The following document is the Data Security and Privacy Statement for the “Polar SSO” apps, developed by Polarnight AS and made available through Atlassian Marketplace. This statement augments the overall Polarnight Privacy Notice with specific information about the Polar SSO apps.

Updated May 12th, 2020

Overview

Polarnight AS offers the software “Polar SSO” (the “App”) for purchase through the Atlassian Marketplace. Polar SSO is designed as an extension for installation in Atlassian’s line of Server or Data Center products such as Jira, Confluence, Bitbucket, Bamboo and Fisheye/Crucible.

Polar SSO is mainly a security product offering features such as SAML SSO, Kerberos SSO and multifactor authentication.

This Data Security and Privacy Statement provides an overview of Polarnight’s collection and processing of your data in the “Polar SSO” app.

How we collect data

The app only collects user-identifiable or otherwise personal data when this is functionally required to implement or enable a feature of the app. The app does not share any collected data outside of the Atlassian application, file system, database or browser it is running in.

To enable maximum privacy, we use Atlassian’s anonymized “user key” instead of storing the full user name.

What data we collect

When a user enrols in multifactor authentication, we store credential information such as authenticator public keys or shared random secrets. 

When a user chooses to trust a device for multifactor verification, we generate a random ID for this device and store that in the application database and as a browser cookie.

When a multifactor authenticator is registered, we record the time of registration. When an authenticator is used for verification, we update the time of last use for the authenticator. The time of registration and the time of last use are visible to the application’s system administrators.

When a user performs multifactor verification or WebSudo reverification, the last method used is recorded in the browser’s local storage to enable pre-selection of that method on the next verification.

When the user logs in with SAML, we store the last selected SAML provider’s ID in the browser’s local storage so that subsequent logins can happen automatically.

When performing a SAML test, the last SAML request and response are collected.

If security audit logging is enabled, we store a record for each collected security event, such as user login, user verification and user logout. The audit log has a defined retention period, by default 7 days.

How data is deleted

Enrolled multifactor verification methods and trusted devices may be deleted by the user or by an administrator.

Audit log data is deleted automatically after a retention period. Audit log data can also be deleted manually by an administrator before the retention period expires.

Any data stored in browser cookies and/or local storage can be deleted by the user using the appropriate browser user interface.

SAML test data is deleted when performing a new SAML test.

Support and troubleshooting requests

When you request help from Polarnight’s support team, we are often able to help you faster if we have access to more information about the instance our app is running in. In order to help you faster, we may ask that you share data about your application instance collected by our embedded support tool. This tool allows you to be selective about which data you want to include when sharing data with us. We also take care to exclude or anonymize data here that we don’t see as useful for our support efforts.

We may also request screenshots of the application in use or ask for a screen-sharing session to debug and understand issues which are hard to reproduce in our lab.

In any case, it is up to you as a customer to decide which data you feel comfortable sharing with us during a support case.

Data location

The app stores data in:

  • The “polarsso” subdirectory of the Atlassian application’s home directory (SAML and Kerberos test data)
  • The SQL database (enrolled multifactor methods, trusted devices, audit log)
  • The user’s browser (trusted device UUID, last used SAML provider etc.)

Changes and updates to this statement

Polarnight keeps this statement under regular review and places any updates on this web site. You can find the date this statement was last updated at the top of the page.

How to reach us

Polarnight AS (org. no. 921 903 820) is responsible for the processing of your personal data in Polar SSO. 

If you have any questions regarding this privacy statement, please send us an email at support@polarnight.com