Security
This page describes our security posture. It is intended to help customers meet their own compliance requirements.
Compliance
SOC2
The Plugin People are currently undergoing a SOC 2 audit by third-party auditors, covering our company development practices and policies. The audit scope does not include CSUMC this year.
GDPR
The Plugin People have outsourced the Data Protection Officer role; audits are expected soon.
The CSUM Cloud app does not store PII and does not egress any data. No external servers are involved; the app is deployed through the Atlassian Forge framework.
HIPAA
We do not currently have a HIPAA compliance program underway. If you have questions, contact support@thepluginpeople.com.
Governance
The Plugin People establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Our policies are based on the following foundational principles:
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege
Security controls should be implemented and layered according to the principle of defense-in-depth
Security controls should be applied consistently across all areas of the enterprise
The implementation of controls should be iterative, continuously maturing along three dimensions: improved effectiveness, increased auditability, and reduced friction
Data Protection
Data at request invocation
The only data the CSUMC app currently stores is its global configuration; the output of CSUMC is simply Confluence groups and their user members.
CSUMC generates system-level audit logs that contain user accountIds and groupIds; these logs are stored by Atlassian.
Data in transit
CSUMC only communicates over secure transports. As a Forge app, all requests are performed through the back-end resolver(s) (see https://developer.atlassian.com/platform/forge/runtime-reference/forge-resolver/#usage---custom-ui). Unauthenticated or unlicensed requests are not permitted.
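The following is an added example, not CSUMC's own code, of how a Forge back-end resolver can enforce the rule above: every invocation is checked for an authenticated caller and an active licence before the handler body runs, and each invocation is audited with only the accountId and outcome. It assumes the request shape documented for the Forge resolver context (req.context.accountId for the calling user, req.context.license.active for the installation's licence state); the function key, configuration values and account ids are hypothetical and constructed for the example, and a plain dispatch table stands in for @forge/resolver so the code runs offline.

```javascript
// Added example (not CSUMC's own code): guard for Forge resolver functions that
// rejects unauthenticated or unlicensed invocations before any work is done.
// Assumed request shape (per the Forge resolver context docs, treated here as an
// assumption): req.context.accountId = calling user, req.context.license.active =
// licence state. Function keys, config values and account ids are hypothetical.

const GLOBAL_CONFIG = Object.freeze({ syncIntervalMinutes: 60 }); // hypothetical

class ForbiddenError extends Error {
  constructor(reason) {
    super(`forbidden: ${reason}`);
    this.name = 'ForbiddenError';
    this.reason = reason;
  }
}

// Validate the caller; returns the context on success, throws otherwise.
function requireLicensedUser(req) {
  const ctx = req && req.context;
  if (!ctx || typeof ctx.accountId !== 'string' || ctx.accountId === '') {
    throw new ForbiddenError('unauthenticated');
  }
  if (!ctx.license || ctx.license.active !== true) {
    throw new ForbiddenError('unlicensed');
  }
  return ctx;
}

// Wrap a handler so the guard runs on every invocation; the handler body never
// sees an unchecked request.
function guarded(handler) {
  return async (req) => handler(req, requireLicensedUser(req));
}

// Audit record per invocation: accountId and outcome only, never the payload.
function auditEntry(req, functionKey, outcome) {
  const accountId = (req && req.context && req.context.accountId) || null;
  return { functionKey, accountId, outcome };
}

// Handlers keyed the way Resolver.define() keys them. A real Forge app would
// register these with `new Resolver()` from @forge/resolver; this table is a
// stand-in so the example runs offline.
const handlers = {
  getConfig: guarded(async (_req, ctx) => ({ caller: ctx.accountId, config: GLOBAL_CONFIG })),
};

// Stand-in dispatcher mirroring how Forge invokes the resolver by functionKey.
// Returns { ok, data } or { ok, reason }; appends one audit entry per call.
async function invoke(functionKey, req, audit = []) {
  const fn = handlers[functionKey];
  if (!fn) {
    audit.push(auditEntry(req, functionKey, 'unknown-function'));
    return { ok: false, reason: 'unknown-function' };
  }
  try {
    const data = await fn(req);
    audit.push(auditEntry(req, functionKey, 'ok'));
    return { ok: true, data };
  } catch (err) {
    if (err instanceof ForbiddenError) {
      audit.push(auditEntry(req, functionKey, err.reason));
      return { ok: false, reason: err.reason };
    }
    throw err; // unexpected failures propagate to the platform
  }
}

// Constructed sample requests (not real traffic; ids are hypothetical).
const licensedReq = { context: { accountId: '5b10ac8d82e05b22cc7d4ef5', license: { active: true } } };
const unlicensedReq = { context: { accountId: '5b10ac8d82e05b22cc7d4ef5', license: { active: false } } };
const anonymousReq = { context: { license: { active: true } } };

async function demo() {
  const audit = [];
  for (const r of [licensedReq, unlicensedReq, anonymousReq]) {
    console.log(await invoke('getConfig', r, audit));
  }
  console.log(audit); // accountIds and outcomes only
}

demo().catch((e) => console.error(e));
```

The guard deliberately treats a missing license object the same as an inactive one, so a context that lacks licence data (for example from a misconfigured or unlicensed install) is denied rather than silently allowed.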
Data Residency
CSUMC is deployed by Atlassian through the Atlassian Forge framework, so data residency is governed by Atlassian's published data-residency compatibility for Forge apps.
As a compute-only Forge app that performs no external data storage, CSUMC is eligible for realm pinning and data migration by default, and all logs and Forge storage data are backed up and migrated by Atlassian: https://developer.atlassian.com/platform/forge/data-residency/#eligibility
Secret management
Any credentials marked secure are stored using the Forge Storage secrets API: https://developer.atlassian.com/platform/forge/runtime-reference/storage-api-secret/.
Secrets are retrieved on an as-needed basis in the back-end resolver and are not exposed through logs or the UI.
Product Security
Penetration Testing
We have not yet done this; it is planned for the future.
Public Bug Bounty
We have not yet done this; it is planned for the future.
Vulnerability Scanning
We use dependency analysis (Snyk) triggered at build time.
Enterprise Security
Endpoint protection
All corporate devices are Linux based, use full disk encryption, receive regular software updates, and use screen locks and password managers whose vaults are themselves encrypted and protected by a master password. USB devices are rarely needed but are full-disk encrypted if used.
Two factor authentication (2FA)
The only access we have is to Atlassian-hosted system logs, for which we use Atlassian ID with 2FA enabled.
Remote access
The only access we have is to Atlassian-hosted system logs, for which we use Atlassian ID.
Education
All staff receive on-boarding security awareness training. Any vulnerabilities found are discussed with the team to share learning.
Identity and access management
Only the developers who need it have access to Atlassian-hosted system logs. Removal of that access is handled through our termination process.
Data Privacy
We are very aware that your sensitive data flows through our app, systems and logs, and we are clear that your data is yours. We make no use of it beyond what you would expect in order to deliver the functionality of the app and to support you in using it.
Further reading:
Our Privacy Policy
A list of our sub processors is found on Schedule 1 of our Cloud Software Product EULA