Security

CAIQ Lite v4

Consensus Assessments Initiative Questionnaire — self-assessment based on the CSA Cloud Controls Matrix (CCM) v4 framework.

Last updated: March 26, 2026

Summary of responses
Controls: 46 · Yes: 35 · Partial: 4 · No: 2 · N/A: 5
Compliance rate ((Yes + Partial) / Applicable controls): 95.1%

Important context

SuperTemplates.ai is a Forge-native Jira Cloud app for AI-powered bulk task creation. All compute and data storage runs on Atlassian Forge infrastructure (Forge KVS for storage). SuperTemplates.ai does not operate its own servers, databases, or cloud infrastructure. The only outbound calls from Forge are to AI providers (Vertex AI, Cerebras, or BYOK providers) for task generation, using anonymized data. Many infrastructure-specific controls are marked N/A, as Atlassian Forge provides these controls (SOC 2 Type II, ISO 27001).

AIS · Application & Interface Security

ID · Control · Status
AIS-01

Are secure software development lifecycle (SSDLC) practices applied?

TypeScript strict mode with no-explicit-any ESLint rule. Zod schema validation (34 schema files, 50+ resolver validations). Vitest testing (64 test files across 3 workspaces). Code review via git. Mandatory lint checkpoint after every code change.

Yes
AIS-02

Is automated application security testing performed?

ESLint with TypeScript strict rules blocks unsafe patterns (any, as any). Vitest automated tests cover resolvers and services. No dedicated SAST/DAST tools. Working towards automated security scanning.

Partial
AIS-03

Are APIs designed and deployed with leading security practices?

Forge resolvers validate all input with Zod .safeParse(). All external API calls use HTTPS exclusively. API keys stored via storage.setSecret() (Forge encrypted storage). Bearer token authentication for AI providers. Edition-gating restricts sensitive operations to Advanced license.

Yes
AIS-04

Are application security risks formally assessed?

Security audit covering manifest scopes, dependency vulnerabilities, entity storage, and egress review. asApp() vs asUser() audit performed. Identified vulnerabilities tracked with action items. Customers report concerns to security@supertemplates.ai.

Yes

AAC · Audit Assurance & Compliance

ID · Control · Status
AAC-01

Are independent audit assessments conducted at least annually?

As an independent startup, SuperTemplates.ai does not currently undergo third-party security audits (e.g., SOC 2, ISO 27001). Internal security reviews are conducted regularly. Third-party audits will be pursued as the business scales. The app inherits Atlassian Forge’s SOC 2 Type II and ISO 27001 certifications for platform-level controls.

No
AAC-02

Are risk-based corrective actions tracked to closure?

Findings from internal security reviews are tracked with action items. Dependency vulnerabilities tracked with severity and remediation steps. Customer-reported issues addressed through support channels.

Yes

BCR · Business Continuity

ID · Control · Status
BCR-01

Is a business continuity plan established?

Source code in Git with multiple remotes. App runs on Atlassian Forge (Atlassian handles infrastructure BC/DR). No formal written BCP document. App is stateless — Forge KVS handles data persistence with Atlassian’s redundancy guarantees.

Partial
BCR-02

Are business continuity plans tested?

No formal BC testing performed. Reliance on Atlassian Forge infrastructure redundancy. Will formalize BC testing as the business scales.

No
BCR-03

Are redundant systems maintained for critical operations?

Source code in Git version control with remote backups. All persistent data in Forge KVS (Atlassian-managed redundancy, AWS infrastructure). No external databases — single storage layer reduces failure modes.

Yes

CCC · Change Control & Configuration

ID · Control · Status
CCC-01

Are change management policies followed?

All changes tracked in Git version control. ESLint + Prettier enforce code standards. TypeScript strict compilation. Mandatory lint checkpoint after every code change. Changes documented in commit messages.

Yes
CCC-02

Is risk assessment performed before deployment?

Tripwire system requires evidence before editing shared files. Preflight evidence (target, entry, scope) required for non-trivial edits. Impact analysis for shared components. Blast radius assessment before deploying.

Yes
CCC-03

Are configuration management practices applied?

Build configurations version controlled. Manifest versioned in Git. Release builds follow repeatable process. Environment-specific configs managed separately.

Yes

CEK · Cryptography & Encryption

ID · Control · Status
CEK-01

Are cryptographic controls implemented to protect data?

All external API calls use HTTPS exclusively (TLS 1.2+). AES-256 encryption at rest via Atlassian Forge infrastructure. API keys encrypted via storage.setSecret(). SHA-256 hashing for analytics identifiers. U-code pseudonymization before AI provider calls.

Yes
CEK-02

Are encryption key management procedures established?

BYOK API keys managed by site administrators via admin panel. Keys stored in Forge encrypted secrets storage. Admins can add, revoke, and rotate keys. Platform-owned keys managed via Forge environment variables.

Yes
CEK-03

Are industry-standard cryptographic algorithms used?

TLS 1.2+ for all connections (Forge runtime enforces). AES-256 at rest (Atlassian Forge infrastructure). SHA-256 for analytics hashing. All AI provider connections over HTTPS. No deprecated protocols used.

Yes

DCS · Datacenter Security

ID · Control · Status
DCS-01

Are physical security controls implemented?

SuperTemplates.ai does not operate datacenters or servers. The app runs entirely on Atlassian Forge (sandboxed cloud runtime). Atlassian maintains SOC 2 Type II and ISO 27001 certifications covering physical infrastructure security.

N/A

DSP · Data Security & Privacy

ID · Control · Status
DSP-01

Are data classification and handling policies established?

AI Data Processing Policy classifies data into: sent to AI (prompts, pseudonymized names, field metadata), NOT sent (account IDs, emails, credentials, existing issue content), and analytics (anonymized). Clear data flow documented.

Yes
DSP-02

Are data privacy policies aligned with regulations?

Published Privacy Policy (GDPR, CCPA, EU AI Act compliant), DPA (GDPR Article 28), Terms of Service. PostHog EU instance for analytics. Admin toggle to disable all analytics egress.

Yes
DSP-03

Are procedures in place for secure data disposal?

Cerebras (Advanced tier): zero data retention. Vertex AI: no training on API data, up to 90-day abuse monitoring retention (opt-out available with BYOK). Prompt logs: 30-day configurable retention in Forge KVS. Forge KVS: data deleted on app uninstall. No external databases to dispose.

Yes
DSP-04

Are data retention policies defined?

Cerebras (Advanced tier): zero retention. Vertex AI: no training, up to 90-day abuse monitoring retention (opt-out with BYOK). BYOK providers (OpenAI, Anthropic, Gemini): per provider API terms, no training on API data. Prompt logs: 30-day retention (Forge KVS). Templates/preferences: persisted in Forge KVS until uninstall. Analytics: PostHog EU retention per their policy. All documented in Privacy Policy.

Yes
DSP-05

Is personal data processed in accordance with legal requirements?

GDPR compliance: DPA available, U-code pseudonymization, data minimization, admin controls. Processing limited to task generation prompts. No existing Jira issue content sent to AI. Admins control which models are available and can disable analytics.

Yes

GRC · Governance, Risk & Compliance

ID · Control · Status
GRC-01

Is an information security management programme established?

Security policy published at supertemplates.ai/security. Internal security reviews documented. No formal ISMS framework (ISO 27001). Security considerations integrated into development workflow via automated checks and mandatory lint checkpoints.

Partial
GRC-02

Are roles and responsibilities for security defined?

Founder/developer with direct accountability for all security decisions. Security contact: security@supertemplates.ai. 2-business-day acknowledgment commitment.

Yes
GRC-03

Is a risk management process implemented?

Risks identified through security audits, dependency vulnerability tracking, and incident documentation. Tripwire system prevents high-risk code changes without evidence.

Yes
GRC-04

Are legal/regulatory requirements identified?

GDPR, EU AI Act, CCPA, Atlassian Marketplace requirements tracked. Published Privacy Policy, DPA, Terms of Service.

Yes

HRS · Human Resources Security

ID · Control · Status
HRS-01

Are background checks performed?

Solo founder/developer operation. No employees or contractors with system access. Will implement background checks when hiring.

N/A
HRS-02

Is security awareness training provided?

Developer maintains current knowledge of security threats, secure coding practices (TypeScript strict mode, Zod validation, OWASP awareness), and data protection requirements.

Yes
HRS-03

Are access rights revoked on termination?

Solo operation. No termination scenarios currently. Will implement offboarding procedures when team grows.

N/A

IAM · Identity & Access Management

ID · Control · Status
IAM-01

Is a formal user access management process implemented?

Forge handles user authentication via Atlassian OAuth. App access controlled by Jira site admin installation. BYOK key management gated to Advanced edition. Admin panel restricted to site administrators.

Yes
IAM-02

Is MFA enforced for critical systems?

MFA enabled for: GitHub (source code), Atlassian Developer Console (app management), Google Cloud (Vertex AI), and all cloud provider accounts. Forge runtime authentication handled by Atlassian (supports customer MFA policies).

Yes
IAM-03

Are access rights reviewed regularly?

Jira scope audit performed — all 11 scopes verified as least-privilege. No over-permissioning detected. Egress domains reviewed and documented.

Yes
IAM-04

Are unique user identifiers assigned?

Forge provides unique accountId per Atlassian user. No shared accounts. App uses U-code system for pseudonymized AI processing. PostHog uses SHA-256 hashed accountIds.

Yes

IVS · Infrastructure & Virtualisation

ID · Control · Status
IVS-01

Are network security controls implemented?

SuperTemplates.ai does not operate cloud infrastructure. Forge runs in Atlassian’s sandboxed cloud environment with network isolation enforced by the platform.

N/A
IVS-02

Is network architecture designed with security zones?

Forge provides sandboxed execution environment. No customer-managed network infrastructure. Atlassian handles network segmentation and security zones.

N/A

LOG · Logging & Monitoring

ID · Control · Status
LOG-01

Are logging and monitoring capabilities implemented?

Forge runtime logging for system events. PostHog EU for anonymized product analytics (admin-toggleable). Abuse detection system monitors suspicious bulk operations. Prompt logger stores metadata to Forge KVS (30-day retention). Console logs capture metadata (counts, timing) but NOT user prompt content.

Yes
LOG-02

Are logs reviewed and retained adequately?

Prompt logs: 30-day retention in Forge KVS. Analytics: PostHog EU retention. Forge platform logs: Atlassian-managed. Abuse detection logs in Forge KVS for admin review.

Yes

SEF · Security Incident Management

ID · Control · Status
SEF-01

Is an incident response plan established?

Published at supertemplates.ai/security: 72-hour breach notification to affected administrators, 2-business-day acknowledgment for security reports, security@supertemplates.ai contact.

Yes
SEF-02

Are security incidents managed through a defined process?

Security reports via security@supertemplates.ai. Incidents triaged by severity. Critical security patches prioritized. DPA commits to 72-hour notification with disclosure details.

Yes
SEF-03

Are post-incident reviews conducted?

Incidents documented with root cause analysis and preventive measures integrated into development workflow.

Yes

STA · Supply Chain Management

ID · Control · Status
STA-01

Is supply chain risk management implemented?

pnpm for dependency management with lockfile. Dependency audit performed: vulnerabilities identified in transitive dependencies and tracked with severity and remediation steps.

Yes
STA-02

Are third-party components assessed for vulnerabilities?

pnpm audit performed. Vulnerabilities categorized by severity. Risk assessment notes most are transitive/build-only, not shipped to production Forge runtime. Actionable fixes identified.

Yes
STA-03

Are software dependencies documented and tracked?

package.json files for all workspaces. pnpm-lock.yaml ensures reproducible builds. pnpm workspace configuration for monorepo management.

Yes

TVM · Threat & Vulnerability Management

ID · Control · Status
TVM-01

Is a vulnerability management process established?

Vulnerabilities identified through pnpm audit, internal code review, and security audits. All known vulnerabilities categorized with remediation plan.

Yes
TVM-02

Are vulnerability scans/penetration tests performed?

pnpm audit for dependency scanning. ESLint security rules enforced. Internal code review for each change. No formal external penetration testing performed.

Partial
TVM-03

Are security patches applied timely?

Dependency updates tracked. Actionable fixes identified for known vulnerabilities. Atlassian toolkit updates dependent on Atlassian release cycle. Security patches prioritized in development workflow.

Yes

UEM · Endpoint Management

ID · Control · Status
UEM-01

Are endpoint security controls implemented?

Development systems protected with OS security updates and secure configuration. MFA enabled on all critical services. Access to development environments restricted to authorized devices.

Yes

Notes

  • N/A responses reflect that SuperTemplates.ai runs on Atlassian Forge — no owned infrastructure, servers, or databases.
  • HRS N/A responses reflect solo founder/developer operation.
  • “Partial” responses indicate controls in place but where formalization or additional tooling is being pursued.
  • “No” responses are honest disclosures: no independent audits (AAC-01) and no formal BC plan testing (BCR-02). These are typical for early-stage startups. The app inherits Atlassian Forge’s SOC 2 and ISO 27001 certifications for all platform-level controls.
  • This questionnaire is reviewed and updated annually or when significant changes occur.

Security Contact

For security questions or to request additional documentation: security@supertemplates.ai