Security and technical FAQ - Cloud

Security FAQ

This article is about the Cloud version of the app. Interested in the Data Center version?

What type of data will be stored/processed/accessed?

Actonic’s Timesheet Builder app can access the following Jira data:

  • From issue:

    • Issue ID

    • Time spent

    • Original estimation

    • Time remaining

  • From work log:

    • Work log author (User ID)

    • Work log description

    • Work log Start date, Create date, Updated date

  • From current user:

    • Project Roles and permissions

    • User ID

Actonic’s Timesheet Builder app can store the following Jira data:

  • Instance key

  • User ID

Actonic’s Timesheet Builder app can store the following app data:

  • Team name and team IDs

  • Team period list (capacity per period and start and end dates of each period, period status (opened, closed))

  • Team roles and team role IDs

  • Team member (role, join and leave dates, groups, user ID, global calendar ID, workload calendar ID)

  • Global calendars and global calendar IDs

  • Workload schemes and workload scheme IDs

  • Non-working days legends and non-working day IDs

  • User labels and user label IDs

How does the app get, add and modify data?

To get, add and modify data in Jira, the app uses Jira's public REST APIs only. For example, it reads issues and their fields through the Jira Cloud REST API to check whether they fall within a team's issue scope and whether the current user holds the required Jira project permissions.

In the Cloud version, the app uses all the authorization and security mechanisms that Atlassian requires of Connect apps.

What platform and programming language was used to develop the application?

The app is built on the Atlassian Connect framework for communication with Jira. The back end is written in Node.js and the front end in JavaScript.

Which authentication protocols and technologies are supported?

Our Timesheet Builder app works with the Jira authentication system and supports all available authentication settings.

How do you achieve security of data in transit?

The Timesheet Builder app is served over HTTPS (TLS) only, using a browser-trusted certificate issued by a public certificate authority (not a self-signed one) that is issued and renewed without manual intervention. All communication between the client, Jira and our app (“Client ↔︎ Jira ↔︎ Our app”) is encrypted.

How is data from customers separated from other customers (if the solution is offered in a multi-tenant model)?

We have measures in place to ensure that all the customers are logically separated, so that the actions of one customer cannot compromise the data of other customers.

In the Jira Cloud version of the app, we use the concept that Atlassian refers to as the “tenant context” to achieve logical isolation between customers. This is implemented in the Atlassian Connect framework and managed by the “Tenant Context Service” (TCS).

This concept ensures that:

  • Each customer’s data is kept logically segregated from other tenants’ data at rest.

  • Every request processed by the app has a tenant-specific view, so other tenants are not affected.

How is the security monitoring for this app performed?

Our security monitoring includes the following:

  • Role-based access control, so that each part of the infrastructure is accessed separately and only by the roles that need it.

  • The app produces detailed event logs for analysis and investigation.

  • Regular review of those logs to improve the alerting rules and to identify security incidents manually.