QR Hub for Jira

Security
Policy

Atlassian Partner Requirements · Agilva Secure Development · Last updated: June 2026

Overview

Agilva Solutions is a certified Atlassian Marketplace vendor. This Security Policy describes two things: the security requirements we meet as an Atlassian partner, and the internal practices we follow when building, shipping, and maintaining QR Hub for Jira.

QR Hub for Jira is built entirely on Atlassian Forge — Atlassian's serverless, sandboxed app platform. Infrastructure-level security (compute isolation, network security, physical security, DDoS protection) is inherited directly from Atlassian's enterprise-grade platform.

🔒 Because QR Hub for Jira runs entirely on Forge with no external servers, APIs, or data egress, its attack surface is substantially smaller than traditional cloud apps. There is no Agilva-controlled backend to breach.

Atlassian Partner Requirements

All Atlassian Marketplace vendors must comply with Atlassian's Marketplace Partner Agreement. Key requirements and how QR Hub meets each:

  • Forge-Only Architecture — No external server, no webhook, no third-party API call of any kind.
  • Minimal Permission Scopes — Only the permissions necessary for app function are requested.
  • Privacy Policy Publication — Published at privacy.html and linked from the Marketplace listing.
  • Vulnerability Disclosure — Security contact monitored daily, documented below.
  • Dependency Hygiene — Regular dependency audits before every release.
  • Data Residency Compliance — Forge Storage data resides within the same region as the customer's Atlassian site.

Compliance Summary

Requirement Standard Status
No external data egressAtlassian Partner Agreement✓ Compliant
Minimal OAuth scopesAtlassian Partner Agreement✓ Compliant
Published Privacy PolicyAtlassian Partner Agreement✓ Compliant
Vulnerability disclosureAtlassian Partner Agreement✓ Compliant
SOC 2 Type IIAtlassian infrastructure✓ Inherited
ISO 27001Atlassian infrastructure✓ Inherited
Data residencyAtlassian Data Residency Program✓ Inherited
Independent pen testAtlassian Bug Bounty / PartnerPlanned — pre-launch

Secure Development

Agilva follows a security-first approach throughout the SDLC for all Marketplace apps.

Code review

All code changes require peer review before merging. Reviews explicitly check for injection risks, unsafe data handling, unnecessary permission use, and insecure defaults.

Security testing

  • Static analysis via ESLint with security-focused rule sets
  • Dependency vulnerability scanning via npm audit prior to every release
  • Manual review against the OWASP Top 10 for any feature touching user input or stored data

Forge security model

  • Each app execution runs in an isolated runtime — no shared state between tenants
  • Outbound network calls are restricted by Forge's egress controls; QR Hub makes none
  • All Forge Storage reads and writes are scoped to the installing tenant only

Access Control

Internal access

Production Forge environments are managed exclusively through the Atlassian Developer Console, protected by Atlassian's own SSO and MFA requirements.

No Agilva-controlled servers

There are no Agilva-managed servers, databases, or cloud infrastructure associated with QR Hub for Jira. No customer data reaches Agilva systems.

App permissions within Jira

QR Hub respects all existing Jira permission schemes. Users who lack access to an issue in Jira will not have that access granted by the app.

Data Handling & Retention

What is stored

The only data persisted by QR Hub is the URL entered into the Dashboard Gadget, stored via storage:app in Atlassian Forge Storage. This persists until the gadget is removed or the URL is updated.

What is not stored

  • Issue content, summaries, or field values
  • User identities or account IDs
  • QR code images (generated in-browser, never sent to any server)
  • Usage analytics or telemetry of any kind

Retention & deletion

Stored gadget URLs are automatically deleted when the app is uninstalled. Atlassian Forge Storage provides no mechanism for Agilva to access individual tenants' data outside the app's own runtime context.

Dependency Management

  • Audit before every releasenpm audit is run as part of the pre-release checklist. Releases are blocked if any high or critical severity vulnerabilities are detected.
  • Regular updates — Dependencies are reviewed and updated at minimum once per month, and immediately upon disclosure of a relevant CVE.
  • Minimal footprint — We avoid large general-purpose libraries where a native Forge API achieves the same result.

Incident Response

In the event of a confirmed security incident, Agilva will:

  1. Assess within 24 hours — determine scope, affected tenants, and severity.
  2. Contain — coordinate with Atlassian's security team if Forge-side; deploy a patch if code-side.
  3. Notify affected customers within 72 hours of confirming a breach affecting their data.
  4. Post-incident review — document root cause, timeline, and remediation. Update internal controls.

🚨 Given that QR Hub stores no personally identifiable information, the practical risk and scope of any incident is inherently limited.

Atlassian Forge Platform Security

By building on Forge, QR Hub inherits platform-level security controls maintained by Atlassian:

  • Compute isolation — Each app invocation runs in a fully isolated sandbox. No cross-tenant code execution is possible.
  • Encrypted storage — All data in Forge Storage is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • SOC 2 Type II & ISO 27001 — Atlassian's infrastructure is independently audited. See atlassian.com/trust.
  • Bug Bounty Programme — Atlassian operates an active bug bounty programme covering the Forge platform itself.

Security Contact

To report a security vulnerability or raise a security concern, contact us via the form and note "Security Disclosure" in your message. We treat all security reports as high priority and aim to respond within one business day.

We follow responsible disclosure practices and will credit your report in our release notes if you wish.