Gliffy aims to help every team solve problems and collaborate visually, which means that sometimes your diagrams may contain sensitive information. We care about your data and privacy, so we’re committed to making diagramming with Gliffy as easy as possible, without compromising on security.

Gliffy is owned by Perforce Software, so certain policies and practices (i.e., Business Continuity Plans) are informed by or aligned to their company-wide policies.

Read on to learn more about our policies and commitments to your security or jump ahead to one of the following sections:

What Information Do We Collect?
Encryption, Hosted, and Network Security
Application Security
Security Training and Management
Business Continuity Plan
GDPR

What Information Do We Collect?

Personal Information

No personal information (billing information) is stored within Gliffy.

Disclosure of your Personal Information

We do not sell or share your personal information.

Creating a Diagram

Information about your session (browser type and IP) when you use the Online or Atlassian application can be used to help us troubleshoot technical problems. This information is stored, but the oldest data is overwritten by current data. Only engineering staff are permitted access to server logs to resolve issues.

Diagram Storage

Gliffy is a web-based application. Gliffy does not store your diagram data on a local device. When you choose to store your diagram, your diagram data and your preferences are not stored on Gliffy servers. Diagram data stored in the following applications and cloud services is covered by their respective privacy policies:

Confluence or Jira: Atlassian’s privacy policy
Google Drive: Google’s privacy policy

Error Capture and Reporting

If an error condition occurs, Gliffy typically will send an error report back to the servers. The information collected for troubleshooting does not contain personal information or complete diagram data.
Support Access

Gliffy Support will only access customer information when necessary, to resolve an open ticket.

Request access to, modify and delete your information

If you want to access, review, or delete your personal information and communication, please request assistance at https://www.gliffy.com/support/request-support.

Encryption, Hosted, and Network Security

Encryption in Transit

All customer data is encrypted using HTTPS over Transport Layer Security (TLS) 1.2 or higher.

Encryption at Rest

All document content is encrypted at rest with AES-256. The encryption is transparent; keys are managed by our cloud infrastructure provider.

Backups and Reliability (Gliffy Online)

Gliffy databases and infrastructure are built on top of Amazon AWS, and AWS services are used for daily backups.
All our systems are fully redundant and clustered.
Disaster Recovery testing is periodically performed to ensure Gliffy operations are restored in a timely manner.

Payments and Credit Card Data storage (Gliffy Online)

All payments made for Gliffy Online use www.stripe.com (PCI Certified). For additional information, please visit https://stripe.com/privacy
No credit card data or payment related information is stored on Gliffy systems.

Hosted Security (Gliffy Online)

Gliffy servers and customer data are hosted on Amazon Web Services (AWS).
Information about AWS Security can be found here: https://aws.amazon.com/security/.

Network Security

The Gliffy team has implemented a layered approach to network access.
Controls are implemented at each layer, dividing our infrastructure by zones, environments and services.
Non-production and production environments are segregated.
The Gliffy team controls access to sensitive networks via Virtual Private Cloud (VPC) routing, firewall rules and software defined networking, and all communications via end-to-end encryption.
The Gliffy team connectivity is secured with device certificates, multi-factor authentication and use of proxies for sensitive network access.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are used in all our offices and production environments to identify and prevent potential security issues.
The Gliffy team monitors our infrastructure and application/services 24/7. We also have set up monitoring and alerts.
The Gliffy team, along with AWS, follows best practices for patch management.
Access is restricted to the microservices on a networking level. Services and databases hosted by AWS, by default, are not accessible from anywhere; explicit inbound rules must be added manually.

Physical Security

At Perforce facilities, appropriate physical security is maintained and measured to ensure the safety and protection of employees, company assets, and Customer Data.

Application Security

Code Security

The Gliffy development team closely reviews all code before it is released. Developers inspect the logic and data information flows of new features to ensure no security vulnerabilities are introduced. Unit tests are also developed and run to ensure the application does not behave in an unexpected way.

Third Parties

Perforce works with third-party service providers and vendors that will have access to Gliffy Data and conducts a risk assessment of the data security practices of each third party.
Periodic reviews of each third party are conducted to ensure their data security practices continue to meet the necessary requirements.

Security Training and Management

Security Training

Periodic training occurs on security issues and how to prevent/mitigate them, for continuous improvement.

Separation of Duties

Perforce maintains separation of duties to prevent end-to-end control of a process by one individual.

Change Management

The Gliffy team practices a change management process which informs and uses an approval workflow. All development changes are reviewed and are part of our SDLC process. The Gliffy team uses a Continuous Integration (CI) tool to check and flag changes before they are merged into the master branch. Automated Integration, Unit, Functional and Security tests generate issues based on test failures.

Employee Termination

Perforce has an employee termination process that covers timeframes for termination of logical and physical access, including procedures to collect any devices or equipment containing Perforce data.

Security and Vulnerability Management

Perforce’s security team makes use of a SIEM platform to monitor and flag any suspicious activity. Perforce internal processes define how these alerts are triaged, investigated and escalated appropriately. Perforce’s security team performs ongoing network and infrastructure vulnerability scans using an industry-leading vulnerability scanner. Perforce also uses external security firms to conduct penetration tests on the infrastructure, web sites and apps.

Business Continuity Plan

Perforce maintains a business continuity plan to manage and minimize the effects of unplanned disruptive events (cyber, physical, or natural).

GDPR

Perforce follows guidelines and recommendations from GDPR with regards to all the data and information handled, processed, and stored by Gliffy.

Still Have Questions?

Feel free to contact us with additional questions.