Security FAQ

Most of the questions and answers below concern the SaaS deployment type of (e.g. the default one for Jira Cloud customers).

We do our best to meet the security standards our customers expect. If for some reason what you find here does not meet your requirements, you can always use the On-Premise (Self-Hosted) version of This should let you run the platform fully behind your firewall, within your company infrastructure.

What type of data is transmitted, processed, generated and/or stored by the application/service?

We transmit, process and store only the essential data required to perform the integration and synchronization according to the customer's setup configuration. We also collect logs of each synchronization, which customers and support use to identify and resolve problems.

The type of data depends on what exactly the customer configured for each integration, but it may include:

  • item (issue, task, bug, incident) data, such as field values

  • comment data

  • user identifiers (such as accountId and full name)

  • encrypted connection details stored in a database

  • URLs of the app instances under integration, e.g. the Jira URL

Does this include sensitive (personal, health, financial, etc.) data?

It should not, unless such data is stored in the items synchronized between apps and the customer explicitly selected it for sync.

For example, for each employee the customer creates a Task in a Jira project, and that task's custom fields store the employee's gender, monthly salary, etc. The customer wants those tasks, including those custom fields, synced to the other Jira instance. In that case would keep those custom field values in the logs as a trace of the performed synchronization.

Is data encrypted in transit?

In the SaaS deployment each customer's data is stored on a single machine, and the integration / synchronization logic runs on that same machine. Therefore the data is not transmitted to any external services.

Is data encrypted at rest?

We use SSL for the HTTP protocol. REST communication is also authenticated with JWT.

How are keys/secrets managed?

That's a tough question, but thankfully our team is on it. Please bear with us while we investigate.

Who has access to Personally Identifiable Information (PII)?

Not applicable. If it were, only the company owners would have access.

Who has access to Protected Health Information (PHI)?

Not applicable. If it were, only the company owners would have access.

Is code stored in source control? Are cleartext passwords present in source control?

Yes, the source code is under Git source control, provided by the Azure DevOps platform.

No cleartext passwords are stored in the code. All passwords needed to run the application are provided at runtime.
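The two statements above (connection details are stored encrypted in the database, and the secrets the application needs are supplied at runtime rather than kept in the code) fit together as one pattern. The following is an added illustration of that pattern, not code from this product: a per-connection credential is sealed with AES-256-GCM under a key read from the environment at process start, the instance URL is bound in as associated data so a ciphertext cannot be moved to another connection row, and a small check confirms the stored form never contains the credential verbatim. The environment variable name, the sample URL and the sample token are all constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// ConnectionDetails is the kind of record an integration keeps per configured app
// instance. Only the credential is secret; the URL stays readable so it can be
// listed in the UI and in synchronization logs.
type ConnectionDetails struct {
	InstanceURL     string // e.g. a Jira base URL
	EncryptedSecret string // base64(nonce || AES-GCM ciphertext+tag)
}

// parseKey turns a hex-encoded 256-bit key into raw bytes and rejects anything else.
func parseKey(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(strings.TrimSpace(hexKey))
	if err != nil {
		return nil, fmt.Errorf("key is not valid hex: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	return key, nil
}

// loadKey reads the key from the environment at runtime, so it is neither in
// source control nor in the database next to the data it protects.
// HYPOTHETICAL_DB_SECRETS_KEY is a placeholder name, not the product's variable.
func loadKey() ([]byte, error) {
	return parseKey(os.Getenv("HYPOTHETICAL_DB_SECRETS_KEY"))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a secret with AES-256-GCM and a fresh random nonce. The instance
// URL is bound in as associated data, so a blob copied to another row will not open.
func Seal(key []byte, instanceURL string, secret []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	out := gcm.Seal(nonce, nonce, secret, []byte(instanceURL))
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open reverses Seal; a tampered blob, a wrong key or a mismatched URL all fail.
func Open(key []byte, instanceURL string, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(instanceURL))
}

// LeaksSecret is the check to run over a database dump or a log line:
// does the stored form contain the credential verbatim?
func LeaksSecret(stored string, secret string) bool {
	return strings.Contains(stored, secret)
}

func main() {
	key, err := loadKey()
	if err != nil {
		fmt.Println("no key in environment:", err)
		return
	}
	// Constructed sample values; not a real instance or token.
	row := ConnectionDetails{InstanceURL: "https://example.atlassian.net"}
	row.EncryptedSecret, err = Seal(key, row.InstanceURL, []byte("constructed-api-token"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", row)
	fmt.Println("plaintext visible in row:", LeaksSecret(row.EncryptedSecret, "constructed-api-token"))
}
```

Run it with `HYPOTHETICAL_DB_SECRETS_KEY` set to 64 hex characters; with the variable unset the program refuses to start rather than falling back to a built-in key, which is the behaviour to insist on when secrets are meant to arrive only at runtime.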

What is the data backup strategy?

Daily backups, kept for 30 days.

What are the sanitization processes for things such as back-up tapes, failed hard drives, and other storage media?

Under the SaaS deployment, our infrastructure is deployed on Linode, a company with 1 million customers worldwide. All backups, hard drives and VM utilization are handled by Linode according to their SLA terms.

How is patching of the software/application implemented?

For each patch we run through the process of unit testing, automated testing, UAT testing and deployment to production.

Each patch is encapsulated as a new version, stored in an internal artifactory.

We use a blue / green deployment technique to make sure a patch deployed to production is backward compatible.

How does data get to application/service? Do external users have a way to load it? Is there some data synchronization process with other systems?

Data is provided by the customer, who obtains an account within the application. Each customer has a separate database schema in which their data is stored. All configurations, setups and connection details are provided by the customer and saved within their 'database' part. External users outside of their organization have no way to load or read the data. Apart from backups, the customer's data is not synchronized, transmitted or shared with any other external services or machines.

Only support staff have access to the integration / synchronization logs, in order to help customers resolve issues.

How does the software/application ensure the integrity of data, input validation, and other related techniques?

We use the standard techniques provided by the Spring framework.

Are you participating in a BugBounty program?

Not yet. We plan to be in such a program by the end of 2021.