What type of data will be stored/processed/accessed?
Actonic’s GDPR and Security app can access all Jira and Confluence data (issues and fields) that fall within the search scope defined for a PD scan. It does not store any personal data (PD) in our application or anywhere outside Jira or Confluence.
The PII/PD search process consists of the following steps:
Define the scope
Add search patterns
Add actions which will be executed for found content
Start the search process
Check the execution results
How does the app get and modify data?
To read and modify data in Jira and Confluence, our app uses the public Jira and Confluence REST APIs. For example, during a PD scan the app retrieves issues and fields through the Jira Cloud REST API and checks them for personal data.
Our app uses all the required authorization and security technologies provided by Atlassian:
Does the app store data from the PII search process?
No. The app does not store the matched content itself; it keeps only the search hits and the location of the PD/PII within Jira or Confluence.
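As an added illustration (not Actonic's code, and not a description of the app's internals), the following Python script models the five scan steps listed above against a constructed payload shaped like the JSON that GET /rest/api/3/search returns. The function names (build_search_request, scan_issues, redact, run_scan), the pattern set and the sample issues are assumptions made for this example. The point it demonstrates is the storage property stated in the previous answer: the report records only pattern names, counts and locations, never the matched text.

```python
"""Model of a personal-data (PD) scan over Jira Cloud REST API search results.

Added example, not Actonic's code. Every name below is an assumption made
for illustration. The JSON payload is constructed to mirror the shape of a
GET /rest/api/3/search response; a real run would fetch it with an HTTP
client and an API token instead of reading a constant.
"""
import json
import re
from dataclasses import dataclass, asdict

JIRA_SEARCH_PATH = "/rest/api/3/search"  # Jira Cloud issue search endpoint


def build_search_request(jql, field_ids, start_at=0, max_results=100):
    """Step 1, define the scope: the request an HTTP client would send.

    Returns (path, query params) for GET /rest/api/3/search. Only the
    listed fields are requested, so out-of-scope data is never fetched.
    """
    return JIRA_SEARCH_PATH, {
        "jql": jql,
        "fields": ",".join(field_ids),
        "startAt": start_at,
        "maxResults": max_results,
    }


# Step 2, search patterns. Only the pattern *name* is ever reported.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){6,14}"),
}

# Constructed sample in the shape of a /rest/api/3/search response.
# The issues and values are made up for this example.
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "issues": [
        {"key": "HR-12", "fields": {
            "summary": "Onboarding for jane.doe@example.org",
            "description": "Call +49 30 1234567 before Monday",
            "customfield_10050": "No PD here"}},
        {"key": "HR-13", "fields": {
            "summary": "Update laptop inventory",
            "description": None}},
        {"key": "OPS-7", "fields": {
            "summary": "Contact: bob@example.com, backup: alice@example.com",
            "description": "Nothing else"}},
    ]
})


@dataclass(frozen=True)
class Hit:
    """A search hit: where PD was found and which pattern fired, not the PD."""
    issue_key: str
    field_id: str
    pattern: str
    count: int


def scan_issues(response_json, field_ids, patterns=PATTERNS):
    """Check every in-scope field of every issue against the patterns."""
    hits = []
    for issue in json.loads(response_json)["issues"]:
        for field_id in field_ids:
            value = issue["fields"].get(field_id)
            if not isinstance(value, str):
                continue  # null, numeric and nested fields are skipped
            for name, regex in patterns.items():
                n = len(regex.findall(value))
                if n:
                    hits.append(Hit(issue["key"], field_id, name, n))
    return hits


def redact(value, patterns=PATTERNS):
    """'Anonymize' action: replace each match with a marker of its type."""
    for name, regex in patterns.items():
        value = regex.sub(f"[{name} removed]", value)
    return value


def run_scan(response_json, field_ids, actions=("report",)):
    """Steps 3 to 5: execute the chosen actions and return the results.

    'report' lists hits and affected issues; 'anonymize' additionally
    prepares redacted field values. A real app would then PUT each of
    those values back via /rest/api/3/issue/{key}; nothing is stored here.
    """
    hits = scan_issues(response_json, field_ids)
    result = {
        "hits": [asdict(h) for h in hits],
        "issues_affected": sorted({h.issue_key for h in hits}),
        "pending_updates": {},
    }
    if "anonymize" in actions:
        flagged = {(h.issue_key, h.field_id) for h in hits}
        for issue in json.loads(response_json)["issues"]:
            for field_id in field_ids:
                if (issue["key"], field_id) in flagged:
                    key = f"{issue['key']}.{field_id}"
                    result["pending_updates"][key] = redact(issue["fields"][field_id])
    return result


if __name__ == "__main__":
    path, params = build_search_request("project in (HR, OPS)", ["summary", "description"])
    print("GET", path, params)
    report = run_scan(SAMPLE_SEARCH_RESPONSE, params["fields"].split(","),
                      actions=("report", "anonymize"))
    print(json.dumps(report, indent=2))
```

The scope is applied twice on purpose: once in the request (only the listed fields are fetched) and again in scan_issues (only those fields are inspected), so widening one without the other cannot silently pull extra data into the scan. The Hit record has no slot for the matched string, which is what makes the "hits and locations only" claim checkable rather than a matter of discipline.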
What platform and programming language was used to develop the application?
Which authentication protocols and technologies are supported?
Our GDPR app relies on the Jira and Confluence authentication system and supports every authentication setting available there.
How do you achieve security of data at rest?
Both versions of the GDPR app (Jira and Confluence) are served over HTTPS (TLS) only. We use a valid, browser-trusted certificate (not a self-signed one), provisioned without any human intervention. All communication between “Client ↔︎ Jira (or Confluence) ↔︎ Our app” is encrypted in transit. Because the app does not persist any personal data outside Jira or Confluence (see above), the scanned content at rest stays within the Atlassian product itself.
How is data from customers separated from other customers (if the solution is offered in a multi-tenant model)?
We have measures in place to ensure that all customers are logically separated, so that the actions of one customer cannot compromise the data of another.
In both the Jira and the Confluence cloud app versions we use a concept that Atlassian refers to as the “tenant context” to achieve logical isolation of all customers. It is implemented in the Atlassian Connect framework and managed by the “Tenant Context Service” (TCS).
This concept ensures that:
Each customer’s data is kept logically segregated from other tenants’ data when at rest.
Any request processed by the Jira or Confluence app version has a tenant-specific view, so other tenants are not impacted.
How is the security monitoring for this app performed?
Our security monitoring includes the following:
Role-based access control, so that each part of the infrastructure is accessed separately.
The app generates extensive event logs for analysis and investigation.
Regular log review, both to improve the alerting mechanisms and to identify security incidents manually.
How often do you perform security testing?
Once per quarter, as part of our internal audit process.
What is your security incident management process?
Our security incident management plan is not publicly available at the moment. In case of an incident, please contact email@example.com
Does the solution provide role-based access permissions to users?
The GDPR app uses the built-in permission models of Jira and Confluence and restricts its functions to Jira and Confluence administrators only.
Is it possible to customize the roles according to our business needs?
Access is controlled through the host product’s global permissions rather than through app-specific roles. Access to GDPR for Jira requires the “Administer Jira” global permission; access to GDPR for Confluence requires the “Confluence Administrator” global permission. Grant those permissions to the users or groups that should be able to use the app.
What are the minimum requirements for supported browsers?
Microsoft Edge - Latest stable version supported
Mozilla Firefox (all platforms) - Latest stable version supported
Google Chrome (Windows and Mac) - Latest stable version supported
Safari (Mac) - Latest stable version on latest OS release supported
Can we restrict access to the application from a specific customer public IP gateway?
Yes. IP-based access restriction is configured as part of the Jira or Confluence security configuration, and it applies to the app as well.