Security and technical FAQ

Security FAQ

What type of data will be stored/processed/accessed?

Actonic’s Data Protection and Security Toolkit can access all the Jira and Confluence data, issues and fields, defined in the search scope during the PD scanning process. However, it does not store any PD in our application or outside Jira or Confluence.

 

The PII/PD search process consists of a few steps:

  1. Define the scope

  2. Add search patterns

  3. Add actions which will be executed for found content

  4. Start the search process

  5. Check the execution results

How does the app get and modify data?

To get and modify data in Jira and Confluence, our app uses the public Jira and Confluence REST APIs. For example, with the Jira Cloud REST API, we retrieve issues and fields to check them for personal data during the PD search scanning process.

Our app is using all the required Authorization and Security technologies provided by Atlassian:

Does the app store data from the PII search process?

No, our app does not even store the found data, only the search hits and the location of the PD/PII data.

What platform and programming language was used to develop the application?

To develop our app, we used the Atlassian Connect framework for communications. For the back end we used NodeJS, and for the front end JavaScript.

Which authentication protocols and technologies are supported?

Our Data Protection and Security Toolkit works with the Jira and Confluence authentication system and supports all available authentication settings.

How do you achieve security of data at rest?

Both versions of the Data Protection and Security Toolkit (Jira and Confluence) are available over SSL only. We use a valid (not self-signed), browser-trusted certificate, without any human intervention. All the communications between “Client ↔︎ Jira (or Confluence) application ↔︎ Our app” are encrypted.

How is data from customers separated from other customers (if the solution is offered in a multi-tenant model)?

We have measures in place to ensure that all the customers are logically separated, so that the actions of one customer cannot compromise the data of other customers.

In both the Jira and Confluence cloud app versions, we use a concept that Atlassian refers to as the “tenant context” to achieve logical isolation of all the customers. This is implemented in the Atlassian Connect framework, and managed by the “Tenant Context Service” (TCS).

This concept ensures that:

  • Each customer’s data is kept logically segregated from other tenants when at-rest.

  • Any requests that are processed by Jira or Confluence app versions have a “tenant-specific” view, so other tenants are not impacted.

How is the security monitoring for this app performed?

Our security monitoring includes the following:

  • Role-based mechanism to access all the parts of the infrastructure separately.

  • The app creates a massive collection of event logs for analysis and investigation.

  • Regular review of logs to improve alerting mechanisms or to manually identify security incidents.

How often do you perform security testing?

As a part of our internal audit process, once per quarter.

What is your security incident management process?

Our “security incident management plan” is not publicly available at the moment. In case of any incidents, please contact support@actonic.atlassian.net

Usage FAQ

Does the solution provide role-based access permissions to users?

Data Protection and Security Toolkit uses the built-in permission models and makes its functions available to Jira and Confluence admins only.

Is it possible to customize the roles according to our business needs?

Sure, it is! Access to Data Protection and Security Toolkit for Jira is managed by the “Administer Jira” global permission. Access to Data Protection and Security Toolkit for Confluence is managed by the “Confluence admin” global permission.

What are the minimum requirements for supported browsers?

Desktop browsers:

  • Microsoft Edge - Latest stable version supported

  • Mozilla Firefox (all platforms) - Latest stable version supported

  • Google Chrome (Windows and Mac) - Latest stable version supported

  • Safari (Mac) - Latest stable version on latest OS release supported

Can we restrict access to the application from a specific customer public IP gateway?

Yes, as a part of Jira or Confluence security configuration.

“IP allow listing” is available with Premium plans for Jira Software, Jira Service Management, and Confluence. Learn more about Jira Cloud plans and Confluence Cloud plans.

Which license do I choose when purchasing an app?

Purchase the license tier that matches the number of users you have licensed for your host product. For example, if you have a 25-user Confluence license, purchase the Confluence app at the 25-user tier. The app will only function if its license matches or exceeds the tier of the host product – even if only some of your licensed users need to use the app.

For Jira, you must purchase the app license that matches the highest Jira application tier. For example, if you have a 500-User Jira Software license, and a 20-Agent Jira Service Management license, your Jira apps must be at the 500-User level.