What this article covers:
- Infrastructure and network
- Security activities
- Incident response
At Unito, keeping your data secure is a top priority. Here are the steps we undertake and policies we enforce to ensure that your connections and data are fully safe.
We use the OAuth standard to authenticate you and to obtain permission to access your tools. We never see your passwords, and you can revoke access at any time. Unito is bound by the permissions and access rights of the OAuth user you designate for each connector; we therefore recommend using a dedicated bot user so that you keep full control over what Unito can access.
While we sync your item data, we don't store it. The data is encrypted in transit through HTTPS. Here's a breakdown of how we process the different types of data from the tools we synchronize:
- Work Item Data: To precisely detect modifications in each tool, we compute checksums of field data and store only those checksums. The original item data cannot be recovered from the checksums, so the data itself is never stored by us.
- User Data: To accurately associate users in each tool (and synchronize assignees for example), we store the names and emails of active users.
- File Data: We never access your file data (e.g. file attachments). Attachments are (optionally) synchronized by exchanging links to the files, not by copying actual file data. Read more on how we sync file attachments.
- Credentials: Your credentials and your OAuth access tokens are fully encrypted (see Encryption below).
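The checksum-based change detection described under Work Item Data, as an added illustration (not Unito's own code). It keys the digest with a hypothetical per-tenant secret so that a stored checksum of a guessable field value (such as a status of "Done") cannot be reversed by trial; the key, item fields and values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Hypothetical per-tenant secret (constructed for the demo, not a real key).
# A keyed digest means a stored checksum reveals nothing even for low-entropy
# field values that an attacker could otherwise enumerate and hash.
TENANT_KEY = b"constructed-demo-key-not-a-real-secret"


def field_checksum(value, key=TENANT_KEY):
    """HMAC-SHA256 over a canonical JSON encoding of one field value."""
    # Canonicalise so that equivalent values (key order, whitespace) hash identically.
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def snapshot(item):
    """Map each field name to its checksum; this is all that gets persisted."""
    return {field: field_checksum(value) for field, value in item.items()}


def changed_fields(stored, item):
    """Names of fields whose current checksum differs from the stored one.

    Fields with no stored checksum (new fields) are reported as changed.
    """
    current = snapshot(item)
    return sorted(f for f, c in current.items() if stored.get(f) != c)


# Constructed sample work item, first as synced, then after a status change.
DEMO_ITEM_V1 = {
    "title": "Fix login bug",
    "status": "In progress",
    "assignee": "alice@example.com",
}
DEMO_ITEM_V2 = {**DEMO_ITEM_V1, "status": "Done"}

# Persisted after the first sync: checksums only, no field contents.
DEMO_SNAPSHOT = snapshot(DEMO_ITEM_V1)

if __name__ == "__main__":
    print("stored:", DEMO_SNAPSHOT)
    print("changed:", changed_fields(DEMO_SNAPSHOT, DEMO_ITEM_V2))  # ['status']
```

Re-running `snapshot` on the modified item and persisting it replaces the old checksums, so the store never holds more than one digest per field.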
Unito's payments are processed through Stripe, which is certified to PCI Service Provider Level 1. Unito never processes or stores credit card numbers. Please visit stripe.com/security for more information.
Infrastructure and network
Unito runs in Amazon's AWS data centers, where our servers are isolated in a private network and protected at the network edge by Application Firewall technologies. To learn more about AWS certification and security in general, refer to https://aws.amazon.com/security
Unito's software development process includes systematic design and code reviews as well as security reviews. Unit, functional and integration testing are built into the process. All code is scanned several times a week for known security vulnerabilities.
Penetration testing is performed periodically by an external firm. This includes testing XSS
Every network access is logged and monitored. In the unlikely event of a breach of our system, we have put in place a detailed response plan and we will notify any affected party in a timely fashion.
Unito performs background checks on all its employees and trains everyone on security matters. Access to sensitive information is granted only to the appropriate employees.