Security Practices
Overview
At MobilityStream, security is our number one priority. Many of our employees come from large, security-conscious organizations, and our continuous work with organizations in defense, government, banking, and health care has strengthened our security culture even further. This is a non-comprehensive list of the ways we think about security across our process, product, operations, availability, and compliance. We are happy to engage with your security team or a third party to help you assess our products in more depth. If you have specific contractual requirements that go beyond our standard agreement, we are happy to discuss them with you. Please contact us at security@mobiliystream.com.
Process
Security Policy
MobilityStream’s security policy is the overarching document that governs how MobilityStream handles data governance and security in general. It defines clear responsibilities within the organization and how vulnerabilities are assessed and handled. The policy is provided on request or during a security review.
Incident Management
This process lays out how MobilityStream handles security incidents. It defines how MobilityStream communicates with Atlassian, clients, and other partners during an incident, clearly assigns responsibilities, and sets expectations. Should we detect an incident that potentially exposes client data, we will notify affected clients within 48 hours of identifying it.
Bug Bounty Program
All of our products have participated in a bug bounty program for several years. When a potential vulnerability is reported, we release a fix within 7 days for critical issues.
Product Security
Building-in security
During our engineering process we consider the security of the product at every turn, including when we make major product decisions. Security requirements are key for us and we do not compromise on them. All code is reviewed, with security as a major consideration. Should a defect slip into production, fixing it always has the highest priority at MobilityStream: we release a fix for a critical security vulnerability within 7 days.
Encryption
We encrypt all traffic with internal and external systems, using widely trusted, current encryption algorithms rather than proprietary methods. We encrypt data at rest where it makes sense and wherever additional safeguards are required to protect sensitive data.
Security controls
Our products support industry-standard security controls. For example, our mobile apps have supported Single Sign-On, multi-factor authentication, and Mobile Device Management solutions for many years. In addition, our products rely on the underlying security features of the Atlassian suite.
Operations
Security Information Event Management
In our Cloud environment in particular, we monitor our network for unusual activity in real time. A SIEM collects and analyzes events to identify such activities and threats so that they can be contained as soon as they are identified.
Segregation of duty
In our production environments, we maintain a clear separation of duties. Responsibilities are clearly defined and access is provisioned accordingly: our engineers have the access they need to work on problems, but no more.
Change control
We have followed engineering best practices for change control since our inception. Our team has worked in large organizations and understands the importance of a well-defined process that still leaves the team nimble and agile. All of our code is version controlled, we use CI/CD practices to move the product to production, and we use monitoring to ensure that our products perform as expected.
Availability and Continuity
Robust Architecture
Our cloud architecture is designed to make a failure highly unlikely. We pride ourselves on using modern technology to support high availability and to spread processing across multiple data centers. In the unlikely case of an outage, we have the means to recover quickly.
Recovery
We understand the impact a potential outage of an add-on vendor may have on your operations. We have a clear and tested plan for restoring our Cloud environment in the unlikely case of a failure, with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Even in the unlikely case of an outage, the impact on you will be minimal.
Compliance
We understand that your organization may have strict security, privacy, and compliance requirements. We have worked with large organizations in government, defense, banking, and health care that need to comply with ISO 27001, HIPAA, FedRAMP, PCI DSS, SOC, HITRUST, and other compliance requirements. We pride ourselves on being a competent partner in helping our clients achieve their compliance goals.
Version: July 2023