Orbiscend CAIQ (Lite)

Our security posture, answered against the CSA Consensus Assessment Initiative Questionnaire (CAIQ) — covering Aevon Timesheets, Argon, AgentGate, and Spectra.

CSA CAIQ v4 · Cloud Controls Matrix v4.0 (Lite self-assessment) · Last reviewed: 2026-06-02

How to read this assessment

All four apps are Forge-native Jira apps: they run on Atlassian’s managed infrastructure, store data only in Atlassian Forge storage and native Jira, and make no calls to third-party services from within the apps. Under the cloud shared-responsibility model, many infrastructure and platform controls are inherited from Atlassian; the rest are owned by Orbiscend.

The first section below covers company-wide answers (governance, incident response, supplier management, etc. — the same for every Orbiscend app). The second section shows per-product details (scopes, data, audit trails, CI scanning specifics) — pick a product to view its specifics.

Response

YesPartialPlannedN/A

“Planned” means a control we are actively standing up, not yet operational.

Accountable party

Inherited · AtlassianOrbiscendShared

Inherited controls are attested by Atlassian’s own certifications.

Orbiscend (company-wide)

Answers that apply to all Orbiscend Forge apps — governance, HR, incident response, inherited Atlassian platform controls, suppliers, workstations, and so on.

60 questions across 15 domains:
A&A-01

Are independent audit or assessment reports (e.g., SOC 2, ISO 27001) available for the infrastructure the service runs on?

YesInherited · Atlassian

All apps run on Atlassian Forge. Atlassian maintains SOC 2 Type II, ISO 27001/27017/27018/27701, PCI DSS, and CSA STAR Level 2. Reports via the Atlassian Trust Center.

A&A-02

Does the vendor hold its own independent third-party security certification for the application?

NoOrbiscend

Orbiscend does not hold a separate certification. As a Forge-native vendor with no infrastructure of its own, it relies on Atlassian’s platform attestations; app-level controls are documented in this self-assessment.

A&A-03

Is a self-assessment against a recognized security framework performed?

YesOrbiscend

This CAIQ (CSA CCM v4) is our self-assessment. Orbiscend has also completed Atlassian’s Marketplace Security Self-Assessment Program.

A&A-04

Are assessment scope and results reviewed at planned intervals?

PartialOrbiscend

Atlassian renews its platform attestations annually. Orbiscend reviews this self-assessment at least annually and on material change.

BCR-01

Is there a business continuity / disaster recovery program for the service?

YesInherited · Atlassian

Availability, redundancy, and disaster recovery are provided by Atlassian’s Forge platform on AWS (multi-AZ). See the Atlassian Trust Center.

BCR-02

Are backups performed and tested?

YesInherited · Atlassian

Persistent data lives in Atlassian-managed Forge storage and native Jira; backup and restore are operated by Atlassian. Orbiscend stores no separate copy.

BCR-03

Does the vendor maintain resilience for its own operations (e.g., source code)?

YesOrbiscend

All application source is version-controlled in GitHub. The apps are stateless beyond Forge storage and can be re-deployed from source at any time.

BCR-04

Are recovery objectives (RTO/RPO) defined?

YesShared

Defined and published. RTO: 1 business day — the apps are stateless and re-deployable from source via Forge, with near-immediate rollback to a prior version. RPO ≈ 0 for app-managed data — Orbiscend keeps no separate copy; data persists in Atlassian Forge storage and native Jira, whose durability and backup are Atlassian’s responsibility.

CCC-01

Are changes managed through a defined change-control process?

YesOrbiscend

Changes flow through Git with pull requests and review before merge to main.

CCC-02

Are changes tested before production deployment?

YesOrbiscend

Automated tests (unit, integration, and e2e where applicable) and a Forge development/staging environment are used before any production deploy.

CCC-03

Is there separation between development and production environments?

YesShared

Forge provides distinct development, staging, and production app environments; production deployments are explicit and versioned.

CCC-04

Can changes be rolled back if needed?

YesShared

Forge supports versioned deployments and rollback; Git history enables reverting any change to source.

CCC-05

Are configuration baselines and least-privilege scopes maintained?

YesOrbiscend

Each app requests only the minimum Atlassian scopes required (documented per-product below). The Forge manifest is the versioned configuration baseline.

CEK-01

Is data encrypted at rest?

YesInherited · Atlassian

Forge storage encrypts data at rest (AES-256) under Atlassian-managed keys.

CEK-02

Is data encrypted in transit?

YesShared

All API traffic uses TLS 1.2+ and Forge enforces HTTPS. The apps make no outbound third-party calls from within the Forge runtime.

CEK-03

Are encryption keys managed securely (generation, storage, rotation)?

YesInherited · Atlassian

Key management is performed by Atlassian’s platform. The apps neither store nor manage cryptographic keys.

CEK-04

Do the applications store any secrets or credentials?

NoOrbiscend

The apps store no passwords, API tokens, or session secrets. User identity is provided by the Forge runtime per request; where AgentGate issues its own tokens, they are stored hashed in Forge SQL with a short TTL.

CEK-05

Are strong, industry-accepted cryptographic algorithms used?

YesInherited · Atlassian

AES-256 at rest and TLS 1.2+ in transit, as provided by the Atlassian Forge platform.

DCS-01

Are datacenters physically secured with access controls and monitoring?

YesInherited · Atlassian

Hosted on AWS via Atlassian Forge. Physical security is managed by Atlassian/AWS (SOC 2, ISO 27001). Orbiscend operates no datacenters.

DCS-02

Is physical access logged and reviewed?

YesInherited · Atlassian

Managed by Atlassian/AWS; see the Atlassian Trust Center and AWS compliance reports.

DCS-03

Are environmental controls (power, fire suppression, cooling) in place?

YesInherited · Atlassian

Provided by AWS datacenters under Atlassian’s platform.

DCS-04

Is hardware securely decommissioned and media sanitized?

YesInherited · Atlassian

Managed by Atlassian/AWS media-handling and decommissioning processes.

DSP-01

Is customer data segregated between tenants?

YesInherited · Atlassian

Forge provides per-installation data isolation; app storage is scoped to each Jira site/installation.

DSP-02

Are any third-party data subprocessors used to process app customer data?

NoOrbiscend

None of the covered Forge apps send customer data to third-party subprocessors. Customer data remains within Atlassian (Forge storage / native Jira). Orbiscend uses company-level providers (Cloudflare for website hosting, Proton for business email, Anthropic/Claude for development AI with no customer data) — none of which receive Forge-app customer data.

DSP-03

Is data retention and deletion defined?

YesShared

Atlassian governs the data lifecycle; app data in Forge storage is removed per Atlassian’s processes when the app is uninstalled. Orbiscend retains no separate copy.

DSP-05

Can data-subject requests (access, deletion) be honored (e.g., GDPR)?

YesOrbiscend

Orbiscend OÜ is EU-based. Worklog, approval, and audit data live in the customer’s own Jira / Forge storage and can be exported or deleted there. Requests are supported via privacy@orbiscend.com.

DSP-06

Is data residency controlled?

YesInherited · Atlassian

Forge storage follows the data residency of the customer’s Jira Cloud instance/region, as configured in Atlassian.

GRC-01

Is there a documented information security policy?

YesOrbiscend

Orbiscend maintains a documented Information Security Policy, approved by the founding team, covering governance, access control, data protection, risk management, incident response, and supplier management. Available to customers and prospects on request.

GRC-02

Is security ownership and accountability assigned?

YesOrbiscend

Security accountability rests with the founding team — Orbiscend is operated by its 3 co-founders, with no other employees or contractors.

GRC-03

Are security risks assessed and managed?

YesOrbiscend

Risk management is documented in our Information Security Policy. The risk surface is intentionally small (no egress from the apps, no subprocessors in the app data path, no own infrastructure); the founding team reviews it on a defined cadence and on material change.

GRC-04

Is compliance with applicable legal/regulatory requirements (e.g., GDPR) maintained?

YesOrbiscend

GDPR-aligned as an EU company: a DPA is available, no subprocessors are used for app customer data, and data minimization is applied by design.

GRC-05

Are security policies and this assessment reviewed periodically?

YesOrbiscend

Per the policy’s review section, the Information Security Policy and this assessment are reviewed at least annually and on material change.

HRS-01

Are background checks performed on personnel with access to data?

N/AOrbiscend

Orbiscend is operated by its 3 co-founders, with no employees or contractors. Formal background screening is not performed on the founders themselves, who are the company’s principals.

HRS-02

Are confidentiality / non-disclosure agreements in place?

PartialOrbiscend

Access is limited to the 3 co-founders, who operate under confidentiality understood and practiced within the founding team and applicable legal duties. A formal signed confidentiality agreement is being put in place.

HRS-03

Is security awareness training provided to staff?

N/AOrbiscend

No employees or contractors to train; the 3 co-founders maintain current security practices directly.

HRS-04

Is access revoked promptly on role change or termination?

N/AOrbiscend

No employee lifecycle exists. Access is limited to the 3 co-founders, and all admin accounts are protected by MFA.

IAM-02

Is user identity authenticated by the platform, with no separate app credentials?

YesShared

User identity is established by Atlassian/Forge and provided to the app via a trusted runtime context the client cannot spoof. The apps store no end-user credentials.

IAM-03

Is multi-factor authentication available and used?

YesShared

End-user MFA is enforced by the customer’s Atlassian instance. All of Orbiscend’s own admin accounts (Atlassian, GitHub, email) use MFA.

IAM-05

Is access reviewed periodically?

YesShared

Role grants and admin permissions are managed by the customer’s Jira admins and visible in Jira’s native screens for review.

IAM-06

Are strong credential practices enforced for the vendor’s own accounts?

YesOrbiscend

All three co-founders’ accounts use unique strong credentials via a password manager, MFA everywhere, full-disk encryption, and auto screen-lock.

IVS-01

Is network security (segmentation, firewalls) in place?

YesInherited · Atlassian

Network controls are managed by Atlassian’s Forge platform on AWS. The apps have no network infrastructure of their own and make no outbound calls from the Forge runtime.

IVS-02

Is workload and tenant isolation enforced?

YesInherited · Atlassian

Forge runs app code in isolated, managed serverless functions with per-installation isolation.

IVS-03

Are systems hardened and patched?

YesInherited · Atlassian

The Forge runtime (Node.js) and underlying infrastructure are maintained and patched by Atlassian.

IVS-04

Is there protection against common network attacks (e.g., DDoS)?

YesInherited · Atlassian

Provided by Atlassian / AWS at the platform edge.

LOG-02

Are logs protected from tampering?

YesInherited · Atlassian

Platform logs are managed and protected by Atlassian’s Forge infrastructure.

LOG-03

Is the service monitored for availability and issues?

YesOrbiscend

Orbiscend actively monitors logs and has historically responded to bugs and customer requests within 8 hours.

SEF-01

Is there an incident response process?

YesOrbiscend

A documented incident-response runbook (in our Information Security Policy) covers detection, triage, containment, customer notification within 72 hours, and post-incident review. Track record: bugs and customer requests addressed within 8 hours.

SEF-02

Is there a channel to report security issues?

YesOrbiscend

Vulnerabilities can be reported to security@orbiscend.com and are triaged promptly.

SEF-03

Are customers notified of breaches in a timely manner?

YesOrbiscend

Orbiscend commits to notifying affected customers of a confirmed personal-data breach within 72 hours, consistent with the DPA and GDPR expectations.

SEF-04

Is platform-level incident detection and response in place?

YesInherited · Atlassian

Infrastructure incident detection and 24/7 response are provided by Atlassian’s Forge platform.

STA-01

Are third-party service providers and subprocessors disclosed and managed?

YesOrbiscend

For all Forge apps, the only provider in the data path is Atlassian (the Forge platform); no subprocessor receives app customer data. Orbiscend’s company-level providers (Cloudflare website hosting, Proton business email, Anthropic/Claude development AI with no customer data) are tracked and managed in our Information Security Policy.

STA-03

Are the platform provider’s security commitments verifiable?

YesOrbiscend

Atlassian’s certifications (SOC 2, ISO, CSA STAR) are publicly verifiable via the Atlassian Trust Center and the CSA STAR registry.

STA-04

Is there transparency about data handling for customers?

YesOrbiscend

Data handling and permissions are documented on the Security page, in the privacy policy, and in this CAIQ.

STA-05

Has the vendor completed the Atlassian Marketplace security review?

YesOrbiscend

Orbiscend has completed Atlassian’s Marketplace Security Self-Assessment Program.

TVM-03

Is penetration testing performed?

PlannedShared

Atlassian penetration-tests the Forge platform. Orbiscend plans to participate in Atlassian’s bug-bounty program (the Cloud Fortified path) for independent app testing.

TVM-04

Is anti-malware / abuse protection in place?

YesInherited · Atlassian

Platform-level protections are provided by Atlassian / AWS. The apps execute no untrusted code from within the Forge runtime.

UEM-01

Are the endpoints used to access systems and data secured?

YesOrbiscend

The 3 co-founders’ workstations — the only access paths — use full-disk encryption, auto screen-lock, MFA, and a password manager.

UEM-02

Is full-disk encryption enforced on endpoints?

YesOrbiscend

Full-disk encryption is enabled on every co-founder’s device used for development and administration.

UEM-03

Are endpoints kept patched and up to date?

YesOrbiscend

The co-founders’ workstation OS and tooling are kept current, and admin access requires MFA.

UEM-04

Is access to production limited to managed, secured endpoints?

YesOrbiscend

Production systems (Atlassian/Forge, GitHub) are accessed only from the co-founders’ secured, MFA-protected workstations.

Per-product details

Answers that genuinely differ between apps — scopes, data handled, in-app audit trails, and CI scanning specifics. Pick a product:

Viewing Aevon TimesheetsTime tracking, approvals, and billing prep. Open product page →

16 questions across 7 domains:
AIS-01

Are applications designed and developed following secure-coding and industry-accepted standards (e.g., OWASP)?

YesOrbiscend

Built on Atlassian Forge (UI Kit / Custom UI) following OWASP-aligned practices. The app makes no outbound network calls, removing an entire class of egress and SSRF risks.

AIS-02

Is input from users and APIs validated to prevent injection and abuse?

YesOrbiscend

Worklog inputs validated against configurable rules. User identity comes from the trusted Forge runtime context and cannot be supplied or spoofed by the client.

AIS-03

Is automated application security testing (SAST/DAST/SCA) performed?

PartialOrbiscend

Dependency scanning (Dependabot + npm audit) is configured in CI; activation is pending GitHub Actions enablement on the org. SAST (Semgrep) and secret scanning (Gitleaks) are configured on a ready PR. TypeScript-strict and ESLint enforced.

AIS-04

Are known vulnerabilities remediated prior to deployment?

YesOrbiscend

Minimal dependency surface (@forge/api, @forge/resolver). Changes pass review and automated tests before deploy; Forge runtime components are patched by Atlassian.

AIS-05

Are application data flows and trust boundaries documented?

YesOrbiscend

All data stays within Atlassian (Forge storage + native Jira worklogs); no third-party egress. Data flows and the permission model are documented internally and summarized here.

DSP-04

What categories of personal data are processed, and are they minimized?

YesOrbiscend

Minimal PII: Atlassian accountId, display name, and (transiently, for notifications) email address. No special-category data. PII is never exported off Atlassian’s platform.

IAM-01

Is access based on least privilege and need-to-know?

YesOrbiscend

Scopes requested: read:jira-work, write:jira-work, read:jira-user, storage:app — the minimum required for timesheet logging, approvals, and per-account routing. Write actions require a valid Marketplace license.

IAM-04

Are privileged and administrative roles controlled?

YesOrbiscend

Three Jira global-permission roles: aevon-admin, aevon-account-admin, aevon-reviewer. Grants are made by Jira site admins via Jira’s global-permissions screen.

IPY-01

Can customers export their data in a standard format?

YesOrbiscend

Time data is stored as native Jira worklogs (accessible via Jira’s standard APIs and UI), and reports can be exported to CSV.

IPY-02

Is data portability preserved if the app is removed (no lock-in)?

YesOrbiscend

Worklogs remain in Jira after Aevon is uninstalled — there is no proprietary data store to migrate out of.

IPY-03

Are standard, documented APIs and protocols used?

YesShared

Uses Atlassian’s documented REST APIs and the Forge platform; no proprietary protocols.

LOG-01

Are security-relevant events logged?

PartialShared

Forge captures platform and function logs; Orbiscend actively monitors application logs. A customer-visible in-app audit trail (who/what/when for approvals) is planned.

LOG-04

Are application-level audit trails available to customers?

PlannedOrbiscend

A customer-visible audit log of approval actions is on the roadmap and is not yet shipped.

STA-02

Is the software supply chain (dependencies) controlled?

PartialOrbiscend

Dependencies are minimal (@forge/api, @forge/resolver) and pinned via lockfile. Dependabot + npm audit gate configured in CI; activation pending GitHub Actions enablement on the org.

TVM-01

Are vulnerabilities identified and remediated on a defined cadence?

PartialShared

Platform vulnerabilities are managed by Atlassian. For the app, dependency (SCA) scanning is configured in CI with Dependabot alerts driving remediation (pending GitHub Actions enablement). SAST and an independent bug bounty are planned.

TVM-02

Is dependency / software composition (SCA) scanning performed?

PartialOrbiscend

Dependabot + `npm audit --omit=dev --audit-level=high` configured in CI; pending GitHub Actions enablement. Dependencies minimal and pinned.

Inherited platform controls

Infrastructure, physical, datacenter, and platform-encryption controls are provided and independently certified by Atlassian. You can verify these directly:

About this assessment

This is a self-assessment by Orbiscend OÜ against the CSA Cloud Controls Matrix v4, not an independent third-party audit. The covered apps (Aevon Timesheets, Argon, AgentGate, and Spectra) are Forge-native Jira apps: they run on Atlassian’s managed infrastructure, store data only in Atlassian Forge storage and native Jira, and do not call third-party services from within the apps themselves. Infrastructure, physical, platform-encryption, and continuity controls are therefore inherited from Atlassian and attested by Atlassian’s own certifications (SOC 2 Type II, ISO 27001/27017/27018/27701, CSA STAR). Answers marked “Partial” or “Planned” describe controls that are configured or in progress but not yet fully operational.

Questions or a full questionnaire?

For a completed CAIQ spreadsheet, a DPA, or any security questions, reach our team at security@orbiscend.com. See also our Security Statement.