Security Policy
Purpose
This document outlines the security principles and practices followed by Vilisoft in the development, operation, and support of our Jira apps across both Cloud and Data Center (DC) deployments. Our objective is to safeguard customer trust by ensuring the confidentiality, integrity, and availability of data processed through our products.
Scope
This policy applies to:
- All Jira apps developed by Vilisoft, available via the Atlassian Marketplace for Cloud and Data Center hosting models.
- All internal infrastructure and operational processes related to the development, deployment, and support of those apps.
- Team members, contractors, and third-party services involved in providing our software or support.
Security Principles
We follow established best practices in line with the Confidentiality, Integrity, and Availability (CIA) model:
- Confidentiality: We restrict access to customer-related data to authorized team members, on an as-needed basis.
- Integrity: We maintain safeguards to prevent unauthorized modifications to plugin-related logic and configurations.
- Availability: We aim to provide a stable and responsive experience through robust cloud hosting and monitoring practices.
Key Security Controls
Access Control
Access to systems and repositories is limited to authorized personnel using strong authentication mechanisms (e.g., 2FA).
Secure Hosting
Our infrastructure is hosted in secure, cloud-based environments with physical and network protections managed by the provider.
Data Handling
The plugin does not store any Jira data outside of Atlassian Cloud. All processing occurs within Atlassian’s secure APIs and frameworks.
Software Development Practices
We follow secure coding practices, perform regular code reviews, and use automated tools to detect known vulnerabilities.
Incident Handling
We have internal procedures in place to respond to security-related incidents, including timely investigation and customer communication if necessary.
Regular Reviews
We periodically assess our architecture and processes to identify and mitigate security risks as our application evolves.
Minimal Data Footprint
We collect only essential data for plugin operation, support, and analytics (if applicable), in compliance with privacy expectations such as GDPR.
Data Handling and Isolation
We strictly separate responsibilities and data flow based on deployment model.
Cloud Apps
- All processing occurs within the Atlassian Cloud environment, using only the APIs and services provided by Atlassian.
- No customer project data, issue content, or credentials leave the Atlassian Cloud platform.
- We do not replicate or store this data outside the Atlassian-provided infrastructure.
Data Center Apps
- The entire application runs within the customer’s self-managed infrastructure.
- No customer data is transmitted to our servers or external services unless the customer explicitly initiates a support interaction.
- All data processing and storage remain entirely within the customer’s environment.
Data Minimization
- Our apps are designed to function with minimal access to Jira data. We do not store sensitive customer data unless absolutely required, and then only with user consent (e.g., during a support case).
- Temporary logs or debug data (if collected) are deleted once the support case is closed.
Responsibilities
- Our development and operations teams are responsible for implementing and maintaining appropriate security measures.
- Customers using Data Center apps are responsible for the security and configuration of their own hosting environments.
- All personnel are trained to follow security best practices and report potential issues promptly.
Customer Commitments
- We never access customer Jira instances unless explicitly requested for support purposes.
- We do not store customer project data, issue content, or user credentials.
- Support-related data (e.g., logs or metadata) is handled with care and deleted when no longer necessary.
Policy
This policy is reviewed periodically and updated as needed to reflect changes in our products, infrastructure, or the broader security landscape.
Contact
For questions, security concerns, or disclosures, please contact: jira.support@vilisoft.com