Security Statement

Time Reports for Jira Cloud is Atlassian Connect Add-On (Add-On) Software as a Service (SaaS).

Data Security

The Add-On is static, i.e. all data (specifically Time Tracking data) is requested from Jira Cloud and processed by add-on client side in End User Browser and is not passed anywhere else.

Here is the list of Jira REST API used client side:

• /rest/api/2/search - issues and time tracking data.
• /rest/api/2/issue/{issueIdOrKey} - to load complete issue for Sum Sub-Tasks.
• /rest/api/2/issue/{issueIdOrKey}/worklog - to load complete issue worklog.
• /rest/api/2/user - to get details (display name, groups, timezone) of logged in user or user selected in menu.
• /rest/api/2/filter/favourite - filters for Filter reports' option.
• /rest/api/2/field - fields for Field reports' option.
• /rest/api/2/mypermissions - to check whether current user has Administrator priveleges to configure add-on
• /rest/api/2/user/picker - users search for User reports' option.
• /rest/api/2/groups/picker - groups search for Timesheet Auditors Groups configuration
• /rest/api/2/issueLinkType - issue link types for Composition Issue Link configuraiton

Add-on persists add-on configuration (group names, link or field names selected in add-on configuration) in Jira Cloud itself using Hosted Data Storage service.

Add-On declares READ scope to access data as just described.

Add-On also declares WRITE and DELETE scopes to manage (create/update/delete) worklog records from add-on report or dashboard item in Jira Cloud.

Privacy Policy

There is no usage data collected by the add-on, beside diagnostics logging in case of error. Add-on uses Papertrail logging service via Heroku to log execution stack trace and cause details, including user information, as passed by Atlassian Connect Framework, e.g. https://timereports.github.io/timereports.html?project.key=DEMO&v=2&tz=Europe%2FPrague&loc=en-US&user_id=admin&user_key=admin&xdm_e=https%3A%2F%2Fjiratimesheet.atlassian.net&xdm_c=channel-timereports__timereports&cp=&lic=active&cv=1.1.91. Note, there is no support team maintaining the add-on, so no one else can access the logs.

Managing Security Vulnerabilities

Security vulnerability bugs, when found, get highest priority and are fixed in 2 days and rolled out immediately, without any notification.

Refernces

• Papertrail Software Services Agreement
• Atlassian OnDemand Security
• Heroku Privacy Statement