What type of data will be stored/processed/accessed?
The Report Builder app can access only issues visible to the “current user,” meaning the person currently using Report Builder. Depending on the report type, the app can access:
The app doesn’t store any PD in our application or outside Jira.
100% Safe & Secure
All data needed from Jira Cloud is processed directly in your browser and does not leave it.
How does the app get and modify data?
To get and modify data in Jira and Confluence, Report Builder uses the public Jira and Confluence REST APIs. For example, we retrieve issues and work logs through the Jira Cloud REST API to calculate report data.
Our app uses all the required Authorization and Security technologies provided by Atlassian:
What platform and programming language was used to develop the application?
Which authentication protocols and technologies are supported?
The Report Builder app works on top of the Jira authentication system and supports all the available authentication settings.
How do you achieve the security of data at rest?
Report Builder for Jira Cloud is available over SSL only. We use a valid, browser-trusted certificate (not self-signed), without any human intervention, and all communications between “Client ↔︎ Jira Cloud application ↔︎ Our app” are encrypted.
How is customer data separated from other customers (if the solution is offered in a multi-tenant model)?
We have measures in place to ensure that all the customers are logically separated so that the actions of one customer cannot compromise the data of other customers.
In the version for Jira Cloud, we use a concept that Atlassian refers to as the “tenant context” to achieve logical isolation of all the customers. This is implemented in the Atlassian Connect framework and managed by the “Tenant Context Service” (TCS). This concept ensures that:
Each customer’s data is kept logically segregated from other tenants when at rest.
Any requests processed by our app have a “tenant-specific” view, so other tenants are not impacted.
How is the security monitoring for this app performed?
Our security monitoring includes the following:
A role-based mechanism for accessing each part of the infrastructure separately.
The app creates a massive collection of event logs for analysis and investigation.
Regular review of records to improve alerting mechanisms or to manually identify security incidents.
How often do you perform security testing?
As a part of our internal audit process, once per quarter.
What is your security incident management process?
Our “security incident management plan” is not publicly available at the moment. However, in case of any incidents, please get in touch with email@example.com.
Does the app provide role-based access permissions to users?