# | Question | Answer | Passing criteria |
---|---|---|---|
1a | Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data. | Yes, we store various information such as Jira User Names, Jira API Tokens, Azure API Credentials, etc. We are using the Atlassian Forge Storage API features for storing the information. Forge Storage API allows encryption with the “Secret” feature. | Ideally No. If Yes, provide details of controls in place. |
1b | If you have answered Yes to Question Number 1a, what is the jurisdiction(s) of where this data is hosted? | Data is stored in the Atlassian Forge Platform which stores the data in the same region as the JSM site. | N/A Reference information. |
2 | Is your application designed to store sensitive information? (For example: Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms or proprietary models) | Our applications collect user related data (User Names, Email addresses, etc.) from external systems (i.e. Azure AD) and process them. We do not store them in the Forge database. Processing takes less than 25 seconds. We do not process Credit card data, Financial data, Source code, Trading algorithms or proprietary models. | Ideally No. If Yes, provide details of controls in place. |
3 | Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the policy). | Yes, please refer to our Privacy Policy. | Yes, and provides details. |
4 | Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process). | Yes, we use Bitbucket for storing our code and keeping track of the changes. For every change we have our stories and tasks in Jira Software Project which are part of an agile sprint. We have approval process in place for every code change. | Ideally Yes and provides process documents. If no, describe the current process. |
5 | Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively? | Audits are in our future plans. | Yes, and provides details. |
6 | Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)? | ISO27001 is in our future plans. | N/A No accreditation required to pass, but beneficial. |
7 | Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide copies of results/findings? Example penetration testing report | Our products run on the Atlassian Forge Plattform and benefit the features of the provided framework. Our product does not have a separate user interface or API access. Our plan is becoming a part of the Atlassian Marketplace Security Bug Bounty Program is in our plans. | Ideally Yes and provides results. Or Yes and describe process. |
8 | Do you have mechanisms to notify Atlassian in case of a security breach? An App Security Incident ticket should be filed with us immediately upon your detection of a security incident. You must stay available to communicate with our security team during resolution and inform our team via the ticket when the incident is resolved. While you are responsible for informing your affected customers as necessary, your communication with us helps us direct customers who have reached out to Atlassian for help. It also informs us in case we need to take necessary action to prevent additional breaches. | Yes, keep track of the Forge logs and metrics for the operational excellence. We have the action plan for reporting the anomalies to Alassian via App Security Incident ticket. | Yes, and provide details of the documented plan with notification and followup procedure. |
9 | Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored? | No. | Ideally No. If Yes, provide details of a tightly controlled system. |
10 | Are all personnel required to sign Non-Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information? | All employees sign our NDA. | Yes if they have access to sensitive information. Otherwise not necessary. |
11 | Do you have a publicly documented process for managing security vulnerabilities in your application(s)? Example security vulnerability process | No. Our customers contact us via our Support portal in case they notice a security incident. | Yes, and provides the URL to the documentation. Or No, and describes handling of security vulnerability identified in the code. |
12 | Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms. | Yes. Our products run on the Forge Platform. The Atlassian Cloud backs up the entire hosted storage for disaster recovery. This includes content stored from the Forge storage API. Please review Atlassian’s Business continuity and disaster recovery management documentation. | Yes, with description. |
13 | Do you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect? | Yes. Our products run on the Forge Platform. The Atlassian Cloud backs up the entire hosted storage for disaster recovery. This includes content stored from the Forge storage API. Please review Atlassian’s Business continuity and disaster recovery management documentation. | Yes, with backup every 24 hrs. |
Manage space
Manage content
Integrations