Security @ Maestro

We take data security and privacy extremely seriously. MaestroQA uses enterprise-grade security practices to keep your data safe. Our approach to product development ensures our customers are in control of their data and that their information is safe. Learn about MaestroQA’s security and bug bounty programs.

Enterprise-grade Compliance

SOC 2 Type 2

MaestroQA maintains a SOC 2 Type II Report covering Security, Confidentiality and Privacy criteria that is updated on an annual basis. 

Our security commitment

MaestroQA is committed to the security of our customers and their data. As a cloud-based company entrusted with some of our customers’ most valuable data, we are focused on keeping you and your data safe. MaestroQA undergoes periodic penetration testing and vulnerability assessments, is designed to be GDPR-compliant, and encrypts data at rest and in transit. Our customers entrust sensitive data to our care. Keeping customer data safe is our priority.

Secure and reliable infrastructure

MaestroQA uses Amazon Web Services (AWS) for secure and resilient hosting of staging and production environments. MaestroQA leverages multiple availability zones to redundantly store customer data. AWS data centers are protected by 24×7 security, biometric scanning, and video surveillance, and are continuously certified across a variety of global security and compliance frameworks.

Data Security

Data encryption

Data in transit

All data transferred between the user’s browser and MaestroQA servers is encrypted in transit. MaestroQA uses TLS v1.2 at minimum.

Data at rest

Data is encrypted at rest in AWS using AES-256 key encryption.

During Backup

Data is encrypted in AWS using AES-256 key encryption.

Data center security

Data center provider
MaestroQA uses Amazon Web Services (AWS) to host its production servers, databases, and supporting services.

Multi-region
MaestroQA uses a multi-region setup for its infrastructure. The principal region for running the application is AWS region US-EAST (N Virginia), with AWS region US-EAST (Ohio) for its backup.

Data availability

Backups
MaestroQA’s production systems and data are backed up on a regular basis. We run through a checklist to verify data is recorded and usable. Backups are tested on a periodic basis.

Status page
MaestroQA service statuses, maintenance updates, and any incidents affecting our users are documented and available at https://status.maestroqa.com/.

Data permission and authentication

Access to customer data is limited to authorized employees who require it for their job, and data access is logged.

Application security

Development security

Access controls
Access to MaestroQA’s systems is limited based on employee roles and responsibilities. The principle of least privilege is enforced.

Testing and review
All changes to our application are subject to peer review and testing before being merged.

Separate environments
MaestroQA maintains segregated testing, development, and production environments.

Vulnerability management

Penetration testing
MaestroQA’s security team uses external third parties to conduct penetration tests to identify deficiencies in the system that may affect critical assets.

Vulnerability scanning
MaestroQA uses third-party security tools to continuously scan our applications, systems, and infrastructure for security risks and vulnerabilities.

In addition, MaestroQA undergoes regular external quarterly vulnerability scans.

Code analysis
MaestroQA’s code repositories are regularly scanned for security issues using static code analysis.

Bug bounty
MaestroQA offers rewards for user-submitted bugs found in our product. For more information, check out the Bug Bounty Program section at the bottom of the page.

Product security

Authentication

Authentication Options

MaestroQA offers several user authentication options that the customer can choose to use exclusively or in combination, including username and password, SSO through Zendesk login, ADFS, and SAML-based logins such as Okta.

User Roles

With MaestroQA, admins can provide limited-access permissions to certain accounts. Below are the roles that are available in Maestro:

  1. Admin
  2. Limited Admin
  3. Grader
  4. Manager
  5. Agent (limited to Professional package)
  6. Limited Agent (limited to Professional package) 

Read more at help.maestroqa.com

Remote Access

Access to customer data is granted based on the principle of least privilege and only to a limited number of authorized and approved professionals at MaestroQA. MaestroQA requires its employees to use a VPN in combination with MFA to access customer data securely.

Risk Management

MaestroQA has a well-established risk management plan that includes an annual review of the plan and an annual risk assessment and treatment that covers all aspects of our teams.

Business Continuity and Disaster Recovery

MaestroQA has a defined BC/DR plan that is reviewed annually. Annual testing is performed that includes tabletop exercises as well as hypothetical scenarios.

Bug bounty

We partner with HackerOne to run a private bug bounty program to help surface and resolve security vulnerabilities before they can be exploited. We welcome your contributions: to request an invite to our bug bounty program, send an email to security@maestroqa.com. Our Security Team will invite you to the platform, then investigate, triage and respond to your report via the HackerOne platform.

Please read through our bug bounty policy and rules before submitting bugs. In order to remain compliant with our bug bounty policy and adequately compensate you, we ask you to refrain from publicly disclosing any of your findings until we have triaged and fixed the vulnerability. We appreciate your time and effort in helping us keep MaestroQA secure.

Government Data Access Policy

Purpose

These guidelines are intended for use by law enforcement when seeking information from MaestroQA, Inc.

Scope

Required Legal Process 

MaestroQA will not release customer information without a valid and binding legal demand properly served to us. MaestroQA objects to overbroad or otherwise inappropriate demands as a matter of course. We take customer privacy seriously and will evaluate every government request to ensure that it is properly issued.

Notification to Customers

MaestroQA will use reasonable efforts to provide notice to our customer when we respond to a request for their information unless we are explicitly prohibited from doing so by law.

Law enforcement or other official government agencies that do not want MaestroQA to notify our customer of their request should include a court order or reference to other legal authority that bars MaestroQA from disclosing the existence of the request to our customer.

Method of Service 

MaestroQA accepts service of subpoenas, search warrants, or other legal processes by emailing privacy@maestroqa.com or in person at 33 West 17th Street, New York, NY 10011.

Requests from Non-U.S. 

Law enforcement agencies located outside of the United States that are seeking MongoDB customer information must work through the available legal and diplomatic channels in their jurisdiction, including bilateral or multilateral legal assistance treaties. Such international requests may be made to the U.S. Department of Justice Office of International Affairs.

Emergencies. MaestroQA reserves the right to respond immediately to urgent law enforcement requests for information in cases involving a threat to public safety or risk of harm to any person.

Policy Compliance

MaestroQA will measure and verify compliance with this policy through various methods, including but not limited to business tool reports and both internal and external audits.

Transparency Report

US National Security Requests for User Data

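| Year | Number of Requests | Number of Accounts Targeted in Requests Received |
|------|--------------------|--------------------------------------------------|
| 2021 | 0                  | 0                                                |
| 2020 | 0                  | 0                                                |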

US Government Requests for User Data

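| Year | Number of Requests | Number of Accounts Targeted in Requests Received |
|------|--------------------|--------------------------------------------------|
| 2021 | 0                  | 0                                                |
| 2020 | 0                  | 0                                                |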
