Data Security of the SoftComply Risk Manager
How is user data secured?
The SoftComply Risk Manager app on Jira Cloud (henceforth Risk Manager) is compliant with the Atlassian Cloud Security Program. Additionally, Risk Manager uses the latest and most widely adopted transport layer security technologies (TLS, HSTS, etc.). See more at Security requirements for cloud applications.
Are you SOC 2 compliant? What security accreditations do you hold?
Risk Manager is not SOC 2 compliant; however, we participate in and are compliant with the following programs owned by Atlassian:
Do you encrypt data at rest/in transit?
Risk Manager uses HTTPS for data encryption in transit and Google Cloud mechanisms for encryption at rest.
Do you conduct external (third-party) audits of the service? If so, please describe the scope and frequency of those audits.
We currently don’t conduct external audits of the app except for the BugCrowd open crowdsourced security program that we participate in.
Has the app been security assessed?
As we are compliant with the Atlassian Security Program, a self-assessment is updated and sent to Atlassian every year. This is a company-wide security assessment, not a per-product assessment.
Do you have a Security Incident Response Program?
Yes, more information is available on request or at App security incident management guidelines for Marketplace Partners.
Do you have Business Continuity and/or Disaster Recovery Plans?
We do have a Business Continuity Plan and a Disaster Recovery Plan in place. We are fully hosted on Google Cloud, which is 100% fault tolerant. Additionally, we have redundancies built in to keep the application running in the event of an outage in the region. Our servers are backed up daily.
Do you have capability to recover data for a specific customer in the case of a failure or data loss?
We do have the ability to recover data for a specific customer even though it can take some time, as our application is multi-tenant. Currently, data recovery can be requested through a support ticket.
Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment)?
We are enrolled in the Bug Bounty program run by BugCrowd as part of the Atlassian “Vendor Security Assessment” program. As part of the program, security researchers penetration test our application and report all security vulnerabilities they find, and we fix all identified vulnerabilities according to the SLAs set up by Atlassian for the program. If we continue to meet the requirements of the Vendor Security Assessment program, Atlassian confers a security badge on the app in the Marketplace.
Is your application designed to store sensitive information? (For example: credit card data, personal data, financial data, source code, trading algorithms or proprietary models.)
No personal data is stored by SoftComply. SoftComply only stores the configuration of the risk matrix and the risk table but no personal or user information whatsoever. All user information is stored in Jira by Atlassian.
Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.
No customer data is stored in SoftComply’s database. Only the following configuration is stored:
Risk Matrix configuration,
Risk Table configuration.
All data is encrypted in transit and at rest.
Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
We don’t have any security-relevant certifications yet.