Security Statement
Timesheet Reports and Gadgets for Jira Cloud is an Atlassian Connect Add-On (Add-On) delivered as Software as a Service (SaaS).
Data Security
The Add-On reads Jira data (specifically Time Tracking data) from the Jira Cloud instance and processes it server-side. Worklog data is additionally stored in Cloudant DBaaS as a persistent cache.
Here is the list of Jira REST API endpoints used:
- /rest/api/2/search - issues and time tracking data.
- /rest/api/2/issue/{issueIdOrKey} - to load the complete issue for Sum Sub-Tasks.
- /rest/api/2/issue/{issueIdOrKey}/worklog - to load the complete issue worklog.
- /rest/api/2/user - to get details (display name, groups, timezone) of the logged-in user or the user selected in the menu.
- /rest/api/2/filter/favourite - filters for Filter reports' option.
- /rest/api/2/field - fields for Field reports' option.
- /rest/api/2/mypermissions - to check whether the current user has Administrator privileges to configure the add-on.
- /rest/api/2/user/picker - users search for User reports' option.
- /rest/api/2/groups/picker - groups search for Timesheet Auditors Groups configuration.
- /rest/api/2/issueLinkType - issue link types for Composition Issue Link configuration.
The Add-On persists its configuration (group names, link or field names selected in the add-on configuration) in Jira Cloud itself using the Hosted Data Storage service.
The Add-On declares the READ and ACT_AS_USER scopes so that the add-on backend can access the data as just described.
The Add-On also declares the WRITE and DELETE scopes to manage (create/update/delete) worklog records from the add-on report or dashboard item in Jira Cloud.
Privacy Policy
The Add-On may log usage details for better diagnostics in case of an error. It uses the Papertrail logging service via Heroku to log the execution stack trace and cause details, including user information as passed by the Atlassian Connect Framework, e.g. https://timereports.github.io/timereports.html?project.key=DEMO&v=2&tz=Europe%2FPrague&loc=en-US&user_id=admin&user_key=admin&xdm_e=https%3A%2F%2Fjiratimesheet.atlassian.net&xdm_c=channel-timereports__timereports&cp=&lic=active&cv=1.1.91
Note that there is no support team maintaining the add-on, so no one else can access the logs.
Managing Security Vulnerabilities
Security vulnerability bugs, when found, get the highest priority, are fixed in 2 days, and are rolled out immediately, without any notification.