Security FAQ

Customer data

Do you store customer data from the customer Atlassian instance?

Smart Guess stores no data outside the customer's Atlassian instance. Smart Guess builds on the Atlassian Forge platform, which is 'built on a foundation of security'. All data Smart Guess stores is stored using the Forge storage framework. Atlassian and Smart Guess operate under a shared responsibility model, with Smart Guess using the Forge Custom UI module. The respective security responsibilities of Atlassian and Smart Guess are defined here: Atlassian shared responsibility model.

More information on Security measures can be found here:

Employee access

Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?

Smart Guess employees have no access to customer data.

Do you have a process in place that aligns user access with job description and/or responsibility? (i.e., user access to all related backend infrastructure and services, such as the OS, database, and whatever else constitutes the services/IS that the application runs on or integrates with)

Yes, employees are given access only to the tools and services they need to perform their jobs.

Do you have a process in place that ensures user login IDs with OS, database, or application access are disabled in a timely manner (e.g., within 1 hr, 12 hrs, or 24 hrs) after employee termination?

Yes, the manager responsible for the employee or contractor in question disables access to all services the user had access to before the end of the working day on which the employee leaves.

Sensitive data

Is your application designed to store sensitive information? (For example, Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms, or proprietary models)

Smart Guess's applications do not store any sensitive data.

Audits

Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?

The following audits run throughout the application development lifecycle:

  • Snyk Code performs static application security testing and runs automatically to detect security vulnerabilities in real time during development
  • Snyk Open Source runs automatically on the open source libraries in use to proactively detect known security vulnerabilities in them
  • Amazon CloudWatch is used to automatically audit and detect anomalous behavior on the AWS services in use

Furthermore, a security consultant performs penetration testing on the Smart Guess application once a year as part of the Atlassian Security Self-Assessment Program.

All critical vulnerabilities found during audits are resolved in line with the Security bug-fix policy.

Security bug-fix policy - managing security vulnerabilities

Do you have a process in place for managing security vulnerabilities in your applications?

Yes, based on Atlassian's security bug fix policy, Smart Guess has a process for handling security vulnerabilities in its products.

Security bug fix Service Level Objectives

Smart Guess sets service-level objectives for fixing security vulnerabilities based on the Atlassian definition of security severity levels. The following timeframes are defined for fixing security issues in Smart Guess products.

Security Vulnerability Resolution Timeframes

These timeframes apply to all Smart Guess products:

  • Critical severity bugs to be fixed within 2 weeks of being verified
  • High severity bugs to be fixed within 4 weeks of being verified
  • Medium severity bugs to be fixed within 6 weeks of being verified
  • Low severity bugs to be fixed within 25 weeks of being verified

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Smart Guess or reported by a third party, Smart Guess will issue a new, fixed release for the current version of the affected product as soon as possible.

Non-critical vulnerabilities

When a security issue of a High, Medium, or Low severity is discovered, Smart Guess will aim to release a fix within the service level objectives listed above.

Accreditation

Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?

Smart Guess ehf. is not accredited at this time. However, the Atlassian Cloud platform and the Amazon Web Services (AWS) infrastructure operating the development, staging, and production environments are both accredited.

Penetration testing

Do you undertake penetration testing (or similar technical security testing, code review, or vulnerability assessment)?

Yes, manual penetration testing of the Smart Guess application is performed once a year by a security consultant as part of the Atlassian Security Self-Assessment Program.

All critical vulnerabilities found during audits are resolved in line with Smart Guess's security bug fix policy.

Data Recovery

Do you have the capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss, including time frames.

The capability to recover data for a specific customer is not part of Smart Guess ehf.'s responsibilities. Smart Guess builds on the Atlassian Forge platform, where all customer data is stored using the Forge storage framework. This means that responsibility for customer data lies with Atlassian, in line with the Atlassian shared responsibility model.

Disaster Recovery

Do you have Business Continuity and/or Disaster Recovery Plans?

The following processes are in place and are run automatically:

  • Daily local backups of Smart Guess ehf. computers, relevant data, and configuration
  • Daily backups of Smart Guess ehf. critical data are uploaded to a cloud backup service provided by a globally recognized provider
  • The backup service provider monitors backup results

The restore procedure is documented and tested once a year.