Access Evidence — Data Security & Privacy Statement

1. Scope

This statement applies to the Access Evidence cloud app published by ImpactLoop Ltd. (trading as ArdSaor) on Atlassian Marketplace. It covers app behavior in Jira Cloud and Confluence Cloud environments where the app is installed.

2. Provider, roles, and hosting model

• Provider: ImpactLoop Ltd. (ArdSaor)
• Platform: Atlassian Forge
• Runtime location: Atlassian-managed cloud infrastructure
• Role: We act as a processor for customer content handled by the app and as a controller for direct support interactions (for example, support email conversations).

3. Data categories processed by Access Evidence

Access Evidence processes the minimum categories needed to run access reviews and produce audit evidence, including:

• Project/space scope metadata selected for a review campaign
• Permission and access-assignment metadata needed for review findings
• Reviewer decisions (keep/remove/exception), notes, and timestamps
• Remediation tracking status and verification notes
• Configuration settings for campaigns, retention, and optional notifications
• Operational metadata required for app reliability, diagnostics, and auditability

4. Purpose of processing

Data is processed only to deliver app functionality: creating review campaigns, presenting findings, recording review decisions, tracking remediation, and exporting evidence packs for compliance workflows. We do not sell customer data and do not use customer data for advertising.

5. Security controls

• Encryption in transit: TLS-protected transport for platform/API communication
• Encryption at rest: Data stored using Atlassian-managed encryption controls in Forge
• Least privilege: App scopes are limited to permissions required for supported features
• Access controls: Internal access is limited to authorized personnel on a need-to-know basis
• Logging and monitoring: Operational events are logged for troubleshooting and security response
• Secure development: Code review and dependency/security checks are part of release flow

6. Data residency and transfer

During normal app operation, Access Evidence runs on Atlassian Forge and processes customer data within Atlassian infrastructure. If support requires customer-provided artifacts (for example screenshots or logs sent by admins), those are handled through ArdSaor support channels under this statement and our broader privacy policy.

7. Retention and deletion

• Review data and decision history are retained while the app remains installed, subject to configured retention settings where applicable.
• On uninstall, app data is scheduled for deletion according to Forge/Atlassian platform behavior and ArdSaor operational procedures.
• Support artifacts are retained only as long as needed for support, security, and legal obligations.

8. Incident response

ArdSaor maintains an incident response process for investigation, containment, remediation, and communication. If we confirm unauthorized access affecting customer data, we will notify impacted parties and Atlassian in line with contractual and legal obligations.

9. Customer controls and requests

Site admins control app installation, permissions, and access within Atlassian products. Data/privacy requests can be sent to privacy@ardsaor.com, and security questions can be sent to security@ardsaor.com.

10. Related policies

• ArdSaor Privacy Policy
• ArdSaor Security Policy
• ArdSaor Support

11. Version and updates

Last updated: 2026-03-09 (America/Vancouver)

We may update this statement to reflect product changes, security improvements, or regulatory requirements.