Orbiscend CAIQ (Lite)
Our security posture, answered against the CSA Consensus Assessment Initiative Questionnaire (CAIQ) — covering Aevon Timesheets, Argon, AgentGate, and Spectra.
CSA CAIQ v4 · Cloud Controls Matrix v4.0 (Lite self-assessment) · Last reviewed: 2026-06-02
How to read this assessment
All four apps are Forge-native Jira apps: they run on Atlassian’s managed infrastructure, store data only in Atlassian Forge storage and native Jira, and make no calls to third-party services from within the apps. Under the cloud shared-responsibility model, many infrastructure and platform controls are inherited from Atlassian; the rest are owned by Orbiscend.
The first section below covers company-wide answers (governance, incident response, supplier management, etc. — the same for every Orbiscend app). The second section shows per-product details (scopes, data, audit trails, CI scanning specifics) — pick a product to view its specifics.
Response
“Planned” means a control we are actively standing up, not yet operational.
Accountable party
Inherited controls are attested by Atlassian’s own certifications.
Orbiscend (company-wide)
Answers that apply to all Orbiscend Forge apps — governance, HR, incident response, inherited Atlassian platform controls, suppliers, workstations, and so on.
Are independent audit or assessment reports (e.g., SOC 2, ISO 27001) available for the infrastructure the service runs on?
All apps run on Atlassian Forge. Atlassian maintains SOC 2 Type II, ISO 27001/27017/27018/27701, PCI DSS, and CSA STAR Level 2. Reports via the Atlassian Trust Center.
Does the vendor hold its own independent third-party security certification for the application?
Orbiscend does not hold a separate certification. As a Forge-native vendor with no infrastructure of its own, it relies on Atlassian’s platform attestations; app-level controls are documented in this self-assessment.
Is a self-assessment against a recognized security framework performed?
This CAIQ (CSA CCM v4) is our self-assessment. Orbiscend has also completed Atlassian’s Marketplace Security Self-Assessment Program.
Are assessment scope and results reviewed at planned intervals?
Atlassian renews its platform attestations annually. Orbiscend reviews this self-assessment at least annually and on material change.
Is there a business continuity / disaster recovery program for the service?
Availability, redundancy, and disaster recovery are provided by Atlassian’s Forge platform on AWS (multi-AZ). See the Atlassian Trust Center.
Are backups performed and tested?
Persistent data lives in Atlassian-managed Forge storage and native Jira; backup and restore are operated by Atlassian. Orbiscend stores no separate copy.
Does the vendor maintain resilience for its own operations (e.g., source code)?
All application source is version-controlled in GitHub. The apps are stateless beyond Forge storage and can be re-deployed from source at any time.
Are recovery objectives (RTO/RPO) defined?
Defined and published. RTO: 1 business day — the apps are stateless and re-deployable from source via Forge, with near-immediate rollback to a prior version. RPO ≈ 0 for app-managed data — Orbiscend keeps no separate copy; data persists in Atlassian Forge storage and native Jira, whose durability and backup are Atlassian’s responsibility.
Are changes managed through a defined change-control process?
Changes flow through Git with pull requests and review before merge to main.
Are changes tested before production deployment?
Automated tests (unit, integration, and e2e where applicable) and a Forge development/staging environment are used before any production deploy.
Is there separation between development and production environments?
Forge provides distinct development, staging, and production app environments; production deployments are explicit and versioned.
Can changes be rolled back if needed?
Forge supports versioned deployments and rollback; Git history enables reverting any change to source.
Are configuration baselines and least-privilege scopes maintained?
Each app requests only the minimum Atlassian scopes required (documented per-product below). The Forge manifest is the versioned configuration baseline.
Is data encrypted at rest?
Forge storage encrypts data at rest (AES-256) under Atlassian-managed keys.
Is data encrypted in transit?
All API traffic uses TLS 1.2+ and Forge enforces HTTPS. The apps make no outbound third-party calls from within the Forge runtime.
Are encryption keys managed securely (generation, storage, rotation)?
Key management is performed by Atlassian’s platform. The apps neither store nor manage cryptographic keys.
Do the applications store any secrets or credentials?
The apps store no passwords, API tokens, or session secrets. User identity is provided by the Forge runtime per request; where AgentGate issues its own tokens, they are stored hashed in Forge SQL with a short TTL.
Are strong, industry-accepted cryptographic algorithms used?
AES-256 at rest and TLS 1.2+ in transit, as provided by the Atlassian Forge platform.
Are datacenters physically secured with access controls and monitoring?
Hosted on AWS via Atlassian Forge. Physical security is managed by Atlassian/AWS (SOC 2, ISO 27001). Orbiscend operates no datacenters.
Is physical access logged and reviewed?
Managed by Atlassian/AWS; see the Atlassian Trust Center and AWS compliance reports.
Are environmental controls (power, fire suppression, cooling) in place?
Provided by AWS datacenters under Atlassian’s platform.
Is hardware securely decommissioned and media sanitized?
Managed by Atlassian/AWS media-handling and decommissioning processes.
Is customer data segregated between tenants?
Forge provides per-installation data isolation; app storage is scoped to each Jira site/installation.
Are any third-party data subprocessors used to process app customer data?
None of the covered Forge apps send customer data to third-party subprocessors. Customer data remains within Atlassian (Forge storage / native Jira). Orbiscend uses company-level providers (Cloudflare for website hosting, Proton for business email, Anthropic/Claude for development AI with no customer data) — none of which receive Forge-app customer data.
Is data retention and deletion defined?
Atlassian governs the data lifecycle; app data in Forge storage is removed per Atlassian’s processes when the app is uninstalled. Orbiscend retains no separate copy.
Can data-subject requests (access, deletion) be honored (e.g., GDPR)?
Orbiscend OÜ is EU-based. Worklog, approval, and audit data live in the customer’s own Jira / Forge storage and can be exported or deleted there. Requests are supported via privacy@orbiscend.com.
Is data residency controlled?
Forge storage follows the data residency of the customer’s Jira Cloud instance/region, as configured in Atlassian.
Is there a documented information security policy?
Orbiscend maintains a documented Information Security Policy, approved by the founding team, covering governance, access control, data protection, risk management, incident response, and supplier management. Available to customers and prospects on request.
Is security ownership and accountability assigned?
Security accountability rests with the founding team — Orbiscend is operated by its 3 co-founders, with no other employees or contractors.
Are security risks assessed and managed?
Risk management is documented in our Information Security Policy. The risk surface is intentionally small (no egress from the apps, no subprocessors in the app data path, no own infrastructure); the founding team reviews it on a defined cadence and on material change.
Is compliance with applicable legal/regulatory requirements (e.g., GDPR) maintained?
GDPR-aligned as an EU company: a DPA is available, no subprocessors are used for app customer data, and data minimization is applied by design.
Are security policies and this assessment reviewed periodically?
Per the policy’s review section, the Information Security Policy and this assessment are reviewed at least annually and on material change.
Are background checks performed on personnel with access to data?
Orbiscend is operated by its 3 co-founders, with no employees or contractors. Formal background screening is not performed on the founders themselves, who are the company’s principals.
Are confidentiality / non-disclosure agreements in place?
Access is limited to the 3 co-founders, who operate under confidentiality understood and practiced within the founding team and applicable legal duties. A formal signed confidentiality agreement is being put in place.
Is security awareness training provided to staff?
No employees or contractors to train; the 3 co-founders maintain current security practices directly.
Is access revoked promptly on role change or termination?
No employee lifecycle exists. Access is limited to the 3 co-founders, and all admin accounts are protected by MFA.
Is user identity authenticated by the platform, with no separate app credentials?
User identity is established by Atlassian/Forge and provided to the app via a trusted runtime context the client cannot spoof. The apps store no end-user credentials.
Is multi-factor authentication available and used?
End-user MFA is enforced by the customer’s Atlassian instance. All of Orbiscend’s own admin accounts (Atlassian, GitHub, email) use MFA.
Is access reviewed periodically?
Role grants and admin permissions are managed by the customer’s Jira admins and visible in Jira’s native screens for review.
Are strong credential practices enforced for the vendor’s own accounts?
All three co-founders’ accounts use unique strong credentials via a password manager, MFA everywhere, full-disk encryption, and auto screen-lock.
Is network security (segmentation, firewalls) in place?
Network controls are managed by Atlassian’s Forge platform on AWS. The apps have no network infrastructure of their own and make no outbound calls from the Forge runtime.
Is workload and tenant isolation enforced?
Forge runs app code in isolated, managed serverless functions with per-installation isolation.
Are systems hardened and patched?
The Forge runtime (Node.js) and underlying infrastructure are maintained and patched by Atlassian.
Is there protection against common network attacks (e.g., DDoS)?
Provided by Atlassian / AWS at the platform edge.
Are logs protected from tampering?
Platform logs are managed and protected by Atlassian’s Forge infrastructure.
Is the service monitored for availability and issues?
Orbiscend actively monitors logs and has historically responded to bugs and customer requests within 8 hours.
Is there an incident response process?
A documented incident-response runbook (in our Information Security Policy) covers detection, triage, containment, customer notification within 72 hours, and post-incident review. Track record: bugs and customer requests addressed within 8 hours.
Is there a channel to report security issues?
Vulnerabilities can be reported to security@orbiscend.com and are triaged promptly.
Are customers notified of breaches in a timely manner?
Orbiscend commits to notifying affected customers of a confirmed personal-data breach within 72 hours, consistent with the DPA and GDPR expectations.
Is platform-level incident detection and response in place?
Infrastructure incident detection and 24/7 response are provided by Atlassian’s Forge platform.
Are third-party service providers and subprocessors disclosed and managed?
For all Forge apps, the only provider in the data path is Atlassian (the Forge platform); no subprocessor receives app customer data. Orbiscend’s company-level providers (Cloudflare website hosting, Proton business email, Anthropic/Claude development AI with no customer data) are tracked and managed in our Information Security Policy.
Are the platform provider’s security commitments verifiable?
Atlassian’s certifications (SOC 2, ISO, CSA STAR) are publicly verifiable via the Atlassian Trust Center and the CSA STAR registry.
Is there transparency about data handling for customers?
Data handling and permissions are documented on the Security page, in the privacy policy, and in this CAIQ.
Has the vendor completed the Atlassian Marketplace security review?
Orbiscend has completed Atlassian’s Marketplace Security Self-Assessment Program.
Is penetration testing performed?
Atlassian penetration-tests the Forge platform. Orbiscend plans to participate in Atlassian’s bug-bounty program (the Cloud Fortified path) for independent app testing.
Is anti-malware / abuse protection in place?
Platform-level protections are provided by Atlassian / AWS. The apps execute no untrusted code from within the Forge runtime.
Are the endpoints used to access systems and data secured?
The 3 co-founders’ workstations — the only access paths — use full-disk encryption, auto screen-lock, MFA, and a password manager.
Is full-disk encryption enforced on endpoints?
Full-disk encryption is enabled on every co-founder’s device used for development and administration.
Are endpoints kept patched and up to date?
The co-founders’ workstation OS and tooling are kept current, and admin access requires MFA.
Is access to production limited to managed, secured endpoints?
Production systems (Atlassian/Forge, GitHub) are accessed only from the co-founders’ secured, MFA-protected workstations.
Per-product details
Answers that genuinely differ between apps — scopes, data handled, in-app audit trails, and CI scanning specifics. Pick a product:
Viewing Aevon Timesheets — Time tracking, approvals, and billing prep. Open product page →
Are applications designed and developed following secure-coding and industry-accepted standards (e.g., OWASP)?
Built on Atlassian Forge (UI Kit / Custom UI) following OWASP-aligned practices. The app makes no outbound network calls, removing an entire class of egress and SSRF risks.
Is input from users and APIs validated to prevent injection and abuse?
Worklog inputs validated against configurable rules. User identity comes from the trusted Forge runtime context and cannot be supplied or spoofed by the client.
Is automated application security testing (SAST/DAST/SCA) performed?
Dependency scanning (Dependabot + npm audit) is configured in CI; activation is pending GitHub Actions enablement on the org. SAST (Semgrep) and secret scanning (Gitleaks) are configured on a ready PR. TypeScript-strict and ESLint enforced.
Are known vulnerabilities remediated prior to deployment?
Minimal dependency surface (@forge/api, @forge/resolver). Changes pass review and automated tests before deploy; Forge runtime components are patched by Atlassian.
Are application data flows and trust boundaries documented?
All data stays within Atlassian (Forge storage + native Jira worklogs); no third-party egress. Data flows and the permission model are documented internally and summarized here.
What categories of personal data are processed, and are they minimized?
Minimal PII: Atlassian accountId, display name, and (transiently, for notifications) email address. No special-category data. PII is never exported off Atlassian’s platform.
Is access based on least privilege and need-to-know?
Scopes requested: read:jira-work, write:jira-work, read:jira-user, storage:app — the minimum required for timesheet logging, approvals, and per-account routing. Write actions require a valid Marketplace license.
Are privileged and administrative roles controlled?
Three Jira global-permission roles: aevon-admin, aevon-account-admin, aevon-reviewer. Grants are made by Jira site admins via Jira’s global-permissions screen.
Can customers export their data in a standard format?
Time data is stored as native Jira worklogs (accessible via Jira’s standard APIs and UI), and reports can be exported to CSV.
Is data portability preserved if the app is removed (no lock-in)?
Worklogs remain in Jira after Aevon is uninstalled — there is no proprietary data store to migrate out of.
Are standard, documented APIs and protocols used?
Uses Atlassian’s documented REST APIs and the Forge platform; no proprietary protocols.
Are security-relevant events logged?
Forge captures platform and function logs; Orbiscend actively monitors application logs. A customer-visible in-app audit trail (who/what/when for approvals) is planned.
Are application-level audit trails available to customers?
A customer-visible audit log of approval actions is on the roadmap and is not yet shipped.
Is the software supply chain (dependencies) controlled?
Dependencies are minimal (@forge/api, @forge/resolver) and pinned via lockfile. Dependabot + npm audit gate configured in CI; activation pending GitHub Actions enablement on the org.
Are vulnerabilities identified and remediated on a defined cadence?
Platform vulnerabilities are managed by Atlassian. For the app, dependency (SCA) scanning is configured in CI with Dependabot alerts driving remediation (pending GitHub Actions enablement). SAST and an independent bug bounty are planned.
Is dependency / software composition (SCA) scanning performed?
Dependabot + `npm audit --omit=dev --audit-level=high` configured in CI; pending GitHub Actions enablement. Dependencies minimal and pinned.
Inherited platform controls
Infrastructure, physical, datacenter, and platform-encryption controls are provided and independently certified by Atlassian. You can verify these directly:
About this assessment
This is a self-assessment by Orbiscend OÜ against the CSA Cloud Controls Matrix v4, not an independent third-party audit. The covered apps (Aevon Timesheets, Argon, AgentGate, and Spectra) are Forge-native Jira apps: they run on Atlassian’s managed infrastructure, store data only in Atlassian Forge storage and native Jira, and do not call third-party services from within the apps themselves. Infrastructure, physical, platform-encryption, and continuity controls are therefore inherited from Atlassian and attested by Atlassian’s own certifications (SOC 2 Type II, ISO 27001/27017/27018/27701, CSA STAR). Answers marked “Partial” or “Planned” describe controls that are configured or in progress but not yet fully operational.
Questions or a full questionnaire?
For a completed CAIQ spreadsheet, a DPA, or any security questions, reach our team at security@orbiscend.com. See also our Security Statement.