Trust Center

Self-Assessment Responses

| Section Heading | Control Heading | CAIQ ID | Question Text | Answer | Notes/Comment |
|---|---|---|---|---|---|
| Application & Interface Security | Application Security | AIS-01.2 | Do you use an automated source code analysis tool to detect security defects in code prior to production? | Yes | We automate the detection and update of vulnerable dependencies. |
| Application & Interface Security | Application Security | AIS-01.5 (SaaS only) | Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? | Yes | All security defects found during review or testing are remediated prior to deployment to production. |
| Application & Interface Security | Customer Access Requirements | AIS-02.1 | Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems? | Yes | We provide full details of this via our customer agreement and privacy policy on our website. |
| Application & Interface Security | Data Integrity | AIS-03.1 | Do your data management policies and procedures require audits to verify data input and output integrity routines? | Yes | Our software is built to check the validity of data input prior to ingestion and to sanitize API outputs. This is checked and audited via extensive end-to-end tests, human review, and penetration testing. We also rely fully on Jira's data integrity functionality, as we do not store customer data on our own infrastructure. |
| Audit Assurance & Compliance | Independent Audits | AAC-02.1 | Do you allow tenants to view your SOC 2/ISO 27001 or similar third-party audit or certification reports? | Yes | We do not have SOC 2 or ISO 27001 audits yet, but we intend to make as much detail about our audits public as is safe and reasonable. We also link the ISO 27001 report of our service provider in our Trust Center. |
| Audit Assurance & Compliance | Independent Audits | AAC-02.2 | Do you conduct network penetration tests of your cloud service infrastructure at least annually? | Yes | Find out more details about our Bug Bounty Program and other initiatives in the Trust Center. |
| Audit Assurance & Compliance | Independent Audits | AAC-02.3 | Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? | Yes | Find out more details about our Bug Bounty Program and other initiatives in the Trust Center. |
| Audit Assurance & Compliance | Information System Regulatory Mapping | AAC-03.1 | Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements? | Yes | We review the regulatory landscape on a quarterly basis and update our internal policies and documentation as a result. |
| Business Continuity Management & Operational Resilience | Business Continuity Testing | BCR-02.1 | Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness? | Yes | We review our business continuity plan annually (or upon significant organizational or environmental change) and update our internal policies and documentation as a result. |
| Business Continuity Management & Operational Resilience | Policy | BCR-10.1 | Are policies and procedures established and made available for all personnel to adequately support services operations' roles? | Yes | We continuously update our customer documentation, our internal documentation and our staff training material. We store and publish these via source control systems to ensure that changes are tracked. |
| Business Continuity Management & Operational Resilience | Retention Policy | BCR-11.1 | Do you have technical capabilities to enforce tenant data retention policies? | Yes | We retain installation data provided to us. However, as we do not host customer data, most of this obligation lies with Atlassian. |
| Business Continuity Management & Operational Resilience | Retention Policy | BCR-11.3 | Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements? | Yes | We regularly back up installation data in order to ensure continuous operation for our customers. |
| Business Continuity Management & Operational Resilience | Retention Policy | BCR-11.7 | Do you test your backup or redundancy mechanisms at least annually? | Yes | |
| Change Control & Configuration Management | Unauthorized Software Installations | CCC-04.1 | Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems? | Yes | We automate the provisioning of the infrastructure we use to deliver our services, and software is not installed manually on these instances. We use container technologies to ensure that the application stack is consistent. |
| Datacenter Security | Asset Management | DCS-01.2 | Do you maintain a complete inventory of all of your critical assets located at all sites or geographical locations and their assigned ownership? | Yes | We do not have a datacenter or any physical critical assets. Digital critical assets and their ownership are listed in our business continuity plan. |
| Datacenter Security | Controlled Access Points | DCS-02.1 | Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented for all areas housing sensitive data and information systems? | Not applicable | We are a remote-first company and do not house a data center or any other sensitive data or information systems. |
| Datacenter Security | User Access | DCS-09.1 | Do you restrict physical access to information assets and functions by users and support personnel? | Not applicable | |
| Encryption & Key Management | Encryption | EKM-03.1 | Do you encrypt tenant data at rest (on disk/storage) within your environment? | Not applicable | We do not host any tenant data. |
| Governance and Risk Management | Policy | GRM-06.1 | Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)? | Yes | You can find our public Information Security Policy in the Trust Center. |
| Governance and Risk Management | Policy Enforcement | GRM-07.1 | Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? | Yes | These actions are enforced by our employment contracts and defined in our policies. |
| Governance and Risk Management | Policy Reviews | GRM-09.1 | Do you notify your tenants when you make material changes to your information security and/or privacy policies? | Yes | |
| Governance and Risk Management | Policy Reviews | GRM-09.2 | Do you perform, at minimum, annual reviews of your privacy and security policies? | Yes | |
| Human Resources | Asset Returns | HRS-01.1 | Upon termination of contract or business relationship, are employees and business partners adequately informed of their obligations for returning organizationally-owned assets? | Yes | |
| Human Resources | Background Screening | HRS-02.1 | Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification? | Yes | |
| Human Resources | Employment Agreements | HRS-03.1 | Do your employment agreements incorporate provisions and/or terms in adherence to established information governance and security policies? | Yes | |
| Human Resources | Employment Termination | HRS-04.1 | Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination? | Yes | |
| Human Resources | Training / Awareness | HRS-09.5 | Are personnel trained and provided with awareness programs at least once a year? | Yes | |
| Identity & Access Management | Audit Tools Access | IAM-01.1 | Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)? | Yes | Only authorized engineers are granted access to our information security systems. |
| Identity & Access Management | User Access Policy | IAM-02.1 | Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes? | Yes | We have an offboarding plan for staff who leave, and only authorized engineers are able to access the production environment. |
| Identity & Access Management | Policies and Procedures | IAM-04.1 | Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? | Yes | |
| Identity & Access Management | Source Code Access Restriction | IAM-06.1 | Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only? | Yes | All of our source code is stored with cloud-based source control providers. Only approved staff members are granted access to private repositories. |
| Identity & Access Management | User Access Restriction / Authorization | IAM-08.1 | Do you document how you grant, approve and enforce access restrictions to tenant/customer credentials following the rules of least privilege? | Yes | We do not grant access to customer credentials in general. In support processes, customers can grant access to dedicated support staff. |
| Identity & Access Management | User Access Revocation | IAM-11.1 | Is timely deprovisioning, revocation, or modification of user access to the organization's systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties? | Yes | |
| Security Incident Management, E-Discovery, & Cloud Forensics | Incident Management | SEF-02.1 | Do you have a documented security incident response plan? | Yes | This is required for us to comply with Atlassian's security policies. |
| Security Incident Management, E-Discovery, & Cloud Forensics | Incident Reporting | SEF-03.1 | Are workforce personnel and external business relationships adequately informed of their responsibility, and, if required, consent and/or contractually required to report all information security events in a timely manner? | Yes | We have dedicated security contacts with Atlassian who are required to comply with this policy. |
| Security Incident Management, E-Discovery, & Cloud Forensics | Incident Reporting | SEF-03.2 | Do you have predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations? | Yes | |
| Supply Chain Management, Transparency, and Accountability | Incident Reporting | STA-02.1 | Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)? | Yes | Incident reports will be made available via email to dedicated customer technical contacts and through our website. |
| Supply Chain Management, Transparency, and Accountability | Third Party Agreements | STA-05.5 | Do you have the capability to recover data for a specific customer in the case of a failure or data loss? | Not applicable | Data is not hosted by us; any restore needs to happen on the customer instance by Atlassian. |
| Threat and Vulnerability Management | Antivirus / Malicious Software | TVM-01.1 | Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your IT infrastructure network and systems components? | Yes | |
| Threat and Vulnerability Management | Vulnerability / Patch Management | TVM-02.5 | Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems? | Yes | Our infrastructure is configured to run automatic security updates on all machines. Our deployed containers are monitored for vulnerabilities and patched according to our bug fix policy. |