Security Policy
Last updated: July 6, 2026
1. Overview
Team Capacity for Jira ("the App") is built on the Atlassian Forge platform and operates entirely within Atlassian's infrastructure under the Runs on Atlassian trust boundary. The App is read-only, makes no outbound network calls to any external server, and stores no credentials of any kind. This document describes the App's security architecture and our practices.
2. Architecture & Runtime Environment
- No developer-operated servers: There is no external backend, database, or infrastructure operated by us. All compute and storage is provided by Atlassian.
- Sandboxed execution: Forge functions run in isolated, sandboxed containers with restricted system access managed by Atlassian.
- No external network egress: The App declares no egress domains and makes no outbound requests to any server outside the Atlassian platform. No external API keys or third-party services are involved.
- No AI services: The App does not call any AI service. Workload aggregation is deterministic arithmetic on Jira sprint data.
3. Access Control
| Control | Details |
|---|---|
| Read-only by design | The App requests no write scopes. It cannot create, edit, transition, or delete any Jira issue, sprint, board, or field. |
| Minimal API scopes | read:jira-work (sprint issues via JQL), read:project:jira (permission gate), read:board-scope:jira-software and read:board-scope.admin:jira-software (boards and their estimation configuration — read-only), read:sprint:jira-software (sprints), storage:app (non-personal caches). No admin or write permissions are requested. |
| Per-viewer permission enforcement | Data reads run with app-level access, but every request from a viewer is checked against that user's own Jira project permissions (Browse Projects) via Atlassian's Authorize API before any data is returned — fail-closed: if the check cannot complete, no data is served. Board pickers are filtered the same way. |
| Input validation | Board and sprint IDs from the browser are accepted only as positive integers, and sprint IDs are resolved against the board's own sprint list before any query is built — no client value ever reaches a query string. |
| License enforcement | Paid ("Pro") features are enforced server-side; if the license state is missing or unknown the App fails closed to the free tier. |
| Developer access | None. We cannot read, access, or export any data stored in your Jira instance or Forge storage. All data resides within Atlassian's infrastructure. |
4. Data Protection
Data in transit:
- All Forge-to-Jira API calls use Atlassian's internal secured transport (TLS 1.2+).
- The App makes no outbound HTTPS calls to external services.
Data at rest:
- The App stores only non-personal caches in Atlassian Forge Storage: a board-to-project ID map (10-minute lifetime) and the instance's Story Points field ID (24-hour lifetime), hosted by Atlassian with encryption at rest.
- Gadget configuration (board, sprint, capacity numbers, thresholds, per-person capacity keyed by account ID) is stored by Jira itself as standard dashboard-gadget configuration.
- No credentials, tokens, or secrets are stored — there are none to store.
- Issue content (titles, descriptions, comments) and names/emails are never stored.
Data minimization:
- The App reads only the fields it needs per sprint: assignee, status category, the estimate value and (Pro) aggregated time spent. Display names are rendered live and never persisted.
5. No External Credentials or Integrations
The App does not require or accept any API keys, tokens, passwords, or third-party credentials. There is no configuration that could expose user secrets, and there are no integrations beyond the Atlassian platform itself. The gadget's user interface is a Forge Custom UI served from the App's own static resources; it declares inline styles only for its own chart and loads no third-party scripts, fonts, frames or images.
6. Dependency & Vulnerability Management
- Runtime dependencies are limited to Atlassian's official Forge packages (
@forge/api,@forge/resolver,@forge/kvs,@forge/bridge), maintained and patched by Atlassian. - Build/test tooling is not included in the production runtime bundle.
- We run
npm auditbefore every deploy via an automated pre-deploy gate that blocks the release on unresolved high-severity findings, plus a weekly automated audit. Current status: 0 known vulnerabilities across production and development dependencies. - Security patches are deployed promptly via Forge; the Node.js runtime is maintained by Atlassian.
7. Incident Response
If a security issue is discovered in the App:
- We investigate and begin remediation promptly upon notification or discovery.
- A fix is deployed as a priority update via the Forge deployment pipeline.
- Affected customers are notified via the Marketplace listing and, where possible, directly.
To report a security vulnerability, contact support@janekbehrens.de with the subject line "Security Report — Team Capacity". We aim to acknowledge reports within 2 business days.
8. Organizational Security Controls
- Access to production: Deployments are performed exclusively by the maintainer (Janek Behrens) via the authenticated Forge CLI, behind an automated security gate.
- Source code: Maintained in a version-controlled repository under the maintainer's control.
- No sub-processors: We engage no sub-processors. All processing occurs within the Atlassian platform.
9. Compliance
- GDPR: The App stores no personal data; see our Privacy Policy.
- Atlassian security requirements: Built to comply with Atlassian Forge security requirements and the Marketplace security review.
- Runs on Atlassian: Operates under Atlassian's trust boundary, so Atlassian's infrastructure, security controls, and compliance certifications (SOC 2, ISO 27001, etc.) apply to the underlying platform.
10. What We Cannot Access
For complete transparency, we have no technical means to access:
- Any data in your Jira instance (issues, comments, attachments, user data)
- The caches in Forge Storage within your instance
- Your Atlassian account credentials or session tokens
- Any personal data of your team members
11. Contact
For security questions or to report a vulnerability:
Email: support@janekbehrens.de
Subject: Security Report — Team Capacity