An Overview of Unito's Security Measures and Protocols

Learn all of the steps that Unito takes to ensure that your data and connections are protected.

What this article covers:
  • SOC 2

  • OAuth

  • Data

  • PCI

  • Encryption

  • Infrastructure and network

  • Security activities

  • Incident response

  • Personnel

At Unito, keeping your data secure is a top priority. Here are the steps we undertake and policies we enforce to ensure that your connections and data are fully safe.

SOC 2

Unito is SOC 2 Type 2 certified. The SOC 2 (System and Organization Controls) report is a globally-recognized security measure that rates a service provider's compliance with security, availability, and confidentiality best practices. More information on SOC 2 reports can be found here.

OAuth

We use the OAuth standard to authenticate you and obtain permission to access your tools. We never receive your passwords, and you can easily revoke access at any time. We are bound by the permissions and access rights of the OAuth user you designate for your connector, so we recommend using a dedicated bot user for complete control over what Unito can access.

Data

While we sync your item data, we don't store it. The data is encrypted in transit through HTTPS. Here's a breakdown of how we process the different types of data from the tools we synchronize:

  • Work Item Data: To precisely detect modifications in each tool, we compute checksums of field data and store only those checksums. The original item data cannot be recovered from the checksums, which means that data is never stored by us.

  • User Data: To accurately associate users in each tool (and synchronize assignees for example), we store the names and emails of active users.

  • File Data: We never store your file data (e.g. file attachments). If you choose to synchronize attachments, we support doing it either through links, "native" attachments in the case of Trello, or via streaming. In all cases, we never store your data. Read more on how we sync file attachments.

  • Credentials: Your credentials and your OAuth access tokens are fully encrypted (see Encryption below).

Read more in our privacy policy.
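As an added illustration (not Unito's own code), here is how checksum-based change detection of the kind described under Work Item Data can work: each field is reduced to a keyed SHA-256 digest, only the digests are stored, and the next sync compares digests to find what changed. The HMAC key and the sample item are constructed assumptions; keying the hash is an added hardening so that a low-entropy field value (such as a status of "Done") cannot be guessed offline from a stored digest.

```python
import hashlib
import hmac
import json

# Constructed demo secret (assumption); a real deployment would fetch it
# from a key management service rather than embedding it in code.
SECRET_KEY = b"demo-checksum-key-not-for-production"


def field_checksum(field_name: str, value) -> str:
    """HMAC-SHA256 over the canonical JSON of one field value.

    Canonical JSON (sorted keys, no extra whitespace) keeps the digest
    stable across tools that serialize the same value differently.
    Mixing in the field name prevents two fields with equal values from
    producing the same digest.
    """
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    msg = field_name.encode() + b"\x00" + canonical.encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def snapshot(item: dict) -> dict:
    """Reduce a work item to {field: checksum}; this is all that is stored."""
    return {name: field_checksum(name, value) for name, value in item.items()}


def detect_changes(stored: dict, current_item: dict) -> dict:
    """Compare stored checksums against a freshly fetched item.

    Returns sorted lists of modified, added and removed field names.
    Only digests are compared, so the stored side holds no item content.
    """
    fresh = snapshot(current_item)
    modified = [f for f in stored if f in fresh
                and not hmac.compare_digest(stored[f], fresh[f])]
    added = [f for f in fresh if f not in stored]
    removed = [f for f in stored if f not in fresh]
    return {"modified": sorted(modified), "added": sorted(added),
            "removed": sorted(removed)}


# Constructed sample: the same item as fetched on two consecutive syncs.
FIRST_SYNC = {"title": "Fix login bug", "status": "In Progress",
              "assignee": "alice@example.com", "labels": ["bug", "auth"]}
SECOND_SYNC = {"title": "Fix login bug", "status": "Done",
               "assignee": "alice@example.com", "labels": ["bug", "auth"],
               "resolution": "Fixed"}

if __name__ == "__main__":
    print(detect_changes(snapshot(FIRST_SYNC), SECOND_SYNC))
```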

PCI

Unito's payments are processed through Stripe, which is certified to PCI Service Provider Level 1. Unito never processes or stores credit card numbers. Please visit stripe.com/security for more information.

Encryption

All communications are encrypted over HTTPS/TLS. In particular, if you run Jira, GitHub or GitLab on your own servers, we require that you enable HTTPS.

Furthermore, sensitive data is encrypted at rest using the Advanced Encryption Standard (AES). We leverage industry-leading key management technologies, so we never store encryption keys ourselves.

Infrastructure and network

Unito runs in Amazon's AWS data centers, where our servers are isolated in a private network and protected at the network edge by application firewall technologies. To learn more about AWS certifications and security in general, refer to Amazon's documentation.

We access the APIs of applications from a set of fixed, identifiable IP addresses. This lets you optionally add extra IP-based security on your self-hosted servers of Jira, GitHub or GitLab.

Security activities

Unito's software development process includes systematic design and code reviews as well as security reviews. Unit, functional and integration testing is ingrained into the process. All code is scanned several times a week for known security vulnerabilities.

Penetration testing is performed periodically by an external firm. This includes testing XSS

Incident response

Every network access is logged and monitored. In the unlikely event of a breach of our system, we have put in place a detailed response plan and we will notify any affected party in a timely fashion.

Personnel

Unito performs background checks on all its employees and trains everyone on security matters. Access to sensitive information is granted only to the appropriate employees.