Question 1) Does vendor have an Internal Audit group or Compliance group? Please list name or names of people in that group.
A possible answer: Atlassian does not have a compliance group and will not list people in it. It is not their goal to come across as a secure company. They rather want to be a secure and serious company. They do more than 150M USD in turnover per year and have more than 5 million people using their software. They employ over 700 people and live their values. They have an Atlassian foundation to better the world. But they do not have a dedicated compliance group. I assume that their answer would be: We don't need it. Every employee is an auditor. We all follow our value "Open company, no bullshit".
Question 2) Do you employ a QA process with the development of the code? Explain.
A possible answer: Atlassian is the leading role model for good software development in the industry. They publish a lot of info about their QA and development processes. Here is a good example of how they have all their software integrated to make every change visible and traceable, even on a management level:
English version (development cycle): http://youtu.be/OMLh-5O6Ub8
German version (management & requirements view): http://youtu.be/9TbbD0jB5LE
Atlassian openly communicates about their QA-processes. See here: http://blogs.atlassian.com/2013/12/introducing-atlassian-qa/ http://blogs.atlassian.com/2013/12/jira-qa-process/ http://blogs.atlassian.com/2008/01/setting_up_a_qa_team/
Question 3) Are periodic assessments performed to confirm that customer systems are deployed and maintained within the corporate security standards and policies? If so, how often? Please provide evidence of review if it exists.
A possible answer: Atlassian uses their hosting platform Cloud, and their internal systems maintain a continuous deployment development cycle and make sure that all releases deployed in behind-the-firewall products are well tested and robust. They publicly collect bugs and issues and react very fast to security problems that may occur.
Question 4) How often do you do vulnerability scans both external and internal? What is your process for remediating the vulnerabilities identified?
A possible answer: These two links answer the questions in detail: https://confluence.atlassian.com/display/Support/Atlassian+Security+Policies https://confluence.atlassian.com/display/DOC/Confluence+Security+Overview+and+Advisories
If this information does not cover all of your needs, please feel free to contact us with more specific questions.