Security and technical FAQ

 

Security FAQ

What type of data will be stored/processed/accessed?

The Report Builder app can access only issues visible to the “current user,” meaning the person currently using Report Builder. Depending on the report type, the app can access:

  • Issues

  • Issue fields

  • Work log

  • Comments

The app doesn’t store any personal data (PD) in our application or outside Jira.

100% Safe & Secure

All data needed from Jira Cloud is processed directly in your browser and does not leave it.

How does the app get and modify data?

To get and modify data in Jira and Confluence, Report Builder uses the public Jira and Confluence REST APIs. For example, we retrieve issues and work logs through the Jira Cloud REST API to calculate report data.

Our app uses all the required Authorization and Security technologies provided by Atlassian:

What platform and programming language was used to develop the application?

To develop our app, we used the Atlassian Connect framework for communication between our app and Jira. For the back end we used Node.js, and for the front end, JavaScript.

Which authentication protocols and technologies are supported?

The Report Builder app works on top of the Jira authentication system and supports all the available authentication settings.

How do you achieve the security of data at rest?

Report Builder for Jira Cloud is available over SSL only. We use a valid, browser-trusted certificate (not a self-signed one), without any human intervention, and all communications between “Client ↔ Jira Cloud application ↔ Our app” are encrypted.

How is customer data separated from other customers (if the solution is offered in a multi-tenant model)?

We have measures in place to ensure that all the customers are logically separated so that the actions of one customer cannot compromise the data of other customers.

In the version for Jira Cloud, we use a concept that Atlassian refers to as the “tenant context” to achieve logical isolation of all the customers. This is implemented in the Atlassian Connect framework and managed by the “Tenant Context Service” (TCS). This concept ensures that:

  • Each customer’s data is kept logically segregated from other tenants when at rest.

  • Any requests processed by our app have a “tenant-specific” view, so other tenants are not impacted.

How is the security monitoring for this app performed?

Our security monitoring includes the following:

  • A role-based mechanism that controls access to each part of the infrastructure separately.

  • The app creates a massive collection of event logs for analysis and investigation.

  • Regular review of records to improve alerting mechanisms or to manually identify security incidents.

How often do you perform security testing?

Once per quarter, as part of our internal audit process.

What is your security incident management process?

Our “security incident management plan” is not publicly available at the moment. However, in case of any incidents, please get in touch with support@actonic.atlassian.net.

Usage FAQ

Does the app provide role-based access permissions to users? 

Yes, there are a few roles that can be assigned to define restrictions and assignee roles. Read more about permissions in Report Builder: https://actonic.atlassian.net/wiki/spaces/ARB/pages/6167920733

What are the minimum requirements for supported browsers? 

Desktop browsers:

  • Microsoft Edge - Latest stable version supported

  • Mozilla Firefox (all platforms) - Latest stable version supported

  • Google Chrome (Windows and Mac) - Latest stable version supported

  • Safari (Mac) - Latest stable version on latest OS release supported

Can we restrict access to the application from a specific customer public IP gateway?

Yes, as a part of Jira security configuration.

“IP allow listing” is available with Premium plans for Jira Software, Jira Service Management, and Confluence. Learn more about Jira Cloud plans.