Security Policy

1. Platform & Infrastructure Security

1.1 Built on Atlassian Forge

All Apps developed and published by Aptify Tech are built exclusively on the Atlassian Forge platform — Atlassian's serverless, native app hosting environment. This means:

  • No external servers operated by Aptify Tech: All app logic runs within Atlassian's infrastructure. We do not operate or maintain any backend servers, databases, or cloud services outside of Atlassian.

  • Atlassian-managed security: Infrastructure security (physical security, network security, server hardening, DDoS protection, etc.) is fully managed by Atlassian and covered by Atlassian's security program.

  • Data residency: All data storage uses Forge's built-in storage APIs, respecting your Atlassian instance's data residency settings.

  • Forge sandbox isolation: Each app runs in an isolated Forge sandbox environment, preventing cross-tenant data access.

1.2 No External Data Transmission

  • The app does not send any user data to external servers or third-party services.

  • All data processing occurs within the Atlassian Forge environment or the user's browser.

  • No analytics, telemetry, or tracking data is collected or transmitted.


2. Application Security

2.1 Secure Development Practices

We follow secure software development lifecycle (SDLC) principles:

  • Principle of Least Privilege: The app only requests the Jira API scopes that are strictly necessary for its functionality. All requested scopes are declared in the app manifest (manifest.yml), are visible to administrators at install time, and are reviewed by Atlassian during the app review process.

  • Input Validation and Output Encoding: All user inputs are validated and sanitized, and user-controlled content is encoded on output, to prevent injection attacks such as cross-site scripting (XSS). Cross-site request forgery (CSRF) is a separate class of issue that input validation does not address; requests from the app's UI to its backend functions are authenticated by the Forge platform rather than by browser cookies (see 2.2).

  • Dependency Management: Third-party libraries and open-source dependencies are regularly reviewed and updated to address known vulnerabilities.

  • Code Review: All code changes undergo internal review before release.

  • No Hardcoded Secrets: No API keys, credentials, or sensitive configuration values are hardcoded in the source code.
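As an added example, not code from Aptify Tech's app, the following shows what the validation and output-encoding items above look like in a Forge backend function. It assumes a hypothetical `saveTemplate` resolver whose payload carries `key`, `name` and `body` fields; the `@forge/resolver` registration and the `@forge/api` storage write are described in comments and omitted so the block runs offline. Field names and length limits are the example's own.

```javascript
// Added example: request validation for a Forge resolver that stores a
// user-supplied issue template. The real app would register this handler
// with @forge/resolver (resolver.define('saveTemplate', handleSaveTemplate))
// and persist the result with @forge/api's storage API; both calls are
// assumed here and omitted so the block runs offline.

const NAME_MAX_LEN = 100;    // assumption: display-name length cap
const BODY_MAX_LEN = 10000;  // assumption: template-body length cap
// The key becomes part of the Forge storage key. Restricting it to a short
// safe alphabet and namespacing it below stops a caller from reading or
// overwriting unrelated records (for example app configuration) by
// supplying a crafted key.
const KEY_PATTERN = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;
const KEY_PREFIX = 'template:';

// Output encoding for any path that renders template text as raw HTML.
// UI Kit and React escape text nodes by default; this is defence in depth
// for innerHTML / dangerouslySetInnerHTML style rendering.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Returns { ok: true, value } with a normalised copy of the allow-listed
// fields, or { ok: false, errors } listing every rejected field. Fields
// that are not on the allow-list are dropped rather than stored.
function validateTemplatePayload(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, errors: ['payload must be an object'] };
  }
  const errors = [];
  const { key, name, body } = payload;

  if (typeof key !== 'string' || !KEY_PATTERN.test(key)) {
    errors.push('key must be 1-64 chars of [A-Za-z0-9_-] starting alphanumeric');
  }
  const trimmedName = typeof name === 'string' ? name.trim() : '';
  if (typeof name !== 'string' || trimmedName.length === 0 || trimmedName.length > NAME_MAX_LEN) {
    errors.push(`name must be a non-empty string of at most ${NAME_MAX_LEN} characters`);
  } else if (CONTROL_CHARS.test(trimmedName)) {
    errors.push('name must not contain control characters');
  }
  if (typeof body !== 'string' || body.length > BODY_MAX_LEN) {
    errors.push(`body must be a string of at most ${BODY_MAX_LEN} characters`);
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { key, name: trimmedName, body } };
}

// Resolver handler shape: Forge invokes a resolver with { payload, context },
// where context.accountId is the calling user's Atlassian account ID set by
// the platform, not by the client. A missing ID means the call did not
// arrive through Forge, so it is rejected before any validation runs.
function handleSaveTemplate({ payload, context } = {}) {
  if (!context || typeof context.accountId !== 'string' || context.accountId.length === 0) {
    return { ok: false, errors: ['missing caller identity'] };
  }
  const result = validateTemplatePayload(payload);
  if (!result.ok) return result;
  const { key, name, body } = result.value;
  // In the real app this record would be written with
  // storage.set(KEY_PREFIX + key, record); here it is returned instead.
  return {
    ok: true,
    record: {
      key: KEY_PREFIX + key,   // namespaced storage key
      name,
      body,
      createdBy: context.accountId,
    },
  };
}
```

The two checks that matter most for a Forge app are the ones that are easy to forget: the storage key is derived from an allow-listed pattern plus a fixed prefix so user input can never address another record, and the caller identity comes from `context`, which the platform populates, rather than from anything in `payload`.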

2.2 Authentication & Authorization

  • The app relies entirely on Atlassian's authentication and authorization system. No custom authentication mechanisms are implemented.

  • Access to app features is governed by Jira's built-in permission model (project roles, global permissions).

  • Administrators can control who can create, edit, or use templates through standard Jira permission configurations.

2.3 Data Handling

  • App data (such as configurations and content created by users) is stored in Atlassian Forge Storage, which is scoped to the specific Atlassian site. No data is shared across tenants.

  • No personal data collection: The app does not collect, store, or process personally identifiable information (PII) beyond what Atlassian provides to the app during normal operation (e.g., the current user's Jira account ID for permission checks).


3. Vulnerability Management

3.1 Monitoring & Detection

  • We actively monitor Atlassian's security advisories and CVE databases for vulnerabilities affecting the Forge platform, Jira APIs, and our app's dependencies.

  • We subscribe to security alerts for all open-source libraries used in the app (via tools such as npm audit and GitHub Dependabot).

  • We review Atlassian's Security Bug Fix Policy and align our remediation timelines accordingly.

3.2 Severity Classification & Remediation Timeline

We follow a risk-based approach to prioritize vulnerability remediation:

Severity   Description                                                        Target Remediation Time
Critical   Remote code execution, authentication bypass, full data exposure   Within 24 hours
High       Significant data exposure, privilege escalation                    Within 7 days
Medium     Limited data exposure, requires user interaction                   Within 30 days
Low        Minimal impact, no direct data risk                                Within 90 days

3.3 Dependency Updates

  • Security-related dependency updates are applied as soon as patches are available.

  • Regular (non-security) dependency updates are reviewed and applied on a monthly basis.

  • Each app update goes through Atlassian's Marketplace review process before reaching users.

3.4 Responsible Disclosure

We welcome security researchers to responsibly disclose vulnerabilities. If you discover a potential security issue in our app:

  1. Do not publicly disclose the vulnerability before we have had a chance to address it.

  2. Report the issue to us via email at support@aptify.com with:

    • A clear description of the vulnerability

    • Steps to reproduce the issue

    • Potential impact assessment

    • Any suggested remediation (optional)

  3. We will acknowledge receipt within 48 hours and provide a remediation timeline within 7 business days.

  4. We commit to keeping you informed of progress and will credit your discovery (with your permission) once the issue is resolved.


4. Security Incident Response

4.1 Incident Definition

A security incident includes any event that may compromise the confidentiality, integrity, or availability of the app or user data, including but not limited to:

  • Unauthorized access to app functionality or data

  • Exploitation of a vulnerability in the app

  • Supply chain compromise affecting app dependencies

  • Accidental exposure of sensitive configuration

4.2 Incident Response Process

Our incident response follows these phases:

Phase 1 — Detection & Triage (0–4 hours)

  • Identify and confirm the incident

  • Assess initial severity and scope

  • Escalate to the security response team

Phase 2 — Containment (4–24 hours)

  • Isolate affected components where possible

  • Implement temporary mitigations

  • Preserve evidence for investigation

Phase 3 — Investigation & Remediation (24 hours – 7 days, depending on severity)

  • Root cause analysis

  • Develop and test a permanent fix

  • Deploy the fix through Atlassian Marketplace update

Phase 4 — Communication

  • Notify affected users through the Atlassian Marketplace listing and/or direct communication if contact information is available

  • Publish a post-incident summary for significant incidents

Phase 5 — Post-Incident Review

  • Document lessons learned

  • Update security controls and processes to prevent recurrence

4.3 Breach Notification

Since the app does not store personal data outside of Atlassian's infrastructure:

  • In the event of a data breach, Atlassian's own breach notification policies apply to the underlying infrastructure.

  • If a vulnerability in our app could expose data stored in users' Jira instances, we will notify affected users promptly and provide guidance on remediation steps.


5. General Security Controls

5.1 Access Controls (Internal)

  • Access to the app's source code repository is restricted to authorized Aptify Tech developers only.

  • Multi-factor authentication (MFA) is enforced for all developer accounts that have access to the source code, Atlassian Marketplace Partner portal, and Atlassian developer accounts.

  • Principle of least privilege is applied to all internal access rights.

5.2 Secure Development Environment

  • Development is conducted on managed devices with up-to-date operating systems and security software.

  • Code is hosted in private repositories with branch protection rules and required code reviews.

  • No production credentials or sensitive tokens are stored in source code repositories.

5.3 Supply Chain Security

  • All third-party dependencies are sourced from reputable package registries (npm).

  • Package integrity is verified using lock files (package-lock.json / yarn.lock), which pin exact dependency versions and record content hashes that the package manager checks at install time, so a tampered or substituted package fails to install.

  • We avoid dependencies with known, unpatched critical/high vulnerabilities.

5.4 Release & Update Security

  • Every app release is reviewed by Atlassian's Marketplace security team before being published.

  • App updates are digitally signed and delivered through Atlassian's secure distribution channel.

  • Users always receive app updates through the trusted Atlassian Marketplace update mechanism.


6. User Responsibilities

While we take every measure to secure our app, users also play a role in maintaining security:

  • Keep your Atlassian instance and apps up to date

  • Follow your organization's access control policies for Jira project permissions

  • Report any suspicious behavior related to this app to us at support@aptify.com

  • Review and adhere to Atlassian's security best practices for administrators


7. Contact

For security-related inquiries, vulnerability reports, or incident notifications:
General Support: support@aptify.com
Response Time: Acknowledgement of security issues within 48 hours (see 3.4 for the full disclosure process)


8. Policy Updates

This Security Policy will be reviewed and updated:

  • At least annually

  • Following any significant security incident

  • When there are material changes to the app's architecture or data handling

Changes will be reflected in the "Last Updated" date above and communicated through the Atlassian Marketplace listing.