Clarification on security topics
Exactly which logs and types of data do you store?
re: logs - we store only the Jira application log.
re: database - we store the following data:
a) host details
- the identifying key for the Jira Cloud instance that hosts Risk Register
- the base URL of the Jira Cloud instance
- the Support Entitlement Number (SEN) of the Jira Cloud instance
- version of the Jira Cloud instance
- version of the add-on framework running in the Jira Cloud instance
- the OAuth 2.0 client ID for Risk Register
- status of the Risk Register add-on in the Jira Cloud instance
b) add-on settings (data from the Settings page in the Admin area)
c) project settings, for each Jira project in which risk management is enabled:
- the numeric project ID (e.g. 10701)
- the numeric ID of the issue type representing risks (e.g. 10100)
d) register details, for each user-defined risk register:
- the name of the risk register
- the user keys of risk register administrators
- the numeric IDs of projects included in the risk register (e.g. 10000)
Importantly, the database does not include any data about the risks themselves; those data are stored as entity properties on the relevant issues, and as custom fields inside Jira Cloud.
How is this server secured?
The Risk Register add-on runs in Docker containers, hosted by AWS in eu-central-1 (Frankfurt).
The application runs on a Layer-2 virtual private network. Only the Risk Register application, and not the database, is accessible from the Internet. Access is strictly controlled via virtual firewall rules.
Database backups are stored in Amazon S3, within the eu-central-1 region. Access is restricted to the CTO exclusively via AWS Identity and Access Management (IAM) user credentials.