Security Policy

Effective Date: June 1, 2026

At Baseliner.ai, we recognize that security is paramount to our users, particularly when integrating project status reporting solutions within the Atlassian ecosystem. This Security Policy outlines our rigorous commitment to maintaining the confidentiality, integrity, and availability of your data, establishing the protocols we employ to secure our web application, infrastructure, and associated systems.

1. Security Incident Handling & Response

Baseliner.ai maintains a structured Incident Response Plan (IRP) designed to identify, contain, and mitigate potential security threats swiftly. Our incident handling methodology follows a standardized lifecycle:

  • Identification & Detection: Continuous automated alerting mechanisms and internal auditing tools monitor system anomalies and potential unauthorized access vectors.
  • Containment: Upon detecting a validated threat, our security team initiates immediate containment protocols to isolate affected systems, limiting potential impact while maintaining core system integrity.
  • Eradication & Recovery: The root cause of the incident is analyzed and eliminated, and systems are verified as secure before returning to baseline operations.
  • Notification & Compliance: In the event of a confirmed data breach impacting customer data, Baseliner.ai will notify affected users and relevant compliance authorities within 72 hours of verification, providing clear insights into the nature of the breach and mitigation steps taken.

2. Vulnerability Management Process

We proactively identify and remediate security vulnerabilities to protect our systems from emerging exploits. Our vulnerability management workflow includes:

2.1 Reporting

We welcome responsible disclosure from security researchers, partners, and customers. Vulnerabilities can be securely submitted to our security team via email at info@baseliner.ai. Submissions should include clear replication steps and technical context to aid our investigation.

2.2 Triage

Upon receipt, all reports are triaged within 48 business hours. We assess risk based on the Common Vulnerability Scoring System (CVSS) framework, considering exploitability, data impact, and scope.

2.3 Remediation SLAs

Baseliner.ai adheres to strict Service Level Agreements (SLAs) for deploying security patches based on threat severity:

Severity Level   CVSS Score Range   Remediation Window
Critical         9.0 – 10.0         Within 48 Hours
High             7.0 – 8.9          Within 14 Days
Medium           4.0 – 6.9          Within 30 Days
Low              0.1 – 3.9          Best Effort / Next Release Cycle

3. Key Security Controls

We apply defense-in-depth principles across our operational environment through three fundamental pillars:

3.1 Access Control

  • Principle of Least Privilege (PoLP): Internal access to product environments and databases is restricted exclusively to authorized personnel whose roles explicitly require it.
  • Authentication Protocols: Multi-Factor Authentication (MFA) is strictly enforced for all internal developer and administrator accounts. Single Sign-On (SSO) mechanisms align with Atlassian's secure authentication layers.

3.2 Data Protection

  • Encryption in Transit: All communications between user browsers, the Atlassian Marketplace, and Baseliner.ai servers are encrypted using Transport Layer Security (TLS 1.2 or higher).
  • Encryption at Rest: Customer-specific project configurations, metadata, and persistent tokens are secured at rest using industry-standard Advanced Encryption Standard (AES-256) encryption.

3.3 Monitoring & Auditing

  • Continuous Infrastructure Monitoring: Operational environments undergo continuous monitoring to flag anomalous behaviors, unusual bandwidth shifts, or unapproved runtime events.
  • Audit Logging: Administrative changes, system build updates, and infrastructure configurations generate secure, tamper-resistant access logs retained for security audit reviews.

4. Questions and Policy Review

This security policy is reviewed at a minimum annually to address evolving compliance mandates and system updates. For specific inquiries regarding our security framework or infrastructure configuration, please reach out to our dedicated operations desk at info@baseliner.ai.
