Pivot Report has two types of Add-Ons on the Atlassian Marketplace.
Pivot Report uses DigitalOcean to host its cloud hosted add-on components, saved data and log information. Vendor representatives are responsible for provisioning, monitoring and maintaining the Digital Ocean infrastructure required to support Cloud Add-On.
Data is hosted in California, United States.
DigitalOcean security policy is described in corresponding document.
If you use firewall, you may need to add DigitalOcean server with Pivot Report components to your whitelist:
Account Data: data that is required for license validation of the customer instance, provided and generated by Atlassian. Each web request, from and to JIRA Cloud, is authenticated and authorized before access is allowed, and all communication is secured through SSL (https). For troubleshooting purposes this data is stored for a period up to 30 days.
Session Data: Source data for report generation (issue id, board id, etc.) is provided and generated by Atlassian from each customer’s use. This data is stored for product analytics and performance monitoring for a period up to 30 days.
Private Data: usernames and emails, summary and description of the issues, names of boards, filters and etc. This data is passed from Atlassian servers to user browser directly, is not passed to the Add-On and therefore is neither collected, nor stored.
Add-On Settings: permission and Portfolio support settings, user settings for columns and tables display are stored within JIRA instance on Atlassian servers.
Saved reports: settings for saved reports such as name, source and other configuration parameters. This data is saved on the Add-On side until deleted by user.
Data is backed up once per day.
Only Cloud Add-On Developers or Support Engineers have access to the DigitalOcean platform hosting our Cloud Add-Ons. They only have access to the application data to perform system or application support purposes.
HTTPS and SSH are the only protocols available to our cloud platform. SSH access is limited to Cloud Add-On Support Engineers. SSH access is restricted to known trusted internal networks with key-based authentication.
Our platform is micro-service based which is also layered into public and internal/private. Each one of these services is responsible for its own data and provides its own access controls. We will also ship and monitor logs from these micro-services which we alert if abnormal behaviour is detected.
Customers are responsible for maintaining the security of their own login information.
Metrics: Application metrics are stored for analysis and reporting in order for us to monitor the application performance. This includes anonymized organization data but no individual data. Users can turn off data collection in the Add-On settings, so there will be no information passed out of the JIRA instance.