Principles of Data Privacy
In guiding our practices related to data privacy, we follow a these guiding principles:
Where possible we always avoid collecting personal information. Where we do need to collect information, we always ensure we know where the information is stored and minimize the number of systems it is stored in. For example, our analytics data contains no personal information.
We respect your preferences by honoring the Do Not Track setting in individual browsers and by allowing Server customers to turn off all anonymous analytics. Cloud customers can contact us to opt out of our analytics.
We allow everyone who interacts with us or our products to have their information deleted, updated or to access their data. By maintaining good data hygiene and auditing which systems hold which data, we can respond to these queries relatively quickly.
We believe we are compliant with GDPR. We have updated our Privacy Policies and incorporated a Data Processing Agreement and the Model Contract Clauses for data transfer into our standard terms for EU customers.
Types of Data
We use five broad categories to think about data:
- Customer Data
Our app, ProForma, allows teams to create forms for Jira. Thus, there are two types of customer data; the design of the forms and the data users enter into the forms. With the exception of form names, we avoid holding Customer Data. We never see customer data for Server customer. For cloud customers, Customer Data momentarily passes through our servers in order to be rendered in the browser, however this data is only held momentarily in our servers' memory.
- Organization Data
Organizational data includes our business records, customer support requests, the emails we receive, and other material we maintain to manage our business. We are under legal obligations to keep appropriate business records, typically for seven years. We keep this data in secure systems and whenever possible we delete any extraneous attachments.
- Usage Data
Capturing information on specific actions customers take within our app allows us to improve our product. Seeing which features are most utilized and at which points customers find the app confusing drives future development decisions. Our usage data is collected through Segment.com and does not include personal information. It does include the name of the ProForma forms and the license number for the organization. We have modified the Segment library to ensure that all events tracked through Segment are anonymous. For example, we ensure that IP addresses are not recorded and individual users are tracked using an anonymized account-id.
- Communications Data
This is the data that’s most likely to contain personal information. We collect names, email addresses, and occasionally phone numbers and/or job titles from customers we meet at Atlassian Summit, from our update requests submitted via our webpage and also through the contact details Atlassian provides us as part of each license issued in the Marketplace.
We use this information to send out updates about our app and to inform customers of changes to our policies or terms of service. Note that we only hold data that people have consented to give us, or where we have legitimate purpose to hold them (e.g. the admin contact for our app who we need inform about changes to our product or policies). We only communicate in relation to our apps. We do not use this data for general marketing.
- Analytics and Advertising Data
We use data from Google Analytics and other tools to measure how much traffic we are getting to our public facing websites. This information informs our decisions about future blog topics. We also use various advertising systems, such as Facebook, LinkedIn, and Google Ads to raise awareness about our app and the solutions we provide. Most of our public facing websites (but not our Atlassian Marketplace Apps) include ad tracking code, so that we can track the effectiveness of our advertising campaigns.
Auditing, Cleaning & Deleting Data
Periodically, we comb through are systems to ensure that we only have the data we need. This generally entails three steps:
- Auditing the Data
We maintain a record of all the systems where data is stored, including the types of data held in each system. Each system is categorized based on the type of data and the impact that a data breach would have. We conduct periodic reviews of these systems and monitor who has access.
- Cleaning the Data
There are times when our processes require extra scrutiny and clean up. We may make a local copy of data in order to better analyze it, but we make sure every computer has an encrypted file system before downloading this data. We then ensure we clean up afterwards. We also closely monitor any integration tools, configuring them not cache/log any processes that include personal data.
- Delete the Data
We are committed to deleting data that we don’t need. As part of our auditing process, we set an age limit on our records, dependent on their data type, and delete personal information once it is no longer required.
Best Practices for Data Security
ThinkTilt staff engage in day to day practices to ensure that all data is kept secure. These include:
- Two factor authentication;
- 1Password for storage of common passwords;
- Tightly controlling who has access to specific projects, production servers and other sensitive systems;
- Ensuring that all devices used by our team are encrypted and that team members practice good password management;
- Ensuring that all team members and contractors understand their confidentiality/NDA obligations;
- Carefully vetting all third party services we integrate with.
Finally, recognizing that an ounce of prevention is worth a pound of cure, we do our best to prepare for things going wrong. This includes having written procedures for responding to incidents and data breaches. We also make sure to carry more than adequate insurance coverage, so that should a breach happen, we will have the resources we need to handle the notification process.
We are committed to protecting your data and earning your trust. Please contact us if you have any questions or concerns about how we handle your data.