First published on 18 March 2018. Last updated on 01 June 2024

Disclaimer

At Colined we understand that ensuring the security of your data and the reliability of our software are of utmost importance to you. Here’s why certifications like ISO and SOC, while valuable, are not relevant to our specific business model and size:

1. Company Size and Certification Costs

Our company, being a small development team of fewer than 10 people, focuses on delivering high-quality software solutions efficiently. Certifications such as ISO and SOC require significant financial and resource investments that are more suited to larger organizations. These costs can be prohibitive for a company of our size and might not be justified given our scale and operations.

2. Nature of Our Business and Data Handling

Our primary focus is on developing third-party apps for Atlassian Jira, which are client-side operated. This means that all data processing and storage occur on your end. We do not store, process, or transmit any customer data through our infrastructure. As such, many of the compliance requirements related to data handling, which these certifications address, do not apply to us.

3. Alternative Assurance Measures

  • We adhere to industry-standard security practices in our development processes to ensure the software we deliver is secure and robust.
  • We maintain transparency in our development and security practices and are open to providing detailed documentation or accommodating client-specific security requirements.
  • Our small size allows us to be agile and responsive, tailoring our solutions to meet your unique security needs more effectively than a one-size-fits-all certification might.

We hope this explanation clarifies why formal certifications, while valuable in certain contexts, are not necessary or relevant for our business model. Rest assured, we are committed to delivering secure and reliable software solutions to meet your needs.

Types of apps

Colined has two types of Apps on the Atlassian Marketplace:

  1. Hosted Apps for Atlassian Cloud products that are delivered via the Atlassian Connect framework. These are our Cloud Apps.
  2. Downloadable products that are installed in a server instance of the applicable Atlassian product hosted and managed by the client. These are our Server/Data Center Apps.

Cloud Apps

Cloud may be a true pain for your security department. We have kept that in mind from day one of development, and we are doing the best we can to provide you with well-secured services.

Data Storage and Facilities

Colined uses DigitalOcean to host its cloud-hosted App components, saved data and log information. Vendor representatives are responsible for provisioning, monitoring and maintaining the DigitalOcean infrastructure required to support the Cloud Apps.

Data is hosted in California, United States.

DigitalOcean's security policy is described in its own corresponding document.

Types of Data

Account Data: data that is required for license validation of the customer instance, provided and generated by Atlassian. Each web request, to and from Jira Cloud, is authenticated and authorized before access is allowed, and all communication is secured through SSL (HTTPS). For troubleshooting purposes this data is stored for a period of up to 30 days.

Session Data: source data for report generation (issue id, board id, etc.), provided and generated by Atlassian from each customer's use. This data is stored for product analytics and performance monitoring for a period of up to 30 days.

Private Data: usernames and emails, summary and description of issues, names of boards, filters, etc. This data is passed directly from Atlassian servers to the user's browser; it is not passed to the App and is therefore neither collected nor stored.

App Settings: permissions and other global application defaults are stored on the App side.

Saved reports: settings for saved reports such as name, source and other configuration parameters. This data is saved on the App side until deleted by the user.

Backups

Data is fully backed up 4 times a day.

People and Access

Only Cloud App Developers or Support Engineers have access to the DigitalOcean platform hosting our Cloud Apps, and they access application data only for system or application support purposes.

HTTPS and SSH are the only protocols available to our cloud platform. SSH access is limited to Cloud App Support Engineers. SSH access is restricted to known trusted internal networks with key-based authentication.

Our platform is microservice-based and layered into public and internal/private tiers. Each of these services is responsible for its own data and provides its own access controls. We also ship and monitor logs from these microservices and alert if abnormal behaviour is detected.

Customers are responsible for maintaining the security of their own login information.

GDPR Compliance

All Colined Apps follow Atlassian's guidelines on GDPR compliance. More info can be found here:

Any customer can request deletion of the saved data related to their instance via a Service Desk request.

Atlassian requirements for Cloud apps

Trust, security, reliability and privacy are cornerstones of the relationship between Atlassian customers and third-party Marketplace Partners. Marketplace trust programs and signals exist to help customers easily identify apps that have gone above and beyond Atlassian's general standards to deliver an exceptionally secure and reliable cloud experience.

Colined participates in all security initiatives and programs required by Atlassian.

Cloud Fortified
Cloud Fortified apps offer additional security, reliability and support through:

  • Cloud security participation
  • Reliability checks
  • 24hr support response time
  • and more

Security Self-Assessment Program
The program aims to encourage security mindfulness in three main areas:

  1. Data security: the cloud partner has a clear data security policy. Data vulnerabilities are considered and handled.
  2. Sensitive data handling: the cloud partner is mindful of the different types of data it handles and places extra security on sensitive data.
  3. Backups and disaster recovery: the cloud partner backs up its data regularly and has a clear plan for data recovery in case of disaster.

The security self-assessment contains 13 security questions with defined passing criteria. Your self-assessment answers are reviewed by Atlassian staff against those criteria and are kept private to Atlassian. No additional audit or testing is performed. While meeting these criteria gives customers some peace of mind about your security protocols, customers are advised to take any additional steps needed to meet their own company security requirements, so you may be contacted by customers directly for more information regarding security.

Bug Bounty Program
The Atlassian Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers. Marketplace Partners who join this program allow security researchers to test their applications for security vulnerabilities; researchers are then rewarded based on the severity of the vulnerability discovered. The result is a cost-efficient way for Marketplace Partners to discover and fix vulnerabilities in their apps on an ongoing basis, which results in more secure apps for customers.

CAIQ-lite Security Self-Assessment Program
The Marketplace Partner Security Self-Assessment program involves the following:

  • A vendor self-assessment of its cloud applications in the Marketplace and of the organization's overall approach to security against the CAIQ Lite, an industry-recognised cloud security benchmark. Marketplace vendors complete this process using the Whistic platform.

  • A review by Atlassian of vendor responses to identify gaps in the vendor’s security posture.

  • Communication between Atlassian and the vendor regarding security posture, and identifying critical control gaps and other areas for remediation.

The questionnaire consists of 73 questions that the vendor is required to respond to, giving Atlassian an understanding of whether various security controls are in place. The vendor indicates whether each control is in place with Yes, No or N/A, plus a brief explanation.

Server/Data Center Apps

Overview

With Server Apps, all data and code is fully controlled by the customer. The only optional type of data that Colined can receive from you is Metrics: application usage metrics, stored for analysis and reporting so that we can monitor application performance. These include anonymized organization data but no individual data. Users can turn off data collection in the App settings, in which case no information is passed out of the Jira instance.

While our Data Center apps operate within your controlled environment, we are dedicated to maintaining the highest security standards in our development practices. We work diligently to ensure that our software is secure, reliable, and compatible with your security requirements. Together, we can achieve a secure and efficient operational environment.

1. Secure Development Practices

  • Code Quality: We adhere to best practices in software development, including code reviews, static code analysis, and automated testing to ensure the highest quality and security of our codebase.
  • Secure Coding Standards: Our developers are trained in secure coding practices to prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  • Dependency Management: We regularly update and patch third-party libraries and dependencies to mitigate risks from known vulnerabilities.

2. Customer Environment Security

  • No Customer Data Storage: Our Data Center apps do not store, transmit, or process customer data outside the customer’s environment. All data interactions occur within the customer’s infrastructure, ensuring that sensitive information remains under their control.
  • Environment Compatibility: We ensure our apps are fully compatible with the security features and configurations of the Atlassian Data Center products, leveraging their robust security mechanisms.

3. Regular Updates and Patching

  • Timely Releases: We provide regular updates to our apps to address any security vulnerabilities, enhance features, and ensure compatibility with the latest versions of Atlassian Data Center products.
  • Security Patches: In case of any identified security issues, we prioritize releasing patches promptly to mitigate potential risks.

4. Incident Response and Support

  • Responsive Support: Our support team is available to assist with any security-related issues or inquiries. We aim to respond swiftly and effectively to address any concerns our customers might have.
  • Incident Management: In the unlikely event of a security incident, we have a structured incident response plan in place to quickly identify, contain, and remediate the issue, minimizing any impact on our customers.

5. Customer Responsibility

  • Environment Security: Since our apps operate within the customer’s Data Center environment, customers are responsible for securing their own infrastructure, including network security, access controls, and data protection measures.
  • Compliance and Configuration: Customers should ensure that their environment complies with relevant security standards and regulations and is configured according to best practices to maximize the security of our apps.

Periodic Review

This Document is valid from the day it was published until further notice. It should be reviewed at a minimum once per fiscal year; however, if no review takes place during any specified period, the current document remains in effect.

Colined as Document Owner is responsible for facilitating regular reviews of this document. Contents of this document may be amended as required, provided mutual agreement is obtained from the primary stakeholders and communicated to all affected parties. The Document Owner will incorporate all subsequent revisions and obtain mutual agreements / approvals as required.

Business Relationship Contact: support@colined.com

Maximum Review Period: Yearly (12 months)
