Security self-assessment program

Atlassian is introducing a new Privacy and Security tab in the Marketplace listing UI for cloud apps. This new tab will provide detailed information on the privacy, security, data handling, and compliance practices followed by cloud apps and will replace the Security Self Assessment as a Cloud Fortified requirement. The Security Self Assessment will be deprecated on August 13, 2023, 6 months after we begin accepting responses for this new Privacy & Security tab.

The security self-assessment program is a collaboration with our Marketplace Partners to increase security awareness and improve security practices.

To be eligible, you'll need to:

Have a public cloud app in the Marketplace
- If you have multiple cloud apps under your partner name, you only need to complete one application.
Complete your application and meet the assessment criteria
Re-apply annually

You can learn more about Program requirements below.

If you need to report a security bug or incident for your app, Report an issue at Developer and Marketplace support.

Key goals and objectives

The main goals of the security self-assessment program are to:

Increase customer confidence in apps
Provide customers with the necessary information to perform security evaluations
Improve security practices for cloud apps in the Marketplace

For customers, the program also promotes security mindfulness in three main areas:

Area	Details
Data security	The cloud partner has a clear data security policy. Data vulnerabilities are considered and handled.
Sensitive data handling	The cloud partner is mindful of the different types of data it handles and places extra security on sensitive data.
Backups and disaster recovery	The cloud partner backs up its data regularly and has a clear plan for data recovery in case of disaster.

Program requirements

The security self-assessment program requires you to:

Complete 13 security questions. You can view these in the assessment criteria below.
Have your application reviewed and approved by Atlassian
Work with Atlassian during the review process to pinpoint app vulnerabilities and identify improvements
Re-apply annually with updated information. If not, your application will expire.

If your app is approved, the "Security" section of your cloud app listing and partner profile page will display:

This partner has completed the security self-assessment and shared the results with Atlassian.

Cloud app partners are encouraged to complete a yearly self-assessment of their data security practices. This information is self-reported by partners, and Atlassian is not responsible for the security or integrity of this app.

Assessment criteria

The security self-assessment contains 13 security questions as part of your application.

Your answers will be:

Reviewed by Atlassian against the passing criteria
Kept private to Atlassian. If you like, you can opt-in to let Atlassian to share responses with customers.

No additional audit or testing is performed.

While program approval can give your customers peace of mind, they may take further steps to meet company security requirements. If this is the case, they may contact you for more information.

#	Question	Passing criteria
1a	Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.	Ideally No. If Yes, provide details of controls in place.
1b	If you have answered Yes to Question Number 1a, what is the jurisdiction(s) of where this data is hosted?	N/A Reference information.
2	Is your application designed to store sensitive information? (For example: Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms or proprietary models)	Ideally No. If Yes, provide details of controls in place.
3	Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the policy).	Yes, and provides details.
4	Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process).	Ideally Yes and provides process documents. If no, describe the current process.
5	Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?	Yes, and provides details.
6	Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?	N/A No accreditation required to pass, but beneficial.
7	Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide copies of results/findings? Example penetration testing report	Ideally Yes and provides results. Or Yes and describe process.
8	Do you have mechanisms to notify Atlassian in case of a security breach? An App Security Incident ticket should be filed with us immediately upon your detection of a security incident. You must stay available to communicate with our security team during resolution and inform our team via the ticket when the incident is resolved. While you are responsible for informing your affected customers as necessary, your communication with us helps us direct customers who have reached out to Atlassian for help. It also informs us in case we need to take necessary action to prevent additional breaches.	Yes, and provide details of the documented plan with notification and followup procedure.
9	Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?	Ideally No. If Yes, provide details of a tightly controlled system.
10	Are all personnel required to sign Non-Disclosure Agreement (NDA) or Confidentiality Agreements (CA) as a condition of employment to protect customer information?	Yes if they have access to sensitive information. Otherwise not necessary.
11	Do you have a publicly documented process for managing security vulnerabilities in your application(s)? Example security vulnerability process	Yes, and provides the URL to the documentation. Or No, and describes handling of security vulnerability identified in the code.
12	Do you have Business Continuity and/or Disaster Recovery Plans? If Yes, please provide details including backup and redundancy mechanisms.	Yes, with description.
13	Do you have capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames. What is the maximum data loss period a customer can expect?	Yes, with backup every 24 hrs.

How to apply

Ensure you meet all requirements.
Visit Developer and Marketplace support. Under Security Programs, apply for the security self-assessment.
Keep the confirmation email you receive for your form submission. You can use the link to edit the form later.
You'll be contacted by our Marketplace team within 30 business days.

How to re-apply

You can re-apply to the security self-assessment program if:

Initially, you did not meet all the passing criteria
Since applying, you have made changes to your security protocol

To re-apply:

Re-open your confirmation email.
Select the link to edit your form.
On your form's ticket, add a comment. Indicate your wish to re-submit, and summarize the key changes that you've made.

Update your security details

If you change your security protocol, you'll need to reflect these updates on your application form. To update your security self-assessment:

Re-open your confirmation email.
Select the link to edit your form.
On your form's ticket, add a comment outlining the edits you'd like to make.
Within two weeks, the Marketplace team will contact you to confirm and update your application.

Program expiry

If your security self-assessment program application is approved, it will be valid for one year.

You'll receive a notification 30 days before expiry.

To prevent expiry, submit a new application each year.

Resources

Learn more about: