Information Security Policy

INTRODUCTION

Quirk Consulting takes security seriously. As a company we strive for perfection, but recognise it’s a never-ending journey, and this ethos applies to our security practices. Below we detail our current practices.

These Security Practices should be read in conjunction with our Privacy Policy and End User License Agreement

SECURITY VULNERABILITY

We align with the Security Severity Levels published by Atlassian, and we adhere to their security requirements for Cloud applications.

If you believe you have found or experienced a security vulnerability with an Quirk Consulting product or service please contact us.

JIRA CLOUD

All of your Jira issue / project / user data is kept in your Jira Cloud instance. Your data is never stored by our add-on servers. Our addons are simple, static javascript applications which run entirely in your browser. They retrieve the data they require directly from your Atlassian Cloud instance via the Jira API.

Our Jira Cloud versions require the following Atlassian Connect Permissions (Scopes): Read; Write; Delete.

As the product is delivered as a static, client-side add-on, the requests to read, create or update Jira data are made by the account of the person using the addon.

DEVELOPMENT WORKFLOW

Quirk Consulting maintains a prioritised backlog of features and enhancements that is structured according to customer value and key requests. Features are pulled from the backlog and decomposed as epics and user stories one at a time, and full capacity is allocated to said feature development until release.

When a release candidate has been identified, the code is packaged and tested in a variety of test environements with different Jira versions and data sets. This ensures we pick up and triage as many edge cases as possible prior to a production release.

Once all tests have passed, the release candidate is merged into the main branch of a git repository and tagged with the appropriate version. For Jira Cloud customers the feature is deployed and enabled automatically, whereas for Jira Server the package is manually uploaded to the Atlassian Marketplace for distribution.

INFRASTRUCTURE ACCESS

Build, test and deployment automation means Quirk Consulting Team Members do not require or have access to production infrastructure.

Team members that develop in our test environments use randomly generated passwords, plus Two Factor Authentication provided by Google where possible.