This document summarizes the Atlassian Cloud security questionnaire (vendor answers collected per evaluation item). In the Answer column, "O" marks a "yes".


Compliance

Evaluation item | Question | Answer | Remark

Evaluation item: ISO 27001 / SOC information security international certification
Question: Has ISO 27001 / SOC international information security certification been obtained?
Answer: O (yes)
Remark:

We post all compliance and certifications to our website:

https://compliance.atlassian.com/

To read more about our Compliance Framework, see:

https://www.atlassian.com/trust/compliance/common-controls-framework

Evaluation item: Data storage location (region)
Question: In which region is the SaaS data stored?
Answer: O (yes)
Remark:

Our production systems for Jira and Confluence are hosted in the AWS US-East, US-West, Ireland, Frankfurt, Singapore and Sydney regions.

For more information, see:

https://www.atlassian.com/trust/reliability/infrastructure

At this time, most customers cannot define which jurisdictions their data travels through. We have optimized for latency, and your data will be housed in the region closest to your users.

We offer data residency for our Enterprise, Premium and Standard Cloud customers.

For more information, please see:

https://www.atlassian.com/enterprise/cloud

https://www.atlassian.com/software/dataresidency


Question: Are critical servers kept in different network zones in the DC/CP?
Answer: O (yes)
Remark:

Our partner data centers are SOC 2 compliant.

These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management.

Access to the data centers is limited to authorized personnel only, as verified by biometric identity verification measures.

Physical security measures include: on-premises security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.

AWS maintains multiple certifications for the protection of their data centers.

AWS physical protection assurance information can be found at:

http://aws.amazon.com/compliance/

Our Atlassian offices are guided by our internal Physical and Environmental Security Policy, including monitoring of physical ingress and egress points.


Question: What measures have been prepared against targeted DDoS attacks?
Answer: O (yes)
Remark: Network threat protection is performed by AWS, including DDoS protection and some Web Application Firewall features.

Question: Do remote users enter a separately defined network zone?
Answer: O (yes)
Remark:

For network access we use a centralized LDAP-enabled directory implementing role-based access control based on defined profiles.

Users are given appropriate access rights based upon these profiles, driven via workflow from our HR management system.

Internal production network access rules are maintained using explicitly designated Security Groups within AWS VPC environments.

An Access Control Policy is in place, and its implementation is reviewed every 3 months.


Question: Is there an application-layer firewall to protect against web attacks?
Answer: O (yes)
Remark: We use a 3rd-party HTTP proxy product for our cloud public edge and we have implemented L7 HTTP security rules on it (the functionality is essentially the same as a WAF).

Question: Is there a policy to deny communication with known malicious IP addresses?
Remark: Yes, we block incoming requests from known malicious actors on the Internet.

Question: Are IPS/IDS/firewall logs sent to a SIEM for analysis?
Remark:

Currently, the Atlassian Security Team merges data from various logging sources in our Centralized Logging Platform.

All logs are reviewed within our SIEM platform (Splunk).


Question: Is VPN access granted based upon a remote access policy? What is your policy?
Answer: O (yes)
Remark:

Atlassian has an established workflow linking our HR management system and our access provisioning system.

We use role-based access control based on pre-defined user profiles. All user accounts must be approved by management prior to their access to data, applications, infrastructure or network components.

Our SRE team maintains an account on all hosted systems and applications for the purposes of maintenance and support.

This support team accesses hosted applications and data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

The SRE team performs a logical access review for the mission-critical systems monthly. Disabling a single VPN account would remove all production access.

Additional authentication mechanisms are also in place that are required for access to production systems.


Question: What is the process upon a breach, and how are customers notified?
Answer: O (yes)
Remark:

Atlassian understands how important it is for you to be notified promptly of any data breach. That is why Atlassian has built out an extensive cross-functional team and process to handle security incidents, as described at:

https://www.atlassian.com/trust/security/security-incident-management

Atlassian has a strong track record of timely and proactive notification of incidents, and of working with our customers on any necessary mitigations.

Because it is critical that Atlassian's security incident response teams immediately focus on triage and mitigation of an incident as it develops, we cannot agree to a 72-hour timeline.

Instead, we offer customers notification "without undue delay", which follows the legal requirement under GDPR for data processors and meets the legal needs of most of our customers.

Incidents can range from simple to incredibly complex, so while we can offer what is necessary under the law, we cannot agree to a "one-size-fits-all" timeline.

Evaluation item: Flow diagram, including the data transfer method
Question: Has a data (service) flow diagram sheet been prepared?
Answer: O (yes)
Remark:

A high-level data flow diagram can be found at:

https://confluence.atlassian.com/cloud/atlassian-cloud-architecture-973494795.html

Evaluation item: Data retention period
Question: Is the retention period for stored data specified?
Answer: O (yes)
Remark:

Atlassian maintains a Data Retention and Destruction Standard, which designates how long we need to maintain data of different types.

For customer data, on termination of an Atlassian contract, the data belonging to a customer team will be removed from the live production database, and all file attachments uploaded directly to Atlassian will be removed within 14 days.

The team's data will remain in encrypted backups until those backups fall out of the 90-day backup retention window and are destroyed in accordance with our Atlassian data retention policy.

In the event that a database restore is necessary within 90 days of a requested data deletion, the operations team will re-delete the data as soon as reasonably possible after the live production system is fully restored.

Data is classified in line with our Atlassian Data Security & Information Lifecycle Policy, and controls are implemented based on that classification.

Evaluation item: Data transfer, destruction method, and destruction certification method
Question: Are the transfer, destruction and destruction-certification methods for stored data specified?
Answer: O (yes)
Remark:

For customer data, on termination of an Atlassian contract, the data belonging to a customer team will be removed from the live production database, and all file attachments uploaded directly to Atlassian will be removed within 14 days.

The team's data will remain in encrypted backups until those backups fall out of the 90-day backup retention window and are destroyed in accordance with our Atlassian data retention policy.


Question: Web/Application/DB and others: how and where is the data being stored?
Answer: O (yes)
Remark:

Our Jira and Confluence Cloud products are available in the US-East and US-West regions of AWS, the AWS Ireland region, the AWS Frankfurt region, the AWS Sydney region and the AWS Singapore region.

Data is homed in the region closest to the majority of your users upon sign-up. For more information, see:

https://www.atlassian.com/trust/reliability/infrastructure

We offer data residency for our Enterprise, Premium and Standard Cloud customers.

For more information, please see:

https://www.atlassian.com/enterprise/cloud

and https://www.atlassian.com/software/dataresidency

Disaster Recovery

Evaluation item | Question | Answer | Remark

Evaluation item: Measures to ensure stability and availability
Question: Are there measures to ensure the safety and availability of the service network (resources)?
Answer: O (yes)
Remark:

How many DR sites exist?
A minimum of two data centers (availability zones) within each AWS region.

What are the locations? Please be specific.
See the Compliance item above (data storage location).

Any DR sites outside of the U.S.?

For our Atlassian Cloud services, Disaster Recovery plans are tested at least quarterly.

Multi-region availability is monitored in real time.

Automated region failover tests are performed each week on the pre-production environment.

Automated configuration data restoration tests are performed daily on Production. All Atlassian services perform an availability-zone resiliency test on the pre-production environment every quarter.

For more information on our Business Continuity program, see:

https://www.atlassian.com/trust/security/security-practices#faqd323ae61-59b8-4ddb-96d4-30716b603e3e


Question: Do you have a 1:1 mirror or a scaled-down version of the primary site as DR?
Remark:

We maintain a minimum of two data center availability zones (AZs) within each AWS region.

We do not have "cold DR sites".


Question: Do you have a DR strategy?
Remark:

Atlassian's DR/BCP documents are considered internal and are not externally published.
Our Business Continuity and Disaster Recovery (BCDR) policy is in place and is reviewed on an annual basis by the Business Continuity / Disaster Recovery steering committee.

For more information, see:

https://www.atlassian.com/trust/security/security-practices#faqd323ae61-59b8-4ddb-96d4-30716b603e3e

and https://www.atlassian.com/trust/security/data-management

