Question: Will JSM hold any of my customers PII (personally identifiable information)?

• Jira tickets are initiated by a message on Slack from a client.
• Slack messages of any kind (Jira or otherwise) must never contain sensitive data or PII.
• We trust all clients to ensure that they do not share any sensitive data via email or Slack. This is why we built a more-secure way of sharing data, the Shared Files area in the Ravelin dashboard. This is the only accepted method of sharing sensitive data with Ravelin.
• If PII data is sent in a Slack message by a client we immediately ask them to remove said data.

Question: Where is JSM data stored and what are the existing measures to protect it?

• No sensitive data is stored in JSM.
• JSM data is stored in the US (https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency/)
• As JSM holds no sensitive data, only ticket data, the option to ‘pin’ its data residency does not exist (https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency/#In-scope-product-data).
• Ravelin Platform data remains stored in EU (Belgium).

Question: Is data in JSM encrypted?

• Data in the Ravelin Platform is deployed in a Google Cloud Platform environment. All data that is stored by Google is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256. The cryptographic library used includes Google’s FIPS 140-2 validated module (named BoringCrypto) to implement encryption consistently across Google Cloud. Further details can be found here: https://cloud.google.com/docs/security/encryption/default-encryption
• For JSM, data is deployed in an Amazon Web Services environment. This does not hold any sensitive information. Nevertheless, the data drives on servers that store customer data and attachments in various Atlassian Cloud products, such as JSM, use industry-standard AES-256 full-disk encryption at rest. Further details can be found here: https://www.atlassian.com/trust/security/security-practices#encryption-of-data

Question: What security measures are used to protect our data from Ravelins side?

• All data sent to the Ravelin Platform API must be over a secure connection using the most secure ciphersuites, see https://developer.ravelin.com/api/tls/
• All data within the Ravelin Platform is encrypted at rest by default. See https://cloud.google.com/docs/security/encryption/default-encryption
• All Ravelin Platform data is stored within the EU.
• All Ravelin Platform data is logically separated, with access granted only to API keys with he appropriate privileges.
• All access to the Ravelin infrastructure is protected by strong passwords, automated SIEM notifications, and physical MFA (Yubikey).
• Access into the Ravelin Platform UI is via SSO.