Check out Azure DevOps for Jira by Move Work Forward security deep dive.
Guide: help.moveworkforward.com/azur...
Azure DevOps for Jira app: marketplace.atlassian.com/app...
Azure DevOps for Jira by Move Work Forward
e-Cyber Security Questions
Q: Is data stored outside of Atlassian products?
A: We store the Personal Access Token and some metadata in our encrypted storage.
Q: Which data can this app read/write?
A: Currently, Azure DevOps for Jira needs the following read-only scopes for the Personal Access Token - Code, Build, Release. The global configuration permissions does not write anything. The only write option available is for the end user from the Jira issue view when a feature branch is created. For this operation, the end-user needs to login with his/her Azure DevOps credentials.
Q: Are there additional compliance certifications?
A: Move Work Forward is SOC 2 Type II Compliance. You can learn more in our Trust Center provided by Vanta - trust.moveworkforward.com/
Additionally, we participate in Cloud Fortified and Bug Bounty programs.
Q: Is DPA available?
A: Yes, www.moveworkforward.com/licen... is the draft and we need to sign it with each company separately. You can find the link in the footer of our website.
Q: What is the classification of data involved?
A: We query or receive via subscriptions/webhooks payloads from Microsoft that pay contain user data. It is the data about pushes, pull requests, branches and pipeline runs. It passes our system, so it can be logged in AWS Cloud Watch (we have 7 days retention).
Q: Who is data owner / data controller / data processor?
A: We are the data processor.
Q: Accesses via which devices: mobile devices, private devices, company devices?
A: As of 14 Jun 2024, only 3 people have production access from company laptops. We adhere to all SOC 2 Type II compliance requirements.
Q: Operational concept regarding IT security check. Where are the servers located, subject of firewalls, virus scanners, patch process. What security certifications or security whitepapers can be provided by the vendor (ISO, ..)?
A: Our backend system is in AWS us-east-1 region. It is fully Serverless (AWS Lambda, API Gateway, SQS, DynamoDB). Every employee or contractor uses Vanta to monitor his/her laptop, we execute reference checks and constant security trainings.
Q: Are there Penetration test results provided by the vendor?
A: We use Bug Crowd Bug Bounty program that employs white-hat hackers to penetrate our apps. We don’t have a public report.
#azuredevops #atlassian #jira #moveworkforward #howto #security