Security FAQ
Where and what kind of data is stored?
Our app does not store any data. All data is collected in Forge storage, which ensures that your data is stored securely.
The following data is stored in Forge storage:
notification template, including:
content of the notification, including:
creator
creation date
notification body
notification header
notification options (buttons)
response of users, including:
response (which button was chosen)
user ID
What platform and programming language was used to develop the application?
To develop our app, we used the Atlassian Forge framework for communications. We used Node.js for the back end and JavaScript for the front end.
Which authentication protocols and technologies are supported?
Our Notifications for Jira app works with the Jira authentication system and supports all available authentication settings.
How do you achieve security of data at rest?
The Notifications for Jira app is available over SSL only. We use a valid (not self-signed), browser-trusted certificate, without any human intervention. All communications between “Client ↔︎ Jira application ↔︎ Our app” are encrypted.
How is data from customers separated from other customers (if the solution is offered in a multi-tenant model)?
We have measures in place to ensure that all the customers are logically separated, so that the actions of one customer cannot compromise the data of other customers.
In Notifications for Jira, we use a concept that Atlassian refers to as the “tenant context” to achieve logical isolation of all the customers. This is implemented in the Atlassian Forge framework, and Forge apps are isolated to the tenant (site) that they are installed into by design.
This concept ensures that:
Each customer’s data is kept logically segregated from other tenants when at rest.
Any requests that are processed by Jira or Confluence app versions have a “tenant-specific” view, so other tenants are not impacted.
How is the security monitoring for this app performed?
Our security monitoring includes the following:
A role-based mechanism for accessing each part of the infrastructure separately.
The app creates a massive collection of event logs for analysis and investigation.
Regular review of logs to improve alerting mechanisms or to manually identify security incidents.
How often do you perform security testing?
As a part of our internal audit process, once per quarter.
What is your security incident management process?
Our “security incident management plan” is not publicly available at the moment. In case of any incidents, please contact support@actonic.atlassian.net
Usage FAQ
Does the solution provide role-based access permissions to users?
Notifications for Jira uses built-in permission models and allows only Jira admins to use its functions.
Is it possible to customize the roles according to our business needs?
Sure, it is! Access to Notifications for Jira is managed by the “Administer Jira” global permission.
What are the minimum requirements for supported browsers?
Desktop browsers:
Microsoft Edge - Latest stable version supported
Mozilla Firefox (all platforms) - Latest stable version supported
Google Chrome (Windows and Mac) - Latest stable version supported
Safari (Mac) - Latest stable version on latest OS release supported
Can we restrict access to the application from a specific customer public IP gateway?
Yes, as a part of Jira or Confluence security configuration.
“IP allow listing” is available with Premium plans for Jira Software, Jira Service Management, and Confluence. Learn more about Jira Cloud plans and Confluence Cloud plans.
Which license do I choose when purchasing an app?
For Jira, you must purchase the app license that matches the highest Jira application tier. For example, if you have a 500-User Jira Software license, and a 20-Agent Jira Service Management license, your Jira apps must be at the 500-User level.