Security Policy

ImpactLoop Ltd., trading as ArdSaor, is committed to protecting your data. This Security Policy outlines our security practices, the protections provided by Atlassian Forge, and how we respond to security incidents.

1. Security Architecture

All ArdSaor apps are built exclusively on Atlassian Forge, a serverless platform that runs within Atlassian’s own infrastructure. This architecture means:

  • Customer data never leaves Atlassian’s cloud during normal app operation
  • No external servers or third-party hosting providers process your Jira data
  • Apps execute in isolated, sandboxed environments with no direct network egress
  • All API calls are authenticated and scoped to the permissions granted during installation

2. Data Encryption

Atlassian Forge provides comprehensive encryption for all data:

  • In transit: All communications use TLS 1.2 or higher
  • At rest: Forge Storage data is encrypted using AES-256
  • Key management: Encryption keys are managed by Atlassian using industry-standard practices

We do not store encryption keys or have the ability to decrypt data outside of Atlassian’s managed infrastructure.

3. Access Controls

We enforce strict access controls across all aspects of our operations:

  • Least privilege: Apps request only the OAuth scopes necessary for their features
  • Admin-only installation: Only Jira Cloud administrators can install our apps
  • Staff access: Team members access production environments only through Atlassian-administered interfaces
  • Multi-factor authentication: MFA is required for all developer and administrative accounts
  • Audit logging: All access to customer data is logged and monitored

4. Secure Development Practices

Our development process incorporates security at every stage:

  • Code review: All changes require peer review before deployment
  • Dependency scanning: Automated tools identify vulnerable dependencies
  • Static analysis: Code is analysed for security issues before release
  • Security testing: Regular security assessments of our apps and processes
  • Secure coding standards: Developers follow OWASP guidelines and Atlassian security best practices

5. Vulnerability Management

We maintain a proactive approach to identifying and addressing vulnerabilities:

  • Regular updates to address security patches in dependencies
  • Monitoring of security advisories for frameworks and libraries we use
  • Prompt remediation of identified vulnerabilities based on severity
  • Critical vulnerabilities are addressed within 24 hours of discovery

6. Incident Response

We maintain a documented incident response process:

  • Detection: 24/7 monitoring and alerting for anomalous behaviour
  • Response: On-call escalation procedures with defined roles and responsibilities
  • Notification: Affected customers and Atlassian notified within 72 hours of confirmed breach
  • Remediation: Root cause analysis and corrective actions documented
  • Communication: Regular updates provided until incident closure

7. Business Continuity

Our apps inherit Atlassian Forge’s high-availability infrastructure:

  • Apps are deployed across Atlassian’s distributed infrastructure
  • Forge Storage provides automatic data replication
  • No single point of failure for app execution

We maintain documented procedures for responding to service disruptions and restoring normal operations.

8. Third-Party Services

We minimise the use of third-party services for processing customer data:

  • Runtime: All app logic executes within Atlassian Forge; no external services process Jira data
  • Development: GitHub is used for source code management with appropriate security controls

Each third-party provider is bound by appropriate data processing agreements.

9. Compliance

Our security practices align with industry standards and regulatory requirements:

  • Compliance with Atlassian Marketplace Partner Agreement security requirements
  • Adherence to GDPR data protection principles
  • Alignment with OWASP security guidelines

We undergo Atlassian’s app review process, which includes security assessments, for Marketplace listing.

10. Security Reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue:

  • Email
  • Include a detailed description of the vulnerability and steps to reproduce
  • Allow reasonable time for us to investigate and address the issue before public disclosure

We commit to acknowledging reports within 48 hours and providing status updates throughout the resolution process.

11. Data Retention and Deletion

We follow strict data retention practices:

  • App data is retained in Forge Storage only while the installation is active
  • Upon uninstallation, all app data is purged within 30 days
  • Support logs containing customer data are retained for no longer than 30 days
  • Administrators can request immediate data deletion by contacting support

12. Changes to This Policy

We review and update this Security Policy regularly to reflect improvements in our practices and changes in the threat landscape. Material changes will be communicated through our website. The effective date below reflects the most recent revision.

Effective Date: January 2025

13. Contact

For security-related inquiries, contact us at . For general privacy questions, see our Privacy Policy or contact .