Trust Center
Self-Assessment Responses
| Section Heading | Control Heading | ID | Question Text | Answer | Notes/Comment |
|---|---|---|---|---|---|
| Application & Interface Security | Application Security | AIS-01.2 | Do you use an automated source code analysis tool to detect security defects in code prior to production? | Yes | We automate the detection & update of vulnerable dependencies. Read more |
| AIS-01.5 (SaaS only) | Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? | Yes | All security defects found during review or testing are remediated prior to deployment to production. | ||
| Customer Access Requirements | AIS-02.1 | Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems? | Yes | We provide full details of this via our customer agreement and privacy policy on our website. | |
| Data Integrity | AIS-03.1 | Does your data management policies and procedures require audits to verify data input and output integrity routines? | Yes | Our software is built to check the validity of data input prior to ingestion and to sanitize API outputs. This is checked and audited via extensive end-to-end tests, human review, and penetration testing. We also fully rely on Jira's data integrity functionality as we do not store customer data on our own infrastructure. | |
| Audit Assurance & Compliance | Independent Audits | AAC-02.1 | Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports? | Yes | We don't have SOC II or ISO 27001 audits yet, but we intend to make as much detail about our audits public as is safe & reasonable. We also have the ISO 27001 report of our service provider linked in our Trust Center. |
| AAC-02.2 | Do you conduct network penetration tests of your cloud service infrastructure at least annually? | Yes | Find out more details about our Bug Bounty Program and other initiatives in the Trust Center. | ||
| AAC-02.3 | Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? | Yes | Find out more details about our Bug Bounty Program and other initiatives in the Trust Center. | ||
| Information System Regulatory Mapping | AAC-03.1 | Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements? | Yes | We review the regulatory landscape on a quarterly basis and make changes to our internal policies & documentation as a result. | |
| Business Continuity Management & Operational Resilience | Business Continuity Testing | BCR-02.1 | Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness? | Yes | We review our business continuity plan on an annual basis (or upon significant organizational and environmental change) and make changes to our internal policies & documentation as a result. |
| Policy | BCR-10.1 | Are policies and procedures established and made available for all personnel to adequately support services operations’ roles? | Yes | Continuously update our customer documentation, our internal documentation & staff training material. We use source control systems to store and publish these to ensure there is change tracking. | |
| Retention Policy | BCR-11.1 | Do you have technical capabilities to enforce tenant data retention policies? | Yes | We retain installation data provided to us. However, as we do not host customer data, most of the obligation lies with Atlassian. | |
| BCR-11.3 | Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements? | Yes | We regularly backup installation data in order to ensure continuous operation for our customers | ||
| BCR-11.7 | Do you test your backup or redundancy mechanisms at least annually? | Yes | |||
| Change Control & Configuration Management | Unauthorized Software Installations | CCC-04.1 | Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems? | Yes | We automate the provisioning of infrastructure we use to deliver our services and manual installation of software on these instances does not happen. We use container technologies to ensure that the application stack is consistent. |
| Datacenter Security | Asset Management | DCS-01.2 | Do you maintain a complete inventory of all of your critical assets located at all sites/ or geographical locations and their assigned ownership? | Yes | We don't have a datacenter or any physical critical assets. Digitally critical assets and their ownership are listed in our business continuity plan. |
| Controlled Access Points | DCS-02.1 | Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented for all areas housing sensitive data and information systems? | Not applicable | We are a remote first company and we do not house a data center or any other sensitive data or information systems. | |
| User Access | DCS-09.1 | Do you restrict physical access to information assets and functions by users and support personnel? | Not applicable | ||
| Encryption & Key Management | Encryption | EKM-03.1 | Do you encrypt tenant data at rest (on disk/storage) within your environment? | Not applicable | We do not host any tenant data |
| Governance and Risk Management | Policy | GRM-06.1 | Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)? | Yes | You can find our public Information Security Policy in the Trust Center |
| Policy Enforcement | GRM-07.1 | Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? | Yes | These actions are enforced by our employment contracts and defined in our policies. | |
| Policy Reviews | GRM-09.1 | Do you notify your tenant's when you make material changes to your information security and/or privacy policies? | Yes | ||
| GRM-09.2 | Do you perform, at minimum, annual reviews to your privacy and security policies? | Yes | |||
| Human Resources | Asset Returns | HRS-01.1 | Upon termination of contract or business relationship, are employees and business partners adequately informed of their obligations for returning organizationally-owned assets? | Yes | |
| Background Screening | HRS-02.1 | Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification? | Yes | ||
| Employment Agreements | HRS-03.1 | Do your employment agreements incorporate provisions and/or terms in adherence to established information governance and security policies? | Yes | ||
| Employment Termination | HRS-04.1 | Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination? | Yes | ||
| Training / Awareness | HRS-09.5 | Are personnel trained and provided with awareness programs at least once a year? | Yes | ||
| Identity & Access Management | Audit Tools Access | IAM-01.1 | Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)? | Yes | Only authorized engineers are granted access to our information security systems. |
| User Access Policy | IAM-02.1 | Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes? | Yes | We have an offboarding plan for staff that leave, only authorized engineers are able to access the production environment. | |
| Policies and Procedures | IAM-04.1 | Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? | Yes | ||
| Source Code Access Restriction | IAM-06.1 | Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only? | Yes | All of our source code is stored on cloud based source control providers. Only approved staff members are granted access to private repositories. | |
| User Access Restriction / Authorization | IAM-08.1 | Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rules of least privilege? | Yes | We do not grant access to customer credentials in general. In support processes, customers can grant access to dedicated support staff. | |
| User Access Revocation | IAM-11.1 | Is timely deprovisioning, revocation, or modification of user access to the organizations systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties? | Yes | ||
| Security Incident Management, E-Discovery, & Cloud Forensics | Incident Management | SEF-02.1 | Do you have a documented security incident response plan? | Yes | This is required for us to comply with Atlassian's security policies |
| Incident Reporting | SEF-03.1 | Are workforce personnel and external business relationships adequately informed of their responsibility, and, if required, consent and/or contractually required to report all information security events in a timely manner? | Yes | We have dedicated security contacts with Atlassian that are required to comply with this policy | |
| SEF-03.2 | Do you have predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations? | Yes | |||
| Supply Chain Management, Transparency, and Accountability | Incident Reporting | STA-02.1 | Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)? | Yes | Incident reports will be made available via email to dedicated customer technical contacts and through our website |
| Third Party Agreements | STA-05.5 | Do you have the capability to recover data for a specific customer in the case of a failure or data loss? | Not applicable | Data is not hosted by us and the restore needs to happen on the customer instance by Atlassian | |
| Threat and Vulnerability Management | Antivirus / Malicious Software | TVM-01.1 | Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your IT infrastructure network and systems components? | Yes | |
| Vulnerability / Patch Management | TVM-02.5 | Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems? | Yes | Our infrastructure is configured to run automatic security updates on all machines. Our deployed containers are monitored for vulnerabilities and patched according to our bug fix policy. |