Security Statement
Last Updated: 2024-11-01
At Amulent Technologies, we prioritize the security and privacy of our users. CodeMerlin, our AI-powered issue triage and resolution platform, is designed to accelerate software development workflows while safeguarding sensitive data through state-of-the-art security practices. This statement outlines the measures we take to ensure users can rely on CodeMerlin with confidence.
General Security Practices
CodeMerlin integrates seamlessly with popular issue-tracking systems like Jira, GitHub, and GitLab to analyze software repositories and related issues. While we do not intentionally process sensitive personal or financial data, our platform may handle user-submitted content, such as Jira issues, which could include sensitive information. We employ strict security measures to protect all collected data from unauthorized access or misuse.
Infrastructure and Data Security
Cloud Hosting
CodeMerlin is hosted on Google Cloud Platform (GCP), which provides robust, scalable, and secure infrastructure; AI services are provided by OpenAI and Anthropic.
Encryption
- All data is encrypted with TLS 1.2 in transit and AES-256 at rest.
- Sensitive information, such as credentials and secrets, is encrypted throughout its lifecycle and securely stored to ensure it is only accessible when required.
Secret Management
CodeMerlin securely stores and manages all secrets using industry-standard encryption methods to prevent unauthorized access.
Compliance
We are working toward aligning with industry standards and regulations such as GDPR, SOC 2, and ISO 27001 as part of our ongoing commitment to compliance and best practices.
Access and Authentication
User Authentication
CodeMerlin relies on Atlassian's secure authentication mechanisms for seamless access within the Atlassian ecosystem.
Role-Based Access Control (RBAC)
- Privileged access is governed by the Principle of Least Privilege (PoLP) to limit access to sensitive data and administrative functions.
- This ensures users and systems operate with the minimum necessary permissions.
Application Security
Secure Coding Practices
- The application validates and sanitizes all untrusted data and treats all user input as unsafe to mitigate injection-related vulnerabilities (e.g., SQL Injection, XSS).
- We adhere to secure development lifecycle practices, ensuring vulnerabilities are identified and mitigated early.
Dependency Management
- CodeMerlin does not use third-party libraries or dependencies with known critical or high vulnerabilities.
- When vulnerabilities in libraries are discovered, they are remediated as quickly as possible to minimize risk.
Security Headers
CodeMerlin enforces security headers such as:
- HTTP Strict Transport Security (HSTS)
- X-Content-Type-Options
- X-Frame-Options
- Content Security Policy
Cookie security attributes, including Secure, HttpOnly, and SameSite, are enabled to prevent cookie-based attacks.
Threat Prevention and Monitoring
Our platform is actively monitored and protected using a range of industry-leading tools and practices:
Monitoring and Detection
We leverage Google's Security Command Center, including:
- Firewalls
- Web Security Scanner
- Security Health Analytics
- Event Threat Detection
These tools help us proactively identify and address potential vulnerabilities.
Vulnerability Management
Automated scanning and regular vulnerability assessments ensure that security risks are quickly identified and mitigated.
DDoS and Malware Protection
Google Cloud Armor defends against DDoS attacks and other malicious activities.
Data Privacy and Backup
Data Deletion
When users uninstall the CodeMerlin application from Atlassian, all customer data associated with the account is permanently deleted.
Data Backup
- User data is backed up daily, with backups securely stored for a maximum of seven days.
- This ensures rapid recovery in the event of unexpected disruptions.
Incident Response
In the event of a security incident, our incident response plan ensures:
- Prompt notification to affected users.
- Mitigation of risks to prevent further damage.
User and Developer Transparency
Security Updates
While we do not yet maintain a dedicated security update channel, we are committed to keeping users informed of critical updates or changes that affect platform security.
Responsible Disclosure
A formal Responsible Disclosure Policy is under development, encouraging security researchers and ethical hackers to report vulnerabilities for timely remediation.
Contact Information
If you have questions or comments, please contact us:
📧 Email: info@amulent.com