Last updated: 8 November 2024
Do Async Security Statement
Do Async is an Atlassian Marketplace partner, and we are bound by the Atlassian Marketplace Partner Agreement to provide industry-standard security measures.
Do Async uses the Heroku, Cloudflare and Amazon Web Services (AWS) platforms to build, deploy and serve applications. Heroku, Cloudflare and AWS take many security measures to prevent security and stability issues. For more information about security on those platforms see:
In this document, we provide a short overview of security measures and actions taken by Heroku, Cloudflare, AWS, Atlassian, and Do Async to make sure your data is safe and secure.
Vulnerability Reporting
If you are an Async Poker customer and you would like to report a vulnerability or have a security concern regarding Async Poker, please email [email protected].
Security Assessments and Compliance
Data Centers
Async Poker uses Heroku to host the application. Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Penetration Testing and Vulnerability Assessments
Marketplace Security Bug Bounty Program
Do Async participates in the bug bounty program with its Async Poker For Jira application.
The bug bounty program is one of the most powerful post-production tools to help detect vulnerabilities in applications and services. For additional information see: https://developer.atlassian.com/platform/marketplace/marketplace-security-bug-bounty-program/
Ecoscanner
Ecoscanner is a platform that performs security checks against all Atlassian Marketplace cloud apps on an ongoing basis. This helps continuously monitor our cloud apps for common security vulnerabilities.
For additional information see: https://developer.atlassian.com/platform/marketplace/ecoscanner/
OWASP Dependency-Check
Each day and before each deployment, we run a dependency check to detect publicly disclosed vulnerabilities in the project’s dependencies.
For more information see: https://owasp.org/www-project-dependency-check/
Heroku Platform testing
Third-party security testing of the Heroku application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team.
Physical Security
Async Poker uses Heroku, which utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges.
For additional information see: https://aws.amazon.com/security
Network Security
All of our traffic is served by Cloudflare, which is a global cloud platform designed to make everything you connect to the Internet secure, private, fast, and reliable.
For more information about network security (e.g. Firewalls, DDoS Mitigation, Spoofing and Sniffing Protections, Port Scanning) see:
- https://www.heroku.com/policy/security
- https://developers.cloudflare.com/waf/
- https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/
Data Security
We fulfill all security requirements for cloud apps defined by Atlassian. We use the Atlassian Connect framework created and maintained by Atlassian.
Heroku Postgres
We store data provided by customers in Heroku PostgreSQL. Connections to PostgreSQL databases require SSL encryption to ensure a high level of security and privacy.
For more information see: https://www.heroku.com/policy/security
Data encryption
All data is encrypted at rest with AES-256, block-level storage encryption. Keys are managed by Amazon, and individual volume keys are stable for the lifetime of the volume. You can find more detail about EBS encryption here.
Backups
Applications
Our applications deployed to the Heroku platform are automatically backed up as part of the deployment process on secure, access controlled, and redundant storage by Heroku.
Postgres Database
Continuous Protection keeps data safe on Heroku Postgres. Every change to application data is written to write-ahead logs, which are shipped to multi-datacenter, high-durability storage. In the unlikely event of unrecoverable hardware failure, these logs can be automatically 'replayed' to recover the database to within seconds of its last known state.
Additionally, we automatically back up our databases every 24 hours and keep those backups in secure Heroku storage.
Heroku Platform
From Heroku instance images to Heroku databases, each component is backed up to secure, access-controlled, and redundant storage. The Heroku platform allows for recovering databases to within seconds of the last known state, restoring system instances from standard templates, and deploying customer applications and data. In addition to standard backup practices, Heroku’s infrastructure is designed to scale and be fault tolerant by automatically replacing failed instances and reducing the likelihood of needing to restore from backup.
Disaster Recovery
Applications and Databases
The Heroku platform automatically restores our applications and Heroku Postgres databases in the case of an outage. The Heroku platform is designed to dynamically deploy applications within the Heroku cloud, monitor for failures, and recover failed platform components including applications and databases.
For more information see: https://www.heroku.com/policy/security