Security
This page explains our security posture, which aims to assist customers in meeting their own compliance requirements.
Compliance
SOC2
The Plugin People are currently undergoing SOC2 compliance involving 3rd party auditors covering our company development practices and policies but does not include CSUMC this year.
GDPR
The Plugin People have outsourced the Data Protection Officer role; audits are expected soon.
CSUM Cloud app doesn’t store PII data and doesn’t egress any data. No external servers are involved, its deployed through the Atlassian Forge framework.
HIPAA
We do not currently have a HIPAA compliance program underway. If you have questions, reach out to support@thepluginpeople.com
Governance
The Plugin People establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Our policies are based on the following foundational principles:
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege
Security controls should be implemented and layered according to the principle of defense-in-depth
Security controls should be applied consistently across all areas of the enterprise
The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increasingly auditable, and decreasing friction
Data Protection
Data at request invocation
The only data CSUMC App stores currently is global configuration, the output of CSUMC is simply Confluence groups with user members.
System level audit logs are generated by CSUMC that contain user accountIds and groupIds, stored by Atlassian.
Data in transit
CSUMC only communicates over secure transports. As a Forge app, all requests are performed through the back-end resolver(s) https://developer.atlassian.com/platform/forge/runtime-reference/forge-resolver/#usage---custom-ui. Unauthenticated or unlicensed requests are not permitted.
Data Residency
CSUMC is deployed by Atlassian through the Atlassian Forge Framework, data residency is driven the Atlassian published compatibility of apps on the Forge Framework.
As a compute only Forge app that does not perform any external data storage, CSUMC is eligible for realm pinning and data migration by default and all logs and forge storage data is backed up and migrated by Atlassian: https://developer.atlassian.com/platform/forge/data-residency/#eligibility
Secret management
Any credentials marked secure are stored using the Forge Storage secrets API: https://developer.atlassian.com/platform/forge/runtime-reference/storage-api-secret/.
Secrets are retrieved on an ‘as-needed’ basis in the back-end resolver and are not exposed through logs or the UI.
Product Security
Penetration Testing
As yet we have not done this. It is planned for future.
Public Bug Bounty
As yet we have not done this. It is planned for future.
Vulnerability Scanning
We make use of dependency analysis triggered at build time (https://snyk.io/).
Enterprise Security
Endpoint protection
All corporate devices are Linux based and use full desk encryption, have regular software updates, use screen-locks and password managers that are themselves encrypted and password accessible. USB devices are rarely needed but are full disk encrypted if used.
Two factor authentication (2FA)
The only access we have is to Atlassian hosted system logs, for which we use Atlassian ID, that has 2FA.
Remote access
The only access we have is to Atlassian hosted system logs, for which we use Atlassian ID.
Education
All staff receive on-boarding security awareness training. Any vulnerabilities found are discussed with the team to share learning.
Identity and access management
Only applicable developers have access to Atlassian hosted system logs. Removing such access is handled through our termination process.
Data Privacy
We are very aware that your sensitive data flows through our app/system/logs and are very clear that your data is yours, we make no use it beyond what you would expect to deliver the functionality of the app and for us to support you in the usage of the app.
Further reading:
Our Privacy Policy
A list of our sub processors is found on Schedule 1 of our Cloud Software Product EULA