki/rest/api/space/{spaceKey}
  • POST /wiki/rest/api/space/_private
  • GET /wiki/rest/api/settings/lookandfeel
  • GET /wiki/rest/api/search
  • GET /wiki/rest/api/search/user
  • GET /wiki/rest/api/content/search

Please learn more about the data collected by the App.

Network and Application Security

The App hosts its infrastructure and data in Amazon Web Services (AWS) in the US East (Northern Virginia) region (us-east-1).

Failover and Disaster Recovery

Our systems were designed and built with disaster recovery in mind. Our infrastructure is spread across two AWS availability zones in one region. The live data is stored in one of these availability zones and will be recovered from the backup stored in the other zone in case of an infrastructure failure.

Backups and Monitoring

izi LMS uses automation to back up all data stores that contain customer data. We back up all our critical assets and test these backups regularly to guarantee a fast recovery in case of disaster. All our backups are encrypted.

The App also uses Sentry.io, a client-side error monitoring tool that helps us discover, triage, and prioritize app errors in real time.

Encryption

All data sent to or from izi LMS for Confluence systems is encrypted in transit over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. We use only AWS-managed network components and policies enforcing TLS with strong ciphers and key lengths, where supported by the browser.

Virtual Private Cloud

All of our servers are located within our own virtual private cloud (VPC) in a dedicated AWS account with network access controls preventing unauthorized connections to internal resources.

Data retention and removal

We retain clients' data for no more than 60 days after the App is deleted from a workspace. If a client reinstalls the App within that period, their data is already in place.

60 days after the removal of the App, all of the client's data is automatically deleted from live production but remains in encrypted database backups for another 35 days.

When those 35 days expire, the backups are wiped and all data is permanently deleted. Every user can request the removal of usage data by contacting support or by deleting their account.

You can learn more about our Data Retention Policy here.

Pentests and Vulnerability Scanning

izi LMS uses third-party security tools to continuously scan for vulnerabilities and participates in the Atlassian Marketplace Bug Bounty Program to crowdsource vulnerability discovery.

Incident Response

izi LMS for Confluence implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation, and post-mortem analysis. All employees are informed of our policies.

Additional Security Information

Stiltsoft makes an ongoing effort to reinforce good security practices and build a mature security program.

Policies

Stiltsoft has developed a set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Security awareness

All Stiltsoft employees, including the izi LMS team members, explore and study security aspects of web application development and exchange experience between teams on an ongoing basis.

Headquarters security

Stiltsoft headquarters employs door personnel and badge access is required at all hours. Visitors are required to sign in and be escorted at all times.

Compliance

GDPR Commitment Statement

We’re committed to helping izi LMS users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR was designed to align and strengthen data protection laws throughout Europe to ensure that EU data subjects have greater rights regarding their personal data.

We value your trust and are dedicated to protecting your privacy.

Please see our general Privacy Policy and the App-specific Privacy Policy for more details.

Data Processing Addendum

To sign the DPA, please create a request in our support system, after which we will send you a PDF with a DPA signed by us, which you'll need to sign and send back to us. 

Current izi LMS Third-Party Subprocessors

For the list of the subprocessors and the categories of data they collect, please refer to our App-specific Privacy Policy.

Reporting An Issue

We appreciate your input and feedback on our security, as well as responsible disclosure.

In case you've identified a security concern, please create a request in our support system. We'll work with you to make sure we understand the issue and address it promptly. 

White hat researchers are always appreciated, and we won't take legal action against you provided you act in accordance with responsible disclosure.