Medeu IT: Data Security and Privacy Statement

Thank you for selecting Medeu IT products.
This Privacy Policy explains how we collect, use, and protect your personal information when you use our plugins on your servers or using Atlassian Cloud environments. We are committed to respecting and protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and Australian Privacy Act.

We do not collect any personal data from users in our plugins.
In case of using plugins on Atlassian Cloud environments, your personal data operates inside the instance, unless otherwise specified in Atlassian Data Security and Privacy Statement, as from host\owner of your Cloud environment.
Our plugins designed as isolated solutions, without "shadowed" integrations to transfer data to any external place related to our company or 3rd party companies. In case of dedicated plugin have data integrations with other applications, transferred data will be operated by related 3rd-party company, according their Data Security and Privacy Statement. We recommend to attentively read Privacy and Security details tab on Atlassian marketplace and familiarize if described policy meats with your requirements.

Medeu IT not store or retain personal data, created by customers.
Any data provided by you during the use of our plugins is under your control and responsibility. In case of you have sensitive, personal data, we recommend to use isolated, secured environments.
Medeu IT develops and provides tools, which potentially can operates with your data, without storing it in our systems.

Medeu IT interested to reproduce reported issues without using your data. In case of reproduction without your data not possible, we recommend you to sends us only obfuscated data, without sensitive information.

In case of your personal data will be provided by you during support, we are forced to store it, to reproduce reported issues on our test environments. After closing support issue, we are obligated to delete all your provided data from our environments permamentaly without storing it to any period. Data provided via external customer portals hosted by 3rd-party companies, will be stored in closed ticket, presented for you and involved by you persons. We recommend to use external secured file-storages and provide private links only, to not store your sensitive data directly without possibility to manage it from your side.

If you have any questions or concerns about this statements - please contact us at support@m-it.kz.

Our products developed to not use any excessive permissions to read and store any potential data. In case of plugin provides access to any restricted data (e.g. any admin panel) it can be used only from Project\System administration pages. Only authorized by you persons will able to have access to such data.

In case of plugin requires to use service accounts with super permissions, we recommend to use best IT-Security practices to protect access to this account. We assume that using such accounts will be protected by you and under you responsibility.

Our priority not only to provide you convenience of using applications, but also to not violate access and license restrictions designed by applications. Besides end-user-cases we works on technical, hided cases and scenarios to prevent such violations with using our apps.

This section describes how Medeu IT secures our applications, development environment, and responds to potential threats. Our approach is built on standard industry practices appropriate for Atlassian Marketplace apps.

1. Vulnerability Management

• We perform regular security reviews of our code, especially before releasing new plugin versions or major updates.
• We monitor publicly disclosed vulnerabilities in third-party libraries and dependencies used by our plugins.
• If a critical vulnerability is identified in a dependency, we prioritize an update or patch within a commercially reasonable timeframe depending on the severity and exploitability.

2. Security Incident Handling

• If a potential security incident involving our plugins is reported, we acknowledge the report within 3 business days.
• Our team assesses the report, reproduces the issue if possible, and determines the impact on customers.
• For confirmed incidents:
• We develop and test a fix.
• We notify affected customers via direct email or through Atlassian Marketplace release notes, depending on severity.
• We release a patched version as soon as the fix is ready.
• Customers and security researchers can report suspected issues to: support@m-it.kz (please prefix the subject with [Security]).

3. General Security Controls

• Access Control: Access to our source code, build systems, and test environments is restricted to authorized Medeu IT personnel only.
• Data Minimization: As stated above, our plugins do not transmit customer data to Medeu IT servers. We operate without any cloud back-end of our own.
• Least Privilege: Our plugins request only the minimum necessary scopes and permissions on the Atlassian platform. We do not ask for system admin or global permissions unless strictly required for a specific feature (and this will be clearly disclosed on the Marketplace listing).
• Secure Development: We follow secure coding guidelines for Java / Groovy (for Server/Data Center) and Forge (for Cloud). We test for common issues like injection flaws and broken access control before each release.

4. Responsible Disclosure

We appreciate the security research community. If you discover a vulnerability in one of our plugins, please contact us at support@m-it.kz with [Security] in the subject line. We will work with you to understand and resolve the issue promptly and will not pursue legal action if you follow responsible disclosure practices.

Have questions or concerns about this Services, and privacy? You can contact us by writing email to address below:

Kazakhstan

Email: support@m-it.kz.
Web-site: https://m-it.kz/