2019 Q4 Data Processing Addendum assessment

2019 Q4 Data Processing Addendum assessment

Audit date: 4 November 2019

Category Activity Short description Status of the internal audit
Developer environment Developer's computers verification
  • Virus protection effect
  • Full Disc Encryption (BitLocker) is in effect

We have validated the notebooks of all of our 4 developers.

On each computer

  • the virus protection was active
  • every notebook was encrypted using Bitlocker's full disc encryption
Source code management systems verification
  • Bitbucket can be accessed only through VPN
  • Only authorized persons have permissions to Bitbucket
  • Only minimal permissions are granted

We have validated access and permissions to our internal (Bitbucket) source code management system.

  • Bitbucket can be accessed only by the authenticated users
    • The product owners (2 users) have full admin permissions
    • In addition to the product owners, the following users have login access to Bitbucket:
      • The developers (2 users)
      • The support team (2 users)
      • The product test team (1 user - subcontractor: CodeCanvas)
      • Technical user for test automation user (1 technical user - subcontractor: CodeCanvas)
      • AWS environments support team (1 user - subcontractor: Enoventum)
  • On repository level, for our Cloud apps (Email This Issue, Content Exporter, Atlassian Connect framework, Logging framework), only the least privileges are granted, which are:
    • product owners have full admin rights
    • in addition to product owners, 1 senior developer has admin permission to Email This Issue's repositories.
    • all other users have only the minimally necessary read/write permissions
  • During the audit, we have removed 2 subcontractor users, who are not working on our apps any more
Package and artifact management system verification
  • JFrog can be accessed only through VPN
  • Only authorized persons have permissions to JFrog
  • Only minimal permissions are granted

We have validated access and permissions to our internal (JFrog's Artifactory) package and artifact management system.

  • JFrog Artifactory be accessed only by the authenticated users
    • One product owner has full admin permissions
    • In addition to this, the following users have access to Artifactory:
      • The developers (2 users)
      • Technical release user (1 technical user for release management)
      • Technical user for test automation (1 technical user for the build and test logs - subcontractor: CodeCanvas)
  • On repository level, only the least privileges are granted, which are:
    • Read access for all logged in users
    • Read, annotate, deploy and delete permissions for the test automation user on the build log repository
    • Read, annotate, deploy and delete permissions for the release user on the release and snapshot repositories
Build systems verification
  • Bamboo can be accessed only through VPN
  • Only authorized persons have permissions to Bamboo
  • Only minimal permissions are granted

We have validated access and permissions to our internal (Bamboo) build system

  • Bamboo be accessed only by the authenticated users
    • The two product owners and one senior developer have full admin permissions
    • In addition to this, the following users have access to Bamboo:
      • Developers (1 users)
      • Test team (2 users - subcontractor: CodeCanvas)
      • Technical user for test automation (1 technical user for the build and test logs - subcontractor: CodeCanvas)
  • On repository level, for our Cloud apps, only the least privileges are granted, which are:
    • View access for all logged in users
    • Create plan and admin project for the senior developer
Stage environment Cloud Amazon Stage verification
  • AWS access is restricted to authorized persons only
  • Only minimal permissions are granted
  • Kubernetes SSH access is protected by keys
  • Database access is allowed only from fix IP
  • There was no unauthorized access

We have validated access, permissions, network policies in our stage Amazon AWS environment. Our stage Cloud Apps are running in managed a Kubernetes cluster (Amazon EKS) and use managed databases (Amazon RDS).

  • Our stage environment is completely separated from the production environment, it has a dedicated AWS account and can be accessed by the following users:
    • One product owner (1 user)
    • One senior developer (1 user)
    • AWS support team (1 user - subcontractor: Enoventum)
  • On environment (AWS account) level, only the least privileges are granted, which are:
    • Admin permission for the
      • product owner
      • senior developer
      • AWS support team
  • On network level
    • Access to Kubernetes SSH is allowed only via key exchange, through a dedicated EC2 instance
    • Access to the databases are allowed only from
      • The AWS environment's internal network
      • Fixed IP of META-INF's build server
      • Fixed IP of subcontractor CodeCanvas (for database level testing)
      • External database access is done by SSL/TLS connection
  • We have reviewed the access log entries for the last 3 months in Amazon's access log (IAM Account Activity History) and have not found in unauthorized or suspicous entries.
Production environment Cloud Amazon Production verification
  • AWS access is restricted to authorized persons only
  • Only minimal permissions are granted
  • Kubernetes SSH access is protected by keys
  • Database access is allowed only from fix IP
  • There was no unauthorized access

We have validated access, permissions, network policies in our production Amazon AWS environment. Our production Cloud Apps are running in managed a Kubernetes cluster (Amazon EKS) and use managed databases (Amazon RDS).

  • Our production environment is completely separated from the stage environment, it has a dedicated AWS account and can be accessed by the following users:
    • One product owner (1 user)
    • One senior developer (1 user)
    • AWS support team (1 user - subcontractor: Enoventum)
  • On environment (AWS account) level, only the least privileges are granted, which are:
    • Admin permission for the
      • product owner
      • senior developer
    • Read-only access for the
      • AWS support team
  • On network level
    • Access to Kubernetes SSH is allowed only via key exchange, through a dedicated EC2 instance
    • Access to the databases are allowed only from
      • The AWS environment's internal network
      • Fixed IP of META-INF's build server
      • Fixed IP of subcontractor Enoventum (for database upgrades and maintenance)
      • External database access is done by SSL/TLS connection
  • We have reviewed the access log entries for the last 3 months in Amazon's access log (IAM Account Activity History) and have not found in unauthorized or suspicous entries.
Log analysis Cloud Datadog Stage verification
  • Only authorized persons have permissions to Datadog
  • Only minimal permissions are granted

We have validated access, permissions to DataDog. This service is used to collect and search logs from our stage and production AWS enviroments.

  • Our Datadog environment can be accessed by the following users:
    • One DataDog owner account (1 technical user)
    • One product owner (1 user)
    • The developer team (2 user)
    • The support team (2 user)
    • AWS support team (1 user - subcontractor: Enoventum)
  • On log analysis and search, for our Cloud apps, only the least privileges are granted, which are:
    • Admin access
      • One product owner
      • One DataDog owner account (1 technical user)
    • View access for all logged in users
Cloud Datadog Production verification
  • Only authorized persons have permissions to Datadog
  • Only minimal permissions are granted

In-depth expertise, knowledge transfer and Atlassian apps from the highest-level Atlassian partner.

Solutions
ITSM
Jira Audit
Cloud Migration
Enterprise Service Management
Services
Atlassian Consulting
Atlassian Licenses
Atlassian Training
Atlassian Support
Email This Issue Services
Apps
Email This Issue for Jira
Glass Documentation for Jira
Content Exporter for Confluence
Advanced Content Navigator for Confluence
About META-INF
Meet the team
Partner Program
Let's Partner Up
Career
Contact

© 2007 - 2024 META-INF, Atlassian Platinum Solution Enterprise Partner & Platinum Marketplace Partner. All rights reserved.

Privacy Policy

2019 Q4 Data Processing Addendum assessment

2019 Q4 Data Processing Addendum assessment

Audit date: 4 November 2019

Category Activity Short description Status of the internal audit
Developer environment Developer's computers verification
  • Virus protection effect
  • Full Disc Encryption (BitLocker) is in effect

We have validated the notebooks of all of our 4 developers.

On each computer

  • the virus protection was active
  • every notebook was encrypted using Bitlocker's full disc encryption
Source code management systems verification
  • Bitbucket can be accessed only through VPN
  • Only authorized persons have permissions to Bitbucket
  • Only minimal permissions are granted

We have validated access and permissions to our internal (Bitbucket) source code management system.

  • Bitbucket can be accessed only by the authenticated users
    • The product owners (2 users) have full admin permissions
    • In addition to the product owners, the following users have login access to Bitbucket:
      • The developers (2 users)
      • The support team (2 users)
      • The product test team (1 user - subcontractor: CodeCanvas)
      • Technical user for test automation user (1 technical user - subcontractor: CodeCanvas)
      • AWS environments support team (1 user - subcontractor: Enoventum)
  • On repository level, for our Cloud apps (Email This Issue, Content Exporter, Atlassian Connect framework, Logging framework), only the least privileges are granted, which are:
    • product owners have full admin rights
    • in addition to product owners, 1 senior developer has admin permission to Email This Issue's repositories.
    • all other users have only the minimally necessary read/write permissions
  • During the audit, we have removed 2 subcontractor users, who are not working on our apps any more
Package and artifact management system verification
  • JFrog can be accessed only through VPN
  • Only authorized persons have permissions to JFrog
  • Only minimal permissions are granted

We have validated access and permissions to our internal (JFrog's Artifactory) package and artifact management system.

  • JFrog Artifactory be accessed only by the authenticated users
    • One product owner has full admin permissions
    • In addition to this, the following users have access to Artifactory:
      • The developers (2 users)
      • Technical release user (1 technical user for release management)
      • Technical user for test automation (1 technical user for the build and test logs - subcontractor: CodeCanvas)
  • On repository level, only the least privileges are granted, which are:
    • Read access for all logged in users
    • Read, annotate, deploy and delete permissions for the test automation user on the build log repository
    • Read, annotate, deploy and delete permissions for the release user on the release and snapshot repositories
Build systems verification
  • Bamboo can be accessed only through VPN
  • Only authorized persons have permissions to Bamboo
  • Only minimal permissions are granted

We have validated access and permissions to our internal (Bamboo) build system

  • Bamboo be accessed only by the authenticated users
    • The two product owners and one senior developer have full admin permissions
    • In addition to this, the following users have access to Bamboo:
      • Developers (1 users)
      • Test team (2 users - subcontractor: CodeCanvas)
      • Technical user for test automation (1 technical user for the build and test logs - subcontractor: CodeCanvas)
  • On repository level, for our Cloud apps, only the least privileges are granted, which are:
    • View access for all logged in users
    • Create plan and admin project for the senior developer
Stage environment Cloud Amazon Stage verification
  • AWS access is restricted to authorized persons only
  • Only minimal permissions are granted
  • Kubernetes SSH access is protected by keys
  • Database access is allowed only from fix IP
  • There was no unauthorized access

We have validated access, permissions, network policies in our stage Amazon AWS environment. Our stage Cloud Apps are running in managed a Kubernetes cluster (Amazon EKS) and use managed databases (Amazon RDS).

  • Our stage environment is completely separated from the production environment, it has a dedicated AWS account and can be accessed by the following users:
    • One product owner (1 user)
    • One senior developer (1 user)
    • AWS support team (1 user - subcontractor: Enoventum)
  • On environment (AWS account) level, only the least privileges are granted, which are:
    • Admin permission for the
      • product owner
      • senior developer
      • AWS support team
  • On network level
    • Access to Kubernetes SSH is allowed only via key exchange, through a dedicated EC2 instance
    • Access to the databases are allowed only from
      • The AWS environment's internal network
      • Fixed IP of META-INF's build server
      • Fixed IP of subcontractor CodeCanvas (for database level testing)
      • External database access is done by SSL/TLS connection
  • We have reviewed the access log entries for the last 3 months in Amazon's access log (IAM Account Activity History) and have not found in unauthorized or suspicous entries.
Production environment Cloud Amazon Production verification
  • AWS access is restricted to authorized persons only
  • Only minimal permissions are granted
  • Kubernetes SSH access is protected by keys
  • Database access is allowed only from fix IP
  • There was no unauthorized access

We have validated access, permissions, network policies in our production Amazon AWS environment. Our production Cloud Apps are running in managed a Kubernetes cluster (Amazon EKS) and use managed databases (Amazon RDS).

  • Our production environment is completely separated from the stage environment, it has a dedicated AWS account and can be accessed by the following users:
    • One product owner (1 user)
    • One senior developer (1 user)
    • AWS support team (1 user - subcontractor: Enoventum)
  • On environment (AWS account) level, only the least privileges are granted, which are:
    • Admin permission for the
      • product owner
      • senior developer
    • Read-only access for the
      • AWS support team
  • On network level
    • Access to Kubernetes SSH is allowed only via key exchange, through a dedicated EC2 instance
    • Access to the databases are allowed only from
      • The AWS environment's internal network
      • Fixed IP of META-INF's build server
      • Fixed IP of subcontractor Enoventum (for database upgrades and maintenance)
      • External database access is done by SSL/TLS connection
  • We have reviewed the access log entries for the last 3 months in Amazon's access log (IAM Account Activity History) and have not found in unauthorized or suspicous entries.
Log analysis Cloud Datadog Stage verification
  • Only authorized persons have permissions to Datadog
  • Only minimal permissions are granted

We have validated access, permissions to DataDog. This service is used to collect and search logs from our stage and production AWS enviroments.

  • Our Datadog environment can be accessed by the following users:
    • One DataDog owner account (1 technical user)
    • One product owner (1 user)
    • The developer team (2 user)
    • The support team (2 user)
    • AWS support team (1 user - subcontractor: Enoventum)
  • On log analysis and search, for our Cloud apps, only the least privileges are granted, which are:
    • Admin access
      • One product owner
      • One DataDog owner account (1 technical user)
    • View access for all logged in users
Cloud Datadog Production verification
  • Only authorized persons have permissions to Datadog
  • Only minimal permissions are granted

Átfogó szakértelem, tudástranszfer és Atlassian alkalmazások a legmagasabb szintű Atlassian-partnertől.

Megoldások
IT szolgáltatásmenedzsment
Jira projekt audit
Atlassian migrálás a felhőbe
Vállalati szolgáltatásmenedzsment
Szolgáltatások
Atlassian Tanácsadás
Atlassian Licencek
Atlassian Képzés
Atlassian Support
Email This Issue for Jira szolgáltatások
Alkalmazások
Email This Issue for Jira
Glass Documentation for Jira
Content Exporter for Confluence
Advanced Content Navigator for Confluence
Rólunk
A csapat
Partnereink
Legyünk partnerek
Karrier
Kapcsolat
Tudástár
Sikertörténetek
Blog
Események
Letölthető anyagok
Dokumentáció
Demók
Jogi dokumentumok
Logo Kit

© 2007 - 2024 META-INF, Atlassian Platinum Solution Enterprise Partner & Platinum Marketplace Partner. Minden jog fenntartva.

Adatvédelmi tájékoztató

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesAccept