Overview

Colined has two types of Apps on the Atlassian Marketplace.

  • Hosted Apps for Atlassian Cloud products, delivered via the Atlassian Connect framework. These are our Cloud Apps.
  • Downloadable Server Apps, installed in a server instance of the applicable Atlassian product that the customer hosts and manages. These are our Server Apps.

Cloud Apps

Moving to the cloud raises real concerns for a security department. We have kept that in mind from the first day of development, and we do our best to provide you with well-secured services.

Data Storage and Facilities

Pivot Report uses DigitalOcean to host its cloud-hosted App components, saved data and logs. Colined, as the vendor, is responsible for provisioning, monitoring and maintaining the DigitalOcean infrastructure that supports the Cloud App.

Data is hosted in California, United States.

DigitalOcean's own security policy is described in the corresponding DigitalOcean document.

Types of Data

Account Data: data required for license validation of the customer instance, provided and generated by Atlassian. Each web request, to and from JIRA Cloud, is authenticated and authorized before access is allowed, and all communication is protected with TLS (HTTPS). For troubleshooting purposes this data is stored for up to 30 days.

Session Data: source data for report generation (issue id, board id, etc.), provided and generated by Atlassian from each customer's use of the App. This data is stored for product analytics and performance monitoring for up to 30 days.

Private Data: usernames and email addresses, issue summaries and descriptions, board and filter names, and similar content. This data is passed from Atlassian servers directly to the user's browser; it is not sent to the App and is therefore neither collected nor stored by us.

App Settings: permission and Portfolio support settings, and per-user settings for column and table display. These are stored within the customer's JIRA instance on Atlassian servers.

Saved reports: settings for saved reports such as name, source and other configuration parameters. This data is stored on the App side until the user deletes it.
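The per-request authentication mentioned under Account Data above is what the Atlassian Connect framework provides: Jira Cloud signs every request to the app with a JWT (HS256, keyed with the shared secret exchanged at install time) whose qsh claim is the SHA-256 of the canonical method, path and query string, so a token is valid for exactly one request shape. The Python below is an added example, not Colined's or Atlassian's code; the shared secret, client key and request parameters are constructed for illustration, and the verifier uses only the standard library so it runs offline.

```python
"""Atlassian Connect style request authentication: JWT with a query string hash (qsh).

Added example, not Colined's code. The secret, client key and request are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def canonical_request(method: str, path: str, params: dict, context_path: str = "") -> str:
    """Canonical request string as Connect defines it: METHOD&canonical-uri&canonical-query.

    The context path is removed and a trailing slash dropped; the 'jwt' parameter is
    excluded; parameter names are sorted, multiple values are sorted and joined with ',';
    names and values are percent-encoded per RFC 3986 (space -> %20, '~' left as is).
    """
    uri = path[len(context_path):] if context_path and path.startswith(context_path) else path
    if not uri.startswith("/"):
        uri = "/" + uri
    if len(uri) > 1 and uri.endswith("/"):
        uri = uri[:-1]
    parts = []
    for name in sorted(k for k in params if k != "jwt"):
        values = params[name]
        if isinstance(values, str):
            values = [values]
        encoded = ",".join(quote(v, safe="~") for v in sorted(values))
        parts.append(f"{quote(name, safe='~')}={encoded}")
    return f"{method.upper()}&{uri}&{'&'.join(parts)}"


def query_string_hash(method, path, params, context_path=""):
    return hashlib.sha256(canonical_request(method, path, params, context_path).encode("utf-8")).hexdigest()


def issue_token(secret, client_key, method, path, params, now=None, ttl=180, context_path=""):
    """Jira Cloud's side: sign a short-lived token bound to this exact request."""
    now = int(time.time() if now is None else now)
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": client_key, "iat": now, "exp": now + ttl,
              "qsh": query_string_hash(method, path, params, context_path)}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request(token, installed_secrets, method, path, params, now=None, context_path=""):
    """App's side. Returns (ok, reason, claims); checks alg, issuer, signature, expiry, qsh."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        signature = _b64url_decode(s64)
    except ValueError:
        return False, "malformed token", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token", None
    if header.get("alg") != "HS256":          # never trust the token's own choice of 'none'
        return False, "unexpected alg", None
    secret = installed_secrets.get(claims.get("iss"))  # secret stored per tenant at /installed
    if secret is None:
        return False, "unknown issuer", None
    expected = hmac.new(secret.encode("utf-8"), f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    now = int(time.time() if now is None else now)
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        return False, "expired", None
    if claims.get("qsh") != query_string_hash(method, path, params, context_path):
        return False, "qsh mismatch", None
    return True, "ok", claims


# Constructed values, not real credentials.
SHARED_SECRET = "constructed-secret-from-installed-lifecycle-event"
CLIENT_KEY = "jira:constructed-client-key"
INSTALLED = {CLIENT_KEY: SHARED_SECRET}


def demo():
    """Issue a token for one report request, then replay it against a different board."""
    params = {"boardId": "12", "jql": "project = DEMO order by rank", "fields": ["summary", "assignee"]}
    token = issue_token(SHARED_SECRET, CLIENT_KEY, "GET", "/rest/report", params, now=1_600_000_000)
    ok, reason, claims = verify_request(token, INSTALLED, "GET", "/rest/report", params, now=1_600_000_010)
    replay = dict(params, boardId="13")
    ok2, reason2, _ = verify_request(token, INSTALLED, "GET", "/rest/report", replay, now=1_600_000_010)
    return (ok, reason, claims["iss"]), (ok2, reason2)


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified with the secret looked up for the claimed issuer before any other claim is trusted, and both exp and qsh are checked. A verifier that validates the signature but not qsh would accept a token minted for one board on a request for another, which is what the replay in demo() exercises.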

Backups

Data is fully backed up 4 times a day.

People and Access

Only Cloud App developers and support engineers have access to the DigitalOcean platform hosting our Cloud Apps, and they access application data only for system or application support.

HTTPS and SSH are the only protocols exposed by our cloud platform. SSH access is limited to Cloud App support engineers, is restricted to known trusted internal networks, and requires key-based authentication.

Our platform is built from micro-services, layered into public and internal/private tiers. Each service is responsible for its own data and enforces its own access controls. Logs from these micro-services are shipped to central monitoring, which alerts us if abnormal behaviour is detected.

Customers are responsible for maintaining the security of their own login information.

GDPR Compliance

All Colined Apps follow Atlassian's guidelines on GDPR compliance. More information can be found here:

Any customer can request deletion of the saved data related to their instance via a Service Desk request.

Atlassian requirements for Cloud apps

Colined participates in all security initiatives and programs required by Atlassian.

Security Self-Assessment Program
The program aims to encourage security mindfulness in three main areas:

  1. Data security: the cloud partner has a clear data security policy. Data vulnerabilities are considered and handled.
  2. Sensitive data handling: the cloud partner is mindful of the different types of data it handles and places extra security on sensitive data.
  3. Backups and disaster recovery: the cloud partner backs up its data regularly and has a clear plan for data recovery in case of disaster.

The security self-assessment contains 13 security questions, each with its own passing criteria. A partner's answers are reviewed by Atlassian staff against those criteria and are kept private to Atlassian; no additional audit or testing is performed. While passing gives customers some assurance about a partner's security practices, customers are advised to take whatever additional steps their own company security requirements call for, so Colined may be contacted by customers directly for more information regarding security.

Bug Bounty Program
The Atlassian Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of security researchers. Marketplace Partners who join the program allow those researchers to test their applications for security vulnerabilities; researchers are rewarded according to the severity of what they find. This gives Marketplace Partners a cost-efficient way to discover and fix vulnerabilities in their apps on an ongoing basis, which results in more secure apps for customers.

CAIQ-lite Security Self-Assessment Program
In short, the Marketplace Partner Security Self-Assessment program involves the following:

  • A vendor self-assessment of its cloud applications in the Marketplace and of the organisation's overall approach to security, measured against CAIQ Lite, an industry-recognised cloud security benchmark. Marketplace vendors complete this process on the Whistic platform.
  • A review by Atlassian of the vendor's responses to identify gaps in the vendor's security posture.
  • Communication between Atlassian and the vendor about that posture, identifying critical control gaps and other areas for remediation.

The questionnaire consists of 73 questions that the vendor must answer, giving Atlassian an understanding of whether various security controls are in place. For each control the vendor indicates Yes, No or N/A with a brief explanation. 19 of the 73 controls are designated 'critical', as Atlassian has assessed them as significant factors in a secure Marketplace ecosystem; any gaps in critical controls are a high priority for remediation.

Server Apps

With Server Apps all data and code are fully under the customer's control. The only data Colined can receive from you, and only optionally, is Metrics: application usage metrics stored for analysis and reporting so that we can monitor application performance. This includes anonymised organisation-level data but no individual data. Users can turn off data collection in the App settings, in which case no information leaves the JIRA instance.

Periodic Review

This Document is valid from the Effective Date stated herein until further notice. It should be reviewed at least once per fiscal year; if no review takes place within a given period, the current Document remains in effect.

The Business Relationship Manager (Document Owner) is responsible for facilitating regular reviews of this Document. Its contents may be amended as required, provided the primary stakeholders agree and the change is communicated to all affected parties. The Document Owner incorporates all subsequent revisions and obtains the required agreements and approvals.

Business Relationship Manager: Dmitry Astapkovich

Maximum Review Period: Yearly (12 months)

Previous Review Date: 26 Aug. 2020

Next Review Date: 22 Jan. 2021
