Last updated May 17, 2018

Cloud security program

To report a security incident for your app, please file an App Security Incident ticket.

Security is an important concern for our customers. The cloud security program is a collaboration between Atlassian and app vendors to increase security awareness and improve security practices. The goal is to increase customer confidence in apps and provide customers with the information they need to perform their own security evaluations. The program involves an annual security self-assessment that Atlassian reviews and approves. During the review process, Atlassian works with the vendor to pinpoint vulnerabilities and identify improvements. An approval is valid for one year; after it expires, vendors must re-apply with updated information.

If you have a publicly listed cloud app in the Marketplace, you can apply. Your application applies to all public cloud apps under your vendor name. Vendors that meet the passing criteria have the following text in the "Security" section of their cloud app listings and on their vendor profile page:

This vendor has completed the security self-assessment and shared the results with Atlassian.

Cloud app vendors are encouraged to complete a yearly self-assessment of their data security practices. This information is self-reported by vendors, and Atlassian is not responsible for the security or integrity of this app.

Objectives 

The program aims to encourage security mindfulness in three main areas:

Data security: The cloud vendor has a clear data security policy. Data vulnerabilities are considered and handled.

Sensitive data handling: The cloud vendor is mindful of the different types of data it handles and applies extra security to sensitive data.

Backups and disaster recovery: The cloud vendor backs up its data regularly and has a clear plan for data recovery in case of disaster.

Requirements 

The security self-assessment contains 13 security questions with the passing criteria listed below. Atlassian staff review your answers against these criteria. Your answers are kept private to Atlassian, and no additional audit or testing is performed. Passing these criteria gives customers some assurance about your security practices, but customers are advised to take any additional steps needed to meet their own company security requirements, so they may contact you directly for more information about your security.

1a. Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.
    Passing criteria: Ideally No. If Yes, provide details of controls in place.

1b. If you answered Yes to question 1a, what is the jurisdiction(s) where this data is hosted?
    Passing criteria: N/A. Reference information.

2. Is your application designed to store sensitive information? (For example: credit card data, Personally Identifiable Information, financial data, source code, trading algorithms or proprietary models.)
    Passing criteria: Ideally No. If Yes, provide details of controls in place.

3. Do you have an Information Security Policy with supporting standards and procedures? Please provide details (or provide a copy of the policy).
    Passing criteria: Yes, and provides details.

4. Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process).
    Passing criteria: Ideally Yes, and provides process documents. If No, describe the current process.

5. Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?
    Passing criteria: Yes, and provides details.

6. Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
    Passing criteria: N/A. No accreditation is required to pass, but it is beneficial.

7. Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment), and are you able to provide copies of results/findings? Example penetration testing report
    Passing criteria: Ideally Yes, and provides results. Or Yes, and describes the process.

8. Do you have mechanisms to notify Atlassian in case of a security breach? An App Security Incident ticket should be filed with us immediately upon your detection of a security incident. You must stay available to communicate with our security team during resolution and inform our team via the ticket when the incident is resolved. While you are responsible for informing your affected customers as necessary, your communication with us helps us direct customers who have reached out to Atlassian for help. It also informs us in case we need to take action to prevent additional breaches.
    Passing criteria: Yes, and provides details of the documented plan, including notification and follow-up procedures.

9. Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?
    Passing criteria: Ideally No. If Yes, provide details of a tightly controlled system.

10. Are all personnel required to sign a Non-Disclosure Agreement (NDA) or Confidentiality Agreement (CA) as a condition of employment to protect customer information?
    Passing criteria: Yes, if they have access to sensitive information. Otherwise not necessary.

11. Do you have a publicly documented process for managing security vulnerabilities in your application(s)? Example security vulnerability process
    Passing criteria: Yes, and provides the URL of the documentation. Or No, and describes how security vulnerabilities identified in the code are handled.

12. Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms.
    Passing criteria: Yes, with description.

13. Do you have the capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss, including time frames. What is the maximum data loss period a customer can expect?
    Passing criteria: Yes, with backups every 24 hours.

Applying to the cloud security program

First, ensure you meet all requirements. Then:

  1. Fill out an application for the cloud security program.
  2. Keep the confirmation email you receive for your form submission. You may use that link to edit the form later.
  3. Our friendly Marketplace team will respond within 30 business days.  

Re-applying to the cloud security program

If you did not meet all passing criteria initially, have since made changes to your security practices, and wish to reapply, please do the following:

  1. Locate the confirmation email you received when you submitted the form initially.
  2. Make the necessary edits.
  3. Add a comment to indicate that you wish to re-submit, and summarize the key changes that you have made.  

Updating security changes

Should your security practices change, please promptly update your application form as follows:

  1. Locate the confirmation email you received when you submitted the form initially.
  2. Make the necessary edits.
  3. Add a comment to summarize the key changes that you have made.

Expired applications

Approved applications are active for one year. You will be notified 30 days before the end of the one year period. Please apply with a new application each year.

Resources 

For more information on how to secure your app, please read Securing your Add-on.

For more information on how Atlassian handles security, please visit Security at Atlassian.