# Security Policy

Built with security-first principles, powered by Atlassian Forge.
## Forge Sandbox

Flow Time Report is developed and deployed on Atlassian Forge, which enforces:

- Code isolation per app and site
- Data residency within Atlassian infrastructure
- Read/write scope restrictions enforced by the Forge manifest
- Zero external server or database exposure
## Permission Scopes

We only request what's absolutely necessary, nothing more.

Flow Time Report requires the following minimal scopes to operate effectively:

| Scope | Why It's Needed |
|---|---|
| | Load issue details and status data |
| | Save badge selections using issue properties |
| | Display user display names in the status change log |
| | (Optional) Used for internal app settings or local persistence |

All data is stored inside Jira or Atlassian Forge's secure storage. No external servers are used.
## Data Residency

All runtime activity and storage occurs within Atlassian's own cloud platform.

Flow Time Report does not transmit or store any data outside of Jira.
## No Secrets Stored

- No environment variables
- No secret tokens
- No user credentials
- No external endpoints

Everything is handled within the user's active session and stored only in issue properties.
## User Data

Flow Time Report only accesses `displayName` for the user who changed a status.

We never access email addresses, full profiles, or internal IDs.
## Secure Dev Process

We follow secure development practices:

- Code reviews on every change
- Scope-based testing
- Static analysis for React + Forge
- Manual validation in the Forge sandbox
## Atlassian-Backed Protection

Forge apps benefit from Atlassian's:

- SSO authentication
- OAuth2-secured APIs
- Isolation from other tenants
- Enforced permission boundaries
- Compliance with ISO/IEC 27001, SOC 2, GDPR