Behave Pro is an Atlassian Connect application for Jira Cloud. The Atlassian Connect architecture requires data communication between Jira Cloud and Behave Pro to be hosted on a separate compute resource.
Hindsight Software is responsible for provisioning, monitoring, and managing the compute resource for the Behave Pro application. Hindsight hosts Behave Pro with Amazon AWS, with all communication between Jira Cloud and Behave Pro using HTTPS.
The remainder of this document describes the security and privacy of third-party data stored within Behave Pro only, not within Jira Cloud.
What do we store?
Behave Pro for Jira Cloud uses the Jira issues REST APIs to query data from selected projects to provide the desired functionality. We will sometimes store this data for performance reasons, but only a small amount of data about Jira issues is stored: issue key, issue summary, issue sprint, issue fix version, and issue assignee.
The following user-generated data is stored in Behave Pro's database: BDD Scenarios, BDD Features, Ready Votes, Questions, and Exploratory test sessions, including notes and session attachments.
If a project is connected to one or more Git repositories to allow Behave Pro to sync with the repositories, then the following data is stored in our databases: commit sha, feature files (text files with the extension ‘feature’) and BDD test results (Passed, Failed, Skipped) from CI builds for individual commits.
How do we keep your data safe?
We take security seriously and take a number of steps to keep your data safe:
Encryption at rest – Data within our database is encrypted and keys are managed using AWS KMS. Each data region has its own unique key and the keys are rotated on a schedule.
Encryption in transit – All communication between servers, containers and databases within the networks/VPCs we manage, and all external traffic, is encrypted to protect data in transit.
Regular backups – Database backups are taken at least every 6 hours and are retained for 30 days. These backups are regularly tested.
Limited employee access to data – A limited and regularly reviewed list of employees has access to the database or datastores. Additional access is granted on a temporary basis as required, using permissions that automatically expire. Access also requires the use of the company single sign-on system with hardware 2FA, and company-managed computers with appropriate security software installed.
Bug bounty – Behave Pro participates in the Marketplace bug bounty program managed by Bugcrowd.
Data storage and processing locations
AWS (Amazon Web Services) is the hosting platform for Behave Pro with databases deployed by MongoDB Atlas also running on AWS. Data is processed in the same AWS regions as the data is stored. The following AWS regions are used by Behave Pro:
US (US East)
US (US East)
Europe (EU West)
Data residency gives you control over where your in-scope product data for Jira Software and Behave Pro is stored. By default, Behave Pro stores data in the Global location. When Behave Pro is notified by Atlassian using the publicly documented Data residency APIs, it stores in-scope product data in the region specified.
In-scope product data
This table lists in-scope data types that can be pinned to a data region using data residency, and out-of-scope product data that can’t. Behave Pro is an app that operates solely on Jira projects and offers two different ways of working with projects: Classic and Git. The functionality provided differs between these two project types and affects where data can be pinned.
Can be pinned
Jira issue key, summary, sprint, fix version, and assignee user accountId
User-generated content: BDD Scenarios, and BDD Features.
Git repository connector: commit sha, feature files from the repository (text files with the extension ‘feature’) and BDD test results (Passed, Failed, Skipped) from CI builds for individual commits.
All compute resource logs and network traffic logs are stored centrally in the US Region for operations monitoring purposes. This data cannot be pinned to a region.
When a customer's subscription lapses or ends, we will retain the data for a period of 30 days, after which the data may be removed. Within this 30-day period customers can renew their subscription and continue to access the data.
Customers may request the permanent removal of data from our systems by writing to Hindsight Software Ltd, 2a The Quadrant, Epsom, KT17 4RH, UK. The removal of data will be conducted within 15 days and does not include removing data from any backup materials.