Data Security
How is user data secured?
Zephyr Squad is compliant with the Atlassian Security Program. Additionally, Zephyr Squad uses HTTPS to encrypt data in transit and AWS mechanisms to encrypt data at rest.
Are you SOC 2 compliant? What security accreditations do you hold?
Zephyr Squad is not SOC 2 compliant; however, we participate in and are compliant with the following programs owned by Atlassian:
Do you encrypt data at rest/in transit?
All application data is encrypted in transit (HTTPS). Encryption at rest is provided by AWS mechanisms, as noted above.
Do you conduct external (third-party) audits of the service?
We do not currently conduct external audits of the app.
Will this app be part of Cloud Fortified Apps?
Yes, this is in progress and should be completed by the end of 2021 Q4.
What security measures/review are in place at SmartBear for Zephyr Squad?
We follow secure SDLC practices and have a public bug bounty program for pen-testing the application.
Do you undertake penetration testing (or similar technical security testing, code review, or vulnerability assessment)?
We are enrolled in the Bug Bounty program run by Bugcrowd as part of the Atlassian “Vendor Security Assessment” program. As part of the program, security researchers pen-test our application and report all security vulnerabilities they find, and we fix the identified vulnerabilities within the SLAs Atlassian sets for the program. If we continue to meet the requirements of the Vendor Security Assessment program, Atlassian confers a security badge on the app in the Marketplace.
Do you have a Security Incident Response Program?
Yes, we have an incident reporting process and an incident response team in place.
Do you have Business Continuity and/or Disaster Recovery Plans?
We have a Business Continuity Plan and a Disaster Recovery Plan in place. We are fully hosted on AWS, with redundancies built in to keep the application running in the event of an outage in the region. Our servers are backed up daily, and the backups are stored in a different location so that there is no single point of failure and we can recover from an outage.
Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
We have the ability to recover data for a specific customer, as our application is multi-tenant and supports tenant isolation. Currently, data recovery can be requested through a support ticket, and we can make the data backup available within 24-48 hours. Please note that we retain backup files for a maximum of 22 days; we are therefore unable to supply backups older than that.
Has there been a pen test – can we view the results?
Pen testing of the application is done as part of the Marketplace Security Bug Bounty program. We do not share the results publicly, but you can check the Vendor Security Assessment badge for the app on the Marketplace, which is conferred on apps that meet the Atlassian-prescribed SLAs for triaging and fixing security vulnerabilities.
Is your application designed to store sensitive information? (For example: credit card data, personally identifiable information, financial data, source code, trading algorithms, or proprietary models.)
We do not store PII: Jira does not share any PII with app vendors. We are GDPR-compliant.
Do you have an Information Security Policy with supporting Standards and Procedures? Please provide the details (or provide a copy of the policy).
SmartBear has an Information Security Policy. The ISMS is aligned with NIST CSF and CIS Controls. Please see IS 000 – Information Security Policy. Our privacy policy can be accessed on our website at smartbear.com/privacy.
Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.
We store the Zephyr-specific data on the Zephyr Squad Cloud instance. Encryption in transit ensures that the data is transferred securely to our cloud location. Once in the cloud, access control and environment isolation prevent unauthorized access to the data.
Are you accredited to any relevant security standards (for example, SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
We do not currently hold any security certifications.