Privacy Policy

Secret Scanner & PII Detector for Jira

Last updated: 5 June 2026  ·  Version 1.0

1. Introduction

This Privacy Policy describes how Micro SaaS (operated by Filippo Piconese, hereinafter "we", "us" or "Micro SaaS") processes personal data when you install and use Secret Scanner & PII Detector for Jira (the "App") on your Atlassian Jira Cloud workspace.

The App runs entirely on Atlassian Forge, Atlassian's serverless cloud platform. All processing occurs within Atlassian's infrastructure. We do not operate any independent servers, databases or data stores outside of the Forge environment.

Key takeaway: The App scans Jira content to detect secrets and PII, but never stores the actual secret values or raw PII data. Only metadata (timestamps, issue keys, rule names, detection counts) is retained.

2. Data Controller and Data Processor

Under the General Data Protection Regulation (GDPR) and applicable data protection laws:

  • Data Controller: The organisation that owns the Jira Cloud workspace where the App is installed (your company or organisation). As the controller, you determine the purposes and means of processing data in your Jira environment.
  • Data Processor: Micro SaaS (Filippo Piconese) acts as a data processor on your behalf. We process data only to provide the App's functionality and in accordance with your instructions.
  • Sub-Processor: Atlassian Inc. provides the Forge infrastructure (compute, storage, networking). Atlassian is a sub-processor under our Data Processing Agreement. Atlassian's own privacy practices are governed by the Atlassian Privacy Policy.

3. What Data We Process

The App processes the following categories of data:

3.1 Data Processed In-Memory (not stored)

  • Issue titles and descriptions
  • Comment body text
  • Custom Jira text field values (if configured)

This content is read at scan time, passed through the detection engine, and immediately discarded. We do not persist, transmit or log the raw content of issues or comments.

3.2 Data Stored in Forge Storage (Atlassian's infrastructure)

| Data category | What is stored | Purpose |
|---|---|---|
| Audit events | Timestamp, Jira issue key, detection type (credential / PII), rule name, match count, label actions, source (real-time / historical) | Admin audit log and Findings Summary dashboard |
| Issue status markers | Issue key + status ("open", "resolved", "falsePositive") | Tracking remediation state per issue |
| Idempotency markers | Hashed fingerprint (SHA-like hash) of issue ID + detection content hash | Preventing duplicate labels and comments on the same finding |
| App configuration | Scan schedule settings, custom regex rules (pattern and name), custom field IDs, audit retention limit | App functionality and admin preferences |
| Scan status | Status of the current or last background scan (running / complete / error), batch counters | Displaying scan progress in the admin UI |

3.3 Data We Do NOT Process

  • Actual secret values, API keys, passwords or private keys — these are detected but never stored
  • Full issue descriptions or comment text — content is processed in-memory only
  • Jira user personal data (names, email addresses, profile pictures, account IDs)
  • Attachments, linked issues or external resources

4. Lawful Basis for Processing

Processing is carried out on one or more of the following lawful bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)): Processing is necessary to provide the App's contracted service — detecting secrets and PII in the workspace you have licensed the App for.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring of software collaboration tools to prevent accidental exposure of credentials is a legitimate interest of the data controller.

5. Data Retention

Stored data is retained as follows:

  • Audit events: Retained for up to the number configured by the workspace admin (default 100, maximum 1000 events). Older events are automatically purged as new ones arrive.
  • Idempotency markers: Automatically cleaned up after 90 days.
  • Issue status markers: Retained until the admin manually deletes them via the "Reset All Data" function, or the App is uninstalled.
  • App configuration: Retained until the App is uninstalled or the admin resets settings.

When the App is uninstalled from a Jira workspace, Atlassian Forge automatically purges all data stored in Forge Storage for that installation.

6. Data Transfers

All data is stored within Atlassian's Forge infrastructure. Atlassian operates data centres in multiple regions. The specific region used depends on your Jira Cloud instance's location as configured in Atlassian's platform. No data is transferred to Micro SaaS systems or any third-party systems outside of Atlassian's infrastructure.

For transfers from the European Economic Area (EEA), Atlassian's standard contractual clauses and data transfer mechanisms apply. See the Atlassian data storage documentation for details.

7. Data Subject Rights

As the data controller, your organisation is responsible for facilitating the rights of data subjects under GDPR. The App provides the following tools to assist you:

  • Right of access (Art. 15): Audit log data is visible in the Findings Summary and Audit Log sections of the admin panel.
  • Right to erasure (Art. 17): Use the "Reset All Data" button in the Historical Background Scan section. This progressively deletes all stored scan data, audit events, labels and scanner comments for all issues.
  • Right to rectification (Art. 16): Issue status markers can be updated by the workspace admin (e.g., marking an issue as a false positive or clearing its status).
  • Right to restriction (Art. 18): Contact us at the address below. We will assist you in restricting processing for specific issues or users as required.

8. Security Measures

We implement the following technical and organisational security measures:

  • All processing occurs within Atlassian's ISO 27001 and SOC 2 certified infrastructure.
  • App code is sandboxed within the Forge runtime environment with no outbound network access to external services.
  • Secret values are never persisted — only hashed fingerprints are stored for idempotency.
  • Access to the admin panel is restricted to Jira workspace administrators via Atlassian's native permission model.
  • Forge Storage keys use namespaced prefixes to prevent cross-app data access.

9. Cookies and Tracking

The App itself does not use cookies or any tracking technologies. The App operates entirely within the Jira admin panel (Atlassian Forge UI) and does not load external scripts, analytics or advertising trackers.

This landing website (secrets.micro-saas.it) does not use cookies or analytics beyond what is strictly necessary for the page to function.

10. Sub-Processors

| Sub-processor | Role | Location |
|---|---|---|
| Atlassian Inc. | Forge infrastructure (compute, Forge Storage, Jira API) | United States / EU (region depends on your Jira instance) |

We will notify you of any material changes to our sub-processors by updating this Privacy Policy.

11. Children's Privacy

The App is a professional B2B security tool intended for use by organisations and their employees. It is not directed at individuals under 16 years of age. We do not knowingly collect data from children.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes will be communicated through the Atlassian Marketplace listing. Continued use of the App after changes become effective constitutes acceptance of the revised policy.

13. Contact

For any questions, data subject requests or to exercise your rights under this Privacy Policy, please contact:

Filippo Piconese — Micro SaaS
Email: privacy@micro-saas.it
Website: www.micro-saas.it
