Cenote Security Statement
This page describes Cenote's security policy for its cloud and server apps.
Data Security for Cloud Apps
- We do not store Personally-Identifiable Information (PII) within our apps.
- We always minimize the amount of information stored outside of the Atlassian Cloud infrastructure.
- For information on the types of data that we do store in our Cloud apps, see the Cenote Privacy Policy.
Security Defect Policy
- When defects are discovered, they are immediately triaged, and where applicable, rated using CVSS or other industry-standard scales for security defects.
- For critical-rated defects, we issue security advisories and we proactively contact customers regarding the notice. Defects with a severity of "high" or lower are generally mentioned in product release notes. An archive of past product security notices is available in Product Security Notices.
- We comply with the Atlassian Security Bug Fix Policy for Marketplace vendors, including defect resolution timelines.
Build Security
- All of our developer workstations use full-disk encryption.
- All commits to our source code are controlled through the Git revision control system.
- Deployment of software to our production cloud environments is controlled with secure credentials and 2FA.
- We regularly scan our software for security vulnerabilities using industry-standard security scanner tools.
Cloud Operational Security
- Data stored by us outside of the Atlassian Cloud is stored in databases that are encrypted at rest with AES-256 block-level encryption.
- We require TLS 1.2 or higher to access our apps.
- All traffic is served over TLS (HTTPS).
- All cookies are served with the HttpOnly and Secure attributes.
- HSTS is enabled.