ONETEEM Security Policy

Last updated: 29 September 2025

Applies to: All ONETEEM products and services, including Atlassian Cloud apps and integrations

At ONETEEM, protecting customer data is a core obligation. This policy describes our security program and the technical and organizational measures we use to keep data safe across every product we design, build, and operate.

1) Our security commitments

Protect customer data with industry standard controls and continuous improvement
Collect and process only what is necessary to deliver requested features
Provide clear controls to connect or disconnect integrations and to request deletion
Never sell customer data and never use it for advertising

2) Atlassian partner security assessment

ONETEEM participates in Atlassian partner security assessment activities for Marketplace and Forge based apps
We align with Atlassian’s security expectations, including self assessment, timely vulnerability remediation, and operational controls for cloud apps

3) Governance and people security

Security policies owned by leadership and reviewed at least annually
Defined roles for security, privacy, and incident response
Background checks where permitted by law, confidentiality agreements for all staff with access to customer data
Mandatory security training at hire and annually thereafter

4) Data classification and handling

Data classified as Public, Internal, Confidential, or Restricted
Handling rules and access controls applied per class
Customer data treated as Confidential or Restricted

5) Identity and access management

Role based access control and least privilege by default
Multi factor authentication for all privileged accounts
SSO enforced where supported
Just in time elevation for sensitive operations with logging and regular reviews
Secrets stored in secure vaults. No credentials in source control

6) Product and SDLC security

Secure development lifecycle that includes threat modeling, secure coding standards, and mandatory peer review
Static analysis, dependency scanning, and secrets scanning on every change
Regular dynamic testing of critical paths
Separate dev, staging, and production environments with change approval and rollback plans

7) Platform and infrastructure safeguards

Cloud native architecture with provider controls for isolation, encryption, and monitoring
Network egress allow listing where supported, default deny for sensitive components
Hardened configurations, least privilege service accounts, periodic key rotation
Content Security Policy and secure headers for web surfaces

8) Encryption

TLS for data in transit
Encryption at rest for databases, backups, and object storage

9) Logging, monitoring, and audit

Centralized logs for authentication, authorization, admin actions, and sensitive operations
Time synchronized logging with retention tuned for security investigations
Alerting on anomalies and abuse indicators
Regular access reviews and audit trails for privileged operations

10) Vulnerability and patch management (aligned with Atlassian requirements)

Continuous scanning for code, dependencies, and images
Patch SLAs
- Critical: 72 hours
- High: 7 days
- Medium: 30 days
- Low: next maintenance cycle
Emergency change process for urgent fixes

11) Third party risk and subprocessors

Due diligence and security reviews before engagement
Contracts require confidentiality, minimum security standards, and processing under our instructions
Data shared with subprocessors is limited to what is needed to provide the service
A current list of core subprocessors is available on request

12) Business continuity and disaster recovery

Services deployed on resilient cloud infrastructure with multi AZ capabilities where available
Regular backups of stored application data and configuration
Tested restoration procedures with documented RTO and RPO targets appropriate to each service tier

13) Incident response

Documented plan with clear roles, triage, containment, eradication, and recovery
24x7 on call coverage for critical incidents
Customer notification without undue delay if personal data is affected, and regulatory notifications when required
Post incident reviews with corrective actions tracked to closure

14) Privacy by design and GDPR alignment

Data minimization and purpose limitation applied during design and implementation
Optional features that require broader access are off by default and require explicit opt in
Data Protection Impact Assessments performed where required

15) Data retention and deletion

Integration tokens and metadata retained while connections are active
Operational logs retained for a limited period to support security and support needs
Upon uninstall, disconnection, or a verified deletion request, stored connection data and related app records are removed within our standard deletion window unless law requires longer retention

16) Penetration testing and assessments

Periodic internal testing and independent third party assessments for critical components
Participation in Atlassian partner security assessment activities
Findings tracked to remediation under the patch SLAs above

17) Customer responsibilities

Security is shared. Customers should:

Control who can install and administer apps in their Atlassian sites
Review and approve requested permissions for any integration
Manage user access within their identity provider and Atlassian organization
Keep endpoints patched and protected and use supported browsers
Report suspected security issues immediately

18) Versioning and transparency

Semantic versioning for app releases where feasible
Release notes for material security relevant changes
Material policy changes communicated through official channels

19) Reporting a security issue

If you believe you have found a vulnerability or weakness, contact Data Privacy, Security, and Compliance Request with details and reproduction steps. We will acknowledge receipt, investigate promptly, and keep you informed of progress. Please avoid public disclosure until remediation is available.