SIG Lite 2023 Questionnaire
The Standardized Information Gathering (SIG) Lite questionnaire includes ~126 questions. Its purpose is to provide a broad, high-level overview of a third party's internal information security controls.
- Section A: Enterprise Risk Management
- Section B: Nth Party Management
- Section C: Information Assurance
- Section D: Asset & Information Management
- Section E: Human Resource Security
- Section F: Physical & Environmental Security
- Section G: IT Operations Management
- Section H: Access Control
- Section I: Application Security
- Section J: Cybersecurity Incident Management
- Section K: Operational Resilience
- Section L: Compliance Management
- Section M: Endpoint Device Security
- Section N: Network Security
- Section O: Environmental, Social, and Governance (ESG)
- Section P: Privacy
- Section T: Threat Management
- Section U: Server Security
- Section V: Cloud Hosting Services
Section | Question | Question Summary | Answer (Yes, No, N/A) | Answer Notes |
---|---|---|---|---|
Section A: Enterprise Risk Management | A.1 Is there a formalized risk governance plan approved by management that defines the Enterprise Risk Management program requirements? | A risk governance (or management) plan is a document that is used to identify, review, manage and respond to risks. It is reviewed and maintained by an organization’s Executive Board (if applicable) and Senior Management to govern the relevant factors of risks to the organization. | Yes | We maintain a Risk Management Policy and an up-to-date Risk Registry, both owned and governed by our Compliance Manager, who is a member of the Executive Team. Our Risk Management program is focused on building trust and providing our customers with confidence that risks are being appropriately identified, assessed, and managed. We classify and address various categories of risk, including Technical, Managerial, Organizational, Commercial, and Third-Party risks. |
Section B: Nth Party Management | B.1 Do fourth parties (e.g., backup, subcontractors, equipment support/maintenance, software support/maintenance, data recovery, hosting providers, etc.) have access to scoped systems and data or processing facilities? | The organization has a documented Fourth-Nth party (e.g.., Vendor, Subcontractor, Sub-Processor) information security assessment process that allows for the identification and treatment of identified risks. Scoped systems and data can be classified as computer hardware, software and/or non-public personal information that is stored, transmitted, or processed in scope of this engagement. | No | According to our Data Processing Agreement (DPA), the list below represents the exclusive set of Nth parties with access to scoped systems and data for processing purposes. Processing details are outlined in Exhibits A & B of our DPA. |
Section C: Information Assurance | C.1 Is there an information security program that has been documented, approved by management, published, and communicated to constituents? | Organizations should define an “Information Security Policy” which is approved by management and which sets out the organization’s approach to managing its information security objectives. At a lower level, the information security policy should be supported by topic-specific policies, which support the implementation of information security controls | Yes | Our "Information Security Policies” are available upon the request. More information could be found at trust.releasemanagement.app
|
C.2 Have any of the Information Security and IT processes been outsourced? |
| No | No, we believe this is too important to be outsourced. To ensure proper ownership, responsibility, and accountability, it must remain in-house. | |
Section D - Asset & Information Management | D.1 Is there an asset management program approved by management, communicated to constituents and an owner to maintain, review, and manage asset controls? | An organization should ensure that assets are identified, classified, and that an inventory of all assets are documented and maintained. | Yes | We maintain a documented list of assets with assigned owners. This list is reviewed regularly with the respective owners to ensure accountability. Additionally, we have an "IT Assets" Policy, which is part of our broader Information Security Policies. This policy is regularly reviewed and updated as needed, and is available upon request. |
D.2 Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review the policy? | An acceptable use policy forms part of an information security framework that defines what users are and are not allowed to do with data and IT systems under scope of service delivery | Yes | We have an "Acceptable Use Policy" as part of our broader Information Security Policies. It is available upon request. More information could be found at trust.releasemanagement.app | |
D.3 Is there a policy or procedure for information handling consistent with its classification that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review e.g., authorized parties, encryption, public cloud storage, removable media, classification labeling, etc.? | An organization should implement and maintain a risk classification process that evaluates the level of inherent risk to which an information resource is exposed. The risk classification drives the required set of controls that must be implemented. Application risk classifications must be performed annually, for all applications (including third party developed applications), and if any application changes are made, the application must be reassessed. | Yes | Part of our Risk Management Program. | |
D.4 Is there a records retention policy and retention schedule covering paper and electronic records, including email in support of applicable regulations, standards, and contractual requirements? |
| Yes | Please refer to the "Data Retention" section within our Data Management Policy. The policy is available upon request. More information could be found at trust.releasemanagement.app
| |
D.5 Is scoped data sent or received electronically? | Scoped data can be classified as a client’s non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | Yes | Please refer to our DPA with regards classification of information and secure transfer details. Data Processing Addendum (DPA) Also part of "Information Security Policies”. Available upon the request. More information could be found at trust.releasemanagement.app | |
D.6 Is regulated or confidential scoped data stored electronically with data protection safeguards e.g., full-disk encryption, databases, files, encryption keys, etc.? |
| Yes | We encrypt all data at rest (on disk/storage). TLS/SSL is used for secure communication between the three data cluster nodes to ensure encrypted data replication. Backup files stored in AWS S3 (Germany) are also encrypted. | |
Section E - Human Resource Security | E.1 Are Human Resource policies and/or procedures approved by management, communicated to constituents and an owner to maintain, and review? | An organization should establish a human resource security policy that includes but is not limited to the inclusion of background investigation policies and procedures that define background investigation verification requirements that should be carried out in accordance with industry best practices, relevant laws and international restrictions. | Yes | We have a "Human Resource Security Policy," which includes our "Employee Provisioning and De-provisioning Procedure." This procedure is continuously reviewed, updated upon execution, and communicated to relevant personnel. The policy can be provided upon request. We also conduct appropriate background checks in accordance with applicable laws as part of the employee provisioning process. This is included in our provisioning checklist. |
Section F - Physical & Environmental Security | F.1 Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review? | An organization should implement critical supporting utilities, such as climate control, fire suppressants and backup power supplies needed to support the business. A physical security program should include documentation on security controls designed and applied to protect any secure areas, including secure working areas, the perimeter of an organizations' premises, and should include identification of any appropriate environmental protection controls | Yes | For cloud security, we rely on AWS, which is listed among our approved sub-processors: For office and workspace security, we follow our "Information Security" and "Physical & Environmental Security" policies. These are available upon request. |
F.2 Are visitors permitted in the facility? |
| No | For cloud security, we rely on AWS, which is listed among our approved sub-processors: For office and workspace security, we follow our "Information Security" and "Physical & Environmental Security" policies. These are available upon request. | |
Section G - IT Operations Management | G.1 Does the organization's executive leadership ensure Information Technology Operation's policies, and procedures are established and aligned with organizational strategy, and communicated to the entire organization? | An organization should maintain policies and procedures regarding IT - Operations and governance to ensure the organization remains operational effective. | Yes | This is part of our "Information Security" and "Operations Security" policies. Both are available upon request. More information could be found at trust.releasemanagement.app |
G.2 Is there an operational Change Management/Change Control policy or program that has been documented, approved by management, communicated to appropriate constituents, and assigned an owner to maintain and review the policy? | An organization should ensure that operational procedures include a formal change control program. Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled. Managing operational changes can include changes to business processes, IT infrastructure and operations. Successful change management processes will set out rules for planning and testing of changes, assessments of the impact changes have to operations, a change review team, or function for approving and vetting changes, and provision of emergency change plans, and change fall-back processes following an unsuccessful change | Yes | All changes to Production Systems are performed in accordance with our Change/Release Management Process and are available upon request. Similarly, all updates to our “Information Security,” “Data Privacy,” and other policies are governed by our Change Management/Change Control procedures. These documents are also available upon request. | |
G.3 Are Information security requirements specified and implemented when new systems are introduced, upgraded, or enhanced? | Documented procedures should be developed for information security requirements of new systems. This should include requirements for:
| Yes | The “General Requirements for Information Systems Security” document is available upon request. | |
Section H - Access Control | H.1 Is there an access control program that has been approved by management, communicated to constituents and an owner to maintain and review the program? | An organization should develop and maintain an access control policy that governs the restrictions required to support business and information security requirements based on industry best practices and organizational standards. | Yes | The "Access Control" Policy is part of our broader Information Security Policies and is available upon request. More information could be found at trust.releasemanagement.app |
H.2 Are constituents able to access scoped data? | Scoped data can be classified as a client’s non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | No | Access to production environments is restricted to a limited number of authorized personnel. Access requires both two-factor authentication (2FA) and a VPN connection to securely reach segregated production networks. | |
H.3 Is there a password policy for systems that transmit, process, or store scoped systems and data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? | An organization should establish a Corporate password control policy that ensures alignment with industry best practices and is followed by all constituents and third parties who have access to scoped systems and data. Scoped systems and data can be classified as computer hardware, software and/or non-public personal information that is stored, transmitted, or processed in scope for the engagement | Yes | The "Password Control" Policy is part of our broader Information Security Policies and is available upon request. More information could be found at trust.releasemanagement.app | |
H.3.1 Does the password policy require keeping passwords confidential? | An organization should establish a Corporate password control policy that ensures alignment with industry best practices and is followed by all constituents and third parties who have access to scoped systems and data. | Yes | The "Password Control" Policy is part of our broader Information Security Policies and is available upon request. More information could be found at trust.releasemanagement.app | |
Section I - Application Security | I.1 Are applications used to transmit, process or store scoped data? | An organization should manage the application development activities, methodologies, and application security risk as part of an overall risk governance framework. Scoped data can be classified as a client’s non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | Yes | Please refer to “Section 2: Data Protection” of our DPA. |
I.1.1 Are development, test, and staging environment separate from the production environment? | An organization should ensure secure code reviews are performed prior to promotion to Quality Analysis User Acceptance Testing (QA_UAT) to identify defects in secure coding. | Yes | Production and Development/Staging environments are fully segregated. We do not copy or use production data in lower environments, nor do we allow copies to be stored on end-user devices. Additionally, we follow a clear separation of duties: development, review, and testing are performed by different individuals. Most changes undergo review by two to three team members before being deployed to production. | |
I.2 Is application development performed?
|
| Yes | We follow the Continuous Delivery paradigm, with all necessary security measures and processes integrated into our Secure Application Development Lifecycle (SDLC) and Release/Change Management procedures. | |
I.2.1 Is there a secure software development lifecycle policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? | Organizations should set rules for the development of software and systems, and development policies should be designed, to include:
| Yes | All necessary security measures and processes integrated into our Secure Application Development Lifecycle (SDLC) and Release/Change Management procedures. | |
I.3 Is a web site or web application supported, hosted or maintained that processes scoped systems and data? |
| Yes | Our Support Email is support@releasemanagement.app. Our Service Desk Portal is https://releasemanagement.atlassian.net/servicedesk/customer/portal/11. Our SLA is 24 hours. | |
I.3.1 Are security configuration standards documented for web server software? | Security configuration standards should consider the removal of default passwords and settings, and to identify the minimum services needed based on the operational requirements of the web server(s) Best practice standards such as the NIST SP 800-128 Guide for Configuration Management of Information Systems should be considered when managing configuration of systems and software | Yes | Please check “EXHIBIT B: Technical and Organizational Security Measures“ of our DPA. Data Processing Addendum (DPA) Also “General Requirements for Information Systems Security“ available upon the request. | |
I.3.2 Is an Application Programming Interface (API) available to clients? | API: A set of routines, protocols, and tools for building software applications. An API specifies how software components should interact and APIs are used when programming graphical user interface (GUI) components. | Yes | We treat APIs provided to clients with the same level of security as our web applications. The same security requirements and measures are applied to both. | |
I.3.2.1 Is there a formal security program established to include API security reviews? |
| Yes | We treat APIs provided to clients with the same level of security as our web applications. The same security requirements and measures are applied to both. | |
Section J: Cybersecurity Incident Management | J.1 Is there an established Cybersecurity Incident Management Program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? | An organization should have an established, formalized incident management program that includes processes for reporting a disruptive event, responsibilities of the incident response team, escalation procedures, remediation processes and periodic testing procedures. An established Cybersecurity Incident Management Program should detail the approach taken to incident response planning and preparation, including monitoring, detecting, analysing and reporting of information security events and incidents | Yes | Please check our Security Vulnerabilities Process. Security Vulnerabilities Process Also Incidents Management Policy is available up on the request. |
J.2 Is there a formal Incident Response Plan that includes an escalation procedure? | An organization should establish a formal privacy incident communication, notification and incident handling procedure, integrated with the organizations' security incident response and escalation procedures, to be executed in the event of unauthorized access, use, disclosure or breach of scoped data. | Yes | Yes, see previous answer | |
J.3 Are events on scoped systems or systems containing scoped data relevant to supporting incident investigation regularly reviewed using a specific methodology to uncover potential incidents? |
| Yes | Yes, part of Application Development Lifecycle, Incidents review, Logs and anomalies checks. | |
J.3.1 Does regular security monitoring include malware activity alerts such as uncleaned infections and suspicious activity | An organization should establish detection methods and techniques to alert the organization whenever incidents occur. | Yes | We have several services in place that monitor for anomalies and report any unexpected deviations. The process is semi-automated. | |
Section K: Operational Resilience | K.1 Is there an established Business Resilience Program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program? |
| Yes | Yes, our “Business Continuity and Recovery Plans“ are available upon the request.
|
K.2 Is there a formal, documented information technology disaster recovery exercise and testing program in place? | An organization should conduct exercises and tests that validate the effectiveness of business continuity and disaster recovery procedures and capabilities, the readiness of its personnel to perform required actions and the viability of related communication mechanisms and procedures. | Yes | Part of “Business Continuity and Recovery Plans“, available upon the request. | |
K.3 Are there any dependencies on critical third party service providers? |
| Yes | The below list of Sub-processors are critical to an extent for Business Continuity. | |
K.4 Is there a pandemic/infectious disease outbreak plan? | An organization should create and maintain infectious disease outbreak plans which consider outbreaks impacting internal parties, third parties and customers. | Yes | ”Infectious disease outbreak plan” is part of “Business Continuity and Recovery Plans“, available upon the request. | |
K.5 Is scoped data backed up and stored offsite? | An organization should create business recovery plans that will effectively guide the recovery of the critical business activities identified from the BIA. | Yes | Backups are in AWS (Germany). Our “Business Continuity and Recovery Plans“ are available upon the request. | |
K.6 Is there a formal process focused on identifying and addressing risks of disruptive events to business operations e.g. operational risk assessment? | An organization should create and maintain an in-depth business risk assessment that identifies and analyses the likelihood and impact of disruptive incidents to the organization and its clients/customers. | Yes | The Risk Matrix, a documented list of Remediated Actions, and Planned Future Actions are integral parts of our Risk Management Program. This program is owned and governed by our Compliance Manager (a member of the Executive Team) in collaboration with the entire team. | |
K.7 Are formal business continuity procedures developed and documented? | An organization should create and maintain an in-depth business risk assessment that identifies and analyses the likelihood and impact of disruptive incidents to the organization and its clients/customers. | Yes | Our “Business Continuity and Recovery Plans“ are available upon the request. | |
K.9 Is there a data retention policy or process with a retention schedule for scoped data? | Scoped data can be classified as a client’s non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | Yes | Please check “Section 2.13” of our DPA | |
Section L: Compliance Management | L.1 Are there policies and procedures to ensure compliance with applicable legislative, regulatory, and contractual requirements? | An organization's approach to regulatory compliance and operational risk should include a formal program, compliance monitoring, and a governing body that ensures compliance with the organization's applicable legal, regulatory and standards requirements. | Yes | Our Data Processing Agreement (DPA) is compliant with GDPR, CCPA, and other applicable data privacy and protection laws: We are currently SOC 2 Type I certified, with SOC 2 Type II certification expected by September 16, 2025. |
L.2 Is a web site(s) maintained or hosted for the purpose of advertising, offering, managing, or servicing accounts, products, or services to clients' customers? | An organization's approach to regulatory compliance and operational risk should include a formal program, compliance monitoring, and a governing body that ensures compliance with the organization's applicable legal, regulatory and standards requirements. | Yes | The purpose is defined in our DPA. | |
L.3 Is there a compliance program or set of policies and procedures to address bribery, corruption, prohibition of providing monetary offers, incentives, or improper actions that create unfair advantage in business practices? | An organization's risk management program should include a formal compliance and ethics program that ensures an organization's professional ethics and business practices are based on company values and standards of conduct and in accordance to its compliance obligations. | Yes | We are part of Atlassian ecosystem and as supplier to Atlassian Marketplace we follow “Supplier Code of Conduct“. Please check “Business relationships and integrity” requirements we follow from “Supplier Code of Conduct“ below. | |
L.4 Is there a compliance program or set of policies and procedures that address Anti-Trust and Anti-Competitive Business Practices? |
| Yes | We are part of Atlassian ecosystem and as supplier to Atlassian Marketplace we follow “Supplier Code of Conduct“. Please check “Competition” requirements we follow from “Supplier Code of Conduct“ below. | |
L.5 Is there a documented internal compliance and ethics program? | An organization's risk management program should include a formal compliance and ethics program that ensures an organization's professional ethics and business practices are based on company values and standards of conduct and in accordance to its compliance obligations. | Yes | We have both a “Human Resource Security Policy” and a “Code of Conduct” in place. | |
L.6 Are documented policies and procedures maintained to enforce applicable legal, regulatory, or contractual cybersecurity compliance obligations? | An organization's approach to regulatory compliance and operational risk should include a formal program, compliance monitoring, and a governing body that ensures compliance with the organization's applicable legal, regulatory and standards requirements. | Yes | We have a general Cyber Security Policy that is approved by management and communicated to, as well as enforced across, the entire team. We recognize cyber risk as a key component of our Risk Management Program. To mitigate this risk, we have obtained Professional Liability (Errors and Omissions) and Cyber Security Insurance. Additionally, our governance program was reviewed by the insurer during the assessment process. | |
L.7 Is there a compliance program or set of policies and procedures that address internal and external Fraud Detection and Fraud Prevention? |
| Yes | We have both a “Human Resource Security Policy” and a “Code of Conduct” in place. | |
Section M: Endpoint Device Security | M.1 Are End User Devices (desktops, laptops, tablets, smartphones) used for transmitting, processing, or storing Scoped data? | Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. The organization should implement and maintain end user or endpoint security configuration standards. | No | Access to production is restricted to a limited number of personnel and requires two-factor authentication (2FA) along with VPN access to segregated production networks. Production data is not copied to lower environments or end-user devices. |
M.2 Does the organization maintain policies and procedures for the access to and the usage of collaborative computing devices or applications e.g., networked white boards, cameras, and microphones? | An organization should implement a formalized process requiring end users to be made aware of and accept remote desktop support sessions prior to another user taking control. | Yes | The “Remote Access” Policy is part of our Information Security Policies and is available upon request. | |
Section N: Network Security | N.1 Is there an established Network Security Program policy that defines enterprise network security requirements that is approved by management, communicated to constituents, and has an owner to maintain and review? |
| Yes | This is part of our “Network Security Policy,” which falls under our broader Information Security Policies. It is available upon request. |
N.2 Is every connection to an external network terminated at a firewall e.g., the Internet, partner networks? |
| No | Release Management Apps establish communication with Jira and various third-party systems to ensure core functionality. As a result, outbound connections from production systems are required. | |
N.3 Are all network devices patched with all, available high-risk security patches applied and verified? |
| Yes | “Patch Management Policy“ is available upon request | |
N.4 Is there a policy that defines the requirements for remote access from external networks to networks containing Scoped systems and data that has been approved by management and communicated to constituents? |
| Yes | The “Remote Access” Policy is part of our broader Information Security Policies and is available upon request. Access to production systems is restricted to a limited number of authorized personnel. Access requires both two-factor authentication (2FA) and a VPN connection to reach segregated production networks. | |
N.6 Are Network Intrusion Detection / Prevention Systems (NIDS/NIPS) used to detect and/or prevent intrusions into the network? |
| No | Appropriate Cloudflare configuration is a work in progress. | |
N.7 Is there an DMZ environment within the network that transmits, processes, or stores Scoped systems and data e.g., web servers, DNS, directory services, remote access, etc.? |
| Yes | This is part of our “Information Security” Policy, which is available upon request. | |
N.8 Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain, and review the policy? |
| N/A | We do not operate or maintain any wireless networks. Access to company resources is provided exclusively via the Internet, using Transport Layer Security (TLS), Virtual Private Network (VPN), Two-Factor Authentication (2FA), and additional security measures as outlined in our other security policies. | |
N.9 Are there security and hardening standards (e.g., baseline configuration, patching, passwords, Access control) for network devices, including Firewalls, Switches, Routers and Wireless Access Points? |
| Yes | This is covered under our “Information Security,” “Network Security,” and “Patch Management” policies, which are available upon request. | |
N.10 Are default passwords changed or disabled prior to placing network devices into production? |
| Yes | This is part of our “Information Security” and “Access Control“ Policies, which is available upon request. | |
Section O: Environmental, Social, and Governance (ESG) | O.1 Does the organization have and adhere to an environmental policy which sets out clear commitments and targets to improve the organization's environmental footprint? | An organization should establish a formalized approach for Environmental, Social, and Governance (ESG) by implementing programs or processes to meet these commitments. | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow “Supplier Sustainability at Atlassian” and the “Supplier Code of Conduct”. https://www.atlassian.com/company/contact/suppliers/work-with-us/supplier-sustainability |
| | O.2 Does the organization have material discharges to air as a direct result of its operations? | | N/A | Our products and business activities do not involve any material discharges to air. |
| | O.3 Does the organization have processes in place to ensure that there are no material discharges to land or water as a direct result of business operations? | | N/A | Our products and business activities have no relation to material discharges to land or water. |
| | O.4 Has the organization implemented procedures to ensure the safe use, handling, storage and disposal of hazardous/toxic chemicals and substances? | | N/A | Our products and business activities do not involve the use, handling, storage, or disposal of hazardous or toxic chemicals and substances. |
| | O.5 Does the organization maintain processes to ensure that there are no adverse impacts on biodiversity, including deforestation, ecosystem integrity, natural resource conservation and land degradation? | | N/A | Our products and business activities have no connection to potential impacts on biodiversity, including deforestation, ecosystem integrity, natural resource conservation, or land degradation. |
| | O.6 Is the organization fully compliant with relevant environmental permits/licenses/consents? | | N/A | Our products and business activities have no involvement with the matter described. |
| | O.7 Does the organization have documented policies and procedures in place that address prevention of modern slavery? | Modern Slavery Policies are used to identify and address steps organizations take to prevent modern slavery within the business and across their supply chain. Modern slavery can include human trafficking, forced labor, debt bondage/bonded labor, descent-based slavery, slavery of children, forced and early marriage. Organizations should be aware of where regulation requires the creation of modern slavery policies or statements (e.g. the UK Modern Slavery Act 2015: https://www.legislation.gov.uk/ukpga/2015/30/contents/enacted). | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow “Supplier Sustainability at Atlassian” and the “Supplier Code of Conduct”. https://www.atlassian.com/company/contact/suppliers/work-with-us/supplier-sustainability |
| | O.8 Does the organization ensure that sub-contractors are treated fairly, ethically and in accordance with local standards and regulations? | | Yes | |
| | O.9 Does the organization have a documented policy on Health and Safety? | | Yes | Please check the Section “Safety and security” of the “Atlassian Supplier Code of Conduct” below. |
| | O.10 Has the organization established formal community relations programs to promote its involvement in the community? | | Yes | Please check the Section “Freedom of association” of the “Atlassian Supplier Code of Conduct” below. |
| | O.11 Does the organization have policies in place to ensure that their products and/or services do not generate health and safety concerns? | | N/A | Our products and business operations do not involve any potential health and safety concerns. |
| | O.12 Does the organization have a formalized Environmental, Social, and Governance (ESG) program or set of policies and procedures approved by management and the Board of Directors? | | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow “Supplier Sustainability at Atlassian” and the “Supplier Code of Conduct”. https://www.atlassian.com/company/contact/suppliers/work-with-us/supplier-sustainability |
| | O.13 Does the organization have a formal diversity, equity, and inclusion (DEI) statement or policy? | | Yes | Please check the Section “Diversity, equity, and inclusion (DEI)” of the “Atlassian Supplier Code of Conduct” below. |
| | O.14 Does the organization have a documented policy for Ethical Sourcing? | | Yes | Please check the Section “Diversity, equity, and inclusion (DEI)” of the “Atlassian Supplier Code of Conduct” below. |
Section P: Privacy | P.1 Is there collection, access, processing, disclosure, or retention of any classification of personal information or personal data of individuals on behalf of the client? | | Yes | Please check our Data Processing Addendum (DPA) and our Privacy Policy: https://releasemanagement.atlassian.net/wiki/spaces/TRUSTRM/pages/2615574565 |
| | P.1.1 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as client-scoped employee data? | An organization should define and maintain processes that identify privacy data classification, inventory and map data, and document the internal and external data processing environment used for scoped data within the provided systems/products/services. | Yes | Please refer to EXHIBIT A of our DPA. |
| | P.1.2 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as nonpublic personal information or personally identifiable financial information under the Gramm-Leach-Bliley Act (GLBA) and related Privacy and Security Safeguards Rules? | An organization should define and maintain processes that identify privacy data classification, inventory and map data, and document the internal and external data processing environment used for scoped data within the provided systems/products/services. | No | |
| | P.1.3 Is client scoped data collected, accessed, processed, disclosed, or retained that can be classified as consumer report information or derived from a consumer report under the Fair and Accurate Credit Transactions Act (FACTA)? | | No | |
| | P.1.4 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as Protected Health Information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act (HIPAA)? | | No | |
| | P.1.5 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under U.S. State Privacy Regulations, e.g., CO, CA, CT, MA, NY, NV, VA, UT, WA, etc.? | | Yes | In our DPA we refer to “U.S. Data Protection Law” as all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act. |
| | P.1.6 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as European Union Personal Data or Sensitive Personal Data, e.g., racial or ethnic origin, genetic data, biometric data, health data, sexual orientation, criminal history? | | Yes | European Union Personal Data only, NOT Sensitive Personal Data. In our DPA, “Europe” means, for the purposes of this DPA, the Member States of the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland. |
| | P.1.7 Is client scoped data collected, transmitted, processed, disclosed, or retained that can be classified as Personal Information as defined by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) or Canadian Provincial Privacy Regulations? | An organization should define and maintain processes that identify privacy data classification, inventory and map data, and document the internal and external data processing environment used for scoped data within the provided systems/products/services. | Yes | |
| | P.1.8 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any other international privacy jurisdictions? If Yes, list the applicable international location in the Additional Information field. | | Yes | In our DPA, “Applicable Data Protection Law” means all data protection laws and regulations applicable to the processing of personal data under this DPA, including, but not limited to, the Australian Data Protection Law, Brazilian Data Protection Law, European Data Protection Law, Japanese Data Protection Law, and U.S. Data Protection Law. |
| | P.1.9 Is client scoped data of minors collected, transmitted, processed, disclosed, or stored as part of the services? If Yes, specify the age limitation in the Additional Information field. | | No | |
| | P.2 Has the organization developed and maintained a formal privacy program for the protection of personal information collected, accessed, transmitted, processed, disclosed, or retained on behalf of the client? | | Yes | Please check EXHIBIT B of our DPA. |
| | P.2.3 Is documentation of the data processing environment, including the role of the processor (e.g., data flows, data maps, data inventories, business model, etc.), maintained for the systems/products/services that process client scoped data based on data classification? | | Yes | Please refer to Section 2.2, Relationship of the parties, of the DPA. |
| | P.3 Is privacy awareness training conducted for new workers (e.g., officers, directors, employees, contractors) at the time of onboarding? | | Yes | This is part of the "Employee Provisioning and De-Provisioning" procedure. |
| | P.5 Are there documented policies and procedures that limit the collection and use of personal information by authorized users, e.g., minimum necessary, need to know, job role? | | Yes | Please check our “Privacy Policy”: https://releasemanagement.atlassian.net/wiki/spaces/TRUSTRM/pages/2615574565 |
| | P.5.1 Are there documented policies and procedures that define limits to the collection and use of personal information, e.g., minimum necessary, need to know, job role? | | Yes | Please check our “Privacy Policy”: https://releasemanagement.atlassian.net/wiki/spaces/TRUSTRM/pages/2615574565 |
| | P.5.2.1 Are procedures documented that outline the relevancy of the personal information collected, used, or processed to the defined purpose of authorized data processing in the contract and/or privacy notice? | | Yes | Please check "EXHIBIT A" of our DPA. |
| | P.5.4 Is personal information collected directly from an individual by the organization on behalf of the client? | | Yes | |
| | P.5.5 Is personal information provided to the organization directly by the client? | | Yes | Please check "EXHIBIT A" of our DPA. There are different use cases. |
P.6 Does the organization have or maintain internet-facing website(s), mobile applications, platform, or other digital services or applications that collect, use, disclose, process, or retain client-scoped data that are accessed directly by individuals? |