Security - self assessment for Cloud

Sr No | Question | Response

1a | Customer Data
Question: Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.
Response: We have an instance-based field (client key) in tables to identify customer data. We proactively conduct penetration testing and bug bounty programmes to identify vulnerabilities and fix them on priority.
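As an added illustration of the tenant-isolation pattern the response describes (a per-instance client key stored alongside every customer row), and not the vendor's own code, the following store makes the client key a mandatory part of every read and write, so a record id that belongs to one Atlassian instance cannot be resolved by another. The `TenantScopedStore` class, the sample rows and the helper names are constructed for this example; the client key would in practice come from the verified Connect JWT of the calling instance.

```python
"""Tenant isolation keyed on an Atlassian Connect client key.

Illustrative example only (not the vendor's code). The store is an
in-memory stand-in for a table that carries a client_key column.
"""
from dataclasses import dataclass, field


class TenantScopeError(Exception):
    """Raised when a read or write is not scoped to a tenant."""


@dataclass
class Record:
    record_id: int
    client_key: str  # identifies the installing Atlassian instance
    payload: str


@dataclass
class TenantScopedStore:
    # Keyed on (client_key, record_id): the tenant is part of the primary
    # key, so a cross-tenant lookup is a miss rather than a leak.
    _rows: dict = field(default_factory=dict)

    def insert(self, client_key: str, record_id: int, payload: str) -> Record:
        if not client_key:
            raise TenantScopeError("client_key is required on every write")
        rec = Record(record_id, client_key, payload)
        self._rows[(client_key, record_id)] = rec
        return rec

    def get(self, client_key: str, record_id: int) -> Record:
        if not client_key:
            raise TenantScopeError("client_key is required on every read")
        try:
            return self._rows[(client_key, record_id)]
        except KeyError:
            raise TenantScopeError(
                f"record {record_id} is not visible to tenant {client_key}"
            ) from None

    def list_for_tenant(self, client_key: str) -> list:
        """Return only rows whose client_key matches the caller's tenant."""
        return [r for (ck, _), r in self._rows.items() if ck == client_key]


def build_sample_store() -> TenantScopedStore:
    """Constructed sample data: two tenants that both use record id 1."""
    store = TenantScopedStore()
    store.insert("tenant-A", 1, "alpha")
    store.insert("tenant-A", 2, "alpha-2")
    store.insert("tenant-B", 1, "bravo")
    return store


def is_isolated(store: TenantScopedStore, client_key: str, record_id: int) -> bool:
    """True if the record is NOT reachable from the given tenant.

    Used as a self-check: a record that belongs to another tenant must not
    be readable even though its id collides with one of the caller's rows.
    """
    try:
        store.get(client_key, record_id)
    except TenantScopeError:
        return True
    return False


def find_unscoped(records: list) -> list:
    """Detection helper: ids of rows that carry no client key at all.

    Such rows cannot be attributed to an instance and should be treated as
    a data-handling defect to investigate.
    """
    return [r.record_id for r in records if not r.client_key]


if __name__ == "__main__":
    s = build_sample_store()
    print([r.payload for r in s.list_for_tenant("tenant-A")])  # ['alpha', 'alpha-2']
    print(is_isolated(s, "tenant-B", 2))  # True: tenant-A's record 2 is hidden
```

The point of keying the row on the pair (client key, record id) rather than on the record id alone is that tenant scoping cannot be forgotten at a call site: a read without a client key fails outright, and a read with the wrong one returns nothing.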

1b | Customer Data
Question: If you have answered YES above, what is the jurisdiction(s) where this data is hosted?
Response: All our apps are located in the EU region (Paris, to be exact).

2 | Sensitive Data
Question: Is your application designed to access or store sensitive information? (For example: credit card data, Personally Identifiable Information, financial data, source code, trading algorithms or proprietary models.)
Response: Some of our apps allow companies to store PII data.
Apps that store sensitive data: UpRaise for Employee Success, UpRaise People, UpRaise for Employee Garrison.
Apps that do not store sensitive data: Automated release notes, Roadmap portal, Typeform integration, Screenjar, Enriched profiles.

3 | Security Policy
Question: Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the Policy).
Response: A fair amount of these details has been covered in the CAIQ Lite questionnaire that we have already submitted.

4 | Release Management
Question: Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process).
Response: We maintain the processes and history of releases in Confluence. This also covers impact analysis.

5 | Audits
Question: Do you undertake audits or other reviews to ensure that security controls are being implemented?
Response: We will be doing our first ever ISO certification towards the end of this year.

6 | Accreditation
Question: Are you accredited to any relevant security standards (e.g. SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
Response: No

7 | Penetration Testing
Question: Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment), and are you able to provide copies of results / findings?
Response: Yes, we do conduct penetration testing on our cloud apps via freelancers and bug bounty programmes. We have an ongoing programme with Bugcrowd.

8 | Notifying Atlassian
Question: Do you have mechanisms to notify Atlassian in case of a security breach? An 'App Security Incident' ticket (https://ecosystem.atlassian.net/servicedesk/customer/portal/14/group/39/create/129) should be filed with us immediately upon your detection of a security incident.
Response: Yes

9 | Employee Access
Question: Do your employees (e.g. developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?
Response: Only the core team members have access to customer data. Even then, the entire team signs an NDA regarding this.

10 | Confidentiality
Question: Are all personnel required to sign a Non-Disclosure Agreement (NDA) or Confidentiality Agreement (CA) as a condition of employment to protect customer information?
Response: The entire team signs an NDA regarding customer data confidentiality.

11 | Managing Security Vulnerabilities
Question: Do you have a publicly documented process for managing security vulnerabilities in your application(s)? If yes, please provide the URL; if no, please describe how you would handle a security vulnerability being identified in your code.
Response: There is no documented security policy, but this is how we currently proceed once a security vulnerability has been identified:
  • We try to figure out if this vulnerability has been exploited to gain access to harmful data.
  • If yes, we notify Atlassian and the relevant customers.
  • If no, then we fix the vulnerability ASAP and go live with it.
  • Finally, we conduct more tests to ensure that the vulnerability is really addressed.

12 | Disaster Recovery
Question: Do you have Business Continuity and/or Disaster Recovery Plans? If yes, please provide details including backup and redundancy mechanisms.
Response: The concerned teams have the relevant knowledge of performing backup, restore and recovery. Exhaustive documentation is in progress as part of our current initiative.

13 | Data Recovery
Question: Do you have the capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss, including time frames. What is the maximum data loss period a customer can expect?
Response: To a certain extent it can be recovered from daily backups. We have hosted the apps/DB in a single region in AWS, which can be changed to multiple regions easily.