Information Security Policy

Smart Guess ehf. | Last Reviewed: February 2026


1. Purpose and Scope

This policy defines the information security practices of Smart Guess ehf., the company behind Smart Guess applications. It applies to all employees, contractors, and systems involved in the development, deployment, and operation of Smart Guess products.

Smart Guess is a software development company that builds exclusively on the Atlassian Forge platform. Smart Guess does not operate its own infrastructure, does not host customer data, and no employee has direct access to customer data. All customer data resides within Atlassian's certified infrastructure under the Atlassian Forge shared responsibility model.


2. Organizational Security

2.1 Infrastructure

  • Smart Guess runs entirely on cloud services. No local infrastructure (servers, data centers) is maintained.
  • The Atlassian Forge platform (hosted on AWS) provides all runtime, storage, and real-time communication infrastructure.
  • Development, staging, and production environments are accessed exclusively through the Forge CLI (command-line interface).
  • Only the development team has access to the Forge CLI.

2.2 Confidentiality

  • Non-Disclosure Agreements (NDAs) are in place for all employees and contractors.
  • Employees are bound by confidentiality obligations covering proprietary code and business information.

3. Access Control

3.1 Authentication

  • Two-factor authentication (2FA) is mandatory to access all services used for work, including but not limited to:
    • Atlassian (Jira, Confluence, Bitbucket)
    • Google Workspace (Drive, Sheets, Documents)
    • Apple, Slack, and other collaboration tools

3.2 Password Management

  • The use of a password manager is mandatory for all employees.
  • All passwords used to access work-related services must be stored in an approved password manager.

3.3 Access Provisioning and Revocation

  • Access is granted based on job requirements (principle of least privilege).
  • No employee has direct access to customer data stored in Atlassian Forge Storage.
  • User login credentials are disabled on the day of employee termination, before end of business.

4. Data Classification and Handling

4.1 Customer Data

  • Smart Guess does not store customer data from customers' Atlassian instances outside of Atlassian's platform.
  • The application retrieves user names and avatars on demand from the Atlassian Jira API, displays them to users during estimation sessions, and never stores them.
  • All persistent app data (estimation session state, card deck configurations) is stored in Atlassian Forge Storage, managed by Atlassian.
  • Smart Guess follows Atlassian's Logging Guidelines for App Developers. Logs contain only application state information needed for debugging production issues — no names, email addresses, usernames, user-generated content, or authorization data is logged. Customers may grant access to logs for troubleshooting purposes.

4.2 Sensitive Data

  • Smart Guess applications are not designed to store or access sensitive personal information such as credit card data, Social Security numbers, financial records, source code, or proprietary algorithms.

4.3 AI Data Handling

  • The Smart Guess Coach feature uses Anthropic's Claude API for process performance analysis and improvements.
  • Only aggregated workflow metrics (cycle time, throughput, WIP limits), issue keys, and workflow state transitions are sent to the AI provider.
  • No issue summaries, issue descriptions, personal information, or proprietary content is sent.
  • Anthropic's commercial API terms prohibit training on customer data.

5. Encryption

5.1 Data in Transit

  • All data transmitted between Smart Guess and Atlassian APIs uses HTTPS/TLS encryption.
  • Real-time collaboration uses Atlassian's Forge Realtime system over encrypted connections.
  • Transport-level encryption is mandatory when sending or receiving files.

5.2 Data at Rest

  • Customer data in Atlassian Forge Storage is encrypted at rest by Atlassian.
  • Full disk encryption is mandatory on all computers used for work by employees.
  • Mobile device encryption is mandatory on employee phones.

5.3 External Devices

  • External storage devices (USB flash drives, DVDs, etc.) are not used.

6. Vulnerability Management

6.1 Continuous Security Testing

  • Snyk Code: Static application security testing (SAST) runs automatically during development to detect security vulnerabilities in real time.
  • Snyk Open Source: Open-source library dependencies are automatically scanned to detect known vulnerabilities proactively.

6.2 Penetration Testing

  • Smart Guess participates in the Atlassian Marketplace Security Bug Bounty Program with a $5,000 USD Bugcrowd reward pool. All Smart Guess applications have been enrolled in the program since 2022. To date, five security issues have been identified by security researchers across all apps. All issues reported in the current year were resolved within hours to days — regardless of severity.
  • Seven independent security researchers installed and tested Smart Guess applications in the last two months alone.

6.3 Security Bug-Fix Policy

Smart Guess follows the Atlassian Security Bug Fix Policy. Reported vulnerabilities are classified using Atlassian Security Severity Levels and resolved according to the following timeframes:

  • Critical: 2 weeks
  • High: 4 weeks
  • Medium: 6 weeks
  • Low: 25 weeks

Critical vulnerabilities trigger an immediate fix release.

6.4 Patch Management

  • Operating systems are updated when updates are made available.
  • A patch process is in place to handle critical security advisory notices for application libraries and components.

7. Incident Response

7.1 Security Incident Management

In case of a security incident, as defined by Atlassian's App Security Incident Management Guidelines, the following process is followed:

  1. Investigate the incident
  2. Notify Atlassian per their incident reporting requirements
  3. Contain the incident
  4. Implement remedial measures
  5. Notify affected customers
  6. Conduct a post-incident review

While the incident is unresolved, the Smart Guess team will be available and active in resolving the issue. For detailed operational procedures including response hours, communication channels, and escalation workflows, see the Incident Management Policy.

7.2 Escalation

  • Data breaches are escalated to the Data Protection Officer.
  • Security contact: security@smartguess.is

7.3 Monitoring and Alerting

  • Atlassian Developer Console: Invocation success rate monitored for all backend function calls. Alert triggered when success rate drops below 99%.
  • Automated Synthetic Tests: Run once a day on a Jira development instance. Notifications sent automatically on test failure.
  • Out-of-hours: Critical issues trigger automated alerts via email and Slack push notifications.

8. Change Management

8.1 Release Management Process

Feature development:

  1. Planning: Features prioritized in product backlog; epics broken into stories.
  2. Development: Work done on feature branches. Product code and unit tests developed in parallel.
  3. Code Review: Pull requests created in Bitbucket. Code review must be completed and integration tests must pass before merge.
  4. Testing: Quality control runs agreed test cases. Regression tests run on release candidates.
  5. Release: Release readiness review (go/no-go decision). General Availability artifact built from master branch.

Patch process:

  1. Patch branch created on target release or master.
  2. Integration tests run and must pass.
  3. Release built from master or release branch.

8.2 Deployment

  • Critical incident deployment: approximately 10-15 minutes from fix merge to production.
  • Automated CI/CD pipeline enables one-click rollback to the previously stable version.

9. Business Continuity and Disaster Recovery

9.1 Application Continuity

  • Smart Guess runs entirely on the Atlassian Forge platform. Application availability is governed by Atlassian's platform SLAs.
  • Smart Guess does not operate independent infrastructure.
  • Public status page: https://smartguess.statuspage.io

9.2 Backups

  • Daily local backups of company-relevant Smart Guess data and configuration.
  • Daily backups of critical company data uploaded to a cloud backup service provided by a globally recognized provider.
  • The backup provider monitors backup results.
  • Restore methodology is fully documented and tested once every year.

9.3 Customer Data Recovery

  • Customer data stored in the application is not under Smart Guess's control. All customer data is stored using the Atlassian Forge Storage framework under the Atlassian Forge Shared Responsibility Model.
  • Atlassian's responsibilities include encrypting data at rest and segregating data storage to prevent cross-tenant access.

10. Third-Party Risk Management

10.1 Platform Provider

  • Atlassian Forge is the primary platform dependency. Atlassian holds SOC 2 Type II, ISO 27001, and other certifications.
  • Smart Guess's security practices are validated through Atlassian's Cloud Fortified program.

10.2 AI Provider

  • Anthropic (Claude API) is used under commercial API terms that prohibit training on customer data.
  • Only aggregated workflow metrics are sent — no personal data, no issue content.

11. Compliance and Accreditation

  • Smart Guess does not hold independent security certifications (SOC 2, ISO 27001). As a software development company that does not operate infrastructure or have access to customer data, these infrastructure-level certifications are held by platform providers (Atlassian and AWS).
  • Smart Guess holds the Atlassian Cloud Fortified badge (approved July 2024), which requires meeting security, support, and reliability criteria including cloud security participation, bug bounty program, privacy and security tab completion, and operational maturity standards.
  • Publicly available security information: Atlassian Marketplace — Privacy and Security

12. Policy Review

This policy is reviewed annually or when significant changes occur to the organization, technology, or threat landscape.


For security inquiries: security@smartguess.is