MASTERMIND

DEMO
CONTACT

Data Security Policies

Last updated May 7th, 2020


WHAT DATA DO WE STORE?

Mastermind Assistant makes every effort to boost your developers’ productivity without storing any sensitive data. To that end, we only store metadata about your organization, your developers and your developers’ tools. We never fetch or store full copies of data, such as tasks, commits or pull requests. Where our platform does access this data, it is transferred to the server, processed in memory, and then either immediately purged or encrypted and stored in a database for a short period of time to maintain conversational context with a user. Conversational context allows the platform to support intelligent follow ups such as a user saying “Assign that to me” after getting a task. We do not access or store source code, documents or private communications.

From each of your tools, we do store the following data for the purpose of data presentation:

  • Usernames and/or email addresses
  • Project Management Metadata (including project identifying information and statistics, issue identifying information and statistics, and user access statistics)
  • Repository Metadata (including: Project identifying information and statistics, pull request identifying information and statistics, commit identifying information and statistics, and issue identifying information and statistics)
  • Unstructured communication on public forums and channels (Messages and comments)
  • Some Personally Identifiable information:
    • Web cookies
    • First or last names
    • Email address
    • Login name, screen name, nickname, or handle

WHAT WE DO NOT STORE:

  • Full Source Code or Full source code comments
  • Documentation or documentation contents
  • Customer information (Unless added as a part of information we store above)
  • Personal information of customers, clients, or external parties. (Unless added as a part of information we store above)
  • Private communications
  • Most personally identifying information (PII), including:
    • Home address
    • National identification number
    • Passport number
    • IP address
    • Vehicle registration plate number
    • Driver’s license number
    • Face, fingerprints, or handwriting
    • Credit card numbers
    • Digital identity
    • Date of birth
    • Birthplace
    • Genetic information
    • Telephone number
    • Country, state, postcode or city of residence
    • Age, especially if non-specific
    • Gender or race
    • Name of the school they attend or workplace
    • Grades, salary, or job position
    • Criminal record

ACCESS CREDENTIALS:

Some software integrations only provide a “basic” authentication structure, which requires storing a username and password for access. In these cases, we store pertinent credentials in a secured database, salted and encrypted with a key stored externally to the database.

Access tokens, API tokens, OAuth and OAuth2.0 credentials, and other connection credentials are stored in a secured database, salted and encrypted with a key stored externally to the database.

Access credentials are persisted, unless the user removes the connection to the service. This allows Mastermind Assistant to consistently fetch and update the data required to provide you the most accurate and timely view into your data.

HOW WE PROCESS METADATA

Mastermind Assistant processes data from a very large number of sources and takes your data privacy and sensitivity very seriously. After explicitly granting access to each tool, Mastermind Assistant downloads specific data sets for processing. Each data set undergoes a two-step process where (1) each download is scanned, and relevant metadata is stored in a persistent database. (2) This metadata is then processed to identify key metrics and insights, which are stored and presented on the platform.

WHERE IS YOUR PHYSICAL INFRASTRUCTURE?

Mastermind Assistant stores all data with Amazon Web Services, and as such, benefits from the secured, distributed, fault tolerant environment provided by Amazon. Detailed information on Amazon’s security practices can be found here: https://aws.amazon.com/security/ Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II) PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

WHAT SECURITY POLICIES AND PROCEDURES DO Mastermind Assistant STAFF FOLLOW?

Mastermind Assistant restricts access to production servers and databases to a few, select, staff members. Security breaches are held as the highest level of infraction, and offenders are immediately terminated.

Mastermind Assistant supports a number of security policies that help restrict access to customers’ data:

  • Data processing servers have routine access audits.
  • Production datastores have routine access audits
  • Credentials for Production datastores are only provided to a limited number of staff, and rotated with new staff members.
  • Access is restricted to production and live data test servers to automated tools in order to minimize access levels needed by staff.
  • Minimum password strength policies are in place.

DATA PROTECTION STATEMENT ACCESS

This document will be updated as features and security improvements are integrated into the system. An updated copy can always be obtained by contacting Mastermind Assistant at support@MastermindAssistant.com, and requesting an up to date copy of the data protection statement.

RESOLUTION AVENUES

All data requests can be made through the official communication channel at support@MastermindAssistant.com.

Any data can be removed upon request. This includes removal of the full set of data collected for an organization, a service, or an individual. This request should be made to the above address.

DATA RETENTION

Customer data is not stored for longer than it is needed. We require data about employees and users to deliver accurate views into your data, and remove this data either upon request, or after an audit period [30 days max] after the account is terminated.

Data is also removed if deemed out of date, or no longer valid. This can happen from removal of connected services, termination of accounts, or other events originating from connected service providers.