Data Security Statement
Data Security of the SoftComply Applications
How is data secured?
SoftComply Cloud apps are compliant with the Atlassian Cloud Security Program. Additionally, the apps use current, widely deployed transport layer security mechanisms (TLS, HSTS, etc.) to protect data in transit. See more at Security requirements for cloud apps.
Are you SOC 2 compliant? What security accreditations do you hold?
SoftComply apps are not SOC 2 compliant. However, we participate in and comply with the following Atlassian-owned programs:
Do you encrypt data at rest/in transit?
The apps use HTTPS (TLS) to encrypt data in transit.
Only the SoftComply Risk Manager and Document Manager applications store data in a backend database on Google Cloud; that data is encrypted at rest using Google Cloud's encryption mechanisms.
Other apps use Atlassian Forge Storage to store data.
Do you conduct external (third-party) audits of the service? If so, please describe the scope and frequency of those audits.
We currently do not conduct external audits of the apps, other than the open crowdsourced security (bug bounty) program run by BugCrowd that we participate in.
Have the apps been security assessed?
As part of our compliance with the Atlassian Security Program, we update and submit a security self-assessment to Atlassian every year. This is a company-wide self-assessment, not an independent per-product assessment.
Do you have a Security Incident Response Program?
Yes. More information is available on request or at App security incident management guidelines for Marketplace Partners.
Do you have Business Continuity and/or Disaster Recovery Plans?
We have both a Business Continuity Plan and a Disaster Recovery Plan in place. We are fully hosted on Google Cloud, which provides highly available, fault-tolerant infrastructure. Additionally, we have built in redundancies to keep the application running in the event of an outage within the region. Our servers are backed up daily.
Do you have capability to recover data for a specific customer in the case of a failure or data loss?
We can recover data for a specific customer, although this can take some time because the application is multi-tenant. Currently, data recovery can be requested through a support ticket.
Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment)?
We are enrolled in the Bug Bounty program run by BugCrowd as part of the Atlassian "Vendor Security Assessment" program. Under this program, security researchers penetration test our applications and report the vulnerabilities they find, and we fix all identified vulnerabilities within the SLAs set by Atlassian for the program. Note that this is continuous crowdsourced testing rather than a scheduled, scoped penetration test. As long as we continue to meet the requirements of the Vendor Security Assessment program, Atlassian confers a security badge on the app in the Marketplace.
Is your application designed to store sensitive information? (For example: credit card data, personal data, financial data, source code, trading algorithms or proprietary models.)
SoftComply Risk Manager apps
The Risk Manager apps store no personal data. SoftComply Risk Manager stores only the configuration of the risk matrix and the risk table, and no personal or user information whatsoever. All user information is stored in Jira by Atlassian. SoftComply Risk Manager Plus is a Forge application, so its data is stored and maintained by Atlassian.
SoftComply Document Manager app
We store the Atlassian user ID and email address in Forge storage (within Atlassian) in order to run the service. We also store data entered in fields, which may be sensitive depending on the content the user enters. Processing of this data is limited to storage and transfer. For regulatory purposes we store the audit trail of documents and of the app itself.
This data is stored on Google Cloud services, is encrypted at rest and is transferred over HTTPS, which encrypts it in transit. Access to the database is restricted. Customer data is accessed only for troubleshooting purposes and only after written consent from the customer.
All data is stored in the European Union.
Do you have a Privacy Policy? Please provide details (or provide a copy of the policy).
Our privacy policy can be accessed on our website at Privacy Policy – SoftComply.
Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.
SoftComply Risk Manager
No customer data is stored in SoftComply’s database. Only the following configuration is stored:
Risk Matrix configuration,
Risk Table configuration.
All data is encrypted in transit and at rest.
Other Risk Manager family apps:
No customer data is stored in SoftComply’s database.
SoftComply Document Manager app:
We store the Atlassian user ID and email address in Forge storage (within Atlassian) in order to run the service. We also store data entered in fields, which may be sensitive depending on the content the user enters. Processing of this data is limited to storage and transfer. For regulatory purposes we store the audit trail of documents and of the app itself.
This data is stored on Google Cloud services, is encrypted at rest and is transferred over HTTPS, which encrypts it in transit. Access to the database is restricted. Customer data is accessed only for troubleshooting purposes and only after written consent from the customer.
We do NOT store data contained in Confluence pages.
All data is stored in the European Union.
Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
We do not currently hold any security certifications (such as SOC 1/2/3, ISO 27001 or PCI DSS).