top of page

Security Statement â€‹

Last Updated: 2024-11-01

 

At Amulent Technologies, we prioritize the security and privacy of our users. CodeMerlin, our AI-powered issue triage and resolution platform, is designed to accelerate software development workflows while safeguarding sensitive data through state-of-the-art security practices. This statement outlines the measures we take to ensure users can rely on CodeMerlin with confidence.

 

General Security Practices

 

CodeMerlin integrates seamlessly with popular issue-tracking systems like Jira and GitHub to analyze software repositories and related issues. While we do not intentionally process sensitive personal or financial data, our platform may handle user-submitted content, such as Jira issues, which could include sensitive information. We employ strict security measures to protect all collected data from unauthorized access or misuse.

 

Infrastructure and Data Security

 

  • Cloud Hosting: CodeMerlin is hosted on Google Cloud Platform (GCP), utilizing OpenAI and Anthropic for AI services to provide robust, scalable, and secure infrastructure.

  • Encryption: All data is encrypted using TLS 1.2 for transmission and AES-256 encryption at rest. Sensitive information, such as credentials and secrets, is encrypted throughout its lifecycle and securely stored to ensure it is only accessible when required.

  • Secret Management: CodeMerlin securely stores and manages all secrets using industry-standard encryption methods to prevent unauthorized access.

  • Compliance: We are working toward aligning with industry certifications such as GDPR, SOC 2, and ISO 27001 as part of our ongoing commitment to compliance and best practices.

 

Access and Authentication

 

  • User Authentication: CodeMerlin relies on Atlassian’s secure authentication mechanisms for seamless access within the Atlassian ecosystem.

  • Role-Based Access Control (RBAC): Privileged access is governed by the Principle of Least Privilege (PoLP) to limit access to sensitive data and administrative functions, ensuring users and systems operate with the minimum necessary permissions.

​

Application Security

 

Secure Coding Practices:

  • The application validates and sanitizes all untrusted data and treats all user input as unsafe to mitigate injection-related vulnerabilities (e.g., SQL, XSS).

  • We adhere to secure development lifecycle practices, ensuring vulnerabilities are identified and mitigated early.

Dependency Management:

  • CodeMerlin does not use third-party libraries or dependencies with known critical or high vulnerabilities.

  • When vulnerabilities in libraries are discovered, they are remediated as quickly as possible to minimize risk.

Security Headers:

  • CodeMerlin enforces security headers such as HTTP Strict Transport Security (HSTS), X-Content-Type-Options, X-Frame-Options, and Content Security Policy.

  • Cookie security attributes, including Secure, HttpOnly, and SameSite, are enabled to prevent cookie-based attacks.

​

Threat Prevention and Monitoring

Our platform is actively monitored and protected using a range of industry-leading tools and practices:

​

  • Monitoring and Detection: We leverage Google’s Security Command Center, including firewalls, Web Security Scanner, Security Health Analytics, and Event Threat Detection, to proactively identify and address potential vulnerabilities.

  • Vulnerability Management: Automated scanning and regular vulnerability assessments ensure that security risks are quickly identified and mitigated.

  • DDoS and Malware Protection: Google Cloud Armor defends against DDoS attacks and other malicious activities.

 

Data Privacy and Backup

​

  • Data Deletion: When users uninstall the CodeMerlin application from Atlassian, all customer data associated with the account is permanently deleted.

  • Data Backup: User data is backed up daily, with backups securely stored for a maximum of seven days. This ensures rapid recovery in the event of unexpected disruptions.

  • Incident Response: In the event of a security incident, our incident response plan ensures prompt notification to affected users and mitigation of risks.

 

User and Developer Transparency

​

  • Security Updates: While we do not yet maintain a dedicated security update channel, we are committed to keeping users informed of critical updates or changes that affect platform security.

  • Responsible Disclosure: A formal Responsible Disclosure Policy is under development, encouraging security researchers and ethical hackers to report vulnerabilities for timely remediation.

​

If you have questions or comments, please contact us info@amulent.com.

bottom of page