
Security Policy

This Security Policy outlines the measures and procedures put in place by TNG Technology Consulting GmbH (“TNG”) to ensure the security of data processed by our Server/Data Center and Cloud apps as well as the security of the apps themselves. We take security seriously and are committed to protecting our Server/Data Center and Cloud apps from security threats.

If you become aware of any security incident, please report it to us promptly via atlassian-apps@tngtech.com.

Security programs

  • We aim to have all our Cloud apps participate in Atlassian’s security bug bounty program. A bug bounty program is one of the most powerful tools to help detect vulnerabilities in applications and services. It continuously improves the security posture by leveraging crowdsourced vulnerability discovery methods.

  • All of our Cloud apps take part in internal penetration testing sessions which are conducted by IT experts from TNG who do not work on our Cloud apps on a day-to-day basis.

Vulnerability management

Data protection

Data resilience

  • As all data of our Cloud apps is stored within Atlassian’s infrastructure, we rely on Atlassian’s backup and recovery mechanisms.

  • As all data of our apps for Server and Data Center is stored within the End User’s infrastructure, we rely on the End User’s backup and recovery mechanisms.

API key management

  • Any third-party API keys provided by the end user will remain in the apps and will only be used for the agreed use in the apps.

Internal security measures

  • We have laid down an internal security policy and implemented response protocols to respond to security incidents promptly and effectively.

  • All employees have committed themselves to confidentiality, in particular regarding personal data.

  • Knowledge of data protection regulations is maintained with yearly briefings.

  • We make use of single sign-on (SSO) and multi-factor authentication (MFA) with hardware tokens for all personalized accounts.

  • All personalized accounts have individual passwords that must fulfill current recommendations for secure passwords.

  • Our workstations are individually assigned and not shared between employees.

  • Data on hard drives of all workstations is fully encrypted.

  • Security patches are installed regularly.

  • All employees are ordered to lock their workstations when they are absent.

  • Access is granted by roles. We follow a “need to know” principle and only grant access to information if it is absolutely required for an employee to conduct their official duties.

  • When developing our apps, we strictly separate development, staging, and production environments.