Partner Security Policy
Effective June 19, 2026. How PerpetualAgile secures our Atlassian Marketplace applications, with emphasis on SprintVitals. For personal data handling, see our Privacy Policy.
1. Scope
This policy applies to:
- SprintVitals — a Forge app for Jira Software (Scrum boards)
- Future PerpetualAgile apps distributed through the Atlassian Marketplace unless a product-specific policy is published
This policy covers PerpetualAgile's responsibilities as the app vendor. Atlassian is responsible for securing the Forge platform, Jira Cloud, and related Atlassian infrastructure on which the app runs.
2. Architecture and data handling
SprintVitals is built entirely on Atlassian Forge. Key properties:
| Area | Approach |
|---|---|
| Hosting | App logic runs on Atlassian Forge runtime; UI is served from Forge-hosted static resources |
| Data storage | Customer data is stored in Forge SQL on Atlassian infrastructure — not on PerpetualAgile-operated servers |
| External egress | SprintVitals does not declare Forge remotes or external egress; the app does not send customer data to third-party services |
| Jira access | Read-only Jira API scopes; resolver calls prefer asUser() so Jira enforces the invoking user's permissions |
| Credentials | We do not collect, store, or process customer passwords, API tokens, or personal access tokens |
Data processed includes Jira issue and sprint metadata, board configuration, administrator completion settings, backlog health snapshots, and limited user identifiers (for example assignee account IDs and display names) needed for sprint metrics.
Data residency follows the customer's Atlassian cloud site configuration and Atlassian's data residency options for Forge-hosted storage.
3. Security controls
Platform and infrastructure. Because SprintVitals runs on Forge, platform-level controls (network isolation, runtime sandboxing, encryption in transit, and Forge SQL protection) are provided by Atlassian. We design the app to rely on those controls and to minimize our own attack surface.
Least privilege. Marketplace manifest scopes are limited to what the product requires (read-only Jira work, sprint, board, and related metadata). Admin-only configuration is exposed only on the global settings page and uses admin-scoped APIs where required. Resolver entry points enforce Marketplace license checks in production so unlicensed sites cannot use paid functionality.
Application security. Input from the UI is validated in resolvers before database or API use. SQL access uses parameterized queries via the Forge SQL API. Error handling avoids returning sensitive internal details to end users. Logging is limited to operational metadata (for example board or sprint identifiers) and does not intentionally log full issue bodies or unnecessary personal data.
Access control (PerpetualAgile). Access to app source code, Forge developer console, and deployment pipelines is restricted to authorized PerpetualAgile personnel. We do not grant customers direct access to Forge SQL; data is accessed only through the app's defined Forge functions.
Business systems. Our public website and business email are operated with standard access controls. Website contact form data is not used as a store for Jira customer content.
4. Secure development and vulnerability management
Development practices. Changes are tracked in version control with peer review before release. Dependencies are managed through npm lockfiles; updates are applied for security-relevant packages. We run forge lint and production builds before deployment. Production deployments use the Forge CLI to the production environment; development and staging are used for testing.
Vulnerability management.
- Monitor npm advisories; patch or upgrade dependencies when issues affect the app
- Submit app versions through Marketplace review, including Atlassian's automated vulnerability scanning
- Test security-sensitive changes (licensing, SQL, scopes) before production release
- Investigate all reports received at security@perpetualagile.com
We aim to assess reported vulnerabilities within 5 business days and to provide status updates to reporters until resolution or documented mitigation.
Patch and release process. Security fixes are prioritized by severity. Critical issues affecting confidentiality, integrity, or availability of customer data are targeted for remediation and Forge production deployment as soon as practicable after validation, typically within 30 days for high-severity issues and faster for critical production-impacting vulnerabilities. Customers receive updates through normal Marketplace version releases.
5. Security incidents
Reporting. To report a security vulnerability or suspected incident:
- Email: security@perpetualagile.com
- Alternative: support@perpetualagile.com (mark subject "Security")
Please include the app name, affected Atlassian site URL (if applicable), a description of the issue, and steps to reproduce if known. We support responsible disclosure and will not pursue legal action against researchers who report issues in good faith without accessing or exfiltrating unrelated customer data.
Our response process.
- Acknowledge receipt, typically within 2 business days
- Triage severity and impact (confidentiality, integrity, availability, scope of affected customers)
- Contain and remediate — develop and deploy fixes through Forge where applicable; coordinate with Atlassian if platform involvement is required
- Communicate with affected customers and Atlassian as required by severity, contract, and applicable law
- Post-incident review — document root cause and preventive actions
For critical production issues (confirmed active exploitation or significant data exposure), we target initial customer communication within 72 hours of confirmation, in addition to any Atlassian Marketplace or regulatory obligations.
Where an incident involves the Forge platform or Jira Cloud, we coordinate with Atlassian support. Customers may also contact Atlassian directly regarding their cloud site.
6. Customer responsibilities
- Install apps only from trusted sources (Atlassian Marketplace)
- Grant app access only to users who need it, using Jira project and global permissions
- Keep Jira Cloud and Marketplace app subscriptions current
- Report suspected issues to security@perpetualagile.com
- Uninstall the app when no longer needed so Atlassian's uninstall and data lifecycle processes apply
7. Compliance and subprocessors
- Marketplace billing and licensing are handled by Atlassian; we receive entitlement information needed to operate paid features, not payment card data.
- Primary subprocessor for app processing and storage: Atlassian (Forge platform and Forge SQL), governed by Atlassian's terms and the Forge Data Processing Addendum.
- We do not sell customer data. See our Privacy Policy for data subject rights and retention.
8. Policy updates
We may update this policy as our apps, practices, or regulatory expectations change. The effective date at the top will be revised when updates are posted on this page. Material changes may also be noted on our Marketplace listing.
9. Contact
| Purpose | Contact |
|---|---|
| Security vulnerabilities and incidents | security@perpetualagile.com |
| General support | support@perpetualagile.com |
| Privacy / data subject requests | hello@perpetualagile.com |
| Website | https://perpetualagile.com |