Security FAQ

Customer data

Do you store customer data from the customer Atlassian instance?

Smart Guess stores no customer data from customer Atlassian instances. Smart Guess builds on the Atlassian Forge platform and displays user names and avatars. This information is retrieved on demand from the Atlassian Jira API, shown to users, and is never stored by Smart Guess.

Employee access

Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?

Envision employees have no access to customer data.

Do you have a process in place that aligns user access with job description and/or responsibility? (i.e., user access to all related backend infrastructure and services, such as the OS, the database, and whatever other services or information systems the application runs on or integrates with)

Yes, employees are given access only to the tools and services they need to perform their jobs.

Do you have a process in place that ensures user login IDs with OS, database, or application access are disabled in a timely manner (e.g., within 1 hour, 12 hours, or 24 hours) after employee termination?

Yes. The manager responsible for the employee or contractor in question disables access to every service the user had access to on the employee's last working day, before the end of that day.

Sensitive data

Is your application designed to store sensitive information? (For example, Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms, or proprietary models)

Envision's applications do not store any sensitive data.

Audits

Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?

The following automated checks run throughout the application development lifecycle:

  • Snyk Code performs static application security testing (SAST) on the application's own source code and runs automatically to detect security vulnerabilities during development
  • Snyk Open Source automatically scans the open-source libraries the application depends on to proactively detect known security vulnerabilities in those libraries
  • Amazon CloudWatch is used to automatically audit and detect anomalous behavior on the AWS services in use

Furthermore, a security consultant performs penetration testing on the Smart Guess application once a year as part of the Atlassian Security Self-Assessment Program.

All critical vulnerabilities found during these audits are resolved in line with the security bug-fix policy described below.

Security bug-fix policy - managing security vulnerabilities

Do you have a process in place for managing security vulnerabilities in your applications?

Yes. Envision's handling of security vulnerabilities in its products is based on Atlassian's security bug fix policy and is described below.

Security bug fix Service Level Objectives

Envision sets service level objectives for fixing security vulnerabilities based on the Atlassian definition of security severity levels. The following timeframes are defined for fixing security issues in Envision products.

Security Vulnerability Resolution Timeframes

These timeframes apply to all Envision products:

  • Critical severity bugs to be fixed within 2 weeks of being verified
  • High severity bugs to be fixed within 4 weeks of being verified
  • Medium severity bugs to be fixed within 6 weeks of being verified
  • Low severity bugs to be fixed within 25 weeks of being verified

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Envision or reported by a third party, Envision will issue a new, fixed release for the current version of the affected product as soon as possible.

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, Envision will aim to release a fix within the service level objectives listed above.

Accreditation

Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?

Envision ehf. is not accredited at this time. However, the Atlassian Cloud platform and Amazon Web Services, which host the development, staging, and production environments, are both accredited.

Penetration testing

Do you undertake penetration testing (or similar technical security testing, code review, or vulnerability assessment)?

Yes. Manual penetration testing on the Smart Guess application is performed once a year by a security consultant as part of the Atlassian Security Self-Assessment Program.

All critical vulnerabilities found during penetration testing are resolved in line with Envision's security bug-fix policy described above.

Data Recovery

Do you have the capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames.

Recovering data for a specific customer is not one of Envision ehf.'s responsibilities. Smart Guess builds on the Atlassian Forge platform, where all customer data is stored using the Forge storage framework. Responsibility for that customer data therefore rests with Atlassian, in line with:

Disaster Recovery

Do you have Business Continuity and/or Disaster Recovery Plans?

The following processes are in place and run automatically:

  • Daily local backups of Envision ehf. computers, relevant data, and configuration
  • Daily backups of Envision ehf. critical data are uploaded to a cloud backup service provided by a globally recognized provider
  • Backup results are monitored by the backup service provider

The restore methodology is documented and tested once a year.