Security Policy

This Security Policy outlines the measures and procedures put in place by TNG Technology Consulting GmbH (“TNG”) to ensure the security of data processed by our Server/Data Center and Cloud apps as well as of the Server/Data Center and Cloud apps themselves. We take security seriously and are committed to protecting our Server/Data Center and Cloud apps from security threats.

If you become aware of any security incident, please report it to us promptly via atlassian-apps@tngtech.com.

Security programs

  • We aim to have all our Cloud apps participating in Atlassian’s security bug bounty program. A bug bounty program is one of the most powerful tools to help detect vulnerabilities in applications and services. It continuously improves the security posture by leveraging crowdsourced vulnerability discovery methods.

  • All of our Cloud apps take part in internal penetration testing sessions which are conducted by IT experts from TNG who do not work on our Cloud apps on a day-to-day basis.

Vulnerability management

Data protection

  • All of our Cloud apps are written using Atlassian Forge.

  • In particular, they are hosted by Atlassian and keep all data in Atlassian’s infrastructure. Therefore, all data stored and processed by these apps remains in Atlassian’s infrastructure.

  • Apps for Server and Data Center are installed directly in the End User’s Atlassian system. Therefore, all data stored and processed by these apps remains in the End User’s infrastructure.

  • In principle, our apps do not transmit any data to us or any other external third-party system. If transmissions to external systems are a functional part of the app, they happen transparently, encrypted in transit and under the customer’s control.

  • You can find more information about this in our Privacy Policy.

Data resilience

  • As all data of our Cloud apps is stored within Atlassian’s infrastructure, we rely on Atlassian’s backup and recovery mechanisms.

  • As all data of our apps for Server and Data Center is stored within the End User’s infrastructure, we rely on the End User’s backup and recovery mechanisms.

API key management

  • Any third-party API keys provided by the End User will remain in the apps and will only be used for the agreed use in the apps.

Internal security measures

  • We have laid down an internal security policy and implemented response protocols to respond to security incidents promptly and effectively.

  • All employees have committed themselves to confidentiality, in particular regarding personal data.

  • Knowledge of data protection regulations is maintained with yearly briefings.

  • We make use of single sign-on (SSO) and multi-factor authentication (MFA) with hardware tokens for all personalized accounts.

  • All personalized accounts have individual passwords that must fulfill current recommendations for secure passwords.

  • Our workstations are individually assigned and not shared between employees.

  • Data on hard drives of all workstations is fully encrypted.

  • Security patches are installed regularly.

  • All employees are instructed to lock their workstations when absent.

  • Access is granted by roles. We follow a “need to know” principle and only grant access to information if it is absolutely required for an employee to conduct their official duties.

  • When developing our apps, we strictly separate development, staging, and production environments.