Do you store customer data from the customer Atlassian instance?
Smart Guess stores no data outside customers' Atlassian instances. Smart Guess builds on the Atlassian Forge platform, which is 'built on a foundation of security'. All data Smart Guess stores is stored using the Forge storage framework. Atlassian and Smart Guess have a shared responsibility model in which Smart Guess uses the CustomUI - Forge module. Atlassian and Smart Guess security responsibilities are defined here: Atlassian shared responsibility model.
More information on Security measures can be found here:
Do your employees (e.g., developers or system administrators) have access to Atlassian customer data? How is this access controlled and monitored?
Smart Guess employees have no access to customer data.
Do you have a process in place that aligns user access based on job description and/or responsibility? (i.e., user access to all related backend infrastructure and services, such as the OS, DB, or whatever constitutes the services/IS that the application runs on or integrates with)
Yes, employees are given access only to the tools and services they need to perform their jobs.
Do you have a process in place that ensures user login IDs that have OS, database, or application access are disabled in a timely manner (e.g., within 1 hr, 12 hrs, or 24 hrs, etc.) subsequent to employee termination?
Yes, the manager responsible for the employee or contractor in question disables access to all services the user has access to before the end of the working day, the same day the employee leaves.
Is your application designed to store sensitive information? (For example, Credit card data, Personally Identifiable Information, Financial data, Source code, Trading algorithms, or proprietary models)
Smart Guess's applications do not store any sensitive data.
Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively?
The following audits are run throughout the application development lifecycle:
Furthermore, a security consultant performs penetration testing on the Smart Guess application once a year as part of the Atlassian - Security Self Assessment Program.
All critical vulnerabilities found during audits are resolved in line with the Security bug-fix policy.
Do you have a process in place for managing security vulnerabilities in your applications?
Yes, based on Atlassian's security bug fix policy, Smart Guess has a process for handling security vulnerabilities in its products.
Security bug fix Service Level Objectives
Smart Guess sets service-level objectives for fixing security vulnerabilities based on the Atlassian definition of security severity levels. The following timeframes are defined for fixing security issues in Smart Guess products.
Security Vulnerability Resolution Timeframes
These timeframes apply to all Smart Guess products:
When a Critical security vulnerability is discovered by Smart Guess or reported by a third party, Smart Guess will issue a new, fixed release for the current version of the affected product as soon as possible.
When a security issue of a High, Medium, or Low severity is discovered, Smart Guess will aim to release a fix within the service level objectives listed above.
Are you accredited to any relevant security standards (e.g., SSAE16 SOC1/2/3, ISO27001, PCI DSS)?
Do you undertake penetration testing (or similar technical security testing, code review, or vulnerability assessment)?
Yes, manual penetration testing on the Smart Guess application is performed once a year by a security consultant as part of the Atlassian - Security Self Assessment Program.
All critical vulnerabilities found during audits are resolved in line with Smart Guess's security bug fix policy.
Do you have the capability to recover data for a specific customer in the case of a failure or data loss? Please outline your processes and recovery capabilities for data loss, including time frames.
The capability to recover data for a specific customer is not part of Smart Guess ehf.'s responsibilities. Smart Guess builds on the Atlassian Forge platform, where all customer data is stored using the Forge storage framework. This means the responsibility for customer data is part of Atlassian’s responsibilities in line with the:
Do you have Business Continuity and/or Disaster Recovery Plans?
The following processes are in place and are run automatically:
The restore methodology is documented and tested once every year.