Security Policy
We are committed to protecting user data, ensuring secure communication between Jira and Telegram, and complying with Atlassian’s security standards.
1. Data Flow & Storage
- The plugin acts as a bridge between Jira and Telegram, transmitting issue updates, comments, and notifications.
- No persistent storage of user messages, credentials, or issue data occurs outside Atlassian or Telegram APIs.
- All data exchanged is ephemeral and used solely for message delivery and context linking.
2. Authentication & Authorization
- Jira users authenticate via OAuth 2.0 or Atlassian Forge scopes.
- Telegram bot access is managed via a bot token, stored securely using the Forge Storage API.
- Role-based access control ensures only authorized users can trigger or receive notifications.
3. Encryption
- All data in transit is encrypted using TLS 1.2+.
- Telegram API calls are made over HTTPS; Jira API interactions follow Atlassian’s security protocols.
- No sensitive data (e.g., passwords, tokens) is exposed in logs or transmitted in plaintext.
4. Vulnerability Management
- Regular dependency audits are performed using tools like npm audit, Snyk, or OWASP Dependency-Check.
- Security patches are applied promptly upon discovery or notification.
- We follow Atlassian’s Security Bugfix Policy.
5. Logging & Monitoring
- Logs are anonymized and exclude PII.
- Monitoring is limited to operational metrics (e.g., delivery success, API latency).
- No user content or credentials are retained in logs.
6. Compliance & Data Protection
- Users may request data deletion or export via the Jira admin panel or the plugin settings.
- No third-party data sharing occurs without explicit consent.
- The plugin complies with Atlassian’s Data Security Policy.
7. Incident Response
- In case of a security incident, we follow a documented response plan.
- Immediate containment and impact assessment are performed.
- Notification is provided to affected users and Atlassian.
- Root cause analysis and remediation are completed after every incident.