# Enterprise Security Pack Index
## Overview
This is the canonical index for FirstTry's enterprise security documentation and evidence. Use this to navigate procurement, diligence, and compliance activities.
## Trust Center (Governance & Security Policies)
| Document | Purpose | Audience |
|---|---|---|
| Security Overview | Shared responsibility model, platform dependencies, security posture | CISO, Procurement |
| Forge Platform Dependency | Platform guarantees, encryption, availability | Procurement, Compliance |
| Architecture | System design, components, trust boundaries, no external egress | Technical diligence |
| Data Flow | Data read, storage, export, lifecycle | Compliance, Privacy |
| Data Classification & PII | User data sensitivity, AI training, deletion | Privacy, Legal |
| Uninstall & Deletion | Deletion workflow, SLA, proof | Legal, Compliance |
| Ledger Crypto Spec | Audit trail immutability, hash chain, verification | Technical audit |
| Export Spec | Archive format, deterministic build, verification | Technical audit |
| Serialization Schema | Canonical JSON, encoding rules, reproducibility | Engineering |
| Subprocessors | Atlassian subprocessor list, policy | Procurement, Compliance |
| Privacy Policy | Data usage, user rights, AI policy | Legal, Privacy |
| Terms of Service | License, liability, acceptable use | Legal |
| Security Contact | Incident reporting, response SLA | CISO |
| Vulnerability Disclosure Policy | Responsible disclosure, embargo, credit | Security team |
| security.txt | RFC 9116 security contact pointers | System admins |
| Threat Model | STRIDE analysis, mitigations, residual risks | Risk assessment, CISO |
| Customer Responsibilities | What customers must do (region, permissions, exports) | All customers |
| Resolver Inventory | API endpoints, HTTP methods, proof of no mutating calls (POST/PUT/DELETE) | Technical audit |
## Operations (Processes & Controls)
| Document | Purpose | Audience |
|---|---|---|
| Incident Response Plan | Severity classification, response workflow, timelines | CISO, Ops |
| Change Management Policy | Release process, evidence regeneration, baseline drift | Engineering, Ops |
| Access Control Policy | Least privilege, MFA, onboarding, offboarding | InfoSec, CISO |
| RBAC Matrix | Current roles and access, quarterly review | InfoSec |
| Secure SDLC Policy | Code review, testing, threat modeling, dependency mgmt | Engineering, CISO |
| CI/CD Evidence | Tools (forge lint, npm audit, trivy), commands, SBOM | Engineering, Compliance |
| Secrets Management | Token storage, rotation, incident response | Engineering, InfoSec |
| Logging & Monitoring | Winston logger, audit trail, error handling | Ops, Engineering |
| BCP/DRP | Forge dependency, no independent DRP, customer obligations | Business continuity, CISO |
| Support Policy | Channels, scope, response times, severity levels | Customer success, CISO |
| SLA | No uptime percentage is committed; support response times only | Customers, Procurement |
## Procurement (Diligence & Control Mapping)
| Document | Purpose | Audience |
|---|---|---|
| This index | Navigation for all compliance docs | Procurement, CISO |
| Security Questionnaire Master | Q&A responses with doc references | Compliance, Procurement |
| Control Mapping Matrix | Maps to SOC2 CC, ISO 27001, CAIQ; disclaimer: no certification claimed | Audit, Compliance |
## Evidence Repository
Location: docs/evidence/baselines/ and docs/evidence/{DATE}_release/
| Artifact | Purpose | Audience |
|---|---|---|
| baseline/manifest.yml.sha256 | Scope immutability anchor | Drift detection |
| baseline/package-lock.json.sha256 | Dependency immutability anchor | Drift detection |
| {DATE}_release/forge_lint_strict.txt | Forge manifest validation | Technical audit |
| {DATE}_release/npm_audit_high.txt | Dependency CVE scan | Vulnerability audit |
| {DATE}_release/cyclonedx_sbom.json | Software bill of materials | Supply chain audit |
| {DATE}_release/trivy_scan.txt | Code/filesystem security scan | Technical audit |
| {DATE}_release/resolver_scan.txt | No mutation (POST/PUT/DELETE) proof | Technical audit |
| {DATE}_release/manifest_scopes_snapshot.txt | Scope snapshot | Scope audit |
| {DATE}_release/evidence_hashes.txt | Hash manifest | Integrity check |
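The two checks a reviewer wants to run against this bundle are (1) do the baseline anchors still match the current manifest.yml and package-lock.json, and (2) does every artifact in a release directory still match evidence_hashes.txt. The script below is an added example, not FirstTry's tooling and not a file from the bundle. It assumes the .sha256 anchors and evidence_hashes.txt use sha256sum's line format (hex digest, two spaces, path relative to the release directory); the page does not state either format, so adjust the parsing if the real files differ. All inputs it hashes are constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example: verify drift anchors and an evidence hash manifest offline.
# Not FirstTry's tooling. ASSUMES the *.sha256 anchor files and
# evidence_hashes.txt use sha256sum line format ("<hex digest>  <path>").

# Portable SHA-256 digest (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_anchor ANCHOR_FILE TARGET_FILE
# 0 when TARGET_FILE still matches the digest pinned in ANCHOR_FILE,
# 1 on drift (e.g. a scope added to manifest.yml without a new baseline).
check_anchor() {
  local expected actual
  expected=$(cut -d' ' -f1 "$1")
  actual=$(sha256_of "$2")
  if [ "$expected" = "$actual" ]; then
    echo "ok       $2"
    return 0
  fi
  echo "DRIFT    $2 (baseline $expected, current $actual)"
  return 1
}

# verify_manifest RELEASE_DIR MANIFEST_FILE
# Recomputes every artifact listed in MANIFEST_FILE (paths relative to
# RELEASE_DIR). 0 only if all listed artifacts are present and match.
verify_manifest() {
  local dir="$1" bad=0 hash path
  while read -r hash path || [ -n "$hash" ]; do
    [ -z "$hash" ] && continue
    if [ ! -f "$dir/$path" ]; then
      echo "MISSING  $path"; bad=$((bad + 1))
    elif [ "$(sha256_of "$dir/$path")" != "$hash" ]; then
      echo "MISMATCH $path"; bad=$((bad + 1))
    else
      echo "ok       $path"
    fi
  done < "$2"
  [ "$bad" -eq 0 ]
}

# Demo on constructed sample data in a temp directory (no real project files).
demo() {
  local work f
  work=$(mktemp -d)
  mkdir -p "$work/baseline" "$work/release"
  printf 'permissions:\n  scopes:\n    - read:jira-work\n' > "$work/manifest.yml"
  printf '%s  manifest.yml\n' "$(sha256_of "$work/manifest.yml")" \
    > "$work/baseline/manifest.yml.sha256"
  printf 'GET /rest/api/3/issue (no mutating calls found)\n' > "$work/release/resolver_scan.txt"
  printf 'read:jira-work\n' > "$work/release/manifest_scopes_snapshot.txt"
  for f in resolver_scan.txt manifest_scopes_snapshot.txt; do
    printf '%s  %s\n' "$(sha256_of "$work/release/$f")" "$f"
  done > "$work/release/evidence_hashes.txt"

  echo "--- clean tree"
  check_anchor "$work/baseline/manifest.yml.sha256" "$work/manifest.yml"
  verify_manifest "$work/release" "$work/release/evidence_hashes.txt"

  echo "--- after an unreviewed scope change and a tampered artifact"
  printf '    - write:jira-work\n' >> "$work/manifest.yml"
  printf 'edited after hashing\n' >> "$work/release/resolver_scan.txt"
  check_anchor "$work/baseline/manifest.yml.sha256" "$work/manifest.yml" || true
  verify_manifest "$work/release" "$work/release/evidence_hashes.txt" || true
  rm -rf "$work"
}
demo
```

Run both checks in CI before accepting a regenerated bundle: a failing check_anchor means the scope or dependency baseline moved without a new anchor being committed through change management, and a failing verify_manifest means an artifact was edited or dropped after the hash manifest was written. Neither check proves the scanner output is truthful, only that it is the output that was hashed.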
## Document Navigation
### By Role
CISO:
- Threat Model
- Security Overview
- Incident Response Plan
- Control Mapping Matrix
Procurement/Compliance:
- This index (you are here)
- Security Questionnaire Master
- Control Mapping Matrix
- Data Classification & PII
Technical Auditor:
- Architecture
- Resolver Inventory
- CI/CD Evidence
- Export Spec & Ledger Crypto
Privacy Officer:
- Data Flow
- Data Classification & PII
- Privacy Policy
- Uninstall & Deletion
Customer Success:
- Customer Responsibilities
- Support Policy
- SLA
- Data Flow
### By Compliance Framework
SOC2 Type II:
- See Control Mapping Matrix for CC (Common Criteria) alignment
- Evidence: CI/CD Evidence, Incident Response Plan, Access Control Policy
ISO 27001:
- See Control Mapping Matrix for Annex A control alignment
- Evidence: All docs (comprehensive coverage)
CAIQ v4 (Cloud Security Alliance):
- See Control Mapping Matrix for CAIQ section ID alignment
- Key: Data Classification & PII, Subprocessors, BCP/DRP
GDPR:
- Data Classification & PII
- Privacy Policy
- Uninstall & Deletion (right to deletion)
- Customer Responsibilities (data minimization)
Atlassian Marketplace:
- Security Overview (required)
- Resolver Inventory (no mutations)
- Threat Model (enterprise risks)
- Evidence bundle (drift anchors, scanner output)
## Evidence Regeneration
To regenerate the evidence bundle for the current date:

```bash
bash tools/generate_enterprise_evidence.sh
```

Output: docs/evidence/{TODAY}_release/

For a specific date:

```bash
bash tools/generate_enterprise_evidence.sh 2026-02-26
```

See CI_CD_EVIDENCE.md for detailed artifact descriptions.
## How to Use This Index
For procurement questionnaire:
- Open SECURITY_QUESTIONNAIRE_MASTER.md
- Each Q/A is pre-populated with doc references
- Copy responses into vendor diligence system
For compliance mapping:
- Open CONTROL_MAPPING_MATRIX.md
- Find relevant framework (SOC2, ISO27k, CAIQ)
- Navigate to linked doc for details
- Note disclaimer: No certification claimed, mapping only
For technical deep-dive:
- Start with Architecture.md
- Follow references to lower-level docs (Ledger Crypto, Export Spec, etc.)
- Review evidence bundle (docs/evidence/) for proof
For risk assessment:
- Read Threat Model.md
- Identify residual risks you accept
- Review Customer Responsibilities.md for your obligations
- Review FORGE_PLATFORM_DEPENDENCY.md for vendor risk
## Disclaimer
🔴 IMPORTANT: FirstTry makes NO claims of:
- "SOC2 Type II compliant" (not certified)
- "ISO 27001 certified" (not certified)
- "Cloud Fortified" (Atlassian trademark)
- "Guaranteed uptime" (see SLA.md)
This documentation and evidence demonstrate our security practices, governance, and threat mitigations. The control mapping is informational only; no third-party certification exists.
## Contacts
- Security: security.contact@firsttry.run
- General Inquiries: contact@firsttry.run
- Support: support@firsttry.run
- Privacy: privacy@firsttry.run
## Document Storage and Updates
- All docs committed to git (version controlled)
- Updated via change management (CHANGE_MANAGEMENT_POLICY.md)
- Evidence regenerated on baseline changes (tools/generate_enterprise_evidence.sh)
- Annual review cycle (see the Review Cycle field in each document header)
- Interim updates triggered by security events or platform changes