Cenote Security Statement

This page describes Cenote's security policy for its cloud and server apps.

Data Security for Cloud Apps

  • We do not store Personally-Identifiable Information (PII) within our apps.
  • We always minimize the amount of information stored outside of the Atlassian Cloud infrastructure.
  • For information on the types of data that we do store in our Cloud apps, see the Cenote Privacy Policy.

Security Defect Policy

  • When defects are discovered, they are immediately triaged, and where applicable, rated using CVSS or other industry-standard scales for security defects.
  • For critical-rated defects, we issue security advisories and we proactively contact customers regarding the notice. Defects with a severity of "high" or lower are generally mentioned in product release notes. An archive of past product security notices is available in Product Security Notices.
  • We comply with the Atlassian Security Bug Fix Policy for Marketplace vendors, including defect resolution timelines.

Build Security

  • All of our developer workstations use full-disk encryption.
  • All commits to our source code are controlled through the Git revision control system.
  • Deployment of software to our production cloud environments is controlled with secure credentials and 2FA.
  • We regularly scan our software for security vulnerabilities using industry-standard security scanner tools.

Cloud Operational Security

  • Data stored by us outside of the Atlassian Cloud is stored in databases that are encrypted at rest with AES-256 block-level encryption.
  • We require TLS 1.2 or higher to access our apps.
  • All traffic is served over TLS (HTTPS).
  • All cookies are served with the HttpOnly and Secure attributes.
  • HSTS is enabled.