Cloud security statement

Scope

Expium LLC offers hosted products and services (“SaaS”), as described on its website. This cloud security statement applies only to these hosted services; other Expium offerings may involve customer-hosted systems, or products and services not involving hosting, to which this cloud security statement does not apply.

Customer Data Separation

Each customer’s data is stored in a separate database schema, isolated from all other customer data. Every web or API request is authenticated and authorized for a specific customer before customer data can flow. Expium does not offer any products or features which combine, integrate, or otherwise access data between one customer and another.

Hosting Location / Jurisdiction

See our data processors list for hosting providers and locations for Expium SaaS products.

Integration with Other Services

Expium SaaS products typically integrate with another vendor’s offerings. For example, Atlassian Jira add-on products (“apps”) use the Atlassian Jira API to access customer data stored there; this data is treated the same way as any data directly entered by customer users into Expium SaaS products.

Deletion of Cloud Data

Expium SaaS add-on products automatically delete customer data from Expium systems, after a safe waiting period, when the underlying core product (Atlassian Jira, for example) no longer connects Expium servers to a particular customer.

Operations and Support

The Expium support and operations team will access customer data only to the extent necessary to serve a customer support request, or to maintain the operation of Expium SaaS products. For more information, please see our Privacy Policy.

Only authorized Expium team members have access to application data.

Backups

Expium systems are backed up regularly with backups stored off-site, using Amazon AWS services or other cloud hosting services. Expium SaaS products which act as add-ons treat the relevant product (for example, Atlassian Jira) as the system of record to the extent technically allowed, thereby relying primarily on the integrity and security of such upstream systems.