I have a question regarding the Security Self-Assessment Program. Some of the questions talk about storing customer data, for instance 1a:
“Do you store customer data from the customer Atlassian instance? If so, please outline any protection mechanisms you will have in place to protect this customer data.”
Who is meant by “you”? If I store customer data via forge’s storage API, is that considered “us” storing data? Or is this only pertinent for data stored outside the Atlassian ecosystem?
Thanks for any help or clarification.
I would recommend that you state that customer data is stored using the forge storage API.
But as that data is stored by Atlassian’s service, you can answer No.
Completion of the questionnaire will either go straight through and be approved, or start a dialogue between you and Atlassian. If they are not satisfied with your first answer, then more conversation will be required.
The storage API was created so that you don’t have to roll your own storage, so storing data using the recommended mechanism is going to help matters.