
🔒 Our commitment to security and privacy

Alyna is a powerful tool for product engineering teams, but it cannot provide value without accessing data from Jira boards and Github PRs. Code is every software engineer's most important Intellectual Property, and roadmap items could be a company's most confidential information. We at Alyna are committed to securing user data and being transparent about the usage of collected data.

Without legal-ese, what does this mean specifically? It mainly boils down to four things:

1. We ask for the minimum amount of data needed to provide the service, as detailed in the Data Access section. For instance, most features require access to PRs, but not to the entire repository.
2. All our sub-processors meet stringent data security and compliance standards, including SOC 2, ISO 27001, CCPA, GDPR, and HIPAA.
3. We do not store any of your data (code snippets, Jira tickets, etc.); the only thing we store is the LLM output, which is used for product improvement.
4. Your data is transmitted to OpenAI over its API, which does not use it for any purpose (e.g. training or improving the models) other than generating outputs. OpenAI removes the data after 30 days, and we are in the process of obtaining a Zero Data Retention arrangement.

To give our team the bandwidth to deliver the best product while staying airtight on security, we rely on industry-leading services from Vercel (frontend cloud), Supabase (database), and OpenAI (LLM).

System Architecture

(Architecture diagram: security-overview)

MFA

Access to all internal systems is protected by multi-factor authentication. Access is restricted to those who require it to perform their job, and is regularly reviewed and revoked upon termination or when no longer needed.

Code Reviews

Code reviews are mandatory for all code changes to our product. Security-sensitive changes are additionally reviewed by security advisors before being released.

Testing

End-to-end tests validate authentication, authorization, and other critical workflows.

Client Secrets

We do not store sensitive keys or passwords in source code; they are kept in a secure secret vault and loaded at runtime.

Data Security

API Protection

APIs are secured using API keys, and access is restricted based on user roles. Regular security audits are conducted to identify and address vulnerabilities.

Identity Verification

The web application authenticates requests with JSON Web Tokens (JWTs). Requests arriving from Slack are authenticated by verifying the request signature header that Slack attaches to each request, so that only genuine Slack traffic is processed.

Encryption

All customer data is encrypted at rest with AES-256 and in transit with TLS. Sensitive values such as access tokens and keys are additionally encrypted at the application level before they are written to the database.

Network Security

Application infrastructure is hosted on Vercel; the database is hosted on Supabase (see Data Storage below).

Firewall

Alyna uses Vercel’s firewall, configured to allow only necessary traffic. Rules are reviewed and updated regularly to mitigate emerging threats.

DDoS protection

Vercel’s firewall blocks incoming traffic when request volume reaches abnormal or suspicious levels.

VendorSec

Vendor security is crucial for safeguarding our systems. We assess our vendors, require that they adhere to industry standards and implement robust security measures, and maintain open communication channels with them so that issues can be raised and resolved promptly.

CI system

Continuous integration pipelines include security checks to identify and address vulnerabilities in the codebase.

Data Storage

We use Supabase’s infrastructure for data storage.

Backup

All customer databases are backed up every day. Point-in-Time Recovery allows the database to be restored to any moment within the retention window.

Encryption

Sensitive information such as PII and tokens is identified, classified, and stored securely. Access to it is restricted, and it is encrypted in transit and at rest using pgsodium, a PostgreSQL extension that exposes libsodium's high-level cryptographic primitives through SQL.

Data Access

Alyna requires data from various sources for the provisioning of services. The details are as follows:

Source | Data Type | Access Type | Related Features | Purpose
--- | --- | --- | --- | ---
Jira | Jira user (user name, email, avatar) | Read | Standup Helper, Sprint Summary, Status Update | Find relevant information about specific users
Jira | Jira work (project, issue date, attachments, worklog) | Read | Standup Helper, Sprint Summary, Status Update | Provide context for engineering tasks
Jira | Jira work | Write | Link | Post Slack summaries as comments on a Jira ticket
GitHub | Metadata (title, description, author, branch info, labels, status, reviewers, review status, comments, timeline, activities, changes introduced) | Read | All features | Provide precise summaries of developer activity
GitHub | Pull requests | Read | All features | Provide precise summaries of developer activity
Slack | Public channels, private channels, direct messages, and group direct messages (messages, content) | Read | Sprint Summary | Identify challenges
Slack | Workspace (user, email) | Read | All features | Identify pertinent users in Slack summaries
Slack | Public channels, private channels, direct messages, and group direct messages | Write | All features | Send messages as Alyna
Slack | Workspace | Write | All features | Perform actions in your workspace, i.e. handle the Alyna command

Account Management

Creation

Company employees and contractors are provided with user accounts through our internal account management system (G Suite). Account creation requires valid employee/contractor identification and approval from the HR department.

Management

User accounts for employees and contractors are managed through an internal admin panel accessible to authorized personnel. Account permissions are assigned based on job roles and responsibilities.

Deletion

Administrators follow a secure deletion process when an employee or contractor leaves the company or no longer requires access.

Password manager

Employees and contractors are required to use an open-source password manager to generate and store complex passwords securely.

Biometrics lock

Employees and contractors can enable biometric locks on devices supporting fingerprint or facial recognition.

© 2024 Alyna Technologies Inc. All rights reserved