Security Questionnaire Master
How to Use¶
This document contains pre-answered security questionnaire items for vendor diligence. Copy relevant Q&A into your vendor assessment tool or procurement system.
Each answer references supporting documentation. For details, follow the links.
General Information¶
Q: What is FirstTry?
A: FirstTry is an Atlassian Forge application providing Jira governance and compliance reporting. See SECURITY_OVERVIEW.md.
Q: Who develops FirstTry?
A: FirstTry Solutions.
Q: What is the current version?
A: 0.4.1 (specified in manifest.yml). See CHANGELOG.md for release history.
Q: Is FirstTry certified (SOC2, ISO27k, etc.)?
A: No. FirstTry is NOT certified. We provide documentation and evidence of security practices. See disclaimer in ENTERPRISE_SECURITY_PACK_INDEX.md.
Scope and Data¶
Q: What data does FirstTry access?
A: User names, emails, user IDs, project metadata, and permission assignments from Jira Cloud API (read-only). See DATA_FLOW.md.
Q: What scopes does FirstTry request?
A: read:jira-user, read:jira-work, and storage:app. The two read:* scopes are read-only Jira scopes; storage:app grants read/write access to the app's own Forge-hosted storage (used for snapshots) and gives no access to Jira data. See RESOLVER_INVENTORY.md.
Q: Does FirstTry perform any WRITE operations?
A: No. Every Jira REST call is a GET; the app issues no POST, PUT, PATCH or DELETE against Jira. The only writes are to the app's own Forge Storage (snapshots). Verified by mutation detection testing in CI. See RESOLVER_INVENTORY.md and CI_CD_EVIDENCE.md.
Q: Does FirstTry make external network calls outside of Jira API?
A: No. Zero external egress: the only network calls are to the host Jira site through Forge's authenticated requestJira() API, and the manifest declares no external fetch permissions (Forge blocks outbound calls unless they are declared). See SECURITY_OVERVIEW.md.
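The three answers above (declared scopes, GET-only Jira calls, no egress) are the kind of claim a reviewer can verify mechanically. The following is an added example of such a CI guard; it is illustrative code written for this page, not FirstTry's own test suite. The manifest text, file names and resolver sources are constructed samples, and one sample file deliberately contains a POST and an external fetch so the check has something to catch.

```javascript
// Added example (not FirstTry's code): a CI-style guard for the scope,
// read-only and zero-egress answers. Manifest text, file names and resolver
// sources below are constructed samples.

// Scopes the app says it needs; anything else in manifest.yml is drift.
const ALLOWED_SCOPES = new Set(['read:jira-user', 'read:jira-work', 'storage:app']);

// Collect the entries under `permissions.scopes`. The manifest shape is flat
// enough that a line scan suffices here; a real job could use a YAML parser.
function manifestScopes(yaml) {
  const scopes = [];
  let inScopes = false;
  for (const line of yaml.split('\n')) {
    if (/^\s*scopes:\s*$/.test(line)) { inScopes = true; continue; }
    if (!inScopes) continue;
    const item = line.match(/^\s+-\s+(\S+)/);
    if (item) scopes.push(item[1]);
    else if (line.trim()) inScopes = false; // next key ends the list
  }
  return scopes;
}

function scopeDrift(yaml) {
  return manifestScopes(yaml).filter(s => !ALLOWED_SCOPES.has(s));
}

// Return the argument text of a call whose "(" sits just before `start`,
// stopping at the matching ")". Quoted strings and template literals are
// skipped so brackets inside route`...` or JSON bodies do not unbalance
// the depth count.
function callArgs(source, start) {
  let depth = 1, quote = null, i = start;
  for (; i < source.length; i++) {
    const c = source[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'" || c === '`') quote = c;
    else if ('({['.includes(c)) depth++;
    else if (')}]'.includes(c) && --depth === 0) break;
  }
  return source.slice(start, i);
}

// Flag every requestJira() call whose method is anything but GET (a missing
// `method` defaults to GET under fetch semantics), every call whose method is
// not a string literal (cannot be proven read-only statically), and every
// fetch() call, which is the only way a Forge app reaches a non-Jira host.
function auditSource(source, file) {
  const findings = [];
  const lineOf = idx => source.slice(0, idx).split('\n').length;
  for (const m of source.matchAll(/\b(requestJira|fetch)\s*\(/g)) {
    const args = callArgs(source, m.index + m[0].length);
    const line = lineOf(m.index);
    if (m[1] === 'fetch') {
      findings.push({ file, line, kind: 'egress', detail: args.split(',')[0].trim() });
      continue;
    }
    const lit = args.match(/\bmethod\s*:\s*(['"`])([A-Za-z]+)\1/);
    const method = lit ? lit[2].toUpperCase() : (/\bmethod\s*:/.test(args) ? 'DYNAMIC' : 'GET');
    if (method !== 'GET') findings.push({ file, line, kind: 'mutation', detail: method });
  }
  return findings;
}

function auditAll(manifestYaml, sources) {
  const findings = [];
  for (const [file, src] of Object.entries(sources)) findings.push(...auditSource(src, file));
  return { scopeDrift: scopeDrift(manifestYaml), findings };
}

// Constructed manifest with one extra scope that must be flagged.
const MANIFEST = [
  'permissions:',
  '  scopes:',
  '    - read:jira-user',
  '    - read:jira-work',
  '    - storage:app',
  '    - write:jira-work',
  'app:',
  '  runtime:',
  '    name: nodejs20.x',
].join('\n');

// Constructed resolver sources: one clean GET, one file with a POST and an
// external fetch. Paths and function names are invented for the example.
const SAMPLES = {
  'src/resolvers/users.js': [
    "import api, { route } from '@forge/api';",
    'export async function getUser(id) {',
    '  const res = await api.asApp().requestJira(route`/rest/api/3/user?accountId=${id}`, {',
    "    headers: { Accept: 'application/json' },",
    '  });',
    '  return res.json();',
    '}',
  ].join('\n'),
  'src/resolvers/bad.js': [
    "import api, { route, fetch } from '@forge/api';",
    'export async function closeIssue(key) {',
    '  await api.asUser().requestJira(route`/rest/api/3/issue/${key}/transitions`, {',
    "    method: 'POST', body: JSON.stringify({ transition: { id: '31' } }),",
    '  });',
    "  await fetch('https://example.invalid/report', { method: 'POST' });",
    '}',
  ].join('\n'),
};

const report = auditAll(MANIFEST, SAMPLES);
console.log(JSON.stringify(report, null, 2));
```

Run against the samples, the report lists `write:jira-work` as scope drift, the POST in `bad.js` as a mutation and the `fetch` of `https://example.invalid/report` as egress, while the GET in `users.js` produces nothing. A job that fails when either list is non-empty turns the questionnaire answers into an enforced invariant rather than a statement of intent; the DYNAMIC case is reported too, because a method chosen at runtime cannot be shown to be a GET by inspection.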
Data Protection¶
Q: How is data encrypted?
A: Encryption in transit: TLS 1.3 (enforced by the Forge platform). At rest: AES-256 by Forge Storage (Atlassian-managed). FirstTry neither manages nor has access to the encryption keys. See FORGE_PLATFORM_DEPENDENCY.md.
Q: How long is data retained?
A: Snapshots are retained for 90 days by default per the snapshot policy. Data can be removed earlier by manual cleanup, or entirely by uninstalling the app. See DATA_FLOW.md.
Q: What happens when FirstTry is uninstalled?
A: Forge Storage is cleared immediately. Atlassian deletes backups within 30 days. See UNINSTALL_DELETION.md.
Q: Does FirstTry use data for AI training or analytics?
A: No. User data is not trained on, analyzed, or sold. See DATA_CLASSIFICATION_AND_PII.md.
Compliance and Standards¶
Q: Which compliance frameworks does FirstTry address?
A: GDPR, SOC2, ISO27k, CAIQ v4 (mapping only; no certifications). See CONTROL_MAPPING_MATRIX.md.
Q: How does FirstTry handle GDPR rights?
A: Data subject access via export. Deletion via uninstall. See PRIVACY_POLICY.md and DATA_CLASSIFICATION_AND_PII.md.
Q: What is the data residency policy?
A: Follows Jira Cloud region selection (no override). Customer chooses region at Jira setup. See FORGE_PLATFORM_DEPENDENCY.md and CUSTOMER_RESPONSIBILITIES.md.
Supply Chain and Dependencies¶
Q: What are FirstTry's dependencies?
A: Node.js (runtime), npm (package manager), and Atlassian Forge (platform). See CI_CD_EVIDENCE.md for dependency tree.
Q: Does FirstTry have high-severity dependencies?
A: No. CI runs npm audit and fails the build on any finding of high or critical severity (the gate that npm audit --audit-level=high provides). See CI_CD_EVIDENCE.md.
Q: Who are FirstTry's subprocessors?
A: Atlassian Forge and Jira Cloud only. See SUBPROCESSORS.md.
Q: Which Atlassian subprocessors does FirstTry depend on?
A: See Atlassian's public subprocessor list: https://www.atlassian.com/legal/subprocessors
Security Practices¶
Q: How does FirstTry handle vulnerabilities?
A: Coordinated (responsible) disclosure: reporters are asked to hold public details for 90 days from the initial report. See VULNERABILITY_DISCLOSURE_POLICY.md.
Q: What is the incident response process?
A: Severity classification, investigation, patch, and communication. See INCIDENT_RESPONSE_PLAN.md.
Q: Does FirstTry perform static code analysis?
A: Yes. Forge lint, ESLint, TypeScript strict mode, and dependency scanning (npm audit, trivy). See SECURE_SDLC_POLICY.md.
Q: How is access to FirstTry's code controlled?
A: MFA required for maintainers. Code review enforced on all PRs. See ACCESS_CONTROL_POLICY.md and RBAC_MATRIX.md.
Availability and Support¶
Q: What is FirstTry's uptime SLA?
A: None. FirstTry runs on Atlassian Forge and inherits the platform's availability (typically 99.5%); no separate uptime SLA is offered. See SLA.md.
Q: What support channels are available?
A: Email (support@firsttry.run, security.contact@firsttry.run). See SUPPORT_POLICY.md.
Q: What is the breach notification timeline?
A: 24 hours for critical incidents (best-effort). See INCIDENT_RESPONSE_PLAN.md.
Legal and Contractual¶
Q: What is the license?
A: See TERMS_OF_SERVICE.md (proprietary Forge app).
Q: Is there a liability limit?
A: Yes. The software is provided as-is and liability is limited as set out in TERMS_OF_SERVICE.md; see also SLA.md.
Q: What happens if FirstTry is discontinued?
A: At least 6 months' notice where possible, announced in CHANGELOG.md, followed by 3 months of sunset support. See SUPPORT_POLICY.md.
Threat and Risk¶
Q: What are the known threats?
A: See THREAT_MODEL.md (STRIDE analysis with mitigations).
Q: What are the residual risks?
A: Primary: Forge platform dependency. Secondary: Dependency vulnerabilities. See THREAT_MODEL.md.
Q: Can FirstTry access other customers' data?
A: No. Forge installations are isolated per tenant: the app's Forge Storage and its Jira API access are scoped to the site that installed it, so cross-tenant access is not possible. See ARCHITECTURE.md.
End of Questionnaire¶
For more details, see ENTERPRISE_SECURITY_PACK_INDEX.md for full documentation navigation.
Contact¶
Questions? Email contact@firsttry.run or security.contact@firsttry.run.