What data do we have access to?
When you install a JIRA Cloud add-on the add-on can request certain 'scopes' of access. For the Out-Of-Office Assistant case, we require READ, WRITE, ACT_AS_USER and ADMIN scopes. This means the add-on is granted access to all JIRA REST APIs marked with these permissions on this page: jira rest scopes. The wide use of rights is necessary because the addon has to assign issues and comment on the users behalf. And it should not just act as user, as then the assignments and comments would look like they come from the user himself, which proofed to be disturbing.
When a cloud add-on is installed, we store a public and secret key in our database. We store this so that our add-on can make authenticated requests to your JIRA instance as well as receive authenticated requests from your JIRA instance. This is pretty standard for any Atlassian connect add-on for JIRA Cloud.
Full disclosure here - we can use the public key and secret to make authenticated REST calls to any of the REST APIs mentioned on the page linked above manually. However we not done so yet. If we ever need to, to debug a extra tricky problem, we will also ask for your permission first before performing these requests. You can revoke these rights at any time simply by disabling/uninstalling our add-on in your JIRA instance. This is the case with all Connect Add-On's, so not special to us.
What data do we store in our database?
We try to store as little identifying information about your data (issues, projects etc) as possible in our database. Things we do store:
- The clientKey of your JIRA Instance,
- A JWT keypair
- Audit log entries
- We store what you see in the audit log UI basically. Issue keys & ids, assignee account ids as well as any changes made to the issue shown on the left hand side in the audit log.
- We don't store full issue details. (This may change in the future to enable us to make our rule execution queue more fault tolerant, but this data would only exist for the lifetime of the rule execution).
All out of office rules information is not stored on our servers but in the user data space of your JIRA user.
We also collect Google analytics to better help us understand how our users use the front-end, so that we can build better features. We do not include identifying information however in these analytics (such as issue data, config data etc).
We treat customer privacy and security seriously. We believe in full transparency around these issues. As far as we are concerned, your data is yours and we do not share your data with any third parties (unless we are legally obligated to do so - however this case has not arisen yet).
More general information about how we treat your personal data can be found in the general Data Protection Statement.