Security Self-Assessment

| # | Question | Answer |
|---|----------|--------|
| 1a | Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data. | No |
| 1b | If you have answered Yes to Question Number 1a, what is the jurisdiction(s) of where this data is hosted? | Not applicable |
| 2 | Is your application designed to store sensitive information? (For example: Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms or proprietary models) | No |
| 3 | Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the policy). | No, we don't provide any formal security policies yet. |
| 4 | Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process). | We host our source code in GitLab private repositories and deploy new versions using GitLab CI. Only authorised employees are allowed to do releases. Any product change goes through JIRA issues. We do testing (both functional testing and auto-testing) before each release. |
| 5 | Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively? | We do general (including security aspects) per-commit code reviews. |
| 6 | Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)? | No |
| 7 | Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide copies of results/findings? | No |
| 8 | Do you have mechanisms to notify Atlassian in case of a security breach? An Add-on Security Incident ticket should be filed with us immediately upon your detection of a security incident. You must stay available to communicate with our security team during resolution and inform our team via the ticket when the incident is resolved. While you are responsible for informing your affected customers as necessary, your communication with us helps us direct customers who have reached out to Atlassian for help. It also informs us in case we need to take necessary action to prevent additional breaches. | We will notify Atlassian if any security incident occurs using the following form: https://ecosystem.atlassian.net/secure/CreateIssue.jspa?pid=17070&issuetype=11400 |
| 9 | Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored? | No |
| 10 | Are all personnel required to sign Non-Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information? | Not applicable |
| 11 | Do you have a publicly documented process for managing security vulnerabilities in your application(s)? | No |
| 12 | Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms. | No |
| 13 | Do you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect? | Not applicable |