RedmineUP's Statement on Security
Protecting Enterprise data:
Our cloud service enables teams to work more effectively, scale quickly, and focus more energy on their core activities. We are committed to ensuring the safety and security of your company's data and to providing you with the information you need to understand and evaluate our security practices and policies for yourself.
1. Redmine — Open Source Software
RedmineUP is based on Redmine, the free and open source, web-based project management and issue tracking tool.
RedmineUP team members have been part of the Redmine community for more than 10 years. We have contributed free plugins, themes and fixes to core Redmine.
You can check the list of security vulnerabilities that have been fixed in Redmine releases, starting from version 1.3.0.
2. RedmineUP Plugins
At RedmineUP we continuously develop our plugins and support all Redmine core releases. We keep all plugins up to date and compatible with the latest version of Redmine.
3. Data Encryption with TLS/SSL
We use TLS (still commonly called SSL) to encrypt the HTTP traffic between your browser and our servers, which prevents attackers on the network from eavesdropping on, or tampering with, connections to and from your RedmineUP account. The certificate we serve is valid and issued by a trusted certificate authority, so your users' browsers show no certificate warnings and can verify that they are talking to the genuine server rather than to an interceptor.
- TLS encrypts your server's HTTP traffic and prevents attackers from eavesdropping on connections to and from your Redmine server.
- The certificate is valid and trusted. A certificate that chains to a trusted root and matches the host name prevents error messages in your users' browsers and lets the browser detect an attacker who tries to intercept the connection with a certificate of their own.
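The two properties above can be verified from the client side. The following script is an added example and is not RedmineUP's own code: it connects with Python's default TLS context (which requires a certificate chaining to a trusted root and a matching host name), refuses anything older than TLS 1.2, reports the remaining certificate lifetime and checks whether the server sends a Strict-Transport-Security header. The host name `example.com` is a placeholder assumption; the decision logic lives in `evaluate()` so it can be exercised without a network.

```python
"""Client-side check of a hosted service's TLS properties.

Added example, not RedmineUP code. Verifies what a browser verifies:
trusted certificate chain, matching host name, modern protocol,
certificate not about to expire, and HSTS present.
"""
import http.client
import ssl
import sys
import time

# Placeholder host name (assumption for illustration only).
DEFAULT_HOST = "example.com"
MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")


def evaluate(version, days_left, hsts_header, min_days_left=14):
    """Pure decision logic, testable offline.

    Returns a list of findings; an empty list means the endpoint passes.
    """
    findings = []
    if version not in MODERN_VERSIONS:
        findings.append(f"legacy protocol {version}")
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < min_days_left:
        findings.append(f"certificate expires in {days_left} days")
    if not hsts_header:
        findings.append("no HSTS header, downgrade to plain HTTP is not prevented")
    return findings


def check_host(host=DEFAULT_HOST, port=443, timeout=5.0):
    """Connect like a browser would and collect the facts evaluate() needs.

    create_default_context() sets CERT_REQUIRED and check_hostname=True, so a
    self-signed, expired-chain or mis-issued certificate makes the handshake
    raise ssl.SSLCertVerificationError instead of silently succeeding.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        # Read socket facts before getresponse(), which may close the socket
        # if the server answers with Connection: close.
        version = conn.sock.version()
        not_after = ssl.cert_time_to_seconds(conn.sock.getpeercert()["notAfter"])
        resp = conn.getresponse()
        hsts = resp.getheader("Strict-Transport-Security")
    finally:
        conn.close()
    days_left = int((not_after - time.time()) // 86400)
    return {
        "host": host,
        "version": version,
        "days_left": days_left,
        "hsts": hsts,
        "findings": evaluate(version, days_left, hsts),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    try:
        report = check_host(target)
    except ssl.SSLCertVerificationError as exc:
        print(f"{target}: certificate NOT trusted: {exc.verify_message}")
        sys.exit(1)
    print(report)
    sys.exit(1 if report["findings"] else 0)
```

Run it as `python check_tls.py your-account-host`. A certificate that is self-signed, expired or issued for a different name makes `check_host()` raise `ssl.SSLCertVerificationError`, which is the same failure a browser would show as a certificate warning; the findings list covers the weaker problems (old protocol, imminent expiry, missing HSTS) that a browser accepts silently.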
4. Daily backups from two separate services
RedmineUP has a dedicated backup service that makes it easy and cost-effective to back up your account data, helping you meet your business and regulatory backup compliance requirements.
Independently of that service, a second backup is made by Amazon Web Services (our partner). Both backup copies are encrypted in transit and at rest, giving your data an additional layer of protection.
You can download a backup of your cloud account on demand. Each download is recorded in the user audit log.
5. Firewall manager and Application load balancer
RedmineUP uses a dedicated firewall manager that monitors and controls incoming and outgoing network traffic. It lets us detect unauthorised access attempts such as port scans, malformed packets, network attacks and unusual traffic patterns.
We use an Application Load Balancer to route client requests. It spreads incoming requests across all available servers so that no single server is overloaded, which would degrade performance.
If a server goes down, the load balancer redirects traffic to the remaining online servers; when a new server is added to the server group, the load balancer automatically starts sending requests to it. In this way the load balancer:
- Distributes client requests or network load efficiently across multiple servers;
- Ensures high availability and reliability of infrastructure by sending requests only to servers that are online.
6. Independent, secure cluster for each client
We use Kubernetes to manage the instance infrastructure and application delivery, with Git as the single source of truth for declarative infrastructure and application definitions (a GitOps workflow).
Git gives a tamper-evident history backed by cryptography: every commit is content-addressed by its hash, every change is tracked and reviewable, and commits and tags can be signed to prove authorship and origin. This makes the repository a correct and trustworthy definition of the cluster's desired state.
If a security breach does occur, this immutable and auditable source of truth can be used to recreate a new system independently of the compromised one. This reduces downtime and allows a more effective response to incidents.
Another step we take to reduce the attack surface and the potential impact of a compromise is to separate the development of software from its release into the production environment, with distinct environments and access rights for each. In doing so we apply the principle of least privilege (PoLP).
7. SLA for Enterprise
We believe so strongly in the stability and performance of the RedmineUP cloud infrastructure that we are ready to provide you with a legally binding guarantee for it, in the form of an optional Service-Level Agreement (SLA). Each cloud account has a dedicated customer success manager.
We guarantee 99.8% availability (uptime) of the RedmineUP cloud service. Our security bug fix agreement (part of the SLA) defines the following time windows for fixing security issues in our products:
- Critical severity bugs are fixed in the product within one week of being reported;
- Medium severity bugs are fixed in the product within three weeks of being reported.
Customer support is available on working days by email. We respond to all requests within 24 hours. For urgent requests we can arrange a video call with your dedicated account manager.
8. Privacy and GDPR
At RedmineUP, we believe privacy should be clear, with easy control over your data, whether you are a company trying to understand and comply with the GDPR and other global privacy laws, or a privacy-conscious user who needs to know who has access to your data.
That is why we commit to the highest level of personal data privacy and support you and your organisation in keeping your data secure and under your control.
Access to customer data stored within our applications is restricted on a need-to-access basis. We apply stringent controls to all customer data, and we train all new hires and contractors on current best practices for handling and protecting customer data.
Within RedmineUP, only a small, controlled group of authorised employees can access customer data stored within our applications. They authenticate with individual SSH key pairs whose private keys are passphrase-protected, and the servers we use accept incoming SSH connections only from our own servers.
We appreciate that our customers have obligations under the GDPR, and we have prepared resources to help them fulfil those obligations.
9. Active Directory integration with SAML (on request)
RedmineUP can connect your Active Directory to your cloud account via SAML. In such a setup the Active Directory side (typically AD FS or Microsoft Entra ID, formerly Azure AD) acts as the SAML identity provider and your RedmineUP cloud account as the service provider.
SAML is an XML-based open standard produced by the OASIS Security Services Technical Committee. Most major SaaS vendors, such as Salesforce, Google and Microsoft, already support SAML. SAML-enabling apps using other vendors.
10. Amazon Web Services Security
RedmineUP uses Amazon Web Services (AWS) infrastructure, which keeps your data safe and provides smooth performance of our Redmine-based platform.
Another benefit is automatic scaling of capacity with load. By default, we host all accounts on servers located in Ireland, Europe.
The data centres hold security certifications such as ISO/IEC 27001:2013, an information security management standard that specifies management best practices and a comprehensive set of security controls.
11. 2Checkout (payment service) security
We care about the security of your credit card and we despise fraudsters. When you pay by card for RedmineUP services, you can rest assured that our payment partner, 2Checkout, handles the security of that transaction with appropriate care. 2Checkout is currently compliant with PCI DSS v3.2.