Overview

LinkMap is a Jira and Service Desk add-on that prioritizes security and privacy. This document outlines our security architecture, data handling practices, and measures to protect customer data.

Architecture and Technology Stack

Hybrid Architecture

LinkMap operates using a hybrid architecture combining Atlassian Forge (frontend) and Atlassian Connect (backend remote):

• Forge Frontend: User interface components run on Atlassian's secure, sandboxed infrastructure. Benefits from Atlassian's zero-trust security model, automatic isolation, and built-in security controls.
• Connect Remote Backend: Application logic and database operations run on our infrastructure hosted by Heroku (Salesforce) in the European region.
• Communication: Secure communication between components via Forge Remote invocations with JWT authentication.

Infrastructure Provider

• Hosting: Heroku (Salesforce), exclusively in European data centers
• Database: Managed PostgreSQL database provided by Heroku with automatic backups
• Compliance: Heroku/Salesforce is ISO 27001, ISO 27017, SOC 2 Type II certified and GDPR compliant
• Data Processing Agreement: Available at Salesforce DPA

Data Collection and Storage

What Data We Collect

LinkMap follows the principle of data minimization, collecting only what is necessary for functionality:

Data Type	Purpose	Storage Location	Personal Data?
Atlassian Account ID	Associate saved layouts and settings with users	Heroku PostgreSQL (EU)	Yes (online identifier)
Instance authentication data (base URL, client key, public key)	JWT authentication and secure communication	Heroku PostgreSQL (EU)	No
User-created configurations (saved layouts, JQL queries, display settings)	Provide personalized functionality	Heroku PostgreSQL (EU)	No (associated with Account ID)
Application logs	Security monitoring, error diagnosis, support	Heroku (EU)	No (anonymized)

What We Don't Collect

• No Jira issue content: We do not store issue titles, descriptions, comments, or attachments
• No user tracking: We do not use Google Analytics or any other tracking/analytics services
• No personal information: We do not collect names, email addresses, or other identifying information beyond Account ID
• No behavioral data: We do not monitor which features you use or how often

Data Storage Details

• Storage Region: All data is stored exclusively in the European region via Heroku's (AWS) EU data centers
• Encryption at Rest: Database encryption provided by Heroku PostgreSQL
• Encryption in Transit: TLS 1.3 for all data transmission
• Backup: Daily automated backups with 7-day retention, stored in the European region
• Log Retention: Application logs retained for 7 days maximum, with no personal data logged

Data Deletion

We implement multiple mechanisms to ensure timely data deletion:

• App Uninstallation: All data (Account IDs, configurations, instance data) is automatically deleted when the app is uninstalled
• Account Closure Detection: Approximately once per day, we query the Atlassian Personal Data Reporting API to identify closed or deactivated accounts and automatically delete associated data within 24-48 hours
• User Request: Users may request deletion of their data at any time by contacting LinkMap@buering.net
• Backup Deletion: Deleted data is purged from backups within 7 days (backup retention period)

Authentication and Access Control

User Authentication

• JWT Authentication: Utilizes JWT (JSON Web Token) authentication as provided by the Atlassian Connect Express (ACE) framework
• User Context: All operations execute in the authenticated user's context, respecting Jira/Confluence permissions
• No Stored Credentials: We do not store user passwords or authentication credentials
• Session Security: Secure session management handled by Atlassian Connect framework

Administrative Access

• Role-Based Access Control (RBAC): Administrative access limited to authorized personnel only
• Multi-Factor Authentication (MFA): Required for all administrative access to infrastructure
• Principle of Least Privilege: Personnel have access only to systems necessary for their role
• Access Logging: All administrative access is logged for security auditing

Permission Scopes and Justification

LinkMap requests the minimum permissions necessary for functionality, following the principle of least privilege:

Scope	Justification	Risk Level
read:jira-work	Essential: Read issue and link data for visualization (core functionality)	Low - Read Only
read:connect-jira	Required: Validate JQL queries	Low - Read Only
read:jql:jira	Essential: Execute JQL searches to define issue scope for layouts	Low - Read Only
delete:issue-link:jira	Required: Allow users to delete links (user-initiated action only, respects permissions)	Medium - Write
read:sprint:jira-software	Feature: Apply LinkMap to sprint issues in Jira Software	Low - Read Only
read:app-user-token	Architecture: Enable remote backend to invoke Atlassian APIs with user permissions (Forge remote requirement)	Low - Token Only
report:personal-data	GDPR Compliance: Use Personal Data Reporting API to identify closed accounts for data deletion	Low - Compliance

Scope Usage Details

• No Create Scope: LinkMap cannot create new issues, epics, or other Jira entities
• No Update Scope: LinkMap cannot modify existing issues (titles, descriptions, fields, etc.)
• Limited Write: The only write operation is link deletion, which requires explicit user action and respects user permissions
• User Context Only: All data access is performed in the authenticated user's context - users can only see data they're already authorized to access

Data Flow and Browser Communication

• Direct Browser-to-Atlassian: The majority of traffic occurs directly between the user's browser and Atlassian Cloud REST APIs, minimizing data passing through our backend
• User Permission Context: Browser requests are evaluated on the Jira instance within the context of the executing user, meaning each user can only access/edit data permitted by their Jira permission configuration
• No Server-Side Caching: We do not cache Jira issue data on our servers

Security Measures (Technical and Organizational)

Technical Security Measures

• Encryption in Transit: TLS 1.3 for all network communication
• Encryption at Rest: Full database encryption provided by Heroku PostgreSQL
• Secure Authentication: JWT-based authentication via Atlassian Connect Framework
• Access Control: Role-based access control (RBAC) with least privilege principle
• Multi-Factor Authentication: Required for all administrative access
• Dependency Scanning: Regular automated scanning for vulnerable dependencies (OWASP)
• Security Headers: Content Security Policy (CSP), HSTS, X-Frame-Options, and other security headers configured
• Input Validation: All user inputs validated and sanitized to prevent injection attacks
• Secure Logging: No personal data in logs; logs anonymized and retained for 7 days only

Organizational Security Measures

• Security by Design: Security considerations integrated into development lifecycle
• Incident Response Plan: Documented procedures for security incident handling and notification
• Regular Updates: Timely application of security patches and updates
• Vendor Management: Review of sub-processor security and compliance (Heroku/Salesforce, Atlassian)
• Data Protection Officer: Designated contact for privacy and security matters

Vulnerability Management

• Bug Bounty Program: Participation in the Atlassian Marketplace Security Bug Bounty program for continuous security threat assessment
• Responsible Disclosure: If a security threat is detected, we will follow Atlassian's protocol and recommendations, and take appropriate actions deemed necessary
• Patch Timeline: Critical vulnerabilities addressed within 7 days, high severity within 30 days, medium/low severity within 90 days
• Dependency Monitoring: Automated monitoring of third-party dependencies for known vulnerabilities

GDPR and Privacy Compliance

Data Subject Rights

We support all GDPR data subject rights:

• Right of Access (Art. 15): Users can request information about data we store about them
• Right to Rectification (Art. 16): Users can request correction of inaccurate data
• Right to Erasure (Art. 17): Users can request deletion of their data at any time
• Right to Data Portability (Art. 20): Users can request export of their data in JSON format
• Right to Object (Art. 21): Users can object to data processing

Contact: To exercise any of these rights, contact LinkMap@buering.net

Personal Data Reporting API

• Transparency: We report all Account IDs we store to Atlassian via the Personal Data Reporting API
• User Visibility: Users can see which apps store their data on their Atlassian Account profile
• Automated Deletion: Daily checks identify closed accounts, triggering automatic data deletion within 24-48 hours
• Scope Justification: The report:personal-data scope is used exclusively for GDPR compliance

Data Processing Agreement

• Heroku/Salesforce: Acts as sub-processor; DPA available at Salesforce DPA
• Atlassian: Acts as sub-processor for Forge components; DPA available at Forge DPA
• Standard Contractual Clauses: EU-approved SCCs in place for international data transfers

Data Residency

Current Implementation

• Storage Location: All Connect Remote backend data stored exclusively in Heroku's (AWS) European data centers
• No Multi-Region Support: LinkMap does not currently support Atlassian's Data Residency feature for automatic migration when customers move their Atlassian instance to different regions
• Forge Components: Data processed by Forge components follows Atlassian's data residency policies automatically based on the customer's Atlassian instance location

Forge Remote and Data Residency

For apps using Forge Remote (like LinkMap), Atlassian provides realm pinning capabilities. However, since LinkMap stores data in a fixed European location via Heroku, automatic migration is not currently supported. Customers requiring specific data residency guarantees should contact us to discuss options.

Compliance and Certifications

Our Commitments

• GDPR Compliance: Full compliance with EU General Data Protection Regulation
• Atlassian Security Requirements: Compliance with Atlassian Cloud App Security Requirements
• Marketplace Standards: Adherence to Atlassian Marketplace security and privacy guidelines

Infrastructure Provider Certifications

Heroku/Salesforce maintains the following certifications:

• ISO 27001 (Information Security Management)
• ISO 27017 (Cloud Security)
• ISO 27018 (Cloud Privacy)
• SOC 2 Type II
• GDPR Compliance
• EU-U.S. Data Privacy Framework participation

Incident Response

Security Incident Procedures

• Detection: 24/7 monitoring and alerting for security events
• Assessment: Immediate evaluation of incident severity and impact
• Containment: Rapid response to contain and mitigate threats
• Investigation: Root cause analysis and documentation
• Notification: Affected parties notified within 72 hours as required by GDPR Art. 33
• Remediation: Implementation of corrective measures to prevent recurrence
• Post-Incident Review: Documentation and process improvement

Breach Notification

In the event of a personal data breach, we will:

• Notify the competent supervisory authority (LDI NRW) within 72 hours where feasible
• Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms
• Provide clear information about the nature of the breach, likely consequences, and measures taken
• Document all breaches, including facts, effects, and remedial actions taken

Support Data Handling

Customer Support

• Support Channels: Email support (LinkMap@buering.net), online documentation, and the LinkMap support portal
• Customer Responsibility: Customers are responsible for sanitizing all information (URLs, sensitive data in logs, screenshots, etc.) before sharing with us for support purposes
• Support Data Storage: All support information is saved in a Jira Cloud instance provided by Atlassian, accessible only to authorized personnel
• Third-Party Sharing: Support information may be shared with Atlassian at our discretion to provide better support. It will not be shared with any other third party without explicit written authorization from the customer
• Retention: Support data retained for the duration of the support case plus 90 days, then deleted unless legally required to retain longer

Customer Responsibilities

• Access Management: It is the customer's sole responsibility to provide all required mechanisms to maintain the privacy and security of the data and access to the app
• Atlassian Data Security Policies: Customers may use Atlassian's Data Security Policies feature to control which apps can access data based on security classifications
• Permission Reviews: Regularly review app permissions and remove apps that are no longer needed
• User Training: Ensure users understand data handling practices and security responsibilities
• Data Sanitization: Sanitize sensitive information before sharing for support purposes

No Third-Party Data Sharing

• No Analytics or Tracking: We do not use Google Analytics or any other third-party analytics/tracking services
• No Marketing: Collected data is never used for marketing purposes or shared with marketing platforms
• No Data Sales: We do not sell, rent, or trade customer data to any third parties
• Limited Sub-Processors: Only Heroku (hosting) and Atlassian (platform) have access to infrastructure; no other third parties receive data

Updates to This Security Policy

We reserve the right to update this Security Policy as our practices evolve or as required by law. Material changes will be announced through:

• Notification in the app
• Update to the "Last Updated" date at the top of this document

Customers are encouraged to review this policy periodically to stay informed about how we protect data.

Contact and Responsible Disclosure

For security concerns, questions, or to report a vulnerability, please contact:

Security Contact:
Thorsten Büring
LinkMap@buering.net
Bommershöfer Weg 46
40670 Meerbusch
Germany

Responsible Disclosure: If you discover a security vulnerability, please report it to us at LinkMap@buering.net. We request that you do not publicly disclose the issue until we have had an opportunity to address it. We will acknowledge receipt within 48 hours and provide a timeline for resolution.

Acceptance

• By installing the app, the customer agrees to all the terms described in this policy.

Related Documentation

• LinkMap Privacy Policy
• LinkMap Terms of Use
• Atlassian Cloud Security Statement
• Atlassian Marketplace Security Requirements
• Heroku Security, Privacy, and Compliance