🔓 Security statement

We are committed to improving our security posture. That's why we created this page to answer basic questions about security in the PlanApply for Jira app.

Architecture

PlanApply for Jira Cloud is a Forge app. It stores all data inside Forge app storage, including:

  • data related to the application

  • data related to the users who use it

Sensitive data is kept in the Secret Storage provided by Atlassian. In the secret store, we save:

  • Remote repository connection details

  • Public provider settings

  • Submission settings

  • JWT Token used in communication with 3rd party app

  • Client secret Token, created during registration with 3rd party app

  • PlanApply AI assistant tokens exchanged during 3rd party client registration.

The app communicates with the 3rd party application using a JWT token, based on the Atlassian Forge recommendation described here: https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/

What data does the app process?

The app fetches the configuration data of the given instance that is available through the REST API: https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#about

It transforms the JSON data and helps convert it into Terraform code. All data is stored in Atlassian Forge app storage before submission to the external processor or a remote Git repository.

During submission to the external processor, the following data is sent:

  • All files related to current workspace

  • Origin instance URL

  • Client Secret (exchanged during registration)

  • JWT Token

  • Callback URLs

Inside the 3rd party process, the data is decoded, and the origin host and client secret are validated against the client registry. If all data matches, a temporary environment (Python AWS Lambda, image type) is created and the data is fetched into it. The environment is cleaned of any other data before processing to ensure security. During processing, workspace files are downloaded into separate temporary directories, which are removed immediately after processing. Processed data is sent back to the origin instance via the callback URLs.
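The validation and cleanup steps described above can be sketched as follows. This is an added example, not PlanApply's own code: the function names, the in-memory registry keyed by origin host, and all sample values are assumptions made for illustration.

```python
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Constructed stand-in for the client registry (the page keeps it in DynamoDB).
REGISTRY = {
    "example.atlassian.net": {
        "client_id": "client-123",
        "client_secret": "s3cr3t-constructed",
        "installation_id": "inst-1",
        "instance_url": "https://example.atlassian.net",
    }
}

def origin_host(url):
    """Return the lowercase hostname of an https URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()

def is_registered(origin_url, client_secret, registry=REGISTRY):
    """Check origin host and client secret against the registry."""
    host = origin_host(origin_url)
    record = registry.get(host) if host else None
    # Always run a constant-time comparison, even for unknown hosts,
    # so response timing does not reveal which hosts are registered.
    expected = record["client_secret"] if record else ""
    match = hmac.compare_digest(expected.encode(), client_secret.encode())
    return record is not None and match

def process_submission(origin_url, client_secret, files, handler):
    """Validate, then process workspace files in a directory removed on exit."""
    if not is_registered(origin_url, client_secret):
        raise PermissionError("origin or client secret not in client registry")
    with tempfile.TemporaryDirectory() as workdir:
        for name, content in files.items():
            safe = os.path.basename(name)  # drop directory parts of the name
            if safe in ("", ".", ".."):
                raise ValueError("unusable file name")
            with open(os.path.join(workdir, safe), "w", encoding="utf-8") as fh:
                fh.write(content)
        result = handler(workdir)
    return result, workdir  # workdir no longer exists at this point
```

The exact host match rejects look-alike origins such as a registered name used as a subdomain prefix, and the context manager removes the working directory even when the handler raises.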

The same actions happen during Git operations, but in that case data is also sent to or pulled from the remote Git repository.

The 3rd party process DOES NOT store any files or account-specific information. It is built entirely on a serverless architecture.

Logs do not contain any sensitive information, only data related to invocations. Logs collect only information about errors that can happen during processing, for debugging purposes. Logs are retained for 90 days.

The client registry stores its data in DynamoDB. The data stored there contains:

  • client_id

  • client_secret

  • installation_id

  • instance_url

The 3rd party processor is currently located in AWS, in the eu-central-1 region. It is planned to support multiple locations in the future.

AI Assistant: this feature uses a different processor, Azure OpenAI Assistants. The service is located in the us-east region. The assistant operates on threads, which are closed after a timeout. No data is permanently stored in Azure. Logs are retained for up to 90 days.

What permissions does the app require?

The app requires the following scope permissions in the instance:

- 'storage:app'
- 'read:jira-work'
- 'write:jira-work'
- 'read:jira-user'
- 'manage:jira-configuration'
- 'manage:jira-project'
- 'read:app-user-token'
- 'read:app-system-token'
- 'read:workflow:jira'
- 'read:workflow-scheme:jira'
- 'read:status:jira'
- 'read:workflow.property:jira'
- 'report:personal-data'

These scopes allow the app to properly fetch data from the instance.

Which employees have access to what data?

The app has two main features, accessible to different audiences. The admin page provides a full set of pages containing configuration and Terraform code. All interactions with 3rd party processors and remote Git repositories are configured and performed from there. Only site admins can access it.

The second feature is a designer. It allows all users to interact with and fetch configuration data based on the following scopes:

  • all configuration data is fetched with "asApp" scope, except:

  • dashboards, projects, filters, issue security schemes, project components, workflows

After a resource is chosen based on Atlassian scope, data is fetched and restricted according to the permissions of the account set up in Provider settings.

Does the app encode all data in transit and at rest?

Yes.

Does the app support data residency?

Partially.

Forge storage can be allocated to a region.

The 3rd party Terraform and Git processor is currently located only in the EU. It is planned to match Atlassian locations.

Azure AI services are only located in us-east location. If you are interested in enabling your region during client registration, please contact us at support@silessian.com

Does the app have a data retention policy?

Yes. The data are deleted 90 days after the app is uninstalled or after the first site's inactivity. Logs are retained for 90 days.

Does the app have a data backup policy?

Yes. DynamoDB backup is managed by AWS: https://aws.amazon.com/dynamodb/backup-restore/

Atlassian Forge storage is managed by Atlassian.

Other systems are volatile and do not require any backup.

AWS and Azure infrastructure can be restored according to AWS SLA for disaster recovery timings. All cloud provider statuses are available here:

If you have any questions about security, e-mail support@silessian.com