Security Self-Assessment Program
| Scope | No. | Question | Passing criteria | Answer | Status | Vendor response |
|---|---|---|---|---|---|---|
| Customer Data | 1a | Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data. | Ideally No. If Yes, provide details of controls in place. | Yes | OK | Customer data is different according to the app: Any data is always stored in secure databases hosted by AWS, in their Northern Virginia data center. Data is encrypted at rest and in transit. Moreover, only a few Elements administrators have the possibility to get access to these databases, and only on request, from a unique IP, following a specific procedure. By default, all databases are closed and not exposed to the Internet. The previously mentioned procedure explains how to temporarily expose a database only to our private network for maintenance purposes. |
| | 1b | If you have answered Yes to Question Number 1a, what is the jurisdiction(s) of where this data is hosted? | N/A Reference information. | N/A | OK | Data is hosted in the AWS Data Center, in Northern Virginia, USA. So the jurisdiction of this location applies. |
| Sensitive Data | 2 | Is your application designed to store sensitive information? (For example: Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms or proprietary models) | Ideally No. If Yes, provide details of controls in place. | Yes | OK | Only Elements Connect stores sensitive data: customer database connection details. This data is of course encrypted in the database, and access to it is highly controlled and restricted. Other apps are not supposed to store sensitive data. |
| Security Policy | 3 | Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the policy). | Yes, and provides details. | Yes | OK | Yes, our "Cloud apps Information Security Policy" is available if needed. |
| Release Management | 4 | Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process). | Ideally Yes and provides process documents. If no, describe the current process. | Yes | OK | Yes, our "Change Control and Release Management process" is available if needed. |
| Audits | 5 | Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively? | Yes, and provides details. | Yes | OK | Yes. We perform periodic security reviews of all of our hosting services. The last one was performed in 2020 by a French company named Vaadata. A new one should be performed this year or next. In addition, we use Sonar and many security rules from several standards such as CWE, SANS and OWASP to strengthen reviews. |
| Accreditation | 6 | Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)? | N/A No accreditation required to pass, but beneficial. | No | OK | No. But this is something we plan to get. |
| Penetration Testing | 7 | Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide copies of results/findings? | Ideally Yes and provides results. Or Yes and describe process. | Yes | OK | Yes. We perform periodic penetration testing of all of our hosting services. The last one was performed in 2020 by the same French company (Vaadata). No major security flaw has been found up to now. A new penetration test should be performed this year or next. Moreover, our Sonar tool is once again strongly used to ensure the security of our apps. Finally, we participate in the Bug Bounty Program in order to get continual security testing. |
| Notifying Atlassian | 8 | Do you have mechanisms to notify Atlassian in case of a security breach? An Add-on Security Incident ticket should be filed with us immediately upon your detection of a security incident. You must stay available to communicate with our security team during resolution and inform our team via the ticket when the incident is resolved. While you are responsible for informing your affected customers as necessary, your communication with us helps us direct customers who have reached out to Atlassian for help. It also informs us in case we need to take necessary action to prevent additional breaches. | Yes, and provide details of the documented plan with notification and follow up procedure. | Yes | OK | In the event that a security breach is detected by our infrastructure and confirmed as genuine, we have documented a security procedure on our Confluence to raise a ticket with the Atlassian service desk (e.g.: https://ecosystem.atlassian.net/servicedesk/customer/portal/14/create/129). The procedure may be summarized as follows: |
| Employee Access | 9 | Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored? | Ideally No. If Yes, provide details of a tightly controlled system. | Yes | OK | Only a few Elements administrators could get access. These persons are identified, and every access is logged. |
| Confidentiality | 10 | Are all personnel required to sign Non-Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information? | Yes if they have access to sensitive information. Otherwise not necessary. | Yes | OK | Customer information is legally protected by a Confidentiality Agreement clause in every employment contract. |
| Managing Security Vulnerabilities | 11 | Do you have a publicly documented process for managing security vulnerabilities in your application(s)? | Yes, and provides the URL to the documentation. Or No, and describes handling of security vulnerability identified in the code. | No | OK | We do not provide any public information, partly because no known vulnerability has been exploited yet through our apps. If needed, we have means of reaching our customers via mailing and our public-facing websites, Jira instances (e.g., Support), our documentation and the Atlassian Marketplace. As for handling security issues, we mostly rely on three elements: Note: we participate in the Bug Bounty Program. |
| Disaster Recovery | 12 | Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms. | Yes, with description. | Yes | OK | For this, we rely on AWS to do the actual infrastructure management and have set up some customisations in order to better suit our needs. |
| Data Recovery | 13 | Do you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect? | Yes, with backup every 24 hrs. | Yes | OK | We have set up daily backups (RDS snapshots and Point-In-Time-Recovery for DynamoDB tables) and we hold backups for one month. |
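As an added illustration (not the vendor's or Atlassian's code), the following Python checks the kind of claims made in rows 1a, 12 and 13 (databases not publicly exposed, encrypted at rest, about one month of automated backups, DynamoDB point-in-time recovery) against the response shapes of boto3's `describe_db_instances` and `describe_continuous_backups`. The sample responses, resource names and the 30-day threshold are constructed assumptions; a reviewer would feed it the real API output instead.

```python
"""Constructed audit helpers for the backup/exposure controls claimed in a
security self-assessment. Field names match the boto3 RDS and DynamoDB
responses; the data below is made up so the checks run offline."""
from typing import Dict, List

MIN_RETENTION_DAYS = 30  # assumption: "one month" read as 30 days


def audit_rds_instance(inst: Dict) -> List[str]:
    """Return findings for one entry of DescribeDBInstances['DBInstances']."""
    findings = []
    name = inst.get("DBInstanceIdentifier", "<unknown>")
    if inst.get("PubliclyAccessible", False):
        findings.append(f"{name}: PubliclyAccessible is true")
    if not inst.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted at rest")
    retention = inst.get("BackupRetentionPeriod", 0)
    if retention < MIN_RETENTION_DAYS:
        findings.append(
            f"{name}: automated backup retention {retention}d < {MIN_RETENTION_DAYS}d")
    return findings


def audit_dynamodb_pitr(table_name: str, cb: Dict) -> List[str]:
    """Return findings for one DescribeContinuousBackups response."""
    desc = cb.get("ContinuousBackupsDescription", {})
    pitr = desc.get("PointInTimeRecoveryDescription", {})
    if pitr.get("PointInTimeRecoveryStatus") != "ENABLED":
        return [f"{table_name}: point-in-time recovery is not enabled"]
    return []


def run_audit(rds_instances: List[Dict], tables: Dict[str, Dict]) -> List[str]:
    """Aggregate findings across all RDS instances and DynamoDB tables."""
    findings: List[str] = []
    for inst in rds_instances:
        findings += audit_rds_instance(inst)
    for name, cb in tables.items():
        findings += audit_dynamodb_pitr(name, cb)
    return findings


# Constructed sample responses (hypothetical resource names, not real ones).
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "connect-prod", "PubliclyAccessible": False,
     "StorageEncrypted": True, "BackupRetentionPeriod": 30},
    {"DBInstanceIdentifier": "legacy-test", "PubliclyAccessible": True,
     "StorageEncrypted": False, "BackupRetentionPeriod": 7},
]
SAMPLE_PITR = {"ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_RDS, {"checklist-items": SAMPLE_PITR}):
        print("FINDING:", finding)
```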
Source: https://developer.atlassian.com/platform/marketplace/security-self-assessment-program/