Security FAQ / Questionnaire

This document provides answers to common questions from customer procurement and security assessment teams regarding SaaSJet’s governance, employee awareness, access control, audit practices, and compliance.

1. Security Governance & Policies

Has the Vendor completed any applicable third-party assessments or certifications (e.g., SOC 2, ISO 27001)?

Yes. SaaSJet is SOC 2 Type II compliant following an independent third-party audit. We also run an active bug bounty program, participate in the Atlassian Cloud Fortified program, and fully comply with Atlassian security requirements.

Does the Vendor have a designated security lead or team?

Yes, we have a designated Security Officer responsible for ensuring compliance with security best practices and overseeing data protection policies.

Does the Vendor have security policies?

Yes, SaaSJet maintains comprehensive security policies as part of our participation in the Atlassian Cloud Fortified program and SOC 2 compliance efforts.

2. Employee Awareness & Training

Do Vendor employees go through annual security training?

Yes. All vendor employees undergo mandatory security awareness training at least once per year, and in practice 1–2 times annually depending on role and responsibilities.

Do Vendor employees or contractors have access to client data?

Yes, access to client data is granted only to employees or contractors who require it for legitimate business purposes and is governed by strict security controls.

Access is provided based on the principle of least privilege, meaning individuals are granted the minimum level of access necessary to perform their job functions. Access rights are regularly reviewed and promptly revoked when no longer required.

Are subcontractors included in the above audit processes?

Yes, we extend our rigorous audit processes to all subcontractors to ensure compliance with security policies.

Are all employees and contractors with access to systems subject to background checks?

Yes. All employees and contractors with system access undergo background checks, including criminal background screening, in compliance with local regulations.

Do contracts with employees and contractors include confidentiality obligations?

Yes, every employee signs an NDA.

Do you have a Security Awareness Program for employees?

Yes.

Does the company require background checks on employees and contractors?

Yes.

When an employee of your company changes jobs or leaves the company, is their access promptly revoked?

Yes.

When an employee is terminated from your company, is their system access disabled immediately?

Yes.

3. Access Control & Identity Management

Does the Vendor limit access to client data to authorized personnel only?

Yes, we strictly limit access to client data to authorized personnel based on business necessity.

Does the Vendor limit access to client data to those with the principle of least privilege?

Yes, we adhere to the principle of Least Privilege, ensuring users have only the access necessary to perform their duties.

What is the system of record for identity?

We maintain a centralized system of record for identity. Google Workspace serves as the authoritative source for user identities and access status, with access granted and revoked based on role and employment status.

Does the Vendor perform monthly user audits?

Yes, we conduct regular user audits to verify and manage active accounts and access rights.

Does your product enable role-based access using user permissions?

Yes. Access is managed through Jira’s native roles, groups, and permission schemes, which our apps inherit and enforce.

Please confirm that MFA is required for all administrative accounts.

Yes.

Can plugin access be limited via API tokens or authentication?

Not applicable (access is controlled within Jira via Atlassian permissions).

Do you have processes in place to support user access reviews and privilege changes?

Yes.

Does the system or application that will be supplied comply with SOC 2 and security standards for access management?

Yes, we make sure the systems follow our SOC 2 requirements and Atlassian’s security practices.

4. Audit & Monitoring

Does the Vendor maintain audit trails to identify who accessed data and when?

Yes, we maintain comprehensive audit trails to track data access and user activity.

Does the Vendor perform monthly user audits?

Yes, we conduct regular user audits to verify access rights and ensure compliance with internal security policies.

Are subcontractors included in the above audit processes?

Yes, we extend our rigorous audit processes to subcontractors to ensure compliance with our security standards.

Are detailed audit logs available for reporting?

We do not provide logs from our apps.

Do you conduct internal and external (ISO, SOC 2) audits?

Yes. We are SOC 2 Type II compliant, following an independent external audit, and conduct internal reviews to maintain compliance.

Do you monitor and alert on relevant security events?

Yes.

Do you use a centralized management tool for log collection or analysis?

Yes.

Describe what type of logs (security, audit, network, etc.) you maintain.

Event logs, server logs, system logs, authorization logs, and error logs.

Do you keep these logs for at least 180 days?

Yes.

Is it possible to forward these logs to your customers for their review?

No.

5. Data Handling, Architecture & Residency

Are SaaSJet apps built on Atlassian Forge or do they qualify as “Runs on Atlassian”?

SaaSJet is actively migrating its Jira Cloud apps to Atlassian Forge. Forge-based apps run entirely within Atlassian’s cloud infrastructure and align with Atlassian’s “Runs on Atlassian” principles, meaning customer data is processed and stored within Atlassian’s secure environment and does not leave the Atlassian platform.

What categories of customer data does SaaSJet process?

SaaSJet apps process only the minimum data required to deliver functionality (e.g., work item metadata, workflow status, timestamps). SaaSJet does not process customer credentials, passwords, or payment information.

Does SaaSJet store or transfer Personally Identifiable Information (PII) on its servers?

No. SaaSJet does not transfer or store PII on its servers. Some apps may read a user’s public display name from Jira to display it within the app UI (e.g., work item lists, user lists, exports, mentions) as part of in-product functionality.

Does SaaSJet store or persist customer data?

For Forge-based apps, customer data is processed and stored within Atlassian’s cloud infrastructure. For non-Forge or transitional services, any data processed by SaaSJet is limited to what is necessary, encrypted, and securely hosted on AWS infrastructure.

Where is customer data geographically stored?

Customer data is stored in accordance with Atlassian’s data residency policies for Jira Cloud. Where SaaSJet-managed infrastructure is used, SaaSJet cloud services are hosted in AWS data centers in the United States (including N. Virginia and Oregon).

Who does SaaSJet share personal data with?

SaaSJet shares personal data only when required by law or when necessary to deliver services (e.g., with cloud infrastructure providers such as AWS). Such providers act as processors on SaaSJet’s behalf and are contractually obligated to confidentiality and security standards.

6. Compliance & External Validation

Are you audited by a third party for the following standards?

Yes. We are audited by an independent third party and have achieved SOC 2 Type II compliance.

Does the Vendor have programs in place (including business continuity and disaster recovery testing)?

Yes, as a SaaS vendor, we maintain and test business continuity and disaster recovery programs to ensure operational resilience.

Has the BCP (Business Continuity Program) been tested?

Yes.

Does the Vendor have a Partner Security Management program?

Yes, we participate in a Security Bug Bounty Program and follow partner security management best practices.

Do you have a sufficient vulnerability program in place?

Yes, we participate in the Bugcrowd bug bounty program.

Do you have a sufficient patch management program in place?

Yes, our apps are part of the Atlassian Cloud Fortified program and follow Atlassian’s patching standards.

Describe GDPR compliance

We have implemented security and privacy controls aligned with GDPR principles and are actively working toward full GDPR compliance. Our data protection practices are supported by SOC 2 Type II-compliant controls.

Compliance: BSI IT-Grundschutz

Not applicable.

Compliance: FISMA

Not applicable.

Compliance: NIST

Not applicable.

Compliance: PCI-DSS

Not applicable.

Compliance: SOX

Not applicable.

Compliance: CIS

Not applicable.

Compliance: HIPAA

Not applicable.

7. Support, Service Levels

What support channels are available?

Support is available via email at support@saasjet.com and via SaaSJet’s Support Portal (recommended for tracking and prioritizing requests).

What are SaaSJet support hours?

Business hours are 9am–9pm CET, Monday through Friday.

If you don’t find the answer you’re looking for or would like more details, please contact us at support@saasjet.com or via SaaSJet’s Support Portal.
