Security Policy
Last updated: June 11, 2026
1. Overview
DevOps Metrics for Jira ("the App") is built on the Atlassian Forge platform and operates entirely within Atlassian's infrastructure under the Runs on Atlassian trust boundary. The App is read-only, makes no outbound network calls to any external server, and stores no credentials of any kind. This document describes the App's security architecture and our practices.
2. Architecture & Runtime Environment
- No developer-operated servers: There is no external backend, database, or infrastructure operated by us. All compute and storage is provided by Atlassian.
- Sandboxed execution: Forge functions run in isolated, sandboxed containers with restricted system access managed by Atlassian.
- No external network egress: The App declares no egress domains and makes no outbound requests to any server outside the Atlassian platform. No external API keys or third-party services are involved.
- No AI services: The App does not call any AI service. All analysis — including the plain-language verdicts on the AI Impact tab — is deterministic arithmetic and rule-based text generation on Jira work data.
3. Access Control
| Control | Details |
|---|---|
| Read-only by design | The App requests no write scopes. It cannot create, edit, transition, or delete any Jira issue, version, project, or field. |
| Minimal API scopes | Only two scopes: read:jira-work (issue search, status-change history, project versions, project metadata) and storage:app (Forge storage for the computed aggregates). No admin or write permissions are requested. |
| Per-viewer permission enforcement | Aggregates are precomputed with app-level access, but every request from a viewer is checked against that user's own Jira project permissions (Browse Projects) via Atlassian's permissions API before any data is returned. Users never see metrics for projects they cannot browse. |
| Developer access | None. We cannot read, access, or export any data stored in your Jira instance or Forge storage. All data resides within Atlassian's infrastructure. |
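The per-viewer enforcement described in the table above, shown as an added example that is not the App's own code. It assumes a Forge resolver would send Jira's POST /rest/api/3/permissions/check as the viewer (for instance via api.asUser().requestJira) and that the response lists, per permission, the project ids the caller holds it on; the Jira call is injected here so the gating logic runs offline against constructed data. Anything not explicitly granted in the response is treated as denied.

```javascript
// Added example, not the App's own code. Assumes a Forge resolver sends
// POST /rest/api/3/permissions/check as the viewer and gets back
// { projectPermissions: [{ permission, projects: [ids] }] }.
const BROWSE = "BROWSE_PROJECTS";

// Build the request body for the permissions check: which of the candidate
// project ids does the calling user hold BROWSE_PROJECTS on?
function buildPermissionCheck(projectIds) {
  return {
    projectPermissions: [{ permissions: [BROWSE], projects: projectIds }],
  };
}

// Reduce the endpoint's response to the set of browsable project ids.
// Projects absent from the response are denied (fail closed).
function allowedProjectIds(response) {
  const entries = (response && response.projectPermissions) || [];
  const allowed = new Set();
  for (const entry of entries) {
    if (entry.permission !== BROWSE) continue;
    for (const id of entry.projects || []) allowed.add(Number(id));
  }
  return allowed;
}

// Gate aggregates precomputed with app-level access by the viewer's own
// Browse Projects permission. `requestJira` is whatever sends the check
// as the viewer; only rows for granted projects are returned.
async function aggregatesForViewer(requestJira, aggregates) {
  const candidateIds = [...new Set(aggregates.map((a) => a.projectId))];
  if (candidateIds.length === 0) return [];
  const response = await requestJira("/rest/api/3/permissions/check", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildPermissionCheck(candidateIds)),
  });
  const allowed = allowedProjectIds(response);
  return aggregates.filter((a) => allowed.has(a.projectId));
}

// Constructed sample data: weekly aggregates for three projects.
const SAMPLE_AGGREGATES = [
  { projectId: 10000, week: "2026-W20", deployments: 12, completedIssues: 30 },
  { projectId: 10001, week: "2026-W20", deployments: 4, completedIssues: 9 },
  { projectId: 10002, week: "2026-W20", deployments: 7, completedIssues: 15 },
];

// Constructed stand-in for the viewer's Jira call: this viewer may browse
// projects 10000 and 10002 only.
async function fakeRequestJira(path, init) {
  const body = JSON.parse(init.body);
  const asked = body.projectPermissions[0].projects;
  const granted = asked.filter((id) => id === 10000 || id === 10002);
  return { projectPermissions: [{ permission: BROWSE, projects: granted }] };
}

// Usage: rows for project 10001 are dropped before anything is returned.
aggregatesForViewer(fakeRequestJira, SAMPLE_AGGREGATES).then((rows) =>
  console.log(rows.map((r) => r.projectId))
);
```

The check is issued with the candidate ids taken from the aggregates themselves, so a viewer who is denied everything gets an empty result rather than an error, and a malformed or empty response grants nothing.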
4. Data Protection
Data in transit:
- All Forge-to-Jira API calls use Atlassian's internal secured transport (TLS 1.2+).
- The App makes no outbound HTTPS calls to external services.
Data at rest:
- The App stores weekly aggregate numbers per project (deployment counts, completed-issue counts, failure numerators/denominators, incident counts and compact duration statistics) in Atlassian Forge Storage, hosted by Atlassian with encryption at rest.
- Small operational records: background-job status, refresh watermarks (timestamps) and the last-used metric definitions.
- No credentials, tokens, or secrets are stored — there are none to store.
- Issue content (titles, descriptions, comments) and personal/user data are never stored.
Data minimization:
- The App reads no assignee or reporter fields. Metrics are computed at project/team level only — never per individual.
- For the optional AI-involvement signal, the App inspects the account type of status-change authors (app vs human) in memory only; author identities are never persisted. The result is a per-issue yes/no, stored only as weekly counts.
5. No External Credentials or Integrations
The App does not require or accept any API keys, tokens, passwords, or third-party credentials. There is no configuration that could expose user secrets, and there are no integrations beyond the Atlassian platform itself. The gadgets' user interfaces are Forge Custom UIs served from the App's own static resources; they contain only inline styles for their own charts and load no third-party scripts.
6. Dependency & Vulnerability Management
- Runtime dependencies are limited to Atlassian's official Forge packages (@forge/api, @forge/resolver, @forge/kvs, @forge/events, @forge/bridge), maintained and patched by Atlassian.
- Build/test tooling is not included in the production runtime bundle.
- We run npm audit before every Marketplace release and resolve identified vulnerabilities, including dev-only dependencies.
- Security patches are deployed promptly via Forge; the Node.js runtime is maintained by Atlassian.
7. Incident Response
If a security issue is discovered in the App:
- We investigate and begin remediation promptly upon notification or discovery.
- A fix is deployed as a priority update via the Forge deployment pipeline.
- Affected customers are notified via the Marketplace listing and, where possible, directly.
To report a security vulnerability, contact support@janekbehrens.de with the subject line "Security Report — DORA Metrics". We aim to acknowledge reports within 2 business days.
8. Organizational Security Controls
- Access to production: Deployments are performed exclusively by the maintainer (Janek Behrens) via the authenticated Forge CLI.
- Source code: Maintained in a version-controlled repository under the maintainer's control.
- No sub-processors: We engage no sub-processors. All processing occurs within the Atlassian platform.
9. Compliance
- GDPR: The App does not collect or store personal data and does not read user fields. Metrics are team-level aggregates only. See our Privacy Policy.
- Atlassian security requirements: Built to comply with Atlassian Forge security requirements and the Marketplace security review.
- Runs on Atlassian: Operates under Atlassian's trust boundary, so Atlassian's infrastructure, security controls, and compliance certifications (SOC 2, ISO 27001, etc.) apply to the underlying platform.
10. What We Cannot Access
For complete transparency, we have no technical means to access:
- Any data in your Jira instance (issues, comments, attachments, user data)
- The aggregates in Forge Storage within your instance
- Your Atlassian account credentials or session tokens
- Any personal data of your team members
11. Contact
For security questions or to report a vulnerability:
Email: support@janekbehrens.de
Subject: Security Report — DORA Metrics