Data Security and Privacy Statement for Our apps

1. Introduction

This document describes how Our apps, Forge-based apps built for Atlassian Cloud, ensure the security and privacy of customer data. As "Run on Atlassian" apps, they operate entirely on Atlassian’s infrastructure and comply with all relevant security and privacy requirements.


2. Data Storage and Processing Location

  • Forge Runtime: All apps run entirely on Atlassian's infrastructure using the Forge platform.

  • Data Residency: Data is processed and stored in the same region where the customer's Atlassian Cloud data resides, in accordance with Atlassian's data residency policies.

  • No External Storage: Unless explicitly required for app functionality, data is not transferred or stored outside of Atlassian’s infrastructure.


3. Data Collected by the Apps

The apps may access the following data through Atlassian APIs:

  • Page Metadata: Page titles, IDs, and property values for display or processing purposes.

  • User Account Details: Usernames or account IDs for display or permission checks only.

  • App Configuration Data: Settings or preferences configured by administrators.

The apps do not:

  • Collect or store sensitive personal information (e.g., passwords, financial data).

  • Perform analytics tracking beyond Atlassian Marketplace analytics provided by Atlassian.


4. Data Retention

  • Ephemeral Data: Temporary data used during request processing is deleted once the request completes.

  • Persistent Data (if used): Configuration data stored via the Forge Storage API is retained until administrators delete the app or the data manually.

Administrators may request full deletion of all app-related data at any time.


5. Data Transmission

  • All communication between the apps and Atlassian APIs occurs over HTTPS using TLS 1.2+ encryption.

  • No data is ever transmitted over insecure channels.


6. Access Control and Authentication

  • The apps rely on Atlassian OAuth 2.0 and Forge permission scopes to control access.

  • No hardcoded credentials or external authentication mechanisms are used.

  • Access is restricted to the minimum required API scopes defined in the app's manifest.yml.


7. Third-Party Services

  • The apps do not use any external third-party services for data processing or storage.

  • All operations occur entirely within Atlassian’s secure infrastructure.


8. Data Privacy Compliance

  • Only the minimum required data obtained through Atlassian APIs is processed, applying strict data minimization principles.


9. Security Practices

  • Regular security reviews and vulnerability checks are performed.

  • The apps benefit from Atlassian's Forge platform security controls, including:

    • Isolation of app runtime environments.

    • Automatic security patches applied by Atlassian.

    • No direct database or file system access.


10. Incident Response

In the event of a security incident affecting the apps, we will:

  1. Immediately investigate the root cause.

  2. Mitigate the issue using Forge platform capabilities.

  3. Notify affected customers following Atlassian's security incident policies.


11. Change Log for This Document

Date          Version   Changes
2025-09-29    1.0       Initial release of the privacy statement.