General

Where is ProForma’s infrastructure hosted?

ProForma Form data is stored directly in Jira. Form templates are stored as entity properties on the Jira project. Forms on Jira issues are stored as entity properties on the issue.

For cloud customers, data is momentarily transmitted to the ProForma AWS servers in order to render and save form data. Customer data is only held in memory momentarily and is not stored in any database.

For Jira Server and Data Center customers, ThinkTilt’s servers do not process customer data. The one exception to this is the anonymous usage analytics that ProForma collects. Customers have the option of disabling these analytics.

Does data leave our Jira instance/environment with this add-on?

No. All ProForma Form data is stored either on the issue itself (for forms attached to an issue), or the project (form templates). All data is stored as entity properties of the relevant object.

Will any changes be done to the host application after this add-on is installed? Will it modify the source code in anyway? Or is it an extension of the code?

This is a P2 extension to Jira. It does not modify the underlying Jira source code.

Does Proforma maintain Business continuity/DR Plans? How frequently are the backup and redundancy mechanisms tested?

Yes. Business continuity plans are in place.

Application backups are performed nightly. All backup data is encrypted. As we do not store customer data, we are able to add or remove services as needed.

How many customers are currently using this add-on? Name a few.

Currently, ThinkTilt has over 2,000 customers. These include:

  • Airbnb

  • Apple

  • Atlassian

  • Disney

  • Spotify

  • US Army

Breach notification policy – How soon will customers be notified if there is a data breach involving customer data?

We will notify customers of any known breach as soon as possible. We will seek to address the issue in line with our published SLA at www.thinktilt.com/sla, which also follows the standards published by Atlassian.

Security Assessments

ThinkTilt’s management team has over 15 years of experience building enterprise-ready SaaS applications. We take privacy and security very seriously and follow industry best practices where applicable to an organization of our size.

Our current security certification/assessments include:

✓ GDPR Certification

✓ Internal annual review of our controls and practices

✓ Successful completion of Atlassian’s Security Self-Assessment program

✓ Ongoing participation in the Atlassian Bug Bounty program

✓ Snyk used to continuously scan and identify vulnerabilities in open source libraries and containers included in ProForma code

✓ All changes to production code reviewed by other members of the development team prior to release

✓ Semi-annual internal code review/bug hunt for vulnerabilities

Policies and Organizational Structure

✓ Senior management oversight of operations

✓ Policies approved by the Board of Directors

✓ Documented information security policy and procedures, including an information security policy, incident response policy and disaster recovery policy, amongst other policies and procedures. These policies also identify relevant functions and responsibilities.

✓ Annual review of security policies as part of our recertification under the Atlassian Marketplace Security Program

✓ Formal change management process for all production changes

✓ Documented and tested incident response plan covering identification, containment, eradication and recovery of incidents

✓ Data retention and disposal policy

Insurance

ThinkTilt carries insurance to address the following threats:

✓ Business Interruptions

✓ Casualty (general liability)

✓ Cyber Threat

✓ Errors and Omissions

✓ Fidelity

✓ Physical Damage

✓ Repair/Replacement of Media

✓ Other

Security Awareness and Training

✓ Security policy and procedures that clearly define information security responsibilities for all employees and contractors

✓ Staff required to complete security training

✓ Programmers and engineers trained in secure coding practices

✓ Employee hiring and termination processes in place

✓ Non-disclosure agreements signed by all employees and contractors

Physical & Environmental Security

✓ No customer data stored on any of ThinkTilt’s servers or systems

✓ Physical access controls in place for facilities and controlled areas

✓ Environmental controls including fire protection, water detection, uninterruptible power supplies and climate controls

✓ Annual tests of all environmental controls

System Operations & Network Security

✓ Servers maintained by AWS, with appropriate virus protection and patch management

✓ Firewalls and Intrusion Detection and Prevention Systems in place

✓ Encryption of all transmissions of customer-identifiable data

✓ Periodic infrastructure vulnerability scans

Logical Security

✓ Internal access and authorization given on a “need to know” basis

✓ Password security standard maintained for all applications and systems

✓ All users of our system uniquely identifiable (e.g. no shared accounts)

✓ Multi-Factor Authentication implemented for remote access to the network by employees, administrators and third parties

✓ Formal, documented auditing and monitoring procedures for user accounts (creation, maintenance, review, protection and retention)

Atlassian provides a key which allows our app to access and write data into a Jira cloud instance. This key is kept in a secured DB that cannot be accessed directly by anyone.

For Jira Server and Data Center installations, we have no access to customer data or hardware.

Application Development

✓ Separate development, test and production environments

✓ Segregation of responsibilities between the production and the test environment

✓ Version control

✓ Application developed in adherence to the SDLC methodology

✓ Application security testing is part of the product development life cycle

✓ Controls maintained over the source code library

Application Security

✓ Single Sign-On – provided as part of Jira and maintained by Atlassian

✓ Second-Factor Authentication – provided as part of Jira and maintained by Atlassian

✓ Controls maintained over data accuracy within the application

✓ Controls maintained over data completeness and data maintenance

✓ Controls maintained over data storage

✓ Controls maintained over detecting processing exceptions

✓ Backup data securely stored and transmitted to an alternate location