Atlassian Partner Requirements · Agilva Secure Development · Last updated: June 2026
Agilva Solutions is a certified Atlassian Marketplace vendor. This Security Policy describes two things: the security requirements we meet as an Atlassian partner, and the internal practices we follow when building, shipping, and maintaining QR Hub for Jira.
QR Hub for Jira is built entirely on Atlassian Forge — Atlassian's serverless, sandboxed app platform. Infrastructure-level security (compute isolation, network security, physical security, DDoS protection) is inherited directly from Atlassian's enterprise-grade platform.
🔒 Because QR Hub for Jira runs entirely on Forge with no external servers, APIs, or data egress, its attack surface is substantially smaller than traditional cloud apps. There is no Agilva-controlled backend to breach.
All Atlassian Marketplace vendors must comply with Atlassian's Marketplace Partner Agreement. Key requirements and how QR Hub meets each:
| Requirement | Standard | Status |
|---|---|---|
| No external data egress | Atlassian Partner Agreement | ✓ Compliant |
| Minimal OAuth scopes | Atlassian Partner Agreement | ✓ Compliant |
| Published Privacy Policy | Atlassian Partner Agreement | ✓ Compliant |
| Vulnerability disclosure | Atlassian Partner Agreement | ✓ Compliant |
| SOC 2 Type II | Atlassian infrastructure | ✓ Inherited |
| ISO 27001 | Atlassian infrastructure | ✓ Inherited |
| Data residency | Atlassian Data Residency Program | ✓ Inherited |
| Independent pen test | Atlassian Bug Bounty / Partner | Planned — pre-launch |
Agilva follows a security-first approach throughout the SDLC for all Marketplace apps.
All code changes require peer review before merging. Reviews explicitly check for injection risks, unsafe data handling, unnecessary permission use, and insecure defaults.
npm audit prior to every releaseProduction Forge environments are managed exclusively through the Atlassian Developer Console, protected by Atlassian's own SSO and MFA requirements.
There are no Agilva-managed servers, databases, or cloud infrastructure associated with QR Hub for Jira. No customer data reaches Agilva systems.
QR Hub respects all existing Jira permission schemes. Users who lack access to an issue in Jira will not have that access granted by the app.
The only data persisted by QR Hub is the URL entered into the Dashboard Gadget, stored via storage:app in Atlassian Forge Storage. This persists until the gadget is removed or the URL is updated.
Stored gadget URLs are automatically deleted when the app is uninstalled. Atlassian Forge Storage provides no mechanism for Agilva to access individual tenants' data outside the app's own runtime context.
npm audit is run as part of the pre-release checklist. Releases are blocked if any high or critical severity vulnerabilities are detected.In the event of a confirmed security incident, Agilva will:
🚨 Given that QR Hub stores no personally identifiable information, the practical risk and scope of any incident is inherently limited.
By building on Forge, QR Hub inherits platform-level security controls maintained by Atlassian:
To report a security vulnerability or raise a security concern, contact us via the form and note "Security Disclosure" in your message. We treat all security reports as high priority and aim to respond within one business day.
We follow responsible disclosure practices and will credit your report in our release notes if you wish.