Marketplace Security Assessment

These are our current responses to the Atlassian Marketplace Security Self-Assessment shared with Atlassian.

1a. Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.
Answer: No.

1b. If you have answered Yes to Question Number 1a, what is the jurisdiction(s) of where this data is hosted?
Answer: Not applicable (see 1a).

2. Is your application designed to store sensitive information? (For example: credit card data, Personally Identifiable Information, financial data, source code, trading algorithms or proprietary models)
Answer: No.

3. Do you have an Information Security Policy with supporting Standards and Procedures?
Answer: In progress.

4. Do you have formal change control and release management processes to manage code changes?
Answer: Yes. All changes are planned and documented in our internal Jira. Code is committed to a git repository in Atlassian Bitbucket. All releases are uploaded to Netlify, where every released version is persisted and rollback to a previous version is straightforward. All changes are first rolled out to an internal staging environment, where they are tested before being rolled out to our live environments in the different regions.

5. Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?
Answer: Yes. Our automated dependency check for both frontend and backend libraries runs before every deployment to production and blocks the deployment if a known vulnerability is found in our dependencies. We also conduct regular peer reviews of code and infrastructure within our development team to ensure high code quality and security awareness.

6. Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
Answer: No.

7. Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide copies of results/findings?
Answer: No penetration testing, but all code commits are peer-reviewed before a release. We are also enrolled in the Atlassian Marketplace security bug bounty program, where our apps are exposed to security researchers who receive rewards for reporting exploitable vulnerabilities.

8. Do you have mechanisms to notify Atlassian in case of a security breach?
Answer: Yes. Our servers are permanently monitored for irregular behavior such as load spikes or an unusual number of errors and warnings. If a potential security breach is occurring, Atlassian is notified through the "App Security Incident" ticket, and additional colleagues are notified to help resolve and communicate the incident as quickly as possible.

9. Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?
Answer: No customer data is stored.

10. Are all personnel required to sign Non-Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information?
Answer: All employees with access to customer-facing operations have an NDA as part of their contract of employment.

11. Do you have a publicly documented process for managing security vulnerabilities in your application(s)?
Answer: Yes. For Cloud apps, a security vulnerability should be fixed within 2 weeks of being reported. Since a new cloud version is automatically rolled out within 10 hours by Atlassian, there is no need to support multiple versions except for the brief transition period.

For Server and Data Center apps, a security vulnerability should be fixed within 2 weeks of being reported. All previous versions of the app containing the security vulnerability are changed to "private", so they are no longer installable by customers.

12. Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms.
Answer: All customer-facing operations are managed in trusted public cloud vendors (Azure, AWS, Netlify, Cloudflare). All permissions required for handling customer needs are held by at least 2 employees. All operations can be carried out remotely.

13. Do you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect?
Answer: We do not hold any customer data. We completely delegate all data storage to APIs provided by Atlassian.

Methoda Computer Ltd. All rights Reserved.
Confidential Information