Security Statement

Last updated: December 2025

Overview

Armada is built on Atlassian Forge, Atlassian's cloud-native app development platform. Armada's backend code runs in Atlassian's hosted Forge runtime and its data lives in Forge Storage, so customer data stays within Atlassian's infrastructure at all times.

Forge-Native Architecture

As a Forge app, Armada benefits from:

  • Sandboxed Execution: All app code runs in Atlassian's isolated Forge runtime; Armada operates no servers of its own
  • No External Servers: No data is transmitted to or stored on third-party infrastructure
  • Platform Updates: Security patches to the Forge runtime and platform are applied automatically by Atlassian; Armada's own dependencies are covered by the scanning described under Secure Development Practices
  • Platform Compliance: Runs within Atlassian infrastructure covered by Atlassian's SOC 2 and ISO 27001 certifications and GDPR commitments (see Compliance below); these certifications cover the platform, not a separate audit of the app

Data Security

Data at Rest

All configuration and campaign data is stored using Forge Storage, which provides AES-256 encryption at rest within Atlassian's cloud infrastructure.

Data in Transit

All communications between Armada and Jira APIs occur within Atlassian's internal network using TLS 1.2+ encryption.

Data Isolation

Each Jira site's data is logically isolated. Armada cannot access data from other Atlassian sites or tenants.

Authentication & Authorization

  • No Credentials Stored: Armada does not store user passwords or API tokens; authentication to Jira is handled by the Forge platform
  • Permission Inheritance: Users can only see and act on issues that their own Jira permissions allow
  • Scoped Access: Armada requests only the minimum Forge scopes required:
    • read:jira-work - Read issue and project data
    • write:jira-work - Create issues and add comments
    • read:jira-user - User search and display name resolution
    • storage:app - Store configuration and campaign data in Forge Storage

User Data Usage

Armada uses the Jira Cloud REST API (/rest/api/3/user/search and /rest/api/3/user) with the read:jira-user scope to:

  • Provide assignee autocomplete in the Armada UI
  • Resolve Jira accountIds to display names for better readability

This data is processed transiently inside the Atlassian Forge runtime. Armada does not persist user profile data (display name, email address, etc.) in Forge Storage or anywhere else, and does not send it to any third-party service. Only Atlassian accountId references may be stored, for technical purposes such as recording who launched a campaign.
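The handling described above, as an added example that is not Armada's own code: display names are resolved in memory for the duration of a request, and the record written to storage carries accountId references only. The fixture is constructed to resemble a trimmed GET /rest/api/3/user/search response; no network call is made, and the field names, function names and record shape are assumptions for illustration.

```javascript
// Added example, not Armada's code. Display names are resolved transiently;
// only accountIds reach the persisted campaign record. All data is constructed.

// Profile fields that must never reach persistent storage.
const PROFILE_FIELDS = new Set(['displayName', 'emailAddress', 'avatarUrls', 'timeZone', 'locale']);

// Constructed fixture (shape modelled on a trimmed Jira Cloud user search response).
const SAMPLE_USERS = [
  { accountId: '5b10a2844c20165700ede21g', accountType: 'atlassian', active: true,
    displayName: 'Mia Krystof', emailAddress: 'mia@example.com' },
  { accountId: '5b10ac8d82e05b22cc7d4ef5', accountType: 'atlassian', active: true,
    displayName: 'Emma Richards', emailAddress: 'emma@example.com' },
  { accountId: '712020:deactivated-0001', accountType: 'atlassian', active: false,
    displayName: 'Former Staff', emailAddress: 'former@example.com' },
  { accountId: '557058:app-0001', accountType: 'app', active: true,
    displayName: 'Some Bot', emailAddress: 'bot@example.com' },
];

// Candidates for the assignee autocomplete: active human accounts only, and
// only the two fields the UI needs. Nothing here is written to storage.
function autocompleteCandidates(users, query) {
  const q = query.trim().toLowerCase();
  return users
    .filter(u => u.accountType === 'atlassian' && u.active)
    .filter(u => q === '' || u.displayName.toLowerCase().includes(q))
    .map(u => ({ accountId: u.accountId, displayName: u.displayName }));
}

// Transient accountId -> displayName map, built per request and dropped with it.
function buildDisplayNameMap(users) {
  return new Map(users.map(u => [u.accountId, u.displayName]));
}

// Render a stored accountId. Accounts that were deleted or not returned by the
// lookup fall back to the opaque id instead of failing the whole render.
function resolveDisplayName(accountId, nameMap) {
  return nameMap.get(accountId) ?? `Unknown user (${accountId})`;
}

// Build the record that goes into Forge Storage. Whatever the caller passes in
// (typically full user objects from the autocomplete), only accountIds survive.
function toPersistedCampaign(draft, launchedBy) {
  if (typeof launchedBy?.accountId !== 'string') throw new TypeError('launchedBy.accountId is required');
  return {
    campaignId: draft.campaignId,
    issueKeys: [...draft.issueKeys],
    assigneeAccountIds: draft.assignees.map(a => a.accountId),
    launchedByAccountId: launchedBy.accountId,
    launchedAt: draft.launchedAt,
  };
}

// Guard to run before every storage write: does the value contain any profile
// field at any depth?
function containsProfileData(value) {
  if (Array.isArray(value)) return value.some(containsProfileData);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => PROFILE_FIELDS.has(k) || containsProfileData(v));
  }
  return false;
}
```

The point of `containsProfileData` is that the data-minimisation claim becomes testable: a storage wrapper can refuse any write for which it returns true, so a future refactor that starts persisting full user objects fails in CI rather than in production.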

Secure Development Practices

  • Input Validation: All user inputs are validated against Zod schemas before they are used
  • Rate Limiting: API calls are rate-limited to prevent abuse
  • Error Handling: Error messages returned to users are sanitized so that internal details such as stack traces are not exposed
  • Dependency Scanning: Automated vulnerability scanning for all dependencies
  • Code Review: All changes undergo peer review before deployment
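An added example, not Armada's own code, showing the first three controls above combined in one request handler. The validator is a hand-written stand-in with the same ok/data-or-errors contract as a Zod `safeParse`, so the file runs without dependencies; the rate limiter is an in-memory token bucket keyed by the caller's accountId; and every thrown error is mapped to a response that carries only a reference id, with the full detail going to a server-side log. The request shape, the `launch` dependency and the log sink are assumptions for illustration.

```javascript
// Added example, not Armada's code: validation, per-caller rate limiting and
// error sanitisation in one handler. Inputs used in comments are constructed.

const ISSUE_KEY = /^[A-Z][A-Z0-9_]*-\d+$/;

// Stand-in for a Zod schema's safeParse(): returns { ok, data } or { ok, errors }.
function validateLaunchRequest(input) {
  if (!input || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const { campaignName, issueKeys } = input;
  if (typeof campaignName !== 'string' || campaignName.trim().length === 0 || campaignName.length > 120) {
    errors.push('campaignName must be a string of 1-120 characters');
  }
  if (!Array.isArray(issueKeys) || issueKeys.length === 0 || issueKeys.length > 500) {
    errors.push('issueKeys must be a non-empty array of at most 500 keys');
  } else {
    for (const k of issueKeys) {
      if (typeof k === 'string' && ISSUE_KEY.test(k)) continue;
      // Echo at most a short, JSON-escaped prefix of a bad string; for other types, only the type.
      const shown = typeof k === 'string' ? JSON.stringify(k).slice(0, 40) : typeof k;
      errors.push(`invalid issue key: ${shown}`);
    }
  }
  if (errors.length > 0) return { ok: false, errors };
  // Rebuild from whitelisted fields only, so unknown keys never reach business logic.
  return { ok: true, data: { campaignName: campaignName.trim(), issueKeys: [...issueKeys] } };
}

// Per-caller token bucket: `capacity` requests of burst, refilled at `refillPerSec`.
class TokenBucket {
  constructor(capacity, refillPerSec) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map(); // key -> { tokens, updatedAt }
  }
  take(key, now = Date.now()) {
    const b = this.buckets.get(key) ?? { tokens: this.capacity, updatedAt: now };
    const elapsedSec = Math.max(0, now - b.updatedAt) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedAt = now;
    const allowed = b.tokens >= 1;
    if (allowed) b.tokens -= 1;
    this.buckets.set(key, b);
    return allowed;
  }
}

// Errors the caller is allowed to see carry an explicit status and message.
class ClientError extends Error {
  constructor(status, message) { super(message); this.name = 'ClientError'; this.status = status; }
}

// Correlation id for the client response; crypto-quality randomness is not required here.
function newErrorRef() {
  return globalThis.crypto?.randomUUID?.() ?? Math.random().toString(36).slice(2);
}

// Map any thrown value to a response. Full detail (name, message, stack) goes to the
// server-side log under `ref`; an unexpected error reaches the client as a generic 500.
function sanitizeError(err, log) {
  const ref = newErrorRef();
  log({ ref, name: err?.name, message: err?.message, stack: err?.stack });
  if (err instanceof ClientError) return { status: err.status, body: { error: err.message, ref } };
  return { status: 500, body: { error: 'Internal error; quote the reference when contacting support', ref } };
}

// Handler combining the three controls. `deps.launch` is a hypothetical function that
// performs the launch; `deps.log` receives the detailed error records; `deps.now` is injectable.
function handleLaunch(request, deps) {
  const { bucket, launch, log, now = Date.now() } = deps;
  try {
    const caller = request?.context?.accountId;
    if (typeof caller !== 'string') throw new ClientError(401, 'Unauthenticated');
    // Rate limit before validation, so malformed requests also consume the caller's budget.
    if (!bucket.take(caller, now)) throw new ClientError(429, 'Too many requests');
    const parsed = validateLaunchRequest(request.body);
    if (!parsed.ok) throw new ClientError(400, parsed.errors.join('; '));
    return { status: 200, body: launch(parsed.data, caller) };
  } catch (err) {
    return sanitizeError(err, log);
  }
}
```

Two design choices worth noting: validation failures are reported with a bounded, escaped echo of the offending value rather than the raw input, and the 500 path never forwards `err.message`, because messages from storage or HTTP clients routinely contain hostnames, keys or request internals.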

Audit Trail

Armada maintains audit logs for governance-related actions including:

  • Campaign launches and recalls
  • Approval requests and decisions
  • Configuration changes

Logs are stored in Forge Storage and accessible to Jira administrators.

Incident Response

In the event of a security incident:

  • We follow Atlassian's incident response procedures
  • Affected customers will be notified within 72 hours
  • Post-incident reports are available upon request

Compliance

As a Forge app, Armada operates within Atlassian's compliance framework:

  • SOC 2 Type II: Covered under Atlassian's SOC 2 certification
  • ISO 27001: Operates within Atlassian's certified ISMS
  • GDPR: Data processing compliant with GDPR requirements
  • Data Residency: Data stored in your Atlassian cloud region

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email: [email protected]
  • Include detailed reproduction steps
  • Allow reasonable time for remediation before public disclosure

Contact

For security-related questions or concerns, contact us at [email protected].