Onward App Security

Introduction

Security is built into the core of all our applications. Onward's apps are built on Atlassian Forge, Atlassian's serverless app development platform, designed for building secure, reliable and scalable apps. Forge's compute and storage features allowed us to host our apps entirely on Atlassian infrastructure, which makes Onward's apps native to Atlassian. For our customers this means that their data stays within the Atlassian hosted environment; the one exception, a passthrough used for a small set of target systems, is described in the FAQ below.

With Forge, customers are in control of how and when data leaves Atlassian cloud: an app must declare in its manifest every external host it calls, and those hosts are shown to the site administrator when the app is installed. Forge takes care of authentication, identity, scaling and tenancy. Forge apps run inside a second security layer that enforces tenancy isolation and data egress restrictions by design. Our apps follow the shared responsibility model Atlassian defines, which sets out what the customer, Atlassian and the app vendor are each responsible for.
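To illustrate how that egress control works, below is a minimal Forge manifest.yml. This is an added example written for this page, not the manifest of any Onward app; the module keys, the handler name, the app id placeholder and the api.example.com host are assumptions. The Forge runtime refuses outbound calls to any host not listed under permissions.external.fetch.backend, and the listed hosts are presented to the administrator at install time, so an app that omits the external section has no way to send data off the Atlassian platform.

```yaml
# Added example manifest.yml for a Forge app (not an Onward app's manifest).
# Only hosts listed under permissions.external are reachable from the app;
# with the external section omitted, the app cannot call out of Atlassian cloud.
modules:
  jira:issuePanel:
    - key: example-issue-panel        # assumed module key
      function: main
      title: Example panel
  function:
    - key: main
      handler: index.run              # assumed handler exported from src/index.js
app:
  id: ari:cloud:ecosystem::app/<app-id>   # placeholder; the Forge CLI generates the real id
permissions:
  scopes:
    - read:jira-work                  # least privilege: read access only, no write scope
  # Declared egress. Delete this block for an app whose data must never leave
  # Atlassian; any fetch to an undeclared host is blocked by the Forge runtime.
  external:
    fetch:
      backend:
        - 'api.example.com'           # assumed target system endpoint
```

A reviewer checking a Forge app's data-flow claims can therefore start with the manifest: the hosts under external.fetch.backend and the OAuth scopes under scopes are the complete statement of where the app can send data and what it can read, and both are enforced by the platform rather than by the app's own code.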

Onward's apps are certified to the highest security standards that Atlassian recommends for Marketplace apps. Atlassian's Marketplace security program documentation describes the various levels; all Onward apps have earned the Cloud Fortified badge. Our apps are also SOC 2 Type I certified. Please reach out to us at support@onwardb.com for a copy of the report.

The table below provides more information on what Cloud Fortified entails.

Our apps also participate in the Marketplace Security Bug Bounty Program. A bug bounty is one of the most powerful post-production tools for detecting vulnerabilities in applications and services. The Marketplace Security Bug Bounty program is a collaboration between Atlassian and Marketplace Partners that aims to continuously improve the security posture of Atlassian Marketplace apps by using the crowdsourced vulnerability discovery a bug bounty provides.

The program gives Marketplace Partners the means to run post-production vulnerability discovery in a cost-efficient way. For a partner it is a convenient way to start or extend its security story, and it helps increase trust with customers. From the program we can generate third-party penetration test reports for our customers.

Please email support@onwardb.com if you have any questions.

FAQs

How is data secured?

Onward's apps are compliant with the Atlassian Cloud Security Program. They are built on Atlassian Forge, whose compute and storage features allowed us to host the apps entirely on Atlassian infrastructure. This makes Onward's apps fully native to Atlassian, with no reliance on any additional cloud or other platform apart from the passthrough service described below, which relays connections for a small set of target systems and stores nothing. For our customers this means that their data never leaves the Atlassian hosted environment, other than the connections to the target systems they have configured the apps to integrate with.

Do you encrypt data at rest/in transit?

The apps use HTTPS (TLS) to encrypt data in transit. Data at rest is held in Atlassian managed storage and infrastructure, so Atlassian's at-rest controls apply to it.

Do you use any external cloud services for processing or data storage?

We do not store any data outside of your Atlassian instance. For a small set of target systems (fewer than 5% of the systems we support) we use a lightweight AWS Lambda service as a passthrough when connecting to them; it relays requests and does not store data. This works around a current Forge limitation, and we will retire the service as soon as Forge supports our design pattern.

Do you back up data for disaster recovery?

Atlassian Cloud backs up all of its hosted storage for disaster recovery. This includes content stored by our apps, since they use the Atlassian Forge storage API.

Do you conduct external (third-party) audits of the service? If so, please describe the scope and frequency of those audits.

We are part of the Atlassian Bug Bounty security program, which runs continuously rather than on a fixed audit schedule. An ongoing bounty program is an alternative to a point-in-time application assessment or penetration test. A traditional penetration test uses only one or two people to cover an entire scope of work, whereas an ongoing bounty draws on a crowd of security researchers. This increases the probability of discovering esoteric issues that automated testing cannot find and that traditional vulnerability assessments may miss in the same testing period. Please email support@onwardb.com for the latest copy of the pen testing and security posture report generated from the bug bounty program.

Have the apps been security assessed?

As part of our compliance with the Atlassian Security Program, we update and submit a security self-assessment to Atlassian every year. This is a company-wide assessment rather than a per-app one.

Do you have a Security Incident Response Program?

Yes. More information is available on request or in Atlassian's App security incident management guidelines for Marketplace Partners.

Do you undertake penetration testing (or similar technical security testing, code review or vulnerability assessment)?

We are enrolled in the Bug Bounty program run by Bugcrowd as part of the Atlassian Vendor Security Assessment program. Under the program, security researchers pen test our applications and report the vulnerabilities they find, and we fix every identified vulnerability within the SLAs Atlassian sets for the program. As long as we continue to meet the requirements of the Vendor Security Assessment program, Atlassian confers a security badge on the app in the Marketplace.

Is your application designed to store sensitive information? (For example: credit card data, personal data, financial data, source code, trading algorithms or proprietary models.)

No personal data is stored in Onward's apps. The one category of sensitive data the apps do hold is the configuration needed to reach the systems they integrate with, including connection tokens or passwords for target systems (see the data storage question below); this is kept in Forge storage within your Atlassian instance. All other data is stored within Atlassian hosted infrastructure or in Jira/JSM itself.

Do you have a Privacy Policy? Please provide details (or provide a copy of the policy).

Our privacy policy can be accessed on our website at https://onwardb.com/privacy/ .

Do you store customer data from the customer Atlassian instance? 

No customer data is stored in storage that Onward controls. Because the apps are built on the Forge platform, the only data they persist is held in Forge storage inside your own Atlassian instance, and it is limited to the configuration listed below. All other data is stored on the Jira issues themselves.

OnRamp: flow configuration, tasks, and system endpoint configuration including URL and connection tokens or passwords.

OnLink: system endpoint configuration including URL and connection tokens or passwords.

OnRewards: peer recognition awards, comments, and connection information for Tango, our gift card processor.

Are you accredited to any relevant security standards (e.g., SOC 1/2/3, ISO27001, PCI DSS)?

In addition to the technical and organizational measures described in the Forge DPA, Forge complies with major security standards. Forge, as part of the Atlassian Platform, has successfully completed the ISO 27001 and SOC 2 evaluation process. Compliance reports and certificates for the Atlassian Platform, which includes Forge, can be downloaded from the Atlassian Compliance Resource Center. Our apps adhere to the shared responsibility model Atlassian has prescribed, so these attestations cover the platform layer; Onward's own app-level controls are covered by the Cloud Fortified and SOC 2 Type I information above.