
Security Policy

Secret Scanner & PII Detector for Jira (GDPR, SOC2)

Last updated: 8 June 2026  ·  Version 1.0

This Security Policy describes how Micro SaaS (operated by Filippo Piconese) secures the Secret Scanner & PII Detector for Jira (GDPR, SOC2) app ("App") and the systems used to build, ship and support it. It complements our Privacy Policy and Data Processing Agreement, which describe how customer data is handled.

1. Security Architecture & Controls

The App is built and runs entirely on Atlassian Forge, which means it inherits Atlassian's certified infrastructure and we never operate our own servers, databases or storage for customer data. Concretely:

  • All processing occurs within Atlassian's ISO 27001 and SOC 2 certified infrastructure — we do not run any external servers or databases.
  • App code is sandboxed inside the Forge runtime with no outbound network access to systems outside Atlassian's platform.
  • Detected secret values are never persisted — only salted hashes (fingerprints) are stored, solely to avoid raising duplicate alerts on the same finding.
  • Access to the admin panel and historical scan controls is restricted to Jira workspace administrators via Atlassian's native permission model — the App does not implement its own authentication or authorisation layer.
  • All data at rest is stored exclusively in Forge Storage (encrypted by Atlassian) using namespaced keys to prevent cross-tenant or cross-app access.
  • All data in transit between the App and Atlassian's APIs is encrypted via TLS, end to end, by the Forge platform.

2. Secure Development Practices

  • Source code is kept in a private version-controlled repository with restricted, individually-attributed access.
  • Changes go through review and testing before being deployed to the production Forge environment.
  • We track the App's npm dependency tree and act on advisories surfaced by npm audit and Atlassian's Forge Dependency Scanner (EcoScanner).
  • Where a flagged dependency is part of our own production bundle, we patch and redeploy it. Where it originates from Atlassian's own build tooling (e.g. @forge/cli and its sub-dependencies, which never ship inside the deployed app), we report it back to Atlassian's Ecosystem Security team, since it is outside what a partner can remediate via standard package.json overrides.

3. Vulnerability Management

We run regular dependency and security checks on the App's codebase, and we review every vulnerability notice raised through Atlassian's Marketplace security tooling (Ecoscanner / Partner Vulnerability Dashboard) as it arrives.

  • Triage: every reported vulnerability is assessed to determine whether it affects the deployed app bundle (production-impacting) or only build/development tooling (non-production-impacting).
  • Remediation: production-impacting vulnerabilities are patched and redeployed in line with Atlassian's Security Bug Fix Policy and the due dates communicated for each finding, prioritised by severity.
  • Tooling-only findings: when the issue originates from Atlassian-maintained build tooling that is not bundled in the shipped app, we document our analysis and raise it with Atlassian's Ecosystem Security / Developer Support teams so the upstream package can be corrected.
  • Verification: after each patch we re-run npm audit and redeploy to production, confirming the fix before closing the related ticket.

4. Security Issue & Incident Reporting

If you discover a security issue, vulnerability or suspected incident affecting the App, please report it to us directly — we ask that you do not disclose it publicly until we have had a reasonable opportunity to investigate and remediate it.

  • Email: support@micro-saas.it (subject line: "Security report")
  • Marketplace: via the "Get support" link on the App's Atlassian Marketplace listing

Please include, where possible:

  • A description of the issue and its potential impact;
  • Steps to reproduce it, or a proof of concept;
  • Any relevant logs, screenshots or affected Jira workspace details (without including sensitive customer data).

5. Incident Response

When a security issue or incident is confirmed, we follow this process:

  • Acknowledge: we confirm receipt and begin triage, in line with the response targets defined in our Service Level Agreement (Critical issues: initial response within 12 business hours).
  • Contain & assess: we determine scope and impact — including whether any customer data may have been affected — and take immediate containment action where needed (e.g. disabling an affected feature).
  • Remediate: we develop, test and deploy a fix to the production Forge environment as quickly as the severity warrants.
  • Notify: if an incident affects customer data, we notify impacted customers and, where legally required, the relevant supervisory authority, without undue delay and in line with our obligations under GDPR and the commitments in our Data Processing Agreement.
  • Review: after resolution we review what happened and adjust our controls, processes or dependencies to reduce the chance of recurrence.

6. Infrastructure & Sub-processors

We do not operate any servers, databases or cloud infrastructure of our own for the App. The only infrastructure provider involved in running the App is:

Provider                          Role                                     Certifications
Atlassian Inc. (Forge platform)   Compute, Forge Storage, Jira REST API    ISO 27001, SOC 2

This landing website (secrets.micro-saas.it) is hosted separately and contains no customer data from your Jira workspace — it is purely informational and used to install the App.

7. Your Responsibilities

Security is a shared responsibility. As the customer, you are responsible for:

  • Managing access to your Jira workspace and the App's admin panel through Atlassian's permission and user-management controls;
  • Reviewing and acting on the findings the App surfaces (e.g. resolving or marking false positives on detected secrets/PII);
  • Keeping your own integrations, custom regex rules and Jira configuration free of sensitive data wherever possible.

8. Changes to This Policy

We may update this Security Policy from time to time to reflect changes in our practices, the Forge platform, or applicable regulations. Material changes will be announced via the Atlassian Marketplace listing. The "Last updated" date at the top of this page indicates when it was last revised.

9. Contact

For security reports or questions about this policy:

Micro SaaS — Filippo Piconese
Security & support: support@micro-saas.it
Website: www.micro-saas.it

© 2026 Micro SaaS — Filippo Piconese. All rights reserved.