SIG Lite 2023 Questionnaire
The Standardized Information Gathering (SIG) Lite questionnaire includes ~126 questions. Its purpose is to provide a broad, high-level overview of a third party's internal information security controls.
- Section A: Enterprise Risk Management
- Section B: Nth Party Management
- Section C: Information Assurance
- Section D: Asset & Information Management
- Section E: Human Resource Security
- Section F: Physical & Environmental Security
- Section G: IT Operations Management
- Section H: Access Control
- Section I: Application Security
- Section J: Cybersecurity Incident Management
- Section K: Operational Resilience
- Section L: Compliance Management
- Section M: Endpoint Device Security
- Section N: Network Security
- Section O: Environmental, Social, and Governance (ESG)
- Section P: Privacy
- Section T: Threat Management
- Section U: Server Security
- Section V: Cloud Hosting Services
Section | Question | Question Summary | Answer (Yes, No, N/A) | Answer Notes |
---|---|---|---|---|
Section A: Enterprise Risk Management | A.1 Is there a formalized risk governance plan approved by management that defines the Enterprise Risk Management program requirements? | A risk governance (or management) plan is a document used to identify, review, manage and respond to risks. It is reviewed and maintained by an organization's Executive Board (if applicable) and Senior Management to govern the relevant risk factors for the organization. | Yes | We are a small business (<50 people). At the same time, we have a Risk Management Program owned and governed by the co-founders in collaboration with the whole team. The focus of our Risk Management Program is ultimately to increase trust, and we want to provide our customers with confidence that risks are being managed appropriately. We classify and manage Technical, Management, Organizational, Commercial & External risks. |
Section B: Nth Party Management | B.1 Do fourth parties (e.g., backup, subcontractors, equipment support/maintenance, software support/maintenance, data recovery, hosting providers, etc.) have access to scoped systems and data or processing facilities? | The organization has a documented Fourth-Nth party (e.g., Vendor, Subcontractor, Sub-Processor) information security assessment process that allows for the identification and treatment of identified risks. Scoped systems and data can be classified as computer hardware, software and/or non-public personal information that is stored, transmitted, or processed in scope of this engagement. | No | According to our DPA, the list below is the exclusive list of Nth parties that have access to scoped systems and data for processing. Processing details are outlined in Exhibits A & B of our DPA. |
Section C: Information Assurance | C.1 Is there an information security program that has been documented, approved by management, published, and communicated to constituents? | Organizations should define an "Information Security Policy" which is approved by management and which sets out the organization's approach to managing its information security objectives. At a lower level, the information security policy should be supported by topic-specific policies, which support the implementation of information security controls. | Yes | Our "Information Security" Policies are available upon request. |
| | C.2 Have any of the Information Security and IT processes been outsourced? | | No | No, we believe this is too important to be outsourced. To ensure proper ownership, responsibility and accountability it needs to be in house. |
Section D: Asset & Information Management | D.1 Is there an asset management program approved by management, communicated to constituents and an owner to maintain, review, and manage asset controls? | An organization should ensure that assets are identified and classified, and that an inventory of all assets is documented and maintained. | Yes | We have a documented list of assets with owners assigned. The list is reviewed regularly with owners to ensure accountability. We also have an "IT Assets" Policy in scope of the "Information Security" Policies that is regularly reviewed and adjusted if required. Available upon request. |
| | D.2 Is there an acceptable use policy for information and associated assets that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review the policy? | An acceptable use policy forms part of an information security framework that defines what users are and are not allowed to do with data and IT systems under scope of service delivery. | Yes | We have an "Acceptable Use of Information Assets" Policy in scope of the "Information Security" Policies. Available upon request. |
| | D.3 Is there a policy or procedure for information handling consistent with its classification that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review, e.g., authorized parties, encryption, public cloud storage, removable media, classification labeling, etc.? | An organization should implement and maintain a risk classification process that evaluates the level of inherent risk to which an information resource is exposed. The risk classification drives the required set of controls that must be implemented. Application risk classifications must be performed annually, for all applications (including third party developed applications), and if any application changes are made, the application must be reassessed. | Yes | Part of our Risk Management Program. |
| | D.4 Is there a records retention policy and retention schedule covering paper and electronic records, including email, in support of applicable regulations, standards, and contractual requirements? | | Yes | Please review the "Records Retention" Policy in scope of the "Information Security" Policies. Available upon request. |
| | D.5 Is scoped data sent or received electronically? | Scoped data can be classified as a client's non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | Yes | Please refer to our DPA with regard to the classification of information and secure transfer details. The Data Processing Addendum (DPA) is also part of the "Information Security" Policies. Available upon request. |
| | D.6 Is regulated or confidential scoped data stored electronically with data protection safeguards, e.g., full-disk encryption, databases, files, encryption keys, etc.? UPDATED 02/23/2024 | | Yes | We encrypt data at rest (on disk/storage). We also use TLS/SSL connections between the three data cluster nodes for data replication. Backup files in AWS S3 (Germany) are also encrypted. |
Section E: Human Resource Security | E.1 Are Human Resource policies and/or procedures approved by management, communicated to constituents, and an owner assigned to maintain and review them? | An organization should establish a human resource security policy that includes, but is not limited to, background investigation policies and procedures that define background investigation verification requirements, which should be carried out in accordance with industry best practices, relevant laws and international restrictions. | Yes | We have an "Employees provisioning and de-provisioning procedure" that is constantly reviewed and updated upon execution, as well as communicated to relevant personnel. Could be provided upon request. We also do reasonable background checks according to applicable law while hiring people to our team, and this is part of the "Employees provisioning" checklist. |
Section F: Physical & Environmental Security | F.1 Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review it? | An organization should implement critical supporting utilities, such as climate control, fire suppressants and backup power supplies needed to support the business. A physical security program should include documentation on security controls designed and applied to protect any secure areas, including secure working areas and the perimeter of an organization's premises, and should include identification of any appropriate environmental protection controls. | Yes | When it comes to Datacenter Security we rely on Hetzner from our list. Hetzner's physical security measures are described in the following document: Hetzner Physical & Environmental Security. When it comes to the Office/Workspace we rely on the "Information Security" and "Physical & Environmental Security" Policies. Available upon request. |
| | F.2 Are visitors permitted in the facility? | | No | When it comes to Datacenter Security we rely on Hetzner from our list. For people outside of the employment of Hetzner Online GmbH (data center visitors), entrance to the building is only permitted in the company of a Hetzner Online employee. Ref: Physical access control (https://www.hetzner.com/AV/TOM_en.pdf). When it comes to the Office/Workspace we rely on the "Information Security" and "Physical & Environmental Security" Policies. Available upon request. |
Section G: IT Operations Management | G.1 Does the organization's executive leadership ensure Information Technology Operations policies and procedures are established, aligned with organizational strategy, and communicated to the entire organization? | An organization should maintain policies and procedures regarding IT Operations and governance to ensure the organization remains operationally effective. | Yes | Part of our "Information Security" Policy. Available upon request. |
| | G.2 Is there an operational Change Management/Change Control policy or program that has been documented, approved by management, communicated to appropriate constituents, and assigned an owner to maintain and review the policy? | An organization should ensure that operational procedures include a formal change control program. Changes to the organization, business processes, information processing facilities and systems that affect information security should be controlled. Managing operational changes can include changes to business processes, IT infrastructure and operations. Successful change management processes will set out rules for planning and testing of changes, assessments of the impact changes have on operations, a change review team or function for approving and vetting changes, provision of emergency change plans, and change fall-back processes following an unsuccessful change. | Yes | All changes to Production Systems are performed in accordance with the Change/Release Management Process. Available upon request. All changes to the "Information Security", "Data Privacy" and other Policies are governed by "Change Management/Change Control". Available upon request. |
| | G.3 Are information security requirements specified and implemented when new systems are introduced, upgraded, or enhanced? | Documented procedures should be developed for information security requirements of new systems. This should include requirements for: | Yes | "General Requirements for Information Systems Security" is available upon request. |
Section H: Access Control | H.1 Is there an access control program that has been approved by management, communicated to constituents, and an owner assigned to maintain and review the program? | An organization should develop and maintain an access control policy that governs the restrictions required to support business and information security requirements based on industry best practices and organizational standards. | Yes | "Access Control" Policy in scope of the "Information Security" Policies. Available upon request. |
| | H.2 Are constituents able to access scoped data? | Scoped data can be classified as a client's non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | No | Access to PRODUCTION is restricted to a limited number of personnel, with 2FA plus VPN used to access the segregated PRODUCTION networks. |
| | H.3 Is there a password policy for systems that transmit, process, or store scoped systems and data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? | An organization should establish a corporate password control policy that ensures alignment with industry best practices and is followed by all constituents and third parties who have access to scoped systems and data. Scoped systems and data can be classified as computer hardware, software and/or non-public personal information that is stored, transmitted, or processed in scope for the engagement. | Yes | "Password Control" Policy in scope of the "Information Security" Policies. Available upon request. |
| | H.3.1 Does the password policy require keeping passwords confidential? | An organization should establish a corporate password control policy that ensures alignment with industry best practices and is followed by all constituents and third parties who have access to scoped systems and data. | Yes | "Password Control" Policy in scope of the "Information Security" Policies. Available upon request. |
Section I: Application Security | I.1 Are applications used to transmit, process or store scoped data? | An organization should manage the application development activities, methodologies, and application security risk as part of an overall risk governance framework. Scoped data can be classified as a client's non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | Yes | Please refer to "Section 2: Data Protection" of our DPA. |
| | I.1.1 Are development, test, and staging environments separate from the production environment? | An organization should ensure secure code reviews are performed prior to promotion to Quality Assurance / User Acceptance Testing (QA/UAT) to identify defects in secure coding. | Yes | PRODUCTION and DEVELOPMENT/STAGING are fully segregated environments. We also do not copy/use PRODUCTION data in any of the lower environments, nor make copies to end user devices. We also follow the paradigm that development, review and test are all done by different people, so for most of the changes we make there are 2-3 pairs of eyes before they reach the production system. |
| | I.2 Is application development performed? | | Yes | We follow the Continuous Delivery paradigm, with all the required security measures and processes incorporated into the Application Development Lifecycle and Release/Change Management Process. |
| | I.2.1 Is there a secure software development lifecycle policy that has been approved by management, communicated to appropriate constituents, and an owner assigned to maintain and review the policy? | Organizations should set rules for the development of software and systems, and development policies should be designed to include: | Yes | All the required security measures and processes are incorporated into the Application Development Lifecycle and Release/Change Management Process. |
| | I.3 Is a web site or web application supported, hosted or maintained that processes scoped systems and data? | | Yes | Our Support Email is support@releasemanagement.app. Our Service Desk Portal is https://releasemanagement.atlassian.net/servicedesk/customer/portal/11. Our SLA is 24 hours. |
| | I.3.1 Are security configuration standards documented for web server software? | Security configuration standards should consider the removal of default passwords and settings, and identify the minimum services needed based on the operational requirements of the web server(s). Best practice standards such as NIST SP 800-128, Guide for Configuration Management of Information Systems, should be considered when managing configuration of systems and software. | Yes | Please check "EXHIBIT B: Technical and Organizational Security Measures" of our Data Processing Addendum (DPA). "General Requirements for Information Systems Security" is also available upon request. |
| | I.3.2 Is an Application Programming Interface (API) available to clients? | API: A set of routines, protocols, and tools for building software applications. An API specifies how software components should interact, and APIs are used when programming graphical user interface (GUI) components. | Yes | We treat the API provided to clients the same way as the Web Applications delivered, so the same security requirements and measures apply. |
| | I.3.2.1 Is there a formal security program established to include API security reviews? | | Yes | We treat the API provided to clients the same way as the Web Applications delivered, so the same security requirements and measures apply. |
Section J: Cybersecurity Incident Management | J.1 Is there an established Cybersecurity Incident Management Program that has been approved by management, communicated to appropriate constituents, and an owner assigned to maintain and review the program? | An organization should have an established, formalized incident management program that includes processes for reporting a disruptive event, responsibilities of the incident response team, escalation procedures, remediation processes and periodic testing procedures. An established Cybersecurity Incident Management Program should detail the approach taken to incident response planning and preparation, including monitoring, detecting, analysing and reporting of information security events and incidents. | Yes | Please check our Security Vulnerabilities Process. The Incidents Management Policy is also available upon request. |
| | J.2 Is there a formal Incident Response Plan that includes an escalation procedure? | An organization should establish a formal privacy incident communication, notification and incident handling procedure, integrated with the organization's security incident response and escalation procedures, to be executed in the event of unauthorized access, use, disclosure or breach of scoped data. | Yes | Yes, see previous answer. |
| | J.3 Are events on scoped systems or systems containing scoped data relevant to supporting incident investigation regularly reviewed using a specific methodology to uncover potential incidents? | | Yes | Yes, part of the Application Development Lifecycle, Incidents review, and Logs and anomalies checks. |
| | J.3.1 Does regular security monitoring include malware activity alerts such as uncleaned infections and suspicious activity? | An organization should establish detection methods and techniques to alert the organization whenever incidents occur. | No | We have a couple of services running that check for anomalies and report any unexpected deviations. But the process is not automated yet. |
Section K: Operational Resilience | K.1 Is there an established Business Resilience Program that has been approved by management, communicated to appropriate constituents, and an owner assigned to maintain and review the program? | | Yes | Yes, our "Business Continuity and Recovery Plans" are available upon request. We had to execute them on Feb 24th, 2022 with the war in Ukraine, which led to some corrections and adjustments in the plans as a follow-up process. |
| | K.2 Is there a formal, documented information technology disaster recovery exercise and testing program in place? | An organization should conduct exercises and tests that validate the effectiveness of business continuity and disaster recovery procedures and capabilities, the readiness of its personnel to perform required actions and the viability of related communication mechanisms and procedures. | Yes | Part of the "Business Continuity and Recovery Plans", available upon request. |
| | K.3 Are there any dependencies on critical third party service providers? | | Yes | The below list of Sub-processors is critical to an extent for Business Continuity, with Hetzner standing out. |
| | K.4 Is there a pandemic/infectious disease outbreak plan? | An organization should create and maintain infectious disease outbreak plans which consider outbreaks impacting internal parties, third parties and customers. | Yes | The "Infectious disease outbreak plan" is part of the "Business Continuity and Recovery Plans", available upon request. |
| | K.5 Is scoped data backed up and stored offsite? | An organization should create business recovery plans that will effectively guide the recovery of the critical business activities identified from the BIA. | Yes | Backups are in AWS (Germany). Our "Business Continuity and Recovery Plans" are available upon request. |
| | K.6 Is there a formal process focused on identifying and addressing risks of disruptive events to business operations, e.g., operational risk assessment? | An organization should create and maintain an in-depth business risk assessment that identifies and analyses the likelihood and impact of disruptive incidents to the organization and its clients/customers. | Yes | The Risk Matrix, the list of Remediation Actions performed and future Actions Required are an integral part of our Risk Management Program, owned and governed by the co-founders in collaboration with the whole team. |
| | K.7 Are formal business continuity procedures developed and documented? | An organization should create and maintain an in-depth business risk assessment that identifies and analyses the likelihood and impact of disruptive incidents to the organization and its clients/customers. | Yes | Our "Business Continuity and Recovery Plans" are available upon request. |
| | K.9 Is there a data retention policy or process with a retention schedule for scoped data? | Scoped data can be classified as a client's non-public personal information (NPPI), protected health information (PHI), personal information (PI) and/or non-public information that is stored, transmitted or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. | Yes | Please check "Section 2.13" of our DPA. |
Section L: Compliance Management | L.1 Are there policies and procedures to ensure compliance with applicable legislative, regulatory, and contractual requirements? | An organization's approach to regulatory compliance and operational risk should include a formal program, compliance monitoring, and a governing body that ensures compliance with the organization's applicable legal, regulatory and standards requirements. | Yes | Our Data Processing Addendum (DPA) is compliant with GDPR, CCPA and other applicable laws for data privacy and protection. There is a plan for 2024 to obtain ISO27k and SOC 2 certifications. Meanwhile, for the last 3 years we have conducted dozens of assessments with our Enterprise clients' InfoSec teams against ISO27k, SOC 2 and HIPAA compliance programs, so we have the appropriate policies/controls in place. |
| | L.2 Is a web site(s) maintained or hosted for the purpose of advertising, offering, managing, or servicing accounts, products, or services to clients' customers? | An organization's approach to regulatory compliance and operational risk should include a formal program, compliance monitoring, and a governing body that ensures compliance with the organization's applicable legal, regulatory and standards requirements. | Yes | The purpose is defined in our DPA. |
| | L.3 Is there a compliance program or set of policies and procedures to address bribery, corruption, prohibition of providing monetary offers, incentives, or improper actions that create unfair advantage in business practices? | An organization's risk management program should include a formal compliance and ethics program that ensures an organization's professional ethics and business practices are based on company values and standards of conduct and in accordance with its compliance obligations. | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow the "Supplier Code of Conduct". Please check the "Business relationships and integrity" requirements we follow from the "Supplier Code of Conduct" below. |
| | L.4 Is there a compliance program or set of policies and procedures that address Anti-Trust and Anti-Competitive Business Practices? | | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow the "Supplier Code of Conduct". Please check the "Competition" requirements we follow from the "Supplier Code of Conduct" below. |
| | L.5 Is there a documented internal compliance and ethics program? | An organization's risk management program should include a formal compliance and ethics program that ensures an organization's professional ethics and business practices are based on company values and standards of conduct and in accordance with its compliance obligations. | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow the "Supplier Code of Conduct". |
| | L.6 Are documented policies and procedures maintained to enforce applicable legal, regulatory, or contractual cybersecurity compliance obligations? | An organization's approach to regulatory compliance and operational risk should include a formal program, compliance monitoring, and a governing body that ensures compliance with the organization's applicable legal, regulatory and standards requirements. | Yes | We have a general Cyber Security Policy approved by management and communicated to and enforced with the complete team. We also acknowledge Cyber Risk as one of the key risks in our Risk Management Program. As a mitigation action we obtained Professional Liability/Errors and Omissions and Cyber Security Insurance, and our governance program was reviewed by the Insurer during the assessment process. |
| | L.7 Is there a compliance program or set of policies and procedures that address internal and external Fraud Detection and Fraud Prevention? | | N/A | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow the "Supplier Code of Conduct". |
Section M: Endpoint Device Security | M.1 Are End User Devices (desktops, laptops, tablets, smartphones) used for transmitting, processing, or storing Scoped data? | Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. The organization should implement and maintain end user or endpoint security configuration standards. | No | Access to PRODUCTION is restricted to a limited number of personnel with 2FA used plus VPN to access segregated PRODUCTION networks. PRODUCTION data are not copied to lower environments or End User Devices |
| | M.2 Does the organization maintain policies and procedures for the access to and the usage of collaborative computing devices or applications, e.g., networked white boards, cameras, and microphones? | An organization should implement a formalized process requiring end users to be made aware of and accept remote desktop support sessions prior to another user taking control. | Yes | "Remote Access" Policy in scope of the "Information Security" Policies. Available upon request. |
Section N: Network Security | N.1 Is there an established Network Security Program policy that defines enterprise network security requirements, is approved by management, communicated to constituents, and has an owner to maintain and review it? | | Yes | In the scope of the "Information Security" Policies. Available upon request. |
| | N.2 Is every connection to an external network terminated at a firewall, e.g., the Internet, partner networks? | | No | Release Management Apps establish communication with Jira and diverse third-party systems to guarantee essential functionality. Consequently, external outgoing connections from the Production Systems are necessary. |
| | N.3 Are all network devices patched with all available high-risk security patches applied and verified? | | Yes | "Patch Management Policy" is available upon request. |
| | N.4 Is there a policy that defines the requirements for remote access from external networks to networks containing Scoped systems and data that has been approved by management and communicated to constituents? | | Yes | "Remote Access" Policy in scope of the "Information Security" Policies. Available upon request. Access to PRODUCTION is restricted to a limited number of personnel, with 2FA plus VPN used to access the segregated PRODUCTION networks. |
| | N.6 Are Network Intrusion Detection / Prevention Systems (NIDS/NIPS) used to detect and/or prevent intrusions into the network? | | No | Not something we have at the moment. We took an action item on it and are considering whether to implement it now or get it out of the box with the migration to AWS in mid-2024. |
| | N.7 Is there a DMZ environment within the network that transmits, processes, or stores Scoped systems and data, e.g., web servers, DNS, directory services, remote access, etc.? | | Yes | Part of the "Information Security" Policy that is available upon request. |
| | N.8 Is there a wireless policy or program that has been approved by management, communicated to appropriate constituents, and an owner assigned to maintain and review the policy? | | N/A | We do not operate or maintain any wireless networks. Access to company resources is exclusively available through the Internet, using Transport Layer Security (TLS), Virtual Private Network (VPN), Two-Factor Authentication (2FA), and additional security measures outlined in other security policies. |
| | N.9 Are there security and hardening standards (e.g., baseline configuration, patching, passwords, access control) for network devices, including Firewalls, Switches, Routers and Wireless Access Points? | | Yes | Part of the "Information Security" and "Patch Management" Policies that are available upon request. |
| | N.10 Are default passwords changed or disabled prior to placing network devices into production? | | Yes | Part of the "Information Security" Policy that is available upon request. |
Section O: Environmental, Social, and Governance (ESG) | O.1 Does the organization have and adhere to an environmental policy which sets out clear commitments and targets to improve the organization's environmental footprint? | An organization should establish a formalized approach for Environmental, Social, and Governance (ESG) by implementing programs or processes to meet these commitments. | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow “Supplier Sustainability at Atlassian” and the “Supplier Code of Conduct”. https://www.atlassian.com/company/contact/suppliers/work-with-us/supplier-sustainability |
| | O.2 Does the organization have material discharges to air as a direct result of its operations? | | No | Our products and business purpose have nothing to do with “material discharges to air”. |
| | O.3 Does the organization have processes in place to ensure that there are no material discharges to land or water as a direct result of business operations? | | N/A | Our products and business purpose have nothing to do with “material discharges to land or water”. |
| | O.4 Has the organization implemented procedures to ensure the safe use, handling, storage and disposal of hazardous/toxic chemicals and substances? | | N/A | Our products and business purpose have nothing to do with “use, handling, storage and disposal of hazardous/toxic chemicals and substances”. |
| | O.5 Does the organization maintain processes to ensure that there are no adverse impacts on biodiversity, including deforestation, ecosystem integrity, natural resource conservation and land degradation? | | N/A | Our products and business purpose have nothing to do with “possible impacts on biodiversity, including deforestation, ecosystem integrity, natural resource conservation and land degradation”. |
| | O.6 Is the organization fully compliant with relevant environmental permits/licenses/consents? | | N/A | Our products and business purpose have nothing to do with it. |
| | O.7 Does the organization have documented policies and procedures in place that address prevention of modern slavery? | Modern Slavery Policies are used to identify and address steps organizations take to prevent modern slavery within the business and across their supply chain. Modern slavery can include human trafficking, forced labor, debt bondage/bonded labor, descent-based slavery, slavery of children, forced and early marriage. Organizations should be aware of where regulation requires the creation of modern slavery policies or statements (e.g., the UK Modern Slavery Act 2015: https://www.legislation.gov.uk/ukpga/2015/30/contents/enacted). | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow “Supplier Sustainability at Atlassian” and the “Supplier Code of Conduct”. https://www.atlassian.com/company/contact/suppliers/work-with-us/supplier-sustainability |
| | O.8 Does the organization ensure that sub-contractors are treated fairly, ethically and in accordance with local standards and regulations? | | Yes | We ensure there are appropriate statements in their policies. |
| | O.9 Does the organization have a documented policy on Health and Safety? | | Yes | Please check Section “Safety and security” of the “Atlassian Supplier Code of Conduct” below. |
| | O.10 Has the organization established formal community relations programs to promote its involvement in the community? | | Yes | Please check Section “Freedom of association” of the “Atlassian Supplier Code of Conduct” below. |
| | O.11 Does the organization have policies in place to ensure that their products and/or services do not generate health and safety concerns? | | N/A | Our products and business purpose have nothing to do with “possible health and safety concerns”. |
| | O.12 Does the organization have a formalized Environmental, Social, and Governance (ESG) program or set of policies and procedures approved by management and the Board of Directors? | | Yes | We are part of the Atlassian ecosystem and, as a supplier to the Atlassian Marketplace, we follow “Supplier Sustainability at Atlassian” and the “Supplier Code of Conduct”. https://www.atlassian.com/company/contact/suppliers/work-with-us/supplier-sustainability |
| | O.13 Does the organization have a formal diversity, equity, and inclusion (DEI) statement or policy? | | Yes | Please check Section “Diversity, equity, and inclusion (DEI)” of the “Atlassian Supplier Code of Conduct” below. |
| | O.14 Does the organization have a documented policy for Ethical Sourcing? | | Yes | Please check Section “Diversity, equity, and inclusion (DEI)” of the “Atlassian Supplier Code of Conduct” below. |
Section P: Privacy | P.1 Is there collection, access, processing, disclosure, or retention of any classification of personal information or personal data of individuals on behalf of the client? | | Yes | Please check our DPA and Privacy Policy. Data Processing Addendum (DPA): https://releasemanagement.atlassian.net/wiki/spaces/TRUSTRM/pages/2615574565 |
| | P.1.1 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as client-scoped employee data? | An organization should define and maintain processes that identify privacy data classification, inventory and map data, and document the internal and external data processing environment used for scoped data within the provided systems/products/services. | Yes | Please refer to EXHIBIT A of our DPA. |
| | P.1.2 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as nonpublic personal information or personally identifiable financial information under the Gramm-Leach-Bliley Act (GLBA) and related Privacy and Security Safeguards Rules? | An organization should define and maintain processes that identify privacy data classification, inventory and map data, and document the internal and external data processing environment used for scoped data within the provided systems/products/services. | No | |
| | P.1.3 Is client scoped data collected, accessed, processed, disclosed, or retained that can be classified as consumer report information or derived from a consumer report under the Fair and Accurate Credit Transactions Act (FACTA)? | | No | |
| | P.1.4 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as Protected Health Information (PHI) or other higher healthcare classifications of privacy data under the U.S. Health Insurance Portability and Accountability Act (HIPAA)? | | No | |
| | P.1.5 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under U.S. State Privacy Regulations e.g., CO, CA, CT, MA, NY, NV, VA, UT, WA, etc.? | | Yes | In our DPA we refer to “U.S. Data Protection Law” as all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act. |
| | P.1.6 Is client scoped data collected, accessed, transmitted, processed, disclosed, or retained that can be classified as European Union Personal Data or Sensitive Personal Data e.g., racial or ethnic origin, genetic data, biometric data, health data, sexual orientation, criminal history? | | Yes | European Union Personal Data only, NOT Sensitive Personal Data. In our DPA, “Europe” means, for the purposes of this DPA, the Member States of the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland. |
| | P.1.7 Is client scoped data collected, transmitted, processed, disclosed, or retained that can be classified as Personal Information as defined by the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) or Canadian Provincial Privacy Regulations? | An organization should define and maintain processes that identify privacy data classification, inventory and map data, and document the internal and external data processing environment used for scoped data within the provided systems/products/services. | Yes | |
| | P.1.8 Is client scoped data collected, accessed, transmitted, processed, or retained that can be classified under any other international privacy jurisdictions? If Yes, list the applicable international location in the Additional Information field. | | Yes | In our DPA, “Applicable Data Protection Law” means all data protection laws and regulations applicable to the processing of personal data under this DPA, including, but not limited to, the Australian Data Protection Law, Brazilian Data Protection Law, European Data Protection Law, Japanese Data Protection Law, and U.S. Data Protection Law. |
| | P.1.9 Is client scoped data of minors collected, transmitted, processed, disclosed, or stored as part of the services? If Yes, specify the age limitation in the Additional Information Field. | | No | |
| | P.2 Has the organization developed and maintained a formal privacy program for the protection of personal information collected, accessed, transmitted, processed, disclosed, or retained on behalf of the client? | | Yes | Please check EXHIBIT B of our DPA. |
| | P.2.3 Is documentation of the data processing environment including role of the processor (e.g., data flows, data maps, data inventories, business model etc.) maintained for the systems/products/services that process client scoped data based on data classification? | | Yes | Please refer to Section 2.2 “Relationship of the parties” of the DPA. |
| | P.3 Is privacy awareness training conducted for new workers (e.g., officers, directors, employees, contractors) at the time of onboarding? | | Yes | Part of the “Employees provisioning and de-provisioning” Procedure. |
| | P.5 Are there documented policies and procedures that define limits to the collection and use of personal information to authorized users regarding limiting the personal information collected and used by authorized users e.g., minimum necessary, need to know, job role? | | Yes | Please check our “Privacy Policy”: https://releasemanagement.atlassian.net/wiki/spaces/TRUSTRM/pages/2615574565 |
| | P.5.1 Are there documented policies and procedures that define limits to the collection and use of personal information e.g., minimum necessary, need to know, job role? | | Yes | Please check our “Privacy Policy”: https://releasemanagement.atlassian.net/wiki/spaces/TRUSTRM/pages/2615574565 |
| | P.5.2.1 Are procedures documented that outline the relevancy of the personal information collected, used, or processed to the defined purpose of authorized data processing in the contract and/or privacy notice? | | Yes | Please check EXHIBIT A of our DPA. |
| | P.5.4 Is personal information collected directly from an individual by the organization on behalf of the client? | | Yes | |
| | P.5.5 Is personal information provided to the organization directly by the client? | | Yes | Please check EXHIBIT A of our DPA. There are different use cases. |
| | P.6 Does the organization have or maintain internet-facing website(s), mobile applications, platform, or other digital services or applications that collect, use, disclose, process, or retain client-scoped data that are accessed directly by individuals? | | No | |
| | P.7.5 Is there a Third Party Risk Management Program (including ongoing monitoring) in place to address data protection safeguards (administrative, technical, and physical safeguards) for the security of the client scoped data? | | Yes | Please check Sub-processors. |
| | P.8 Are documented policies and procedures maintained to detect and report privacy incidents e.g., unauthorized disclosure, misuse, alteration, destruction, or other compromise of client scoped data? | An organization should establish a formal privacy incident communication, notification and incident handling procedure, integrated with the organization's security incident response and escalation procedures, to be executed in the event of unauthorized access, use, disclosure or breach of scoped data. | Yes | Please check Security Vulnerabilities Process. |
| | P.9 Do any other parties (e.g., affiliates, fourth-Nth parties, contractors, subcontractors, sub-processors, sub-service organizations, etc.) have access to, receive, process, or retain client scoped data? | | No | No, apart from what is described here: Sub-processors. |
| | P.10.1 Are there enforcement mechanisms in place to address privacy inquiries, complaints, disputes and recourse for violations of privacy compliance? | | Yes | Please check Security Vulnerabilities Process. |
Section T: Threat Management | T.1 Is there a centrally managed Vulnerability Management Program and associated Policy that has been approved by management, communicated to appropriate constituent and an owner assigned to maintain and review the policy? | An organization should perform penetration tests or ethical hacking of internal and external networks and systems. Industry standards such as OWASP or SANS Top 20 should be utilized as a foundation for detecting vulnerabilities and measuring the effectiveness of the application security controls in place. | Yes | Please check Security Vulnerabilities Process |
T.2 Does the organization maintain policies, standards, and procedures for identifying and managing cyber supply chain risks i.e., ensuring software and hardware components used as part of delivering a service or product do not present a risk? | An organization should ensure that internal and external systems are regularly scanned for compliance against industry security standards and that any applicable detected vulnerabilities are remediated. | Yes | Please check Security Vulnerabilities Process | |
Section U: Server Security (updated Sep 10, 2024) | U.1 Are Servers used for transmitting, processing, or storing scoped data? | | Yes | As of September 14, 2024, we use a distributed cluster in AWS (US, East). Until September 14, 2024, we used a distributed cluster in two locations in Europe (Germany, Finland). Backups are also in AWS (Germany). |
| | U.1.1 Are server security standards reviewed and/or updated at least annually to account for any changes in environment, available security features and/or leading practices? | An organization should define and maintain a formal, documented configuration standard for building and managing target systems, including hardening requirements in accordance with external industry or vendor guidance. | Yes | Part of the “General Requirements for Information Systems Security” that is available upon request. |
| | U.1.2 Are all unnecessary/unused services uninstalled or disabled on all servers? | | Yes | |
| | U.1.3 Are vendor default passwords removed, disabled, or changed prior to placing any device or system into production? | | Yes | |
| | U.1.4 Are all systems and applications patched regularly? | | Yes | |
| | U.1.5 Are Windows servers used to process, store or used for scoped services? | | No | |
| | U.1.6 Is Unix or Linux used to process, store or used for scoped services? | | Yes | |
| | U.1.7 Are AS/400s used to process, store or used for scoped services? | | No | |
| | U.1.8 Are Mainframes used to process, store or used for scoped services? | | No | |
| | U.1.9 Are Hypervisors used to manage systems used to transmit, process, or store Scoped data e.g., cloud hosting? | | No | |
Section V: Cloud Hosting Services | V.1 Are Cloud Hosting services provided? | An organization hosting Cloud Services or a Cloud Service Provider (CSP) should have formalized security policies and controls in place protecting its service and deployment models that include the documentation of its security responsibilities. | Yes | We deliver both Downloadable and Hosted (Cloud) Apps for Jira. |
| | V.2 Is there a management approved process to ensure that backup image snapshots containing scoped data are authorized by the outsourcer prior to being snapped? | | Yes | All backups are in AWS (Germany). |
| | V.3 Does the Cloud Hosting Provider provide independent audit reports for their cloud hosting services e.g., Service Operational Control - SOC? | | Yes | Please check https://www.hetzner.com/unternehmen/zertifizierung |