Medeu IT: Data Security and Privacy Statement

Medeu IT: Data Security and Privacy Statement

Effective on 2026-06-25

Thank you for selecting Medeu IT products.

This Privacy Policy explains how we collect, use, process, and protect your information when you use our plugins on your servers or within cloud environments of supported Host Platforms (e.g., YouTrack, Jira, Confluence, ServiceNow, and others).

We are committed to respecting and protecting your privacy and complying with applicable data protection laws, including but not limited to:
  • GDPR (General Data Protection Regulation, EU)
  • CCPA (California Consumer Privacy Act, USA)
  • PDPA (Personal Data Protection Act, Kazakhstan)
  • Privacy Act 1988 (Australia)
Thank you for selecting Medeu IT products.
This Privacy Policy explains how we collect, use, and protect your personal information when you use our plugins on your servers or using Atlassian Cloud environments. We are committed to respecting and protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and Australian Privacy Act.

What Your Data We Collect

2.1. Core Principle: Data Minimization
We do not collect, store, or transmit any personal data from users through our plugins.
Our plugins are designed as isolated solutions that operate entirely within your environment. There are no "shadowed" integrations, background data transfers, or external communications to Medeu IT servers or third-party services unless explicitly stated in the plugin documentation.

2.2. Data Within the Host Platform
When you use our plugins within a Host Platform (e.g., YouTrack Cloud, Jira Cloud, Confluence Cloud, etc.):
  • Your personal data, user information, and content remain inside your instance.
  • Data processing is governed by the Host Platform's own Data Security and Privacy Statement (e.g., JetBrains Privacy Policy, Atlassian Privacy Policy, etc.).
  • Medeu IT has no access to this data.

2.3. Third-Party Integrations
If a specific plugin includes integrations with third-party applications (e.g., external file storage, messaging services, or analytics tools):
  • Data transfers to such third parties are operated by those third parties in accordance with their own Privacy Policies.
  • We recommend that you carefully review the Privacy and Security details provided in the plugin's Marketplace listing and the third-party's privacy policy before enabling such integrations.

Data Retention

3.1. No Retention by Medeu IT
Medeu IT does not store or retain personal data created or processed by customers through our plugins.
All data generated or processed remains under your sole control and responsibility within your environment.

3.2. Recommendations for Sensitive Data
If you process sensitive personal data (e.g., health information, financial data, or special categories under GDPR), we recommend:
  • Using isolated, secured environments.
  • Implementing appropriate access controls.
  • Using obfuscated or anonymized data wherever possible.

Support and Issue Reproduction

4.1. Commitment to Privacy During Support
Medeu IT is committed to reproducing reported issues without using your actual data.
Where reproduction without your data is not possible, we strongly recommend that you:
  • Send only obfuscated or anonymized data.
  • Remove all sensitive information (names, email addresses, personal identifiers, etc.).

4.2. If You Must Share Personal Data
If, despite our recommendations, you provide personal data during support:
  • We will store this data only for the duration necessary to reproduce and resolve the reported issue.
  • After the support case is closed, we will permanently delete all your provided data from our test environments.
  • Data will not be retained for any period beyond case resolution.

4.3. External Customer Portals
If you submit support requests through external customer portals hosted by third-party companies (e.g., Atlassian Support, JetBrains YouTrack, or other ticketing systems):
  • Your data will be stored in the closed ticket system, accessible to you and those you explicitly involve.
  • We recommend using external secured file-storage services and providing private, time-limited links to sensitive files, rather than attaching them directly to tickets.

Security Measures

5.1. Least Privilege Principle
Our plugins are developed to use only the minimum necessary permissions required for their functionality.
  • Plugins do not request excessive or unnecessary permissions.
  • If a plugin provides access to restricted areas (e.g., administrative panels), such access is limited to Project or System Administration pages.
  • Only authorized personnel (as defined by you) will be able to access such data.

5.2. Service Accounts and Super Permissions
If a plugin requires the use of service accounts with elevated permissions (e.g., system administrator rights):
  • We recommend following best IT-Security practices to protect access to such accounts.
  • You are solely responsible for securing and managing these accounts.

5.3. Compliance with Platform Restrictions
Our plugins are designed to respect access and license restrictions of the Host Platform.
We implement technical safeguards to prevent violations of:
  • Platform licensing terms.
  • User permission boundaries.
  • Data access restrictions.

Vendor Security Practices

This section describes how Medeu IT secures our applications, development environment, and responds to potential threats.

6.1. Vulnerability Management
  • Regular Security Reviews: We perform security reviews of our code before releasing new plugin versions or major updates.
  • Dependency Monitoring: We monitor publicly disclosed vulnerabilities in third-party libraries and dependencies used by our plugins.
  • Timely Patching: If a critical vulnerability is identified in a dependency, we prioritize an update or patch within a commercially reasonable timeframe, depending on severity and exploitability.

6.2. Security Incident Handling
Reporting: If a potential security incident involving our plugins is reported:
  • We acknowledge the report within three (3) business days.
  • Our team assesses the report, reproduces the issue if possible, and determines the impact on customers.
Response Process:
  1. Assessment: Reproduce and confirm the issue.
  2. Fix Development: Develop and test a fix.
  3. Customer Notification: Notify affected customers via: Direct email (for critical issues) or Marketplace release notes (for lower-severity issues)
  4. Release: Release a patched version as soon as the fix is ready.

Reporting:
Customers and security researchers can report suspected issues to:
📧 support@m-it.kz (please prefix the subject with [Security])

6.3. General Security Controls

Access Control
Access to our source code, build systems, and test environments is restricted to authorized Medeu IT personnel only.

Data Minimization
Our plugins do not transmit customer data to Medeu IT servers. We operate without any cloud backend of our own.

Least Privilege
Our plugins request only the minimum necessary scopes and permissions on the Host Platform. We do not ask for system admin or global permissions unless strictly required for a specific feature (and this is clearly disclosed).

Secure Development
We follow secure coding guidelines for Java, Kotlin, Groovy, JavaScript, and other languages as applicable. We test for common issues like injection flaws and broken access control before each release.

Code Signing
All plugin releases are digitally signed to ensure integrity and authenticity.

Regular Audits
We periodically audit our codebase and development practices.

6.4. Responsible Disclosure

We appreciate the security research community.
If you discover a vulnerability in one of our plugins:
  1. Contact us immediately at support@m-it.kz with [Security] in the subject line.
  2. Provide details of the vulnerability, including steps to reproduce.
  3. Allow reasonable time for us to investigate and fix the issue before public disclosure.
  4. We will not pursue legal action against you if you follow responsible disclosure practices.

Subprocessors and Third-Party Data Transfers

7.1. No Subprocessors for Customer Data

Medeu IT does not engage any subprocessors for the processing of your personal data. We do not store, transmit, or process your data outside your environment.

7.2. Third-Party Integrations
If you enable specific features that require integration with third-party services:
  • Data transfers are governed by the third-party's own privacy policy.
  • You are responsible for reviewing and accepting those policies.

7.3. International Data Transfers
Medeu IT is headquartered in the Republic of Kazakhstan. However:
  • We do not transfer your data out of your environment.
  • If you voluntarily share data during support, such data may be transferred to our support systems in Kazakhstan for the duration of case resolution. After case closure, data is permanently deleted as described in Section 4.

Legal Basis for Data Processing (GDPR)

For users subject to GDPR, Medeu IT processes personal data only in the following cases:

Support interactions (when you voluntarily provide data)
Legitimate Interest — to resolve technical issues and provide support.

License validation (checking license keys)
Contractual Necessity — to ensure you have a valid license.

Marketing communications (if you opt-in)
Consent (you can withdraw anytime).

Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal data:

Right to Access
Request a copy of your personal data (if we hold any).

Right to Rectification
Correct inaccurate or incomplete data.

Right to Erasure
Request deletion of your data.

Right to Restrict Processing
Request restriction of processing.

Right to Object
Object to processing based on legitimate interests.

Right to Data Portability
Request transfer of your data to another controller.

How to exercise your rights:
Contact us at support@m-it.kz with [Privacy Request] in the subject line.
We will respond within thirty (30) calendar days (or as required by applicable law).

Data Protection Officer (DPO)

Medeu IT has appointed a Data Protection Officer for compliance purposes:
Contact: support@m-it.kz (Attn: DPO)

Changes to This Statement

We may update this Privacy Policy from time to time.

We will notify you of significant changes:
  • By posting the updated policy in the Marketplace listing.
  • By updating the "Effective Date" at the top of this document.
  • By direct communication (email) for material changes.

Your continued use of our plugins after the effective date constitutes your acceptance of the updated policy.

Contact

Have questions or concerns about this Services, and privacy? You can contact us by writing email to address below:
Medeu IT
Kazakhstan