Security questionnaires

By giving you access to all of our security and privacy practices on this page and in our Trust Center, we believe you have the information you need to decide whether yasoon apps are a good fit for your company.

To make it even easier for you, we have collected several Q&As on this page for you to browse.

If you still cannot find what you’re looking for, please contact our support team with the missing question and the purchase you are considering.

Customer Access Requirements/Questions for Login/Account management

 

Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?

Not applicable. We do not provide our own user accounts and do not target specifically regulated industries.

Does the system to purchase support MFA enforcement?

We do not operate our own account management. We use Microsoft and Atlassian accounts and inherit all security settings, including MFA enforcement, from Atlassian/Microsoft.

Does the system to purchase support SSO e.g. OKTA ?

Yes, if SSO is configured in Atlassian or Microsoft. In general this is not directly applicable: we do not operate our own account management. We use Microsoft and Atlassian accounts and inherit all security settings from Atlassian/Microsoft.

Does the system to purchase support setting custom complex password policy ?

In general this is not directly applicable: we do not operate our own account management. We use Microsoft and Atlassian accounts and inherit all security settings, including password policy, from Atlassian/Microsoft.


Network


Do you operate a VPN that allows remote access to your network?

Yes

How is access to the VPN authenticated?

User name and password + second factor (e.g. token).

Is it possible for devices that are not owned and managed by your company to connect to your internal network remotely through VPN?

No, this is prohibited by policy.

Is the management of your network (or parts thereof) outsourced?

No.

Do you have a process for installing operating system and application updates and security patches on servers?

Yes, we are very diligent about applying security updates to operating systems and applications.

Do you also have an emergency process for installing patches outside of the regular patching schedule when high-risk vulnerabilities are identified?

Yes, we carefully consider the risk associated with each new vulnerability and decide whether the patch should be deployed outside of the regular schedule.

How do you determine whether your systems are affected by vulnerabilities that require patching?

We use automated security scans to find software that requires patching, and we use the patching mechanisms built into the operating systems (e.g., Windows Update).

Do you test security patches before you deploy them to your production systems?

Yes, for important servers we have systems that we test patches on before deploying them to production.

Are your systems configured to log security-relevant events, such as authentication, data access, etc.?

Yes, we have comprehensive logging, including security events, for all relevant services.

Server/Infrastructure


Operating systems currently in use on your servers:

UNIX-like (including Linux, Solaris, etc.).

Do your administrators have personal user accounts and use sudo when elevated privileges are necessary?

Yes, our administrators use sudo (or a similar tool).

Where is the root password kept? (follow-up question to above)

We keep the root password in a secure location (e.g., in an envelope in a safe). It is retrieved only when absolutely necessary. Processes are in place to ensure accountability, and the password is changed after every use.

Does the Third Party (or sub-processor) ensure the IT Facilities (Data Centre) that holds customer data, is protected against attacks, accidental damage, natural hazards and unauthorised physical access?

Yes. All customer-facing infrastructure is hosted on AWS. Data is stored in Germany. However, our products and services may be provided using resources and servers located in various countries around the world, including the U.S. and other countries. Your information may be transferred to and processed by third parties outside the country where you use our services, including countries outside the European Economic Area (EEA), where the level of data protection may not be deemed adequate by the European Commission (i.e., where you have fewer rights in relation to your information). We expect our third-party service providers to comply with the terms of the European Union’s General Data Protection Regulation (GDPR), and any international data transfers to be made under a recognized basis such as the EU Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision (for transfers to the U.S., the EU-U.S. Data Privacy Framework, which replaced the Privacy Shield invalidated by the CJEU in 2020).

Does the Third Party employ Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), Firewalls and other network security services to protect customer services? Please list all services with vendors.

We have signature- and/or anomaly-based IDS/IPS in place, and sensors are in place at strategic points throughout the network. We have firewalls for filtering all inbound and outbound traffic.

Does the Third Party use documented secure build configs for Operating System (OS) and Databases (DBs) supporting customer data?

Restrictions on software installation: rules governing the installation of software by users are established and implemented in accordance with the Yasoon GmbH Information Security Policy.

Backups


Do you sync data to a different site in near real time?

Yes. If a disaster occurs at one site, very little data will be lost because almost everything will already have been copied to our backup site.

Do you have procedures in place for working with customers to determine an appropriate backup frequency?

No, we have a fixed backup cycle. We confirm that backup services are enabled.

Do you regularly test your backups?

Yes, we test the entire process of recovery, including restoring entire systems from backup.

Do you store backups on disks, tapes, or other kinds of removable media?

Not applicable.

Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

We keep backups of our data, and our backend services are spread across different regions behind a DNS load balancer.

Do you have a retention procedure?

We shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.

Client Workstations


Do you have operating system hardening and/or build standards for client systems?

Yes, all of our client systems are configured according to these standards, and/or they are built from standard images that comply with our hardening guidelines.

Do you have a process for installing operating system and application updates and security patches on client systems?

Yes, we diligently apply security updates to operating systems and applications.

Do you also have an emergency process for installing patches outside of the regular schedule when high-risk vulnerabilities are identified?

Yes, we carefully consider the risk associated with each vulnerability and decide whether the patch should be deployed outside of the regular schedule.

How do you know whether your systems are affected by vulnerabilities that require patching?

We run agents on our client systems that discover which software is installed and report that information back to a central repository, and we use the patching mechanisms built into the operating systems (e.g., Windows Update), relying on auto-update.

Do you have controls in place to protect client devices from malware?

Yes, we regularly scan our client devices for known malware, or limit them to whitelisted software identified by cryptographic hashes.

Which client devices do you currently support?

Windows and non-Windows workstations.

Do you currently have malware protection on client devices?

Yes, on both Windows and non-Windows workstations.

What level of access do regular users have on their workstation/laptop?

Users are local administrators on their machines, since we are a small IT company with only IT-trained employees. We confirm that admin access is reviewed regularly.

Do all workstations/laptops use the same local administrator/root password?

Not applicable.

One major risk factor in many corporate environments is the use of unsupported Operating Systems. Does your company still have systems running unsupported versions?

No, all Operating System versions are supported.

Data Management (see the DPA, Data Processing Addendum, at yasoon.com)


Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

We use Amazon RDS and DynamoDB to store our data. Both are encrypted at rest with AWS KMS keys. We use an up-to-date ORM in our code to prevent SQL injection attacks, and we additionally validate input for consistency.

Do you utilize Data Loss Prevention (DLP) tools via any of the following data transfer methods: email, HTTP/S or portable media?

Yes, for email.

Do you utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory?

Yes

Will you be segregating our data from other customer's data?

No. It is a SaaS application with a single database. All tables have a common "client" column that separates the data of different customers, and tenant scoping is enforced in the ORM layer to guard against developer errors.
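The following is an added illustration of the shared-table, "client"-column model described above; it is not yasoon's code. It shows the guard a practitioner wants in that design: a repository that binds every query to one tenant so the tenant predicate cannot be forgotten, next to the unguarded lookup that would leak another customer's row. The table, tenant names and rows are constructed sample data.

```python
"""Tenant scoping on a shared table (added example, not yasoon's code).

One table, one `client` column. Every read goes through TenantRepo, which
injects `client = ?` itself; the caller never supplies it.
"""
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """In-memory table holding rows of two constructed tenants."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE templates ("
        " id INTEGER PRIMARY KEY, client TEXT NOT NULL, name TEXT NOT NULL)"
    )
    con.executemany(
        "INSERT INTO templates (client, name) VALUES (?, ?)",
        [("acme", "Weekly report"), ("acme", "Incident summary"), ("globex", "Board deck")],
    )
    return con


class TenantRepo:
    """All queries are bound to the tenant fixed at construction time."""

    def __init__(self, con: sqlite3.Connection, client: str):
        if not client:
            raise ValueError("tenant context is required")
        self._con = con
        self._client = client

    def list_templates(self) -> List[str]:
        rows = self._con.execute(
            "SELECT name FROM templates WHERE client = ? ORDER BY id",
            (self._client,),
        ).fetchall()
        return [r[0] for r in rows]

    def get_template(self, template_id: int) -> Optional[str]:
        # The primary key alone is not a valid lookup: the tenant predicate is
        # always ANDed in, so a guessed id owned by another tenant yields None.
        row = self._con.execute(
            "SELECT name FROM templates WHERE id = ? AND client = ?",
            (template_id, self._client),
        ).fetchone()
        return row[0] if row else None


def unguarded_get_template(con: sqlite3.Connection, template_id: int) -> Optional[str]:
    """The developer error the repository exists to prevent: lookup by id only."""
    row = con.execute("SELECT name FROM templates WHERE id = ?", (template_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(TenantRepo(db, "acme").get_template(3))   # None: id 3 belongs to globex
    print(unguarded_get_template(db, 3))            # "Board deck": the cross-tenant leak
```

The point of the pattern is that the tenant id is part of the repository's identity, not a query parameter: an ORM scope or row-level policy that does the same thing is equivalent, and a code review rule that forbids raw table access outside the repository closes the remaining gap.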

Do separate environments exist for development, testing, and production?

Yes.

Is data sanitized for non-production environments?

Yes.

Do you protect test data from unauthorized access and how is the data protected?

Yes, by applying production-like access controls to the test environments.

Do you encrypt data at rest?

Yes. All customer data stored in our environment is encrypted at the data-drive level. In addition, data we consider sensitive (e.g., access tokens), which not even our support staff should be able to read, is encrypted a second time within the database with AES-256.

Data in transit to and from our services is encrypted with TLS 1.2. Our TLS configuration enforces strong ciphers and key lengths where the browser supports them.
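As an added example of the second layer described above (application-level AES-256 on a sensitive column, on top of volume encryption), not yasoon's implementation: the token is encrypted with AES-256-GCM before it is written to the database, and the owning client id is bound in as authenticated data, so a ciphertext copied into another tenant's row, or tampered with, fails to decrypt. It assumes the `cryptography` package; the 32-byte key stands in for one a KMS would hold and is never stored beside the data. The token value and tenant names are constructed.

```python
"""Field-level AES-256-GCM for access tokens (added example, not yasoon's code).

Requires the `cryptography` package (assumed available).
"""
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_VERSION = 1          # lets a later key rotation recognise old rows
NONCE_LEN = 12           # 96-bit nonce, the GCM default


def encrypt_token(key: bytes, client: str, token: str) -> str:
    """Return the string to store: 'v<version>.' + base64(nonce || ciphertext || tag).

    `client` is additional authenticated data: it is not secret, but a row
    decrypted under a different client id fails the tag check.
    """
    if len(key) != 32:
        raise ValueError("AES-256 requires a 32-byte key")
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(key).encrypt(nonce, token.encode("utf-8"), client.encode("utf-8"))
    return f"v{KEY_VERSION}." + base64.b64encode(nonce + ct).decode("ascii")


def decrypt_token(key: bytes, client: str, stored: str) -> str:
    """Inverse of encrypt_token; raises InvalidTag on tampering or wrong client."""
    version, _, blob = stored.partition(".")
    if version != f"v{KEY_VERSION}":
        raise ValueError(f"unsupported key version {version!r}")
    raw = base64.b64decode(blob)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, client.encode("utf-8")).decode("utf-8")


def is_decryptable(key: bytes, client: str, stored: str) -> bool:
    """True only if the row authenticates under this key and client id."""
    try:
        decrypt_token(key, client, stored)
        return True
    except (InvalidTag, ValueError):
        return False


def tamper(stored: str) -> str:
    """Flip one ciphertext byte, to show the tag check rejecting it."""
    version, _, blob = stored.partition(".")
    raw = bytearray(base64.b64decode(blob))
    raw[-1] ^= 0x01
    return f"{version}." + base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    demo_key = os.urandom(32)                       # stand-in for a KMS-held key
    row = encrypt_token(demo_key, "acme", "constructed-oauth-token")
    print(is_decryptable(demo_key, "acme", row))    # True
    print(is_decryptable(demo_key, "globex", row))  # False: bound to the wrong client
    print(is_decryptable(demo_key, "acme", tamper(row)))  # False: tag mismatch
```

A version prefix is cheap and is what makes key rotation a background job rather than a migration; a fresh random nonce per write is required, since GCM loses authenticity as well as confidentiality when a nonce repeats under the same key.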

Which data are stored?

We only store content that has been explicitly created by our apps. The exact data varies with the features used.

We use OAuth 2.0 to obtain access to Microsoft Graph and Jira Cloud.
OAuth 1.0a is used to connect to Jira Data Center.

These tokens are considered extremely sensitive, and we apply additional protection and encryption measures to them.

We store Jira and Microsoft user IDs, as well as display names and email addresses.

We store per-instance data such as the URL and the Jira and app versions. This data also includes an instance-specific secret.

The app has many settings, which are stored in our database.

Some stored data is business data that is not used immediately.
For example, templates defined in our app are stored in our database.

Technical security testing (3rd party penetration tests)


Does an independent third party regularly perform penetration tests on all systems used to provide services to customers?

Yes. We also run a bug bounty program on Bugcrowd to encourage security researchers to look for vulnerabilities and claim bounties for them.

Are you willing to share a management summary of the most recent penetration testing reports?

Yes, if this helps to accelerate the partner audit process, we're willing to share them under NDA.

Are all of your production systems scanned for host-level vulnerabilities?

Yes.

What software or company do you use for vulnerability scans and how often do you run vulnerability scans?

Amazon Inspector. Once per month or more often.

Do you regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner?

Yes.

Which systems are covered by the security scans?

Both internal systems and externally exposed systems are regularly scanned.

What kinds of security testing and security reviews are done?

  • Security code reviews of software developed internally

  • Security design reviews of software developed internally

  • Threat modelling during the design phase of development

What industry-recognised qualifications and experience are held by the people who undertake your security testing?

Software engineer.

Security at the Office


Are all facilities used exclusively by your company, or are some shared?

No, some or all of the facilities are shared with other companies.

How is your physical area separated from other areas of the office facility? Explain how you control access to your area (e.g., door with swipe card and a receptionist).

Electronic access control (like swipe card).

Does your company review the physical and environmental risks that your office facilities are exposed to, and do you have procedures in place to evaluate and, if necessary, address them?

Yes, we do risk assessments to proactively identify risks related to physical and environmental security.

Select the security controls that are in place at all of your offices:

  • Staffed reception desk

  • Guards (shared by entire building)

  • Electronic access control (e.g., swipe cards)

Do you have a written policy that lists the physical security requirements for office facilities?

Yes.

Do you have an auditable process in place for granting and revoking physical access to office facilities?

Yes.

Do you have a clear desk policy that also requires unattended equipment to be appropriately locked down e.g. Screen Lock, securing laptops with a cable etc.?

Yes.

Offices need a lot of networking equipment. If an attacker manages to gain access to such equipment, they could, for example, do a man-in-the-middle attack for all office traffic. It's important to protect access to network equipment like floor distributor switches, office routers, wireless APs, etc.

All of these are well protected and locked away. Only a few IT employees have physical access to networking equipment.

Asset Management


Are all IT assets recorded in an up-to-date inventory? Please describe how IT assets are recorded. (e.g. a central database, excel spreadsheets etc.)

Yes, central database on Vanta.

Do all assets maintained in the inventory have a designated business owner?

Yes.


Personnel Security


Do you have written job descriptions for employees with access to confidential or sensitive information?

Yes

Do you have processes in place to ensure that access to data is granted solely on a "need-to-know" basis, in accordance with the job descriptions and responsibilities of users? Do these processes also revoke access when the need no longer exists?

Yes

Do you have a disciplinary process in place for handling policy violations?

Yes

Do you have processes in place to make sure access (both physical and logical) is revoked when an employee, intern, vendor, contractor, or other associate leaves the company or a contract ends? Note that in many cases it is not sufficient to just disable the main LDAP or Active Directory account. Many employees have access to information that is governed by additional credentials, such as data in software-as-a-service applications.

Yes

Do you require temps, interns, and contractors to undergo security and privacy training?

Yes

Do you perform background checks for personnel who are entrusted with sensitive information or granted access to sensitive systems?

Yes: CV/resume checks and criminal record checks. We operate under German law, which restricts further background checks.

Is user access based on a defined set of roles?

Yes. Roles are defined in Microsoft Entra ID and tied to the job role. Exceptions are handled via tickets and reviewed at least once a year.

Are the roles defined in a way that ensures segregation of duties? e.g. ensuring someone raising a change cannot also approve it.

Yes.

Security Controls

 

Select the controls you currently maintain as elements of your information security and privacy program:

  • An external policy or notice to the public, users, or customers, describing how you protect the security and privacy of data

  • Written internal policies, guidelines, and documented practices for the safe handling and protection of data

  • Internal audits of the security and privacy program

  • Third-party audits of the security and privacy program

  • A risk assessment and risk management process to regularly review the threats your company is exposed to

  • A program to ensure security in your human resources processes

  • A process to ensure that your service providers and subcontractors are capable of taking appropriate steps to protect sensitive data and systems

  • Processes and procedures to ensure that security incidents are discovered in a timely manner and dealt with effectively

  • A change management process to ensure that all changes to networks, systems, and processes are appropriately reviewed

Audits

How often are internal information security and privacy audits performed?

Quarterly or more often.

Does the scope of your internal assessment include the entire security and privacy program, as well as all operations, services, and systems that involve access to the customer data or systems that are used in this project?

Yes.

How often does an independent third party perform audits of your security and privacy program? (Note: this should not include penetration tests or other technical assessments; rather, it refers to security reviews of your organizational processes, procedures, and policies.)

Annually.

Does the scope of these third party audits include the entire security and privacy program, as well as all operations, services, and systems that involve access to sensitive information or systems?

Yes.

Does the independent audit include checking your company's compliance with any specific information security or privacy standard?

Yes.