Security

We take the security of your sensitive data seriously.

Security is embedded into the culture at Multiplier and is an integral part of how we operate.

Scroll down for information about specific security practices. Please email security@multiplierhq.com if you have any questions.

Compliance

Multiplier is SOC 2 Type 2 certified. Request a copy of our SOC 2 report here.

In addition, Multiplier adheres to all of the security requirements enforced by Atlassian for cloud apps, outlined here.

We participate in Atlassian's Cloud Fortified Apps program and bug bounty program for marketplace apps.

Infrastructure security

Multiplier hosts all data utilizing industry-leading US-based Amazon Web Services (AWS) facilities, which include 24/7 on-site physical security and camera surveillance. For additional details regarding AWS security, visit https://aws.amazon.com/security/.

Data submitted to Multiplier by authorized users is considered confidential. All data sent to or from Multiplier infrastructure is encrypted in transit using Transport Layer Security (TLS) v1.2. All data is encrypted at rest using military-grade AES-256 encryption. High risk data have multiple levels of encryption applied.

Our infrastructure is continually monitored for security vulnerabilities and updates applied automatically.

Policies and procedures

The following policies are followed and enforced at Multiplier:

Acceptable Use Policy, Asset Management Policy, Backup Policy, Change Management Policy, Code of Conduct, Cryptography Policy, Data Classification Policy, Data Deletion Policy, Data Protection Policy, Incident Response Plan, Information Security Policy, Password Policy, Physical Security Policy, Responsible Disclosure Policy, Risk Assessment Program, System Access Control Policy, Vendor Management Policy, Vulnerability Management Policy.

These policies are followed by all Multiplier employees and contractors, who review and accept the policies a minimum of once per year.

Vendor management

Multiplier uses a number of third party applications and services to support the delivery of our products to our customers. Multiplier's Security team has established a vendor management program that sets forth the requirements for Multiplier to engage with third party service providers.

Training and awareness

Multiplier requires all employees and contractors to sign a confidentiality agreement prior to their start date.

During Multiplier's onboarding process, all new hires are required to complete a security awareness training.

All employees and contractors continue to take a security awareness training annually. Multiplier's engineering team gets additional training focused on design patterns and the technical aspects of  infrastructure security.

As an added layer of diligence, every code change is evaluated from a security perspective.

Data storage and protection

Access to customer data is limited to functions that have a business requirement to do so.

Employees are required to use a VPN to access AWS resources, and all servers and databases are inside of VPC with minimum access policies.

Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA). Multiplier has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms.

Multiplier employees are given minimum access to customer data based on their responsibilities. All employee access to systems is logged and audited for security purposes.

Multiplier runs automated container and application security scans on a daily basis, and package dependency security advisory scans on a weekly basis.

We also maintain separate production and testing environments.

Multiplier stores a limited amount of data in its own database outside of Atlassian Cloud.

What we store

  • API Tokens and credentials
  • Identity groups
  • Application metadata
  • Audit logs

What we don't store

  • Login credentials. We never store login credentials of users, and authentication happens through Atlassian.
  • Atlassian Content. Atlassian content is never cached and it is fetched on demand for the user requesting the data.