πŸ›‘οΈ Security Policy – Issue Delivery Report

πŸ›‘οΈ Security Policy – Issue Delivery Report

Built with security-first principles — powered by Atlassian Forge.


🧱 Forge Sandbox Architecture

Issue Delivery Report is built entirely on Atlassian Forge, which guarantees:

  • 🔒 Code isolation per app and per site

  • 🌍 Data residency within Atlassian’s secure cloud infrastructure

  • 🧾 Strict API scope enforcement declared via the Forge manifest

  • 🚫 No external servers, databases, or custom backends

All logic runs inside Atlassian’s serverless runtime. We never host or execute code outside of the Forge environment.


πŸ” Permission Scopes

We request only the minimal scopes required for functionality — nothing more.

🔑 Scope          Why It’s Needed
read:jira-work    To load issue metadata and full status history
read:jira-user    To display displayName of the user who made changes
storage:app       (optional) Reserved for future internal settings

🛑 No write:jira-work or issue mutation occurs in this app — we never modify issues or fields.


πŸ—‚οΈ Data Residency

All runtime operations and temporary data handling occur inside Atlassian’s platform.

  • No part of the app transmits or stores data outside Jira

  • No external analytics, telemetry, or storage are involved

Exports (CSV, JSON, MD, TXT) are generated in the user’s browser, not sent anywhere.


πŸ” No Secrets Stored

Issue Delivery Report does not use:

  • ❌ Environment variables

  • ❌ Secret tokens

  • ❌ User credentials

  • ❌ External endpoints

All logic is performed in a secure session scoped to the current issue.


👥 User Data Access

We only access:

  • displayName of the user who changed issue statuses (for audit clarity)

We do not access:

  • Email addresses

  • Full user profiles

  • Jira internal account IDs


🧪 Secure Development Process

We follow strict practices during development:

  • ✅ Mandatory code reviews for all changes

  • ✅ Scope-based testing in sandbox environments

  • ✅ Static analysis using ESLint + Forge validators

  • ✅ Manual verification via forge tunnel before deployment


✅ Atlassian-Backed Security

As a Forge app, Issue Delivery Report inherits Atlassian’s platform-level protections:

  • ✅ SSO authentication with your Jira Cloud instance

  • ✅ OAuth2-secured API calls via requestJira()

  • ✅ Per-tenant data isolation

  • ✅ Enforced runtime boundaries

  • ✅ Aligned with ISO/IEC 27001, SOC 2, GDPR, and CCPA


🧩 Questions about security or compliance?
Reach out to: support@typeswitch.net — we’re happy to provide clarification or assist with vendor risk assessments.