
Security Policy

How ScrumNav protects Jira Cloud customer data.

Last updated: 31 May 2026 · ScrumNav, Finland · Report issues via support or email

At a glance

ScrumNav is a Forge app for Jira Cloud. The app runs on Atlassian Forge, stores app data in Forge storage, and does not send customer Jira data to ScrumNav-operated application servers. The Forge app stores only Atlassian account IDs needed for team roster and Scrum Poker—not display names or avatars in app storage. See our Privacy Policy for details. Our website and support email are separate from the app runtime.

Scope

This policy describes how ScrumNav secures its Jira Cloud app, development process, and customer support systems.

For how we process personal data, see our Privacy Policy.

Architecture & data location

  • Forge runtime. ScrumNav runs on the Atlassian Forge platform. App logic executes in Forge functions; the Custom UI is served from Forge static resources. We do not operate application servers that store or process customer Jira data.
  • Storage. App configuration and collaborative state are stored in Forge storage:app on Atlassian infrastructure for each customer site installation. What is stored is described in our Privacy Policy.
  • Caching. For performance, short-lived caches of Jira API metadata (for example board lists, typically about 10 minutes) may be held in the same Forge storage. They are not copied to ScrumNav-operated servers.
  • Jira API. The app reads and updates Jira data exclusively through Atlassian APIs, and only with the signed-in user’s Jira permissions. We do not request Atlassian Personal Access Tokens (PATs), Jira passwords, or other shared secrets from end users.
  • Forge app data flows. The Forge app does not send customer Jira data to ScrumNav-operated external backends.
  • Website & support. scrumnav.com hosts marketing, legal, and support pages. Support requests may be sent to contact@scrumnav.com and are handled separately from Forge app storage.

Security controls

We apply the following controls in line with our size as a focused Forge app vendor:

  • Access control. ScrumNav does not grant third-party access to source code, deployment credentials, or production configuration. Only authorised maintainers may access these; production deploys use the Atlassian Forge CLI with authenticated developer accounts.
  • Least privilege. The app manifest declares only the OAuth scopes required for sprint planning, capacity, Scrum Poker, and reports. Permissions are documented in our Marketplace listing.
  • Secure development. Dependencies are managed via npm with lockfiles; we review dependency updates before release. We do not embed secrets in client-side UI bundles or commit credentials to the repository.
  • Environment separation. We use separate Forge environments (for example development and production) for testing versus customer-facing deployments.
  • Logging. We do not intentionally log end-user personal data in application code. Platform logs may be available to Atlassian as part of Forge operations.
  • Website. Public pages are served over HTTPS. Support form submissions are validated server-side (size limits, attachment limits) before email delivery.

Vulnerability management

  • We monitor security advisories for dependencies (npm) and for the Forge platform via Atlassian developer communications.
  • Security issues reported through our support form (topic Security) or by email are triaged on receipt. We aim to acknowledge reports within about 2 business days (Mon–Fri, Finland), consistent with our general support response time.
  • Confirmed vulnerabilities are prioritised by severity and exploitability. For critical issues affecting confidentiality or integrity of customer data in the app, we aim to remediate and deploy a fix as soon as practicable — often within about 30 days, depending on complexity, testing, and Atlassian Marketplace review cycles. We do not guarantee a fixed timeline for every issue.
  • Fixes are delivered through updated Forge app versions deployed to the production environment and made available via the normal Marketplace upgrade path.

Security incidents

If we become aware of a security incident affecting ScrumNav or vendor systems that hold customer-related data:

  • We will investigate promptly, contain where possible, and remediate root causes.
  • We will notify affected customers and Atlassian where required by law, contract, or Marketplace obligations, including when personal data may have been compromised.
  • Customers can report suspected incidents or vulnerabilities via the support form (choose topic Security vulnerability or incident) or by email to contact@scrumnav.com with subject Security. Include steps to reproduce and impact if known.

For incidents primarily within Atlassian Cloud (Jira or Forge platform), customers should also follow Atlassian Trust reporting channels.

Customer responsibilities

  • Review requested OAuth scopes before approving installation.
  • Manage who can install and administer apps on your Jira site through Atlassian administration.

Subprocessors & third parties

  • Atlassian — Forge runtime, Jira Cloud APIs, Forge storage, Marketplace billing and licensing.
  • Website hosting provider — serves scrumnav.com and processes support form email delivery to our mailbox.
  • Email provider — stores messages sent to or from contact@scrumnav.com for support purposes.

Changes to this policy

We may update this policy when our practices or the app change. The “Last updated” date at the top will change accordingly. Material changes will be reflected on this page before or when they take effect.

Report a security issue

Use our support form so we receive a ticket reference and confirmation email. Choose topic Security vulnerability or incident and describe steps to reproduce and impact if known.


Prefer email? contact@scrumnav.com (subject Security) · General support: scrumnav.com/support · Privacy: scrumnav.com/privacy
