This Security Policy describes how User Account Manager protects data, controls access, and handles vulnerabilities. The app is built on Atlassian Forge and inherits Atlassian's cloud security practices.
Overview
User Account Manager is built on Atlassian Forge, a serverless platform hosted and managed by Atlassian on AWS infrastructure. The app does not operate any external servers, databases, or third-party services.
Infrastructure
- Runs entirely within Atlassian's secure cloud environment
- The only external communication is with the Atlassian Admin API (api.atlassian.com)
- No browser cookies, local storage, or session storage used
Encryption
- Data at rest: encrypted by Atlassian using industry-standard encryption
- Data in transit: all API communications use HTTPS/TLS
- Backups: managed by Atlassian with the same encryption standards
Access Control
- Restricted to Jira organisation administrators at the platform level
- Enforced before any app code executes
- Non-administrators cannot access any functionality
API Key Protection
- Stored securely on the backend only
- Never exposed to the frontend or logged
- Validated before storage, retrieved on demand and never cached
Data Handling
- User data is fetched in real time and not persistently stored
- All administrative actions are recorded in audit logs
- No data is shared with or transmitted to any third party
- CSV exports are generated client-side in the browser
Vulnerability Reporting
If you discover a security issue, please report it responsibly via our service desk:
Report a Security Issue