2023 Q1 Data Processing Addendum assessment

Audit date: 3rd May 2023

Category Activity Scope Status of the internal audit
Product Development Environment Product Team Workstations
  • Updated Virus Protection
  • Full Disk Encrytion
  • No unauthorized access

Product Team Workstations

We have validated the notebooks of all of our 25 product team members.
Source Code Management System
  • Login access is restricted only to authorized persons
  • Only minimal permissions are granted
  • No unauthorized access

Bitbucket Cloud - META-INF

Source code management and Build system to store and build the code of our applications.

Permissions

  • Admin : Can create, delete repositories and modify repository settings.
  • Write : Can push and merge source code modifications and trigger manual build pipelines.
  • Read : Can pull source code, read build logs and pull requests.

Repository1

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository2

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository3

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository4

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository5

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository6

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository7

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository8

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    9 Software Developer ( 2 Contractor )
    3 Test Engineer
    1 Support Agent
    2 Atlassian Consultant
    1 Technical Account
    1 CEO
  • Read
    1 Software Developer ( 1 Contractor )

Repository9

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    9 Software Developer ( 2 Contractor )
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository10

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository11

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository12

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository13

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 CEO
Artifact Management System
  • Login access is restricted only to authorized persons
  • Only minimal permissions are granted
  • No unauthorized access

Jfrog Artifactory

Artifact management system to store the build logs and artifacts of your application.

Permissions

  • Admin : Can create, delete repositories and modify repository settings.
  • Write : Can upload, delete, overwrite (in snapshot repositories) artifacts.
  • Read : Can list, download artifacts.

Repository1

  • Admin
    1 DevOps Engineer
  • Write
    1 Technical Account
  • Read
    8 Software Developer
    2 Test Engineer
    1 Product Owner

Repository2

  • Admin
    1 DevOps Engineer
  • Write
    1 Technical Account
  • Read
    8 Software Developer
    2 Test Engineer
    1 Product Owner
Staging Environment AWS Staging Environment
  • Cloud Console access is restricted only to authorized persons
  • SSH access is protected by keys and MFA
  • Database access is possible only from the internal network
  • Kubernetes access is possible only from the internal network
  • Only minimal permissions are granted
  • No unauthorized access

AWS Stage

Separated AWS Account for the Stage resources.

Permissions

  • StageAdmins : Can list, create, delete, modify AWS resources.
  • StageContainerImageAdmins : Can list, create, delete, modify (in snapshot repositories) Docker images.
  • StageContainerImageReaders : Can list Docker images.
  • StageSupport : an list, create, delete, modify Kubernetes resources and list Docker images.
  • InfraBackup : Can list, create, delete, modify items in the Backup S3 Bucket.
  • StageEticmaTechUsers : Can list, create, delete, modify ETICMA app related resources w/o MFA.
  • StageAdmins
    1 DevOps Engineer
    3 Infrastructure Engineer ( 3 Contractor )
    1 Software Developer
  • StageContainerImageAdmins
    1 Technical Account
  • StageContainerImageReaders
    1 Technical Account
  • StageSupport
    3 Software Developer
  • InfraBackup
    1 Technical Account
  • StageEticmaTechUsers
    1 Technical Account

AWS Stage Bastion

EC2 instance to access the Stage internal network and databases.

Permissions

  • Root : Can administer Linux OS.
  • User : Can log in and access the internal network of the Staging environment.
  • Root
    1 DevOps Engineer
    3 Infrastructure Engineer ( 3 Contractor )
    1 Software Developer
  • User
    3 Software Developer
Production Environment AWS Production Environment
  • Cloud Console access is restricted only to authorized persons
  • SSH access is protected by keys and MFA
  • Database access is possible only from the internal network
  • Kubernetes access is possible only from the internal network
  • Only minimal permissions are granted
  • No unauthorized access

AWS Prod

Separated AWS Account for the Prod resources.

Permissions

  • Admins : Can list, create, delete, modify AWS resources.
  • BillingAdmins : Can view billing details, costs, invoices.
  • ContainerImageAdmins : Can list, create, delete, modify Docker images.
  • Support : an list, create, delete, modify Kubernetes resources and list Docker images.
  • Admins
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
  • BillingAdmins
    1 DevOps Engineer
  • ContainerImageAdmins
    1 Technical Account
  • Support
    3 Software Developer

AWS Prod Bastion

EC2 instance to access the Prod internal network and databases.

Permissions

  • Root : Can administer Linux OS.
  • User : Can log in and access the internal network of the Production environment.
  • Root
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
  • User
    3 Software Developer
Log Analysis and Monitoring Datadog Loggin and Monitoring System
  • Login access is restricted only to authorized persons
  • Only minimal permissions are granted
  • No unauthorized access

Datadog EU

Log management and monitoring tool for our staging and production applications.

Permissions

  • Admin : Can administer all resources. Can not delete logs.
  • Write : Can read, create, delete, modify monitors, dashboards. Can read logs.
  • Read : Can read monitors, dashboards, logs.
  • Admin
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
    1 Product Owner
    1 Technical Account
  • Write
    1 Software Developer
    1 Atlassian Consultant
  • Read
    6 Software Developer
    3 Test Engineer
    3 Support Agent
    1 Product Owner
    1 CEO

Datadog US

Log management and monitoring tool for our staging and production applications.

Permissions

  • Admin : Can administer all resources. Can not delete logs.
  • Write : Can read, create, delete, modify monitors, dashboards. Can read logs.
  • Read : Can read monitors, dashboards, logs.
  • Admin
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
    1 Product Owner
    1 Technical Account
  • Write
    1 Software Developer
    1 Atlassian Consultant
  • Read
    6 Software Developer
    3 Test Engineer
    3 Support Agent
    1 Product Owner
    1 CEO

 

2023 Q1 Data Processing Addendum assessment

Audit date: 3rd May 2023

Category Activity Scope Status of the internal audit
Product Development Environment Product Team Workstations
  • Updated Virus Protection
  • Full Disk Encrytion
  • No unauthorized access

Product Team Workstations

We have validated the notebooks of all of our 25 product team members.
Source Code Management System
  • Login access is restricted only to authorized persons
  • Only minimal permissions are granted
  • No unauthorized access

Bitbucket Cloud - META-INF

Source code management and Build system to store and build the code of our applications.

Permissions

  • Admin : Can create, delete repositories and modify repository settings.
  • Write : Can push and merge source code modifications and trigger manual build pipelines.
  • Read : Can pull source code, read build logs and pull requests.

Repository1

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository2

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository3

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository4

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository5

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository6

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository7

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    1 Support Agent
    1 CEO

Repository8

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    9 Software Developer ( 2 Contractor )
    3 Test Engineer
    1 Support Agent
    2 Atlassian Consultant
    1 Technical Account
    1 CEO
  • Read
    1 Software Developer ( 1 Contractor )

Repository9

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    9 Software Developer ( 2 Contractor )
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository10

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository11

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository12

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 Technical Account
    1 CEO

Repository13

  • Admin
    1 DevOps Engineer
    1 Software Developer
    2 Product Owner
  • Write
    7 Software Developer
    3 Test Engineer
    1 Support Agent
    1 CEO
Artifact Management System
  • Login access is restricted only to authorized persons
  • Only minimal permissions are granted
  • No unauthorized access

Jfrog Artifactory

Artifact management system to store the build logs and artifacts of your application.

Permissions

  • Admin : Can create, delete repositories and modify repository settings.
  • Write : Can upload, delete, overwrite (in snapshot repositories) artifacts.
  • Read : Can list, download artifacts.

Repository1

  • Admin
    1 DevOps Engineer
  • Write
    1 Technical Account
  • Read
    8 Software Developer
    2 Test Engineer
    1 Product Owner

Repository2

  • Admin
    1 DevOps Engineer
  • Write
    1 Technical Account
  • Read
    8 Software Developer
    2 Test Engineer
    1 Product Owner
Staging Environment AWS Staging Environment
  • Cloud Console access is restricted only to authorized persons
  • SSH access is protected by keys and MFA
  • Database access is possible only from the internal network
  • Kubernetes access is possible only from the internal network
  • Only minimal permissions are granted
  • No unauthorized access

AWS Stage

Separated AWS Account for the Stage resources.

Permissions

  • StageAdmins : Can list, create, delete, modify AWS resources.
  • StageContainerImageAdmins : Can list, create, delete, modify (in snapshot repositories) Docker images.
  • StageContainerImageReaders : Can list Docker images.
  • StageSupport : an list, create, delete, modify Kubernetes resources and list Docker images.
  • InfraBackup : Can list, create, delete, modify items in the Backup S3 Bucket.
  • StageEticmaTechUsers : Can list, create, delete, modify ETICMA app related resources w/o MFA.
  • StageAdmins
    1 DevOps Engineer
    3 Infrastructure Engineer ( 3 Contractor )
    1 Software Developer
  • StageContainerImageAdmins
    1 Technical Account
  • StageContainerImageReaders
    1 Technical Account
  • StageSupport
    3 Software Developer
  • InfraBackup
    1 Technical Account
  • StageEticmaTechUsers
    1 Technical Account

AWS Stage Bastion

EC2 instance to access the Stage internal network and databases.

Permissions

  • Root : Can administer Linux OS.
  • User : Can log in and access the internal network of the Staging environment.
  • Root
    1 DevOps Engineer
    3 Infrastructure Engineer ( 3 Contractor )
    1 Software Developer
  • User
    3 Software Developer
Production Environment AWS Production Environment
  • Cloud Console access is restricted only to authorized persons
  • SSH access is protected by keys and MFA
  • Database access is possible only from the internal network
  • Kubernetes access is possible only from the internal network
  • Only minimal permissions are granted
  • No unauthorized access

AWS Prod

Separated AWS Account for the Prod resources.

Permissions

  • Admins : Can list, create, delete, modify AWS resources.
  • BillingAdmins : Can view billing details, costs, invoices.
  • ContainerImageAdmins : Can list, create, delete, modify Docker images.
  • Support : an list, create, delete, modify Kubernetes resources and list Docker images.
  • Admins
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
  • BillingAdmins
    1 DevOps Engineer
  • ContainerImageAdmins
    1 Technical Account
  • Support
    3 Software Developer

AWS Prod Bastion

EC2 instance to access the Prod internal network and databases.

Permissions

  • Root : Can administer Linux OS.
  • User : Can log in and access the internal network of the Production environment.
  • Root
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
  • User
    3 Software Developer
Log Analysis and Monitoring Datadog Loggin and Monitoring System
  • Login access is restricted only to authorized persons
  • Only minimal permissions are granted
  • No unauthorized access

Datadog EU

Log management and monitoring tool for our staging and production applications.

Permissions

  • Admin : Can administer all resources. Can not delete logs.
  • Write : Can read, create, delete, modify monitors, dashboards. Can read logs.
  • Read : Can read monitors, dashboards, logs.
  • Admin
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
    1 Product Owner
    1 Technical Account
  • Write
    1 Software Developer
    1 Atlassian Consultant
  • Read
    6 Software Developer
    3 Test Engineer
    3 Support Agent
    1 Product Owner
    1 CEO

Datadog US

Log management and monitoring tool for our staging and production applications.

Permissions

  • Admin : Can administer all resources. Can not delete logs.
  • Write : Can read, create, delete, modify monitors, dashboards. Can read logs.
  • Read : Can read monitors, dashboards, logs.
  • Admin
    1 DevOps Engineer
    2 Infrastructure Engineer ( 2 Contractor )
    1 Software Developer
    1 Product Owner
    1 Technical Account
  • Write
    1 Software Developer
    1 Atlassian Consultant
  • Read
    6 Software Developer
    3 Test Engineer
    3 Support Agent
    1 Product Owner
    1 CEO