At Portfolio Manager, we take the security of your data seriously. Because our application integrates directly into your Jira environment, this policy outlines our commitment to security, our architectural footprint, and how data is handled.
Security Architecture Summary: Portfolio Manager is built exclusively on the Atlassian Forge serverless framework. All app code runs on infrastructure operated by Atlassian, so your data is never processed or stored on independent, external infrastructure and never leaves the Atlassian cloud ecosystem.
1. Data Storage & Isolation
No External Databases: We do not operate external servers, databases, or cloud storage systems. The only state the app keeps is the application configuration it needs to run, and that is stored within Atlassian's storage for Forge apps (the Forge Storage API), scoped to your Atlassian site.
No Persistence of Jira Content: Your Jira issue data, portfolio structures, and user metrics are read on demand and processed in real time, either in the user's web browser or on Atlassian's Forge compute. This content is not copied to, cached on, or persisted by any infrastructure owned or controlled by us.
2. Data Transit & Encryption
Encryption in Transit: All communications between your browser, the app components, and the Jira REST APIs are encrypted using industry-standard Transport Layer Security (TLS 1.2 or higher), provided natively by the Atlassian platform.
No External Egress: The application does not send data to any third-party analytics, tracking, or external APIs. Forge enforces this at the platform level: an app can only make outbound network calls to domains explicitly declared in its manifest, and Portfolio Manager declares none. Your data remains strictly inside your Atlassian site.
3. Infrastructure & Platform Security
By leveraging the Atlassian Forge platform, Portfolio Manager inherits Atlassian’s robust, enterprise-grade security posture, including:
Compute Isolation: App code runs in sandboxed functions on Atlassian-managed infrastructure, isolated from other apps and tenants and provisioned, patched, and monitored directly by Atlassian.
Authentication & Authorization: The app relies entirely on Atlassian's Identity and Access Management (IAM). Users authenticate with Atlassian, not with us, and calls to Jira are made through Forge's platform-managed API access. We never see, collect, or store user passwords or authentication tokens.
4. Application Permissions (Least Privilege)
The app requests only the minimum permission scopes required to read and display your portfolio data. These scopes are declared in the app's manifest and presented to the site administrator for approval at installation, and the Forge platform rejects any API call outside the approved scopes. Any future change that adds a scope requires a new major version, which administrators must explicitly re-approve before it takes effect.
5. Vulnerability Management
Dependency Scanning: We routinely audit and scan the open-source dependencies bundled in our code package against known vulnerability databases.
Prompt Patching: When a vulnerability is reported in the app or one of its dependencies, the fix or dependency update is released as soon as it is available, so the deployed app code remains current.
6. Reporting a Vulnerability
If you discover a potential security vulnerability in Portfolio Manager, please do not disclose it publicly, and please do not describe it in a public GitHub issue, since issues are visible to everyone. Report it privately by email at: felixtrihardjo@gmail.com, or through our GitHub repository's private vulnerability reporting channel where that is available. We review all security reports promptly.