Security and Reliability

How is user data secured?

Zephyr Squad is compliant with the Atlassian Security Program. Additionally, Zephyr Squad uses HTTPS for data encryption in transit and AWS mechanisms for encryption at rest.

Are you SOC 2 compliant? What security accreditations do you hold?

Zephyr Squad is not SOC 2 compliant; however, we participate in and are compliant with the following programs owned by Atlassian:

Do you encrypt data at rest/in transit?

Zephyr Squad uses HTTPS for data encryption in transit and AWS mechanisms for encryption at rest. The only exception is attachment storage: attachment files are protected by authorization mechanisms, but they are not encrypted at rest.

Do you conduct external (third-party) audits of the service? If so, please describe the scope and frequency of those audits.

We currently don’t conduct external audits of the app.

Has the add-on been security assessed – can we see the result?

As we are compliant with the Atlassian Security Program, a self-assessment is updated and sent to Atlassian every year. This is a company-wide assessment, not a per-product assessment.

Do you have a Security Incident Response Program?

Yes, more information is available on request.

Do you have Business Continuity and/or Disaster Recovery Plans?

We do have a Business Continuity Plan and a Disaster Recovery Plan in place. We are fully hosted on AWS, which is 100% fault tolerant. Additionally, we have redundancies built in to keep the application running in the event of an outage in the region. Our servers are backed up multiple times a day, and the backups are stored in a different location so that there is no single point of failure and we can recover from any outage.

Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

We do have the ability to recover data for a specific customer, as our application is multi-tenant, and we support tenant isolation. Currently, data recovery can be requested through a support ticket, and we can make the data backup available in 24–48 hours.

Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment)?

We are enrolled in the Bug Bounty program run by Bugcrowd as part of the Atlassian “Vendor Security Assessment” program. As part of the program, security researchers pen-test our application and report all security vulnerabilities they find, and we fix all identified vulnerabilities according to the SLAs set up by Atlassian for the program. If we continue to meet the requirements of the Vendor Security Assessment program, Atlassian confers a security badge on the app in the Marketplace.

Is your application designed to store sensitive information? (For example: credit card data, personal data, financial data, source code, trading algorithms, or proprietary models.)

No personal data is stored inside Zephyr Squad. The app only stores user identifiers; any user information displayed in the app comes from Jira. However, we recommend that users do not upload sensitive information.

Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the policy).

SmartBear has an Information Security Policy. The ISMS is aligned with NIST CSF and CIS Controls. Please see IS 000 – Information Security Policy. Our privacy policy can be accessed on our website at smartbear.com/privacy.

Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.

No customer data is stored in Zephyr Squad’s database; only identifiers are stored, including, but not limited to:

  • Project ID and key

  • Issue ID and key

  • User ID

All data is encrypted in transit and at rest.

Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?

We do not hold any security certifications yet.
