Security Assessment

Last updated

The security assessment questionnaire was last completed in June 2022 and reviewed by Atlassian as part of the Atlassian Marketplace Cloud Security Program.

Each entry below lists the question number, the question, Atlassian's guidance on the expected answer, and the response.

1a
Question: Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.
Atlassian guidance: Ideally No. If Yes, provide details of controls in place.
Response: Yes
All customer data is accessed over encrypted channels. Data at rest is encrypted with a unique key per customer, in addition to AWS-native S3 encryption at rest. Customers access their data via our application servers over HTTPS after authentication. Our Operations Team has access to the database over SSH using a private key.

1b
Question: If you have answered Yes to Question Number 1a, what is the jurisdiction(s) of where this data is hosted?
Atlassian guidance: N/A. Reference information.
Response: AWS, US East region

2
Question: Is your application designed to store sensitive information? (For example: Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms or proprietary models)
Atlassian guidance: Ideally No. If Yes, provide details of controls in place.
Response: We provide a backup and restore application for Jira Cloud, which backs up the data within a given Jira site; any PII in the Jira site is therefore backed up into our system. The data stored in our system is encrypted (see 1a). Customers access their data via our application servers over HTTPS after authentication. Our Operations Team has access to the database over SSH using a private key.

3
Question: Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the policy).
Atlassian guidance: Yes, and provides details.
Response: Yes
Cloud Security Statement

4
Question: Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process).
Atlassian guidance: Ideally Yes and provides process documents. If no, describe the current process.
Response: Yes
Change Control & Release Management

5
Question: Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?
Atlassian guidance: Yes, and provides details.
Response: Yes. We perform quarterly audits of all security controls and configurations to confirm that all systems work as intended, and to verify and update our security practices and processes.

6
Question: Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
Atlassian guidance: N/A. No accreditation required to pass, but beneficial.
Response: No

7
Question: Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide copies of results/findings? Example penetration testing report
Atlassian guidance: Ideally Yes and provides results. Or Yes and describe process.
Response: Yes
The source code of every released version has been code reviewed. All releases are made after extensively running test cases and checking for common vulnerabilities such as those listed in the OWASP Top 10 (Open Web Application Security Project).
We also undertake periodic self-assessments based on checklists such as the OWASP Application Security Verification Standard (version 4).

8
Question: Do you have mechanisms to notify Atlassian in case of a security breach? An App Security Incident ticket should be filed with us immediately upon your detection of a security incident. You must stay available to communicate with our security team during resolution and inform our team via the ticket when the incident is resolved. While you are responsible for informing your affected customers as necessary, your communication with us helps us direct customers who have reached out to Atlassian for help. It also informs us in case we need to take necessary action to prevent additional breaches.
Atlassian guidance: Yes, and provide details of the documented plan with notification and follow-up procedure.
Response: Yes
Security Incident Policy

9
Question: Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?
Atlassian guidance: Ideally No. If Yes, provide details of a tightly controlled system.
Response: Yes
Our Operations Team has access to the database over SSH using a private key. Employee access to the databases is monitored. The Customer Support Team must request from the Operations Team any data relevant to open service requests.

10
Question: Are all personnel required to sign Non-Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information?
Atlassian guidance: Yes if they have access to sensitive information. Otherwise not necessary.
Response: Yes

11
Question: Do you have a publicly documented process for managing security vulnerabilities in your application(s)? Example security vulnerability process
Atlassian guidance: Yes, and provides the URL to the documentation. Or No, and describes handling of security vulnerability identified in the code.
Response: Yes
Cloud Security Statement

12
Question: Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms.
Atlassian guidance: Yes, with description.
Response: Yes
We provision multiple application servers according to customer load. If an application server fails, we can spin up a new instance and connect it to the database within 10 to 30 minutes. Our cloud databases (SQL and NoSQL) support replication. Database server instances can also be spun up and data restored from backups within 60 minutes. In case of a major problem with our cloud provider (AWS), our deployment tools can build and set up an alternate application network on AWS within a few hours.

13
Question: Do you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect?
Atlassian guidance: Yes, with backup every 24 hrs.
Response: Yes
All other customer configurations are backed up daily to AWS. In case of data loss for a customer, for any reason, we can manually initiate a program that restores the data from the most recent backup. The maximum data loss period a customer can expect is 3 working days.
