Security - self assessment for Cloud
Sr No | Question | Response |
---|---|---|
1a | Customer Data Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data. | We have an instance-based field (client key) in tables to identify customer data. We proactively conduct penetration testing and bug bounty programmes to identify vulnerabilities and fix them as a priority. |
1b | Customer Data If you have answered YES to above, what is the jurisdiction(s) of where this data is hosted? | All our apps are located in EU region. (Paris, to be exact) |
2 | Sensitive Data Is your application designed to access or store sensitive information? (For example: Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms or proprietary models). | Some of our apps allow companies to store PII data. Apps that store sensitive data: UpRaise for Employee Success, UpRaise People, UpRaise for Employee Garrison. Apps that do not store sensitive data: Automated release notes, Roadmap portal, Typeform integration, Screenjar, Enriched profiles. |
3 | Security Policy Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the Policy). | A fair amount of these details has been covered in the CAIQ Lite questionnaire that we have already submitted. |
4 | Release Management Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process). | We maintain the processes and history of releases in Confluence. This also covers impact analysis. |
5 | Audits Do you undertake audits or other reviews to ensure that security controls are being implemented? | We will be doing our first-ever ISO certification towards the end of this year. |
6 | Accreditation Are you accredited to any relevant security standards (e.g. SSAE16 SOC1/2/3, ISO27001, PCI DSS)? | No |
7 | Penetration Testing Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide copies of results / findings? | Yes, we do conduct penetration testing on our cloud apps via freelancers and bug bounty programmes. We have an ongoing programme with Bugcrowd. |
8 | Notifying Atlassian Do you have mechanisms to notify Atlassian in case of a security breach? An 'App Security Incident' ticket (https://ecosystem.atlassian.net/servicedesk/customer/portal/14/group/39/create/129) should be filed with us immediately upon your detection of a security incident. | Yes |
9 | Employee Access Do your employees (e.g. developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored? | Only the core team members have access to customer data. Even then, the entire team signs an NDA regarding this. |
10 | Confidentiality Are all personnel required to sign Non Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information? | The entire team signs an NDA regarding customer data confidentiality. |
11 | Managing Security Vulnerabilities Do you have a publicly documented process for managing security vulnerabilities in your application(s)? If Yes, please provide the URL; If No, please describe how you would handle a security vulnerability being identified in your code. | There is no documented security policy, but this is how we currently proceed once a security vulnerability has been identified |
12 | Disaster Recovery Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms. | The teams concerned have the relevant knowledge to perform backup, restore and recovery. Exhaustive documentation is in progress as part of our current initiative. |
13 | Data Recovery Do you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect? | To a certain extent, it can be recovered from daily backups. We have hosted the apps/DB in a single region in AWS, which can be changed to multiple regions easily. |
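Answer 1a relies on a per-instance client key column as the mechanism that keeps one Atlassian customer's rows apart from another's. The following is an added editor's example, not the vendor's code, of the pattern a reviewer would expect behind that answer: all reads, updates and deletes go through a tenant-scoped accessor that always adds the `client_key` predicate, so a lookup by primary key alone can never cross tenants. The table, column names, client keys and sample rows are constructed for the example; the real apps' schema is not on the page.

```python
import sqlite3

# Constructed sample data for two hypothetical Atlassian Cloud instances.
# The client keys are made up; a real Connect app receives them at install time.
SAMPLE_ROWS = [
    ("ck-instance-alpha", 1, "Quarterly objective A"),
    ("ck-instance-alpha", 2, "Quarterly objective B"),
    ("ck-instance-beta", 3, "Hiring plan"),
]


def build_db():
    """Create an in-memory table with the per-instance client_key column (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE objectives ("
        " client_key TEXT NOT NULL CHECK (client_key <> ''),"  # every row must belong to a tenant
        " id INTEGER PRIMARY KEY,"
        " title TEXT NOT NULL)"
    )
    # Index on the tenant column: every query filters on it first.
    conn.execute("CREATE INDEX ix_objectives_client ON objectives(client_key)")
    conn.executemany("INSERT INTO objectives VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantScope:
    """The only way application code touches tenant data.

    Binding the client key once, at construction, means the WHERE client_key = ?
    predicate cannot be forgotten on an individual query.
    """

    def __init__(self, conn, client_key):
        if not client_key:
            raise ValueError("a client key is required for all tenant data access")
        self._conn = conn
        self.client_key = client_key

    def list_objectives(self):
        """Return (id, title) rows belonging to this tenant only."""
        return self._conn.execute(
            "SELECT id, title FROM objectives WHERE client_key = ? ORDER BY id",
            (self.client_key,),
        ).fetchall()

    def get_objective(self, objective_id):
        """Look up by id AND client key.

        Returning None for another tenant's id is indistinguishable from
        "does not exist", so the id space leaks nothing across instances.
        """
        return self._conn.execute(
            "SELECT id, title FROM objectives WHERE client_key = ? AND id = ?",
            (self.client_key, objective_id),
        ).fetchone()

    def delete_objective(self, objective_id):
        """Delete within the tenant; returns the number of rows removed (0 if not ours)."""
        cur = self._conn.execute(
            "DELETE FROM objectives WHERE client_key = ? AND id = ?",
            (self.client_key, objective_id),
        )
        self._conn.commit()
        return cur.rowcount


def rows_per_tenant(conn):
    """Audit helper: row counts by client key, for checking that no tenant is missing or merged."""
    return dict(
        conn.execute("SELECT client_key, COUNT(*) FROM objectives GROUP BY client_key").fetchall()
    )


if __name__ == "__main__":
    db = build_db()
    alpha = TenantScope(db, "ck-instance-alpha")
    beta = TenantScope(db, "ck-instance-beta")
    print("alpha sees:", alpha.list_objectives())
    print("beta looking up alpha's id 1:", beta.get_objective(1))
    print("beta deleting alpha's id 1 removed:", beta.delete_objective(1))
    print("per-tenant counts:", rows_per_tenant(db))
```

The `CHECK (client_key <> '')` constraint and the `ValueError` in the constructor cover the two usual ways isolation breaks in practice: rows written without a tenant, and code paths that construct a scope from a missing or empty key and silently match everything.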