Security FAQ
General
Where is ProForma’s infrastructure hosted?
ProForma Form data is stored directly in Jira. Form templates are stored as entity properties on the Jira project. Forms on Jira issues are stored as entity properties on the issue.
For cloud customers, data is momentarily transmitted to the ProForma AWS servers in order to render and save form data. Customer data is only held in memory momentarily and is not stored in any database.
For Jira Server and Data Center customers, ThinkTilt’s servers do not process customer data. The one exception is the anonymous usage analytics that ProForma collects. Customers have the option of disabling these analytics.
Does data leave our Jira instance/environment with this add-on?
No. All ProForma Form data is stored either on the issue itself (for forms attached to an issue), or the project (form templates). All data is stored as entity properties of the relevant object.
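A Jira administrator can check the statement above on a live site by listing the entity properties held on an issue and on its project. This is an added example, not ProForma's or ThinkTilt's code; it assumes a Jira Cloud site reachable with Basic auth (Atlassian account e-mail plus API token) and uses the standard issue and project properties endpoints of the Jira REST API. The site URL, issue key, project key and the sample listing below are constructed placeholders.

```python
import base64
import json
import urllib.request


def _basic_auth_header(email, api_token):
    # Jira Cloud accepts HTTP Basic auth built from an account e-mail and an API token.
    raw = "{}:{}".format(email, api_token).encode()
    return "Basic " + base64.b64encode(raw).decode()


def property_keys(listing):
    # The properties endpoints answer {"keys": [{"self": ..., "key": ...}, ...]};
    # return just the key names, sorted, so the admin can see which keys an add-on owns.
    return sorted(entry["key"] for entry in listing.get("keys", []))


def fetch_property_keys(base_url, path, email, api_token):
    # GET <base_url><path> and hand the JSON listing to property_keys().
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": _basic_auth_header(email, api_token),
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return property_keys(json.load(resp))


def audit_issue_and_project(base_url, issue_key, project_key, email, api_token):
    # Entity properties on the issue (per-issue forms) and on the project (form templates).
    issue_path = "/rest/api/3/issue/{}/properties".format(issue_key)
    project_path = "/rest/api/3/project/{}/properties".format(project_key)
    return {
        "issue_property_keys": fetch_property_keys(base_url, issue_path, email, api_token),
        "project_property_keys": fetch_property_keys(base_url, project_path, email, api_token),
    }


# Constructed sample listing in the shape the properties endpoints return (offline use).
SAMPLE_ISSUE_LISTING = {"keys": [
    {"self": "https://example.atlassian.net/rest/api/3/issue/10001/properties/example.forms.v1",
     "key": "example.forms.v1"},
    {"self": "https://example.atlassian.net/rest/api/3/issue/10001/properties/example.other",
     "key": "example.other"},
]}

if __name__ == "__main__":
    # Offline demonstration; swap in real credentials to call audit_issue_and_project().
    print(property_keys(SAMPLE_ISSUE_LISTING))
```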
Will any changes be made to the host application after this add-on is installed? Will it modify the source code in any way, or is it an extension of the code?
ProForma is a P2 extension to Jira. It does not modify the underlying Jira source code.
Does ProForma maintain business continuity/DR plans? How frequently are the backup and redundancy mechanisms tested?
Yes. Business continuity plans are in place.
Application backups are performed nightly. All backup data is encrypted. As we do not store customer data, we are able to add or remove services as needed.
How many customers are currently using this add-on? Name a few.
Currently, ThinkTilt has over 2,000 customers. These include:
Airbnb
Apple
Atlassian
Disney
Spotify
US Army
Breach notification policy – How soon will customers be notified if there is a data breach involving customer data?
We will notify customers of any known breach as soon as possible. We will seek to address the issue in line with our published SLA at www.thinktilt.com/sla, which also follows the standards published by Atlassian.
Security Assessments
ThinkTilt’s management team has over 15 years of experience building enterprise-ready SaaS applications. We take privacy and security very seriously and follow industry best practices where applicable to an organization of our size.
Our current security certification/assessments include:
GDPR Certification
Internal annual review of our controls and practices
Successful completion of Atlassian’s Security Self-Assessment program
Ongoing participation in the Atlassian Bug Bounty program
Snyk used to continuously scan for and identify vulnerabilities in the open source libraries and containers included in ProForma code
All changes to production code reviewed by other members of the development team prior to release
Semi-annual internal code-review/bug-hunt for vulnerabilities
Policies and Organizational Structure
Senior management oversight of operations
Policies approved by the Board of Directors
Documented information security policy and procedures, including an information security policy, incident response policy and disaster recovery policy, amongst other policies and procedures. These policies also identify relevant functions and responsibilities.
Annual review of security policies as part of our recertification under the Atlassian Marketplace Security Program
Formal change management process for all production changes
Documented and tested incident response plan to include identification, containment, eradication, and recovery of incidents
Data retention and disposal policy
Insurance
ThinkTilt carries insurance to address the following threats:
Business Interruptions
Casualty (general liability)
Cyber Threat
Errors and Omissions
Fidelity
Physical Damage
Repair/Replacement of Media
Other
Security Awareness and Training
Security policy and procedures that clearly define information security responsibilities for all employees and contractors
Staff required to complete security training
Programmers and engineers trained in secure coding practices
Employee hiring and termination processes in place
Non-disclosure agreements signed by all employees and contractors
Physical & Environmental Security
No customer data stored on any of ThinkTilt servers or systems
Physical access controls in place for facilities and controlled areas
Environmental controls including Fire Protection, Water Detection, Uninterrupted Power Supplies and Climate controls
Annual tests of all environmental controls
System Operations & Network Security
Servers maintained by AWS, with appropriate virus protection and patch management
Firewalls and Intrusion Detection and Prevention Systems in place
Encryption of all transmissions of customer-identifiable data
Periodic infrastructure vulnerability scans
Logical Security
Internal access and authorization given on a “need to know” basis
Password security standard maintained for all of the applications and systems
All users of our system uniquely identifiable (e.g. no shared accounts)
Multi-Factor Authentication implemented for remote access to the network by employees, administrators and third parties
Formal, documented auditing and monitoring procedures for user accounts (creation, maintenance, review, protection, and retention)
Atlassian provides a key which allows our app to access and write data into a Jira Cloud instance. This key is kept in a secured database that cannot be accessed directly by anyone.
We have no access to customer data or to the underlying server hardware.
Application Development
Separate development, test and production environments
Segregation of responsibilities between the production and test environments
Versioning control
Application developed in adherence to the SDLC methodology
Application security testing a part of the product life cycle development
Controls maintained over the source code library
Application Security
Single Sign-On – provided as part of Jira and maintained by Atlassian
Second-Factor Authentication – provided as part of Jira and maintained by Atlassian
Controls maintained over data accuracy within the application
Controls maintained over data completeness and data maintenance
Controls maintained over data storage
Controls maintained over detecting processing exceptions
Backup data stored and transmitted securely at an alternate location