Forge Platform Security Foundation

ProjectClone is built on Atlassian's Forge platform, inheriting enterprise-grade security by design:

Zero External Data Transfer

All ProjectClone operations occur entirely within your Jira Cloud instance. No project data, configurations, or metadata ever leaves Atlassian's infrastructure.

Forge Security Architecture

Server-Side Processing

All cloning operations run on Atlassian's secure servers, not in user browsers or external systems.

Isolated Execution

Each app runs in isolated containers with restricted permissions and network access.

Native API Integration

Direct integration with Jira APIs using secure, authenticated connections without external endpoints.

Infrastructure Security

Atlassian Cloud Infrastructure

ProjectClone leverages Atlassian's world-class cloud infrastructure:

  • AWS Global Infrastructure: Multi-region deployment with automatic failover
  • Data Center Security: Physical security controls and 24/7 monitoring
  • Network Security: Encrypted data transmission and network isolation
  • Infrastructure Monitoring: Continuous security monitoring and threat detection

Data Protection & Privacy

ProjectClone implements comprehensive data protection measures aligned with global privacy standards:

Data Handling Principles

Data Minimization

ProjectClone processes only the data necessary for cloning operations - no user content, comments, or attachments.

Transient Processing

Data is processed in-memory during cloning operations and not permanently stored by ProjectClone.

No External Storage

All data remains within your Jira instance throughout the entire cloning process.

What Data is Accessed

Data Access Scope
Project Configuration Data:
├── Project metadata (name, key, description)
├── Workflow schemes and configurations
├── Permission schemes and role assignments
├── Issue type schemes and field configurations
├── Component definitions and component leads
├── Project versions and release information
└── User roles and group memberships

NOT Accessed:
✗ Issue content and descriptions
✗ Comments and work logs
✗ File attachments
✗ Custom field values
✗ Historical issue data
✗ User personal information beyond roles

Permission Inheritance

ProjectClone can only access projects and data that the authenticated user already has permission to view. It cannot bypass or elevate existing Jira permissions.

Access Controls & Authentication

Multi-layered access controls ensure only authorized users can perform cloning operations:

Authentication Layers

1. Atlassian Account Authentication

Users must be authenticated with valid Atlassian accounts and have access to the Jira instance.

2. Jira Permission Validation

Users must have appropriate Jira project permissions (at minimum Project Administrator or Browse Project).

3. ProjectClone Authorization

Additional ProjectClone-specific permissions, configured by administrators, control who can clone projects.

Permission Matrix

Access Control Matrix
User Type               | View Projects | Clone Projects | Admin Config
------------------------|---------------|----------------|-------------
Jira Administrator      | All           | All            | Full
Project Administrator   | Assigned      | Assigned       | None
ProjectClone User       | Granted       | Granted        | None
Standard Jira User      | Standard      | None           | None
Anonymous/External      | None          | None           | None
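As an added illustration (not ProjectClone's own code) of the three authentication layers and the permission-inheritance rule above, the function below decides what a caller may do from the parsed response of Jira's GET /rest/api/3/mypermissions endpoint, which an app would fetch with the caller's own identity so that Jira's answer already caps what the user may see. The specific permission keys required for cloning and the administrator-maintained allow-list for layer 3 are assumptions.

```javascript
// Added example, not ProjectClone's own code. Models the three authorization
// layers from this page as a pure function over the parsed JSON of Jira's
// GET /rest/api/3/mypermissions?projectKey=<KEY>&permissions=<keys> response.
// Assumptions (hypothetical): cloning requires BROWSE_PROJECTS plus
// ADMINISTER_PROJECTS in Jira; layer 3 is an allow-list of account IDs.

const REQUIRED_TO_VIEW = ["BROWSE_PROJECTS"];
const REQUIRED_TO_CLONE = ["BROWSE_PROJECTS", "ADMINISTER_PROJECTS"];

// True only if every key is present with havePermission === true.
// Missing keys count as denied, so an unexpected response never grants access.
function hasAll(myPermissions, keys) {
  const granted = (myPermissions && myPermissions.permissions) || {};
  return keys.every((k) => granted[k] && granted[k].havePermission === true);
}

// Returns { decision: "deny" | "view-only" | "clone", reason }.
// Each layer can only narrow the outcome; none can widen what Jira granted.
function authorizeClone({ accountId, myPermissions, cloneAllowList }) {
  // Layer 1: Atlassian account authentication. Anonymous callers have no ID.
  if (!accountId) return { decision: "deny", reason: "unauthenticated" };
  // Layer 2: Jira permission validation, starting with plain visibility.
  if (!hasAll(myPermissions, REQUIRED_TO_VIEW)) {
    return { decision: "deny", reason: "no-browse-permission" };
  }
  // Still layer 2: cloning needs project-admin rights on the source project.
  if (!hasAll(myPermissions, REQUIRED_TO_CLONE)) {
    return { decision: "view-only", reason: "not-project-admin" };
  }
  // Layer 3: ProjectClone-specific authorization set by administrators.
  if (!cloneAllowList.has(accountId)) {
    return { decision: "view-only", reason: "not-in-clone-allow-list" };
  }
  return { decision: "clone", reason: "ok" };
}

// Constructed sample in the mypermissions response shape: a project admin.
const SAMPLE_PROJECT_ADMIN = {
  permissions: {
    BROWSE_PROJECTS: { key: "BROWSE_PROJECTS", havePermission: true },
    ADMINISTER_PROJECTS: { key: "ADMINISTER_PROJECTS", havePermission: true },
  },
};
```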

Session Security

  • Session Management: Secure session handling with automatic timeouts
  • Token-Based Auth: Short-lived tokens for API operations
  • CSRF Protection: Cross-site request forgery prevention
  • Rate Limiting: Protection against abuse and automated attacks

Compliance Standards & Certifications

ProjectClone inherits Atlassian's comprehensive compliance certifications and maintains additional security standards:

Inherited Atlassian Certifications

SOC 2 Type II

System and Organization Controls certification for security, availability, and confidentiality

ISO 27001

International standard for information security management systems

Privacy Shield & GDPR

EU-U.S. Privacy Shield framework and General Data Protection Regulation compliance

Regulatory Compliance

GDPR Compliance

General Data Protection Regulation adherence:

  • Data Minimization: Only necessary configuration data is processed
  • Purpose Limitation: Data used only for project cloning operations
  • Storage Limitation: No long-term data retention by ProjectClone
  • User Rights: Data subject rights handled through Atlassian's infrastructure

US Federal Requirements

Compliance with US government and enterprise standards:

  • FedRAMP: Federal Risk and Authorization Management Program readiness
  • FISMA: Federal Information Security Management Act alignment
  • NIST: National Institute of Standards and Technology framework

Industry Standards

HIPAA Ready

Health Insurance Portability and Accountability Act compliance through Atlassian infrastructure

SOX Compliance

Sarbanes-Oxley Act compliance for financial industry requirements

PCI DSS

Payment Card Industry Data Security Standard for financial data protection

Audit Logging & Monitoring

Comprehensive logging and monitoring capabilities for security oversight and compliance:

Audit Trail Components

Logged Events
Security Events:
├── User authentication and authorization
├── Permission grants and revocations
├── Failed access attempts
├── Configuration changes
└── Administrative actions

Operational Events:
├── Project cloning operations (start/completion)
├── Source and target project information
├── Schemes and configurations cloned
├── User initiating the operation
├── Timestamp and duration information
└── Success/failure status with error details

Log Management Features

Advanced Search

Search and filter audit logs by user, project, date range, or operation type

Export Capabilities

Export audit logs for external SIEM systems and compliance reporting

Real-time Alerts

Automated notifications for security events and policy violations

Retention & Compliance

Log Retention Policy

Audit logs are retained according to your organization's data retention policies. Default retention is 90 days, with options for extended retention to meet compliance requirements.

Security Incident Response

Comprehensive incident response procedures and security support:

Response Procedures

1. Detection & Analysis

  • Automated Monitoring: Real-time security event detection
  • Anomaly Detection: Unusual usage pattern identification
  • Rapid Assessment: Quick impact and severity evaluation

2. Containment & Mitigation

  • Immediate Actions: Automatic containment of security threats
  • Access Controls: Dynamic permission adjustments when needed
  • Communication: Prompt notification to affected administrators

3. Recovery & Documentation

  • System Recovery: Restoration of normal operations
  • Incident Documentation: Detailed incident reports and lessons learned
  • Process Improvement: Security enhancements based on incidents

Support Channels

24/7 Emergency Support

Critical security incidents receive immediate response through Atlassian's support infrastructure

Security Team Coordination

Direct coordination with your security teams for incident response and investigation

Compliance Reporting

Detailed incident reports for regulatory compliance and internal security reviews

Security Contact

For security-related concerns or to report potential vulnerabilities, contact our security team at projectclone1003@gmail.com with "SECURITY" in the subject line.

Vulnerability Management

Continuous Security Assessment

Regular security assessments and vulnerability testing:

  • Automated Scanning: Continuous vulnerability assessment
  • Penetration Testing: Regular third-party security testing
  • Code Reviews: Security-focused code reviews and analysis
  • Dependency Management: Regular updates to security dependencies