Do you store customer data from the customer Atlassian instance?
Smart Guess stores no customer data from customer Atlassian instances. Smart Guess builds on the Atlassian Forge platform and displays users' names and avatars. This information is retrieved on demand from the Atlassian Jira API, shown to users, and is never stored by the app.
Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?
Envision employees have no access to customer data.
Do you have a process in place that aligns user access with job description and/or responsibility? (i.e., user access to all related backend infrastructure and services, such as the OS, database, or whatever else constitutes the services/information systems that the application runs on or integrates with)
Yes, employees are given access only to the tools and services they need to perform their jobs.
Do you have a process in place that ensures user login IDs with OS, database, or application access are disabled in a timely manner (e.g., within 1 hour, 12 hours, or 24 hours) after employee termination?
Yes. The manager responsible for the departing employee or contractor disables their access to all services they had access to before the end of the working day on the day they leave.
Is your application designed to store sensitive information? (For example, Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms, or proprietary models)
Envision's applications do not store any sensitive data.
Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?
The following audits are run throughout the application development lifecycle:
Furthermore, a security consultant performs penetration testing on the Smart Guess application once a year as part of the Atlassian Security Self-Assessment Program.
All critical vulnerabilities found during audits are resolved in line with the security bug-fix policy described below.
Do you have a process in place for managing security vulnerabilities in your applications?
Yes. Envision handles security vulnerabilities in its products as follows, based on Atlassian's security bug-fix policy.
Security bug-fix Service Level Objectives
Envision sets service level objectives for fixing security vulnerabilities based on Atlassian's definition of security severity levels. The following timeframes are defined for fixing security issues in Envision products.
Security Vulnerability Resolution Timeframes
These timeframes apply to all Envision products:
When a Critical security vulnerability is discovered by Envision or reported by a third party, Envision will issue a new, fixed release for the current version of the affected product as soon as possible.
When a security issue of High, Medium or Low severity is discovered, Envision will aim to release a fix within the service level objectives listed above.
Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
Do you undertake penetration testing (or similar technical security testing, code review, or vulnerability assessment)?
Yes. A security consultant performs manual penetration testing on the Smart Guess application once a year as part of the Atlassian Security Self-Assessment Program.
All critical vulnerabilities found during this testing are resolved in line with Envision's security bug-fix policy.
Do you have the capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss including time frames.
The capability to recover data for a specific customer is not part of Envision ehf.'s responsibilities. Smart Guess builds on the Atlassian Forge platform, where all customer data is stored using the Forge storage framework. This means responsibility for customer data rests with Atlassian, in line with:
Do you have Business Continuity and/or Disaster Recovery Plans?
The following processes are in place and are run automatically:
Restore methodology is documented and tested once every year.