Security Policy
Last updated: May 31, 2026
1. Overview
Velocity Chart for Jira ("the App") is built on the Atlassian Forge platform and operates entirely within Atlassian's infrastructure under the Runs on Atlassian trust boundary. The App is read-only, makes no outbound network calls to any external server, and stores no credentials of any kind. This document describes the App's security architecture and our practices.
2. Architecture & Runtime Environment
- No developer-operated servers: There is no external backend, database, or infrastructure operated by us. All compute and storage is provided by Atlassian.
- Sandboxed execution: Forge functions run in isolated, sandboxed containers with restricted system access managed by Atlassian.
- No external network egress: The App declares no egress domains and makes no outbound requests to any server outside the Atlassian platform. No external API keys or third-party services are involved.
- No AI: The App does not use any AI service. It performs deterministic arithmetic on sprint data only.
3. Access Control
| Control | Details |
|---|---|
| Read-only by design | The App requests no write scopes. It cannot create, edit, transition, or delete any Jira issue, sprint, board, or field. |
| App-context reads | All Jira API calls use `api.asApp()`, i.e. they run with the app-level scopes declared in the manifest rather than with the viewing user's permissions. |
| Minimal API scopes | Only the read scopes required to draw the chart are requested: read:jira-work, read:project:jira, read:board-scope:jira-software, read:board-scope.admin:jira-software, read:sprint:jira-software, and storage:app (Forge Storage). All of these are read scopes; read:board-scope.admin:jira-software grants read access to board configuration only. No write scopes are requested. |
| Developer access | None. We cannot read, access, or export any data stored in your Jira instance or Forge storage. All data resides within Atlassian's infrastructure. |
4. Data Protection
Data in transit:
- All Forge-to-Jira API calls use Atlassian's internal secured transport (TLS 1.2+).
- The App makes no outbound HTTPS calls to external services.
Data at rest:
- Only a short-lived cache of computed velocity numbers and discovery metadata is stored in Atlassian Forge Storage (KVS), hosted by Atlassian with encryption at rest.
- No credentials, tokens, or secrets are stored — there are none to store.
- Issue content (titles, descriptions, comments) and any personal/user data are never stored.
Data minimization:
- The App reads no assignee, reporter, or user fields. Velocity is computed at team/board level only — never per individual.
- Stored data is limited to numeric aggregates, issue keys, status names, and sprint/board identifiers.
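The data minimization rules above amount to an allow-list projection: compute the aggregates, then keep only the permitted fields before anything reaches Forge Storage. The following is an added illustration of that pattern, not the App's own source code. It assumes a story-point custom field id (`customfield_10016`), a Jira-like issue shape, and a handful of constructed sample issues, one of which carries assignee data that must never be persisted.

```javascript
// Added illustration (not the App's source): compute sprint velocity from
// Jira-shaped issue records and project the result onto an allow-list of
// fields before it would be written to Forge KVS. The field id and sample
// data below are constructed for this example.

// Only these keys may appear in a cached record (mirrors section 4).
const ALLOWED_CACHE_KEYS = new Set([
  "boardId", "sprintId", "sprintName", "committedPoints", "completedPoints",
  "completedIssueKeys", "statusNames", "cachedAt",
]);

// Keys that must never reach storage, even if an upstream response carries them.
const FORBIDDEN_KEYS = [
  "assignee", "reporter", "creator", "summary", "description", "comment",
  "emailAddress", "displayName",
];

// Assumed story-point field id (varies per site; constructed for the example).
const STORY_POINTS_FIELD = "customfield_10016";

function pointsOf(issue) {
  const raw = issue.fields?.[STORY_POINTS_FIELD];
  return typeof raw === "number" && Number.isFinite(raw) ? raw : 0;
}

function isDone(issue) {
  return issue.fields?.status?.statusCategory?.key === "done";
}

// Velocity for one sprint: committed = all issues in the sprint,
// completed = those whose status category is "done". Team-level only.
function computeVelocity(boardId, sprint, issues) {
  const done = issues.filter(isDone);
  return {
    boardId,
    sprintId: sprint.id,
    sprintName: sprint.name,
    committedPoints: issues.reduce((s, i) => s + pointsOf(i), 0),
    completedPoints: done.reduce((s, i) => s + pointsOf(i), 0),
    completedIssueKeys: done.map((i) => i.key).sort(),
    statusNames: [...new Set(issues.map((i) => i.fields?.status?.name).filter(Boolean))].sort(),
  };
}

// Defensive check: walk the object and fail closed if a forbidden key appears
// at any depth (catches user data smuggled inside an otherwise allowed field).
function assertNoPersonalData(obj, path = "record") {
  if (Array.isArray(obj)) {
    obj.forEach((v, i) => assertNoPersonalData(v, `${path}[${i}]`));
    return;
  }
  if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      if (FORBIDDEN_KEYS.includes(k)) throw new Error(`forbidden key ${path}.${k} in cache record`);
      assertNoPersonalData(v, `${path}.${k}`);
    }
  }
}

// Allow-list projection: drop anything not explicitly permitted, stamp the
// cache time, then run the fail-closed check before returning the record.
function toCacheRecord(velocity, now = new Date()) {
  const record = {};
  for (const [k, v] of Object.entries(velocity)) {
    if (ALLOWED_CACHE_KEYS.has(k)) record[k] = v;
  }
  record.cachedAt = now.toISOString();
  assertNoPersonalData(record);
  return record;
}

// Constructed sample: the shape a Jira search response might have, including
// user fields that the App must not carry into storage.
const SAMPLE_SPRINT = { id: 42, name: "Sprint 7" };
const SAMPLE_ISSUES = [
  { key: "VEL-1", fields: { [STORY_POINTS_FIELD]: 5, status: { name: "Done", statusCategory: { key: "done" } },
    assignee: { displayName: "A. Person", emailAddress: "a@example.com" } } },
  { key: "VEL-2", fields: { [STORY_POINTS_FIELD]: 3, status: { name: "Done", statusCategory: { key: "done" } } } },
  { key: "VEL-3", fields: { [STORY_POINTS_FIELD]: 8, status: { name: "In Progress", statusCategory: { key: "indeterminate" } } } },
  { key: "VEL-4", fields: { [STORY_POINTS_FIELD]: null, status: { name: "Done", statusCategory: { key: "done" } } } },
];

const cacheRecord = toCacheRecord(
  computeVelocity(7, SAMPLE_SPRINT, SAMPLE_ISSUES),
  new Date("2026-05-31T00:00:00Z"),
);
console.log(JSON.stringify(cacheRecord, null, 2));
```

The allow-list does the minimization; the recursive forbidden-key walk is a second, independent guard so that a change in the upstream response shape (for example a status object that one day embeds a user) makes the write fail rather than silently persisting personal data.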
5. No External Credentials or Integrations
The App does not require or accept any API keys, tokens, passwords, or third-party credentials. There is no configuration that could expose user secrets, and there are no integrations beyond the Atlassian platform itself. The gadget's user interface is a Forge Custom UI served from the App's own static resources; it contains only inline styles for its own chart and loads no third-party scripts.
6. Dependency & Vulnerability Management
- Runtime dependencies are limited to Atlassian's official Forge packages (@forge/api, @forge/resolver, @forge/kvs, @forge/bridge), maintained and patched by Atlassian.
- Build/test tooling is not included in the production runtime bundle.
- We run npm audit before every Marketplace release and resolve identified vulnerabilities, including those in dev-only dependencies.
- Security patches are deployed promptly via Forge; the Node.js runtime is maintained by Atlassian.
7. Incident Response
If a security issue is discovered in the App:
- We investigate and begin remediation promptly upon notification or discovery.
- A fix is deployed as a priority update via the Forge deployment pipeline.
- Affected customers are notified via the Marketplace listing and, where possible, directly.
To report a security vulnerability, contact support@janekbehrens.de with the subject line "Security Report — Velocity Chart". We aim to acknowledge reports within 2 business days.
8. Organizational Security Controls
- Access to production: Deployments are performed exclusively by the maintainer (Janek Behrens) via the authenticated Forge CLI.
- Source code: Maintained in a version-controlled repository under the maintainer's control.
- No sub-processors: We engage no sub-processors. All processing occurs within the Atlassian platform.
9. Compliance
- GDPR: The App does not collect or store personal data and does not read user fields. See our Privacy Policy.
- Atlassian security requirements: Built to comply with Atlassian Forge security requirements and the Marketplace security review.
- Runs on Atlassian: Operates under Atlassian's trust boundary, so Atlassian's infrastructure, security controls, and compliance certifications (SOC 2, ISO 27001, etc.) apply to the underlying platform.
10. What We Cannot Access
For complete transparency, we have no technical means to access:
- Any data in your Jira instance (issues, comments, attachments, user data)
- The cached data in Forge Storage within your instance
- Your Atlassian account credentials or session tokens
- Any personal data of your team members
11. Contact
For security questions or to report a vulnerability:
Email: support@janekbehrens.de
Subject: Security Report — Velocity Chart