SaaS security

Our Squash TM SaaS offer is built to be simple, efficient and secure. Below you will find further information about the hosting policy of our Squash TM SaaS offer, its infrastructure and its security.

Hosting

Henix's SaaS Squash TM product offers a Squash TM instance and, optionally, a bug and issue tracker of your choice: MantisBT (Open Source) or Jira Cloud (owned by Atlassian).

Squash TM and MantisBT Hosting

Squash TM and MantisBT SaaS instances provided by Henix, as well as their data and backups, are hosted in data centers physically located in France and monitored by companies under French law.

List of hosting companies involved in Henix's SaaS Squash TM offer:

Physical access to our clients' servers is strictly monitored by our hosting provider, which holds several certifications:

  • ISO 27001:2013 - Security management system
  • ISO 50001:2018 - Energy management certificate
  • GDPR
  • Tier 3 Uptime Institute: 2014
  • SWIPO

More information on their official website:

Jira Cloud hosting (Atlassian)

If the client chooses the Squash-tm SaaS offer with synchronisation with Atlassian's JiraCloud product, the JiraCloud instance is hosted directly by Atlassian and follows their official directives. Henix cannot guarantee that the data synchronized between Squash-tm and JiraCloud will remain in French data centers and will continue to be hosted by companies under French law. The client is advised to inquire with Atlassian if they wish to control or know more about the hosting sites of their product. Atlassian is a company which asserts that it follows official European requirements, including confidentiality recommendations (GDPR).

GDPR

Our SaaS offer is in accordance with the General Data Protection Regulation (GDPR) requirements:

  • No personal data are processed or needed to ensure smooth operation of hosted applications. Users are responsible for the data entered in the applications and Henix does not apply any processing other than that necessary for its service commitments (backups, connection logs);
  • Henix does not employ subcontractor companies that would process personal data or work with non-European infrastructure;
  • Only authorized personnel have access to relevant data;
  • Secured site.

Any client can contact Henix through the website contact form in order to assert their rights:

  • The right of access: individuals have the right to request a copy of any of their personal data as well as other relevant information;
  • The right to rectification: individuals have the right to request rectification of their data kept by Henix;
  • The right to erasure: individuals have the right to have their data erased, without undue delay, if one of the GDPR grounds applies;
  • The right to data portability: individuals are entitled to obtain their data in structured, commonly used and machine-readable form.

Infrastructure and Security

Application Architecture

Henix's Squash-tm SaaS offer is based on the following components:

  • Apache2;
  • Squash-tm and its built-in web server;
  • Java execution environment (long term support release only);
  • PostgreSQL databases;
  • Optional: Xsquash-Cloud for the JiraCloud offer;
  • Optional: MantisBT for the MantisBT offer.

All of these run in a virtualized environment on a Linux-based operating system (the currently supported stable Debian distribution).

Squash TM Access Management Policy

Access controls are guided by the principle of least privilege. An application account with a Squash TM administrator role is given to the client when the SaaS is delivered, and any new user account created in Squash-tm has, by default, no access or visibility to any existing project. It is the role of the administrative account to create user accounts and to give read and write rights for each project and each user.

To access Squash TM, users must enter their username and password. Accounts are created and managed by the customer. The implementation of optional Single sign-on (“SSO”) authentication is possible on request. The supported protocol is SAML 2.0.

Logging Policy

The access and activity logs (“logs”) of the Squash TM application are kept for one month and an automatic log rotation is in place. All SaaS system and network activities are registered in log files and can only be accessed by system and network administrators as well as their IT manager. Squash TM application logs are also available to software administrator accounts and the help desk team.

Business Continuity Plan

Henix has a business continuity plan which guarantees minimal impact for our customers and application availability over the year in accordance with the General Terms and Conditions of Sale (GTC) (French only). Daily, multiple, tested and redundant backups (on several hosts) of the applications and their databases allow a maximum admissible data loss of 24 hours (worst case scenario). The backup policy is described in the GTC.

System and network security

The hosting of all Squash TM SaaS instances is distributed over several servers, each client being in its own container isolated from the others with its own public IP. The firewall only allows encrypted flows via HTTPS (minimum TLS 1.2 protocol). No other streams are allowed. A limitation by IP of incoming flows is possible on request. Henix's system and network administration team is the only one to have access to the underlying logical infrastructures of Henix's SaaS offer. Physical access to our servers is strictly controlled by our hosting providers.

Security Control Framework

For each SaaS instance, operating system security updates (including web server type middleware, databases, Java environment, etc.) are performed automatically within 24 to 48 hours of being made available on official repositories, after being tested in a pre-production environment. Non-critical operating system updates are installed weekly using the same procedure.

Regarding application security updates for the SaaS offer (Squash TM, MantisBT, XsquashCloud), customers are notified by email as soon as possible of the release of the update as well as the time slot in which the SaaS application(s) will be updated. Updates always take place outside working hours (corresponding to the opening hours of the Squash help desk team).

Jira Cloud updates depend on Atlassian's policy.