INTRODUCTION
Mindpro, which provides a portfolio of cloud apps in the Atlassian Marketplace, is the brand name of the innovation and software development department at e-Core IT Solutions (“Company”, “we”, “us”, or “our”). Because of this legal structure, Mindpro is bound by the e-Core LLC Information Security policies, which can be requested on demand at [email protected] or by raising a security request here.
At Mindpro, the security of your data is our top priority. We are committed to providing our customers with secure and reliable applications that meet industry standards. This page outlines the security measures we have implemented to protect your data when you use our Atlassian Cloud apps.
We maintain a security program that combines administrative, technical, and physical safeguards to protect your data from unauthorized access, use, or disclosure. The program is based on industry best practices, and we continuously work to improve our security posture as the threat landscape evolves.
SECURITY TEAM
As part of our company structure, we have a dedicated InfoSec team at e-Core composed of three security specialists, with specific roles described below. This team works closely with Mindpro’s development and support teams to address any privacy, security, or compliance needs.
- Governance Specialist – Focal point for laws and regulations related to information security.
- Cybersecurity Specialist – Focal point for information security tools, including device management, antivirus, alert systems, vulnerability identification systems, and password vaults.
- Senior Security Analyst – Focal point for numerous security activities, from reviewing policies and participating in audits to managing tools that protect the company.
SECURITY MANAGEMENT
Learn more about our secure development, change, release, and incident management practices:
Secure Development
These are some of the secure development practices we apply in our activities:
- We develop security champions among our developers, giving them dedicated time to learn and apply security practices in our apps, and we hold periodic technical security training for the whole team.
- All personnel are required to sign a Non-Disclosure Agreement (NDA) or Confidentiality Agreement (CA) as a condition of employment, to protect customer information.
- We enforce Multi-Factor Authentication (MFA) for all system access, including all of our source code repositories.
- We conduct regular peer reviews of code and infrastructure changes within our development team to maintain code quality and security awareness.
- For every code change, GitHub Actions workflows build the app and scan it for vulnerabilities using Snyk, Sonar, and npm audit. If any critical- or high-severity vulnerability is found, the build is marked as failed and the change is not merged into the main branch until the finding is fixed and the scans pass.
- In addition to these practices, we check our work against other rules from established security standards such as the OWASP Top 10 (Open Worldwide Application Security Project) and other frameworks to strengthen our reviews and security posture.
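The merge gate described above, as an added example (this is not Mindpro's own pipeline code): a small script that reads the JSON report printed by `npm audit --json` (npm 7 and later) and returns a non-zero exit code when any finding at or above a severity threshold is present, listing each blocking package and whether a fix is available. The package names and the report embedded below are constructed sample data, not a real audit.

```python
"""Example CI gate: fail the build when npm audit reports high/critical findings.

Added example, not Mindpro's own pipeline code. It reads the JSON that
`npm audit --json` (npm 7+) prints and exits non-zero when any finding at
or above the configured severity threshold is present.
"""
import json
import sys

# npm audit severity levels, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def blocking_findings(report: dict, threshold: str = "high") -> list[dict]:
    """Return findings at or above `threshold`, one entry per affected package.

    `report` is the parsed output of `npm audit --json` (auditReportVersion 2):
    report["vulnerabilities"] maps package name -> {severity, range, isDirect,
    fixAvailable, via, ...}.
    """
    min_rank = SEVERITY_ORDER.index(threshold)
    found = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        if SEVERITY_ORDER.index(sev) >= min_rank:
            found.append({
                "package": name,
                "severity": sev,
                "range": vuln.get("range", ""),
                "direct": bool(vuln.get("isDirect", False)),
                # fixAvailable is either a bool or an object describing the fix;
                # both are truthy when some fix exists.
                "fix_available": bool(vuln.get("fixAvailable", False)),
            })
    # Worst first, so the log shows the most urgent item at the top.
    found.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]), reverse=True)
    return found


def gate(report: dict, threshold: str = "high") -> int:
    """Return the process exit code: 0 = pass, 1 = block the merge."""
    findings = blocking_findings(report, threshold)
    if not findings:
        print(f"npm audit gate: no findings at or above '{threshold}'")
        return 0
    print(f"npm audit gate: {len(findings)} finding(s) at or above '{threshold}':")
    for f in findings:
        kind = "direct" if f["direct"] else "transitive"
        fix = "fix available" if f["fix_available"] else "NO fix available"
        print(f"  [{f['severity'].upper():8}] {f['package']} {f['range']} ({kind}, {fix})")
    return 1


# Constructed sample in the shape of `npm audit --json` output (not a real report).
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "critical", "isDirect": True,
            "range": "<2.0.1", "fixAvailable": True,
            "via": [{"title": "Prototype pollution"}],
        },
        "example-template": {
            "name": "example-template", "severity": "high", "isDirect": False,
            "range": "<=1.4.0", "fixAvailable": False, "via": ["example-parser"],
        },
        "example-logger": {
            "name": "example-logger", "severity": "moderate", "isDirect": True,
            "range": "<3.2.0", "fixAvailable": True, "via": [{"title": "ReDoS"}],
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 3}},
}

if __name__ == "__main__":
    # Real use: `npm audit --json > audit.json || true; python audit_gate.py < audit.json`.
    # `--sample` runs the constructed report above instead of reading stdin.
    data = SAMPLE_REPORT if "--sample" in sys.argv else json.load(sys.stdin)
    sys.exit(gate(data))
```

Two practical notes: `npm audit` itself exits non-zero when it finds anything, so in a workflow step running under `bash -eo pipefail` the report should be written to a file first (as in the comment above) rather than piped straight into the script, and npm's own `--audit-level=high` flag already provides the exit-code behaviour; the script's value is the per-package listing with fix availability. For "not merged into the main branch" to actually hold, the workflow job must also be configured as a required status check in the repository's branch protection rules, otherwise a failed run can be merged around.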
Change Management
These are our standard Change Control and Release Management steps and procedures:
- All code changes for new developments, improvements, and bug fixes are organized, prioritized, and tracked as “Release Versions” in our internal tracking system (Atlassian Jira).
- All development work and related code changes derive from these planned Jira releases. We manage all code changes through a version control system (GitHub), which allows the history and content of every change to be reviewed.
- When an engineer completes a code change, a pull request (PR) is created that requires two additional approvers.
- Once peer-approved, the branch is then merged and promoted to an internal staging environment for extensive testing.
- Each story, improvement, or bug fix is tested individually as part of the definition of done. Once everything is approved in the staging environment, a Release Candidate (RC) version is generated and deployed into our internal Release Candidate (RC) testing environment.
- This Release Candidate (RC) with the entire set of features is also tested separately, and again, each story, improvement, or bug fix is tested individually as part of the definition of done with additional exploratory testing.
- The release of the tested Release Candidate (RC) to Production is done only after we ensure the version is stable and reliable for our customers.
- Changes are finally promoted to Production, and immediately after the deployment “post-install tests” are executed to verify that the roll-out succeeded.
- Each deployed version includes Release Notes that indicate which changes are part of the release directly in the “Versions” tab on each app Marketplace Page.
Incident Management
We follow Atlassian’s App Security Incident Management Guidelines for handling vulnerabilities discovered in our apps, including Atlassian’s required timeframes for resolving vulnerabilities at each severity level.
The steps below represent a high-level overview of our app’s security incident management procedures:
- We are constantly monitoring our environment and infrastructure, and we always have at least one Engineer “on call” in case of need.
- If an issue is identified and classified as a security breach, we’ll immediately set up an incident response team responsible for handling the situation.
- We’ll assess the severity of the security breach or vulnerability using CVSS v3 scoring.
- We’ll determine the root cause, for how long the issue might have been present, and which users were affected (if any).
- If we need any support from Atlassian, we’ll notify and create a Security Incident Ticket with Atlassian Support (no later than 24 hours).
- We’ll work with all team members required (from Engineering, Security, and Support) to resolve the issue following the remediation dates and SLAs defined in the Atlassian Security Bugfix Policy.
- Depending on the context and the potential impact on affected customers, we will send them a notification email within 48 hours, informing them about the security breach, the action plan, and the respective SLAs to resolve the issue.
- We’ll resolve, test, publish the security fix, and take corrective actions to prevent similar incidents from happening in the future.
- We’ll notify Atlassian Support, close the ticket, and inform the affected customers (if applicable).
If you notice a vulnerability in one of our products, please notify us immediately so we can address the issue as quickly as possible. Any vulnerability, concern, or incident can be reported either on the support portal or by email to [email protected]
ATLASSIAN SECURITY PROGRAMS
In addition to our secure development, change management, and incident management practices, Mindpro adheres to all of the security requirements enforced by Atlassian for cloud apps, as outlined in the section below:
Atlassian – Standard Security Programs and Initiatives:
- App Security Requirements – Cloud App Security Requirements are a set of mandatory requirements Atlassian defined for all Marketplace Partners. Atlassian audits Marketplace Partners against these requirements yearly to ensure they adhere at all times. Mindpro fulfills these security requirements and passes the audit successfully every year.
- Ecoscanner – Ecoscanner is Atlassian’s platform to perform security checks against all Atlassian Marketplace cloud apps on an ongoing basis. Mindpro cloud apps are continuously monitored by Ecoscanner. This process brings possible vulnerabilities to light very early so we can address them before they cause any damage.
- Vulnerability Disclosure – The Vulnerability Disclosure Program is a reporting platform run by Atlassian, providing a safe and effective way for Atlassian, customers and security researchers to report vulnerabilities. Mindpro cloud apps are participating in this program.
- Security Bug Fix Policy – The Security Bug Fix Policy defines specific Security Bug Fix SLAs that all Marketplace Partners are expected to meet. This is to ensure cloud app vulnerabilities are addressed promptly and eventually fixed. Mindpro adheres to these SLAs.
Atlassian – New Security Programs and Initiatives:
As part of Atlassian’s ongoing efforts to provide an even higher level of trust and security in the Atlassian Marketplace, Mindpro and all other Marketplace Vendors have adopted new mandatory security questionnaires and processes, effective 2025:
- Security Badge “Runs on Atlassian” – A new Marketplace security badge awarded by Atlassian for Forge apps that only use Atlassian-hosted compute and storage, provide data residency in the same regions as Atlassian apps, and allow customers to control data egress. All of our Forge apps (Insights, Lineup, Graphy, and Dashio) have earned this badge, and they are continually monitored via automation to verify that all qualifications are continuously met.
- Forge and SOC 2 Compliance – Atlassian’s Forge platform is now SOC 2 certified, which means that cloud apps built on Forge can inherit security controls that help satisfy up to 30% of SOC 2 requirements. Important: SOC 2 control inheritance only applies to cloud apps whose data resides within the Forge boundary. All of our Forge apps (Insights, Lineup, Graphy, and Dashio) keep their data within that boundary and therefore qualify.
- Security Questionnaire for Marketplace Partners – Atlassian has partnered with a third-party vendor to conduct Know Your Customer (KYC) and Know Your Business (KYB) verifications. All partners are required to complete this process when onboarding new apps to the Marketplace.
- Security Questionnaires for Marketplace Apps – As part of Atlassian’s app review process, partners must complete an app-specific security questionnaire to confirm compliance. These measures reflect industry best practices and significantly reduce security risk.
- Privacy & Security Tab for Cloud Apps – A new set of mandatory questions has been introduced for the Privacy & Security Tab in every cloud Marketplace app. To increase visibility on security indicators for our customers, Mindpro constantly keeps all of this information up-to-date.
- Security Workflow for App Approval – To uplift the security baseline for all Marketplace apps, Atlassian has introduced new security checks for onboarding apps and publishing new app versions. Automated vulnerability scanning will be implemented during app onboarding and review processes. Any detected critical severity vulnerabilities must be resolved prior to completing the app review. All new apps launched by Mindpro will participate in this new workflow.
DATA MANAGEMENT
Each product requires access to and storage of a specific set of data. The methods for storing, managing, and recovering this data vary depending on the Atlassian development platform used to build the app, either 1) Atlassian Connect or 2) Atlassian Forge.
See below for more details about how each product’s data is handled according to each of these platforms:
1.0) – Data Storage in Connect Apps
We build certain Atlassian Marketplace apps using Atlassian Connect, a robust development framework for extending cloud products in the Atlassian Marketplace. Currently, we have two apps running on this platform: Sync and Deliver:
- Our apps running on Atlassian’s Connect platform store and manage their data in Mindpro’s own cloud infrastructure, which runs on AWS.
- Our Amazon RDS database is hosted in the AWS US East (N. Virginia) region; the legal jurisdiction of the operating entity is Brazil.
- All data is encrypted at rest using AES-256. High-risk data has additional layers of encryption applied on top of the storage-level encryption.
- AWS data centers are SOC 2 compliant and hold a wide range of industry-specific compliance certifications, which cover security controls including physical and environmental security. See Amazon AWS Cloud Compliance for details.
- The Mindpro team accesses application data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request for support purposes.
- Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA).
- All employee access to systems is logged and audited for security purposes. As part of their employment contract, all Mindpro employees must sign Confidentiality Agreements and Non-Disclosure Agreements.
1.1) – Data Management in Connect Apps
To give you a better understanding of what data we access and store when using our Connect apps, use the following product links below:
1.2) – Data Recovery in Connect Apps
Our Connect apps are hosted and managed by Mindpro on AWS. This means backup and recovery processes are fully under our control, aligned with our own security policies and AWS best practices. We have structured a series of measures to guarantee your data’s backup and recovery in extreme events. See how Mindpro backs up Connect app data:
- We are fully hosted on AWS and benefit from the expertise and high availability its infrastructure provides. Additionally, we have redundancies built in to keep the application running in the event of an outage within the region.
- Our Recovery Time Objective (RTO) is 1 hour, and our Recovery Point Objective (RPO) is 24 hours, matching the daily snapshot cadence described below. Recovery scripts are in place and can rebuild the service in another AWS region if our primary region suffers a severe outage.
- We take snapshots of the AWS RDS databases every 24 hours for backup and redundancy in case of failure, and we can restore customer data from any of the last 7 days of stored backups.
- Data remains recoverable for up to 90–180 days after it is deleted or the app is uninstalled; after you uninstall the app from your instance, the data stored by the app is automatically deleted between 90 and 180 days after the uninstall.
- Restores are not self-service. If you need to recover Connect app data, contact Mindpro Support immediately after noticing data loss. The Mindpro team will coordinate directly with you to ensure the fastest possible restoration.
2.0) Data Storage in Forge Apps
We build certain Atlassian Marketplace apps using Atlassian Forge, a secure, serverless cloud development platform hosted by Atlassian. Currently, we have four apps running on this platform: Insights, Lineup, Graphy and Dashio:
- These Forge apps run on Atlassian’s cloud infrastructure (hosted by Atlassian itself). Forge apps’ data and execution are managed within Atlassian’s environment, meaning Atlassian handles much of the underlying availability and security.
- The application code is deployed to Atlassian’s servers (in an isolated container or function), and any customer data the Forge app stores is kept in Atlassian’s Forge storage, which Atlassian manages.
- The region of hosting for Forge apps is determined by Atlassian based on the customer’s Jira Cloud location. Atlassian has multiple regions (US, EU, etc.) and data residency options. Mindpro Forge apps automatically comply with those (e.g., if a customer’s Jira site is in EU, Atlassian will host that Forge app’s data in the EU region).
2.1) Data Management in Forge Apps
To give you a better understanding of what data we access and store when using our Forge apps, use the following product links below:
2.2) Data Recovery in Forge Apps
Our Forge apps benefit from Atlassian’s disaster recovery and backup processes, which ensure your app data is protected against accidental loss or infrastructure failures. See how Atlassian backs up Forge app data:
- All data stored using Forge’s hosted storage (e.g., Storage API, entity properties) is included in Atlassian’s backup and disaster recovery framework. If the app stores data in product-level storage (e.g., Jira entity properties), that data follows the backup and restore policy of the Atlassian product itself.
- Data remains recoverable for up to 28–30 days after it is deleted or the app is uninstalled. Forge backup restores are only available for the period covered by Atlassian’s retention policy.
- Atlassian does not guarantee recovery for all data loss scenarios (e.g., if data was never stored in Forge hosted storage).
- Restores are not self-service. Atlassian must be contacted to recover lost data. If you need to recover Forge app data, contact Mindpro Support immediately after noticing data loss and the Mindpro team will coordinate directly with Atlassian to ensure the fastest possible restoration.
TECHNOLOGICAL & ORGANIZATIONAL MEASURES (TOM)
Learn about the additional security measures we take to improve our technological and organizational company security. All measures listed below have been implemented and are followed by all our employees:
- All mobile IT assets must have full-disk encryption enabled.
- All employees have a unique username and a password of at least 12 characters.
- All IT assets are network-isolated using VLANs segmented by team or business line.
- All computers lock automatically after 5 minutes of inactivity.
- All computers and servers must have antivirus/endpoint protection active, scanned weekly, and updated daily.
- All computer data and access rights are wiped and revoked when a user is terminated.
- All access to IT assets, computers, applications, and software follows the least privilege required for the business.
- All devices accessing corporate resources or critical systems must have a Mobile Device Management (MDM) agent installed.
- All networks, firewalls, gateways, routers, and assets are monitored by network and host intrusion detection systems.
- All assets must run up-to-date operating systems.
- All systems, applications, firewalls, access, web browsing, and user activity may be monitored and investigated without prior notice.
- All employees must attend annual and recurring Information Security, Cyber Security, and ethics awareness training, acknowledge and accept our terms, and remain vigilant to threats and attacks.
- All assets (servers, workstations, network devices, web applications, etc.) are subject to vulnerability assessments.
- All employee assets are subject to recurring internal audits conducted by the Information Security team.
- Multi-Factor Authentication is enabled for access to critical, confidential, and collaborative corporate systems.
- All operating system patches and updates are applied automatically through our Mobile Device Management (MDM) tooling.
PRIVACY POLICY
Mindpro understands the importance of ensuring the privacy of your personally identifiable information and being legally compliant to privacy laws and regulations. For more information, please see our Privacy Policy.
HOW TO CONTACT US
If you have any questions regarding this document and policy, please do not hesitate to contact us via our support portal or at [email protected]. For any other inquiries, please get in touch at [email protected].