How we protect your data, secure our products, and maintain the transparency you deserve.
Security
How we protect your data
Security is foundational to everything we build. We follow industry best practices and leverage the security infrastructure of trusted cloud platforms to keep your data safe.
Atlassian Forge Platform
Our Jira products are built on Atlassian Forge, meaning your data is processed and stored entirely within Atlassian's cloud infrastructure. No data leaves the Atlassian environment. No external servers are involved.
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted through the hosting platform's native encryption mechanisms.
Access Control
Our products implement role-based access control (RBAC) at every level. Admin, engineer, and viewer roles are derived from existing Jira permissions. Role creation and configuration is controlled by admins or users explicitly delegated by an admin — the app never creates or modifies roles without authorized action.
Minimal Permissions
We request only the permissions necessary for our products to function. Each scope is documented and justified. No unnecessary data access.
Role Management
Our products may create Jira project roles as configured by your admin (e.g., approval chain roles). Roles are created only when explicitly configured and saved. The app does not delete any Jira roles — role deletion remains fully under your Jira admin's control.
Data Handling
Your data, your control
We believe you should always know where your data is, what we do with it, and how to remove it.
No External Data Storage
For Forge-based products, all application data is stored in Atlassian's Forge Storage (KVS). We do not maintain external databases, analytics servers, or data warehouses that hold your information.
No Third-Party Data Sharing
We do not sell, share, or transfer your data to third parties for advertising, analytics, or any other purpose. Your data is used exclusively to provide the service you subscribed to.
Data Portability
Our products provide built-in export capabilities (e.g., CSV export for audit logs) so you can extract your data at any time. Your data is never locked in.
Data Deletion
Uninstalling our app removes all application data from Forge Storage. We also provide in-app reset tools for granular data deletion without full uninstallation.
Development Practices
How we build secure software
Secure Development Lifecycle
Security is considered at every stage of development, from design through deployment. We review code for security implications before release.
Dependency Management
We regularly audit and update third-party dependencies to address known vulnerabilities. Our CI/CD pipeline includes automated checks for outdated or vulnerable packages.
Input Validation & Sanitization
All user inputs are validated and sanitized server-side to prevent injection attacks, XSS, and other common vulnerabilities.
Compliance & Transparency
Our commitments
We maintain clear, accessible policies and are committed to transparency in how we operate.
Privacy Policy Terms of Service Service Level Agreement RBAC in All Products Audit Trail Data Export
Documented Permissions
Every API scope and permission our products request is documented with a clear justification for why it's needed. We never request more access than necessary.
Incident Response
In the event of a security incident, we commit to timely communication, transparent investigation, and corrective action. Critical incidents are acknowledged within 4 business hours.
If you have questions about our security practices, need a security review, or want to report a vulnerability, please contact us at support@inventles.com.