Security
How JSM LaunchPad protects your data, our security posture, and CSA CAIQ self-assessment.
No External Servers
JSM LaunchPad runs on Atlassian Forge. There are no third-party servers, no external databases, and no data leaving the Atlassian trust boundary.
Least Privilege
The Forge manifest declares only the permission scopes the app needs: the JSM Assets API scopes required for schema deployment, and nothing else.
Tenant Isolation
Multi-tenant isolation is enforced by the Forge platform at the infrastructure level. Each customer's data is fully segregated by Atlassian.
Data Handling
JSM LaunchPad processes CMDB configuration metadata — object types, attributes, and relationships. The app processes limited personal data provided by Atlassian Forge (Atlassian account ID and permission context) solely for authorisation and audit purposes. The app does not access or store user content, tickets, attachments, or CMDB records outside the Atlassian platform.
The data the app handles is limited to JSM Assets schema definitions: object type names, attribute configurations, reference types, and optional sample data for seeding.
All processing occurs within Atlassian Forge infrastructure (AWS regions). No data is transferred outside the platform.
On app uninstallation, all schemas and objects created by the app remain in the customer's JSM Assets instance and stay fully usable; the app neither removes nor withholds them.
Forge Storage is encrypted at rest with AES-256 and in transit with TLS 1.2+, managed entirely by the Atlassian platform.
The app minimises data collection, processes only limited personal data required for authorisation, respects tenant boundaries enforced by Forge, and defaults to the most privacy-preserving configuration.
The only network endpoint the app calls is api.atlassian.com, for Atlassian API operations; there are no third-party services. The app never requests Atlassian user passwords, API tokens, or personal credentials: authentication is handled entirely by Atlassian Forge app authentication.
Application logs contain no personal data beyond technical identifiers: operational logs may include an Atlassian Account ID, recorded strictly for audit and debugging. All logs remain within Atlassian Forge infrastructure and are not accessible to Let's Talk Solutions outside the Atlassian platform.
The app also records lightweight operational metrics (aggregated usage counters and a rolling log of the most recent 20 events) within Forge storage in the customer's own Jira Cloud tenant. These metrics contain no personal data and are never transmitted externally. They power the in-app activity dashboard and diagnostics bundle, and are removed automatically on uninstall. Full details are described in our Privacy Policy.
Shared Responsibility Model
As a Forge marketplace app, security responsibilities are shared between Atlassian (the cloud service provider) and Let's Talk Solutions Ltd (the app vendor). This follows the CSA Shared Security Responsibility Model (SSRM).
| Security domain | Owner | Detail |
|---|---|---|
| Infrastructure & datacenter | Atlassian | Physical security, network, compute, OS hardening, time synchronisation |
| Encryption & key management | Atlassian | AES-256 at rest, TLS 1.2+ in transit, key lifecycle management |
| Authentication & SSO | Atlassian | User authentication, SSO integration, session management |
| Backup & disaster recovery | Atlassian | Platform-level backups, availability SLAs, failover |
| Permission scoping | Shared | Atlassian enforces Forge scopes; app declares minimum required permissions |
| API security | Shared | Forge authentication framework + app-level permission scoping and input validation |
| Logging & monitoring | Shared | Forge platform logging + app-level structured logging for operations audit |
| Data minimisation | Shared | Platform-level encryption + app-level data minimisation and privacy-by-design |
| Application security (SDLC) | Let's Talk Solutions | Secure development lifecycle, code reviews, automated testing, deployment via Forge CLI |
| Dependency management | Let's Talk Solutions | npm audit, Dependabot/Snyk scanning, pinned dependency inventory (package-lock.json) as the SBOM source |
| Change management | Let's Talk Solutions | Git version control, pull request reviews, CI/CD pipeline, Forge deployment controls |
| Incident response | Let's Talk Solutions | Defined procedures, Jira tracking, breach notification within 72 hours |
| Governance & compliance | Let's Talk Solutions | Policy reviews, regulatory mapping, GDPR & UK DPA 2018 compliance |
Vulnerability Management
Dependencies are continuously scanned using automated tools (npm audit, Dependabot, Snyk). Findings are triaged by CVSS score, and each severity band has a defined remediation target.
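The triage step described above, as an added example that is not JSM LaunchPad's own code: a small Node script that flattens `npm audit --json` output into one finding per advisory, labels each with its CVSS v3.x qualitative band, and orders the list highest score first so it can be checked against whatever remediation targets apply. The report shape is the one npm 7 and later emit (assumed here, not taken from the page); the package names, titles and scores in the sample report are constructed for illustration.

```javascript
// Added example (not JSM LaunchPad's own code): triage of `npm audit --json` output by CVSS score.
// Assumes the report shape emitted by npm 7 and later, in which each entry under
// `vulnerabilities` carries a `via` array whose object elements are advisories with a
// `cvss.score`, and whose string elements name another package the vulnerability is
// inherited from.

// Constructed sample report: package names, titles and scores are invented for illustration.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser",
      severity: "critical",
      isDirect: true,
      via: [{
        name: "example-parser",
        title: "Prototype pollution in merge()",
        cvss: { score: 9.8, vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
        range: "<2.0.1",
      }],
      fixAvailable: true,
    },
    "example-logger": {
      name: "example-logger",
      severity: "moderate",
      isDirect: false,
      via: [{
        name: "example-logger",
        title: "ReDoS in format()",
        cvss: { score: 5.3, vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" },
        range: "<1.4.0",
      }],
      fixAvailable: false,
    },
    "example-cli": {
      name: "example-cli",
      severity: "critical",
      isDirect: true,
      via: ["example-parser"], // inherited: vulnerable only through example-parser
      fixAvailable: true,
    },
  },
};

// CVSS v3.x qualitative severity bands (None / Low / Medium / High / Critical).
function cvssBand(score) {
  if (!(score > 0)) return "None";
  if (score < 4.0) return "Low";
  if (score < 7.0) return "Medium";
  if (score < 9.0) return "High";
  return "Critical";
}

// Fallback when an advisory carries no CVSS score: map npm's own severity label.
const NPM_SEVERITY_BAND = { info: "None", low: "Low", moderate: "Medium", high: "High", critical: "Critical" };

// Flatten the report into one finding per advisory, highest score first.
function triage(report) {
  const findings = [];
  for (const entry of Object.values(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via !== "object") continue; // string entries are inherited references, not advisories
      const score = via.cvss && typeof via.cvss.score === "number" ? via.cvss.score : 0;
      findings.push({
        package: entry.name,
        title: via.title,
        score,
        band: score > 0 ? cvssBand(score) : NPM_SEVERITY_BAND[entry.severity] || "None",
        direct: Boolean(entry.isDirect),
        fixAvailable: Boolean(entry.fixAvailable),
        range: via.range,
      });
    }
  }
  // Highest CVSS first; at equal score, direct dependencies before transitive ones.
  return findings.sort((a, b) => b.score - a.score || Number(b.direct) - Number(a.direct));
}

// Count findings per band so the list can be checked against per-band remediation targets.
function summarize(findings) {
  const counts = { Critical: 0, High: 0, Medium: 0, Low: 0, None: 0 };
  for (const f of findings) counts[f.band] += 1;
  return counts;
}

// Packages that inherit a given advisory through the dependency graph.
function inheritedBy(report, advisoryPackage) {
  return Object.values(report.vulnerabilities || {})
    .filter((e) => (e.via || []).some((v) => typeof v === "string" && v === advisoryPackage))
    .map((e) => e.name);
}

const findings = triage(SAMPLE_AUDIT);
console.table(findings);
console.log(summarize(findings));
console.log("example-parser inherited by:", inheritedBy(SAMPLE_AUDIT, "example-parser"));
```

Run it with `npm audit --json > audit.json` piped into `triage(JSON.parse(...))` in place of the sample. Inherited entries are deliberately not double-counted: `example-cli` is affected only through `example-parser`, so fixing the advisory once clears both, and `inheritedBy` shows that chain instead.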
CSA CAIQ Self-Assessment
We have completed a Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) v4.1 covering 283 controls across 17 security domains. The assessment follows the CSA Shared Security Responsibility Model, documenting which controls are owned by Atlassian (CSP), by Let's Talk Solutions (CSC), or shared.
Download CAIQ Assessment
Complete CSA CAIQ v4.1 with 283 answered controls, implementation descriptions, and SSRM ownership classification.
Regulatory Compliance
JSM LaunchPad is developed and operated by Let's Talk Solutions Ltd, a UK-registered company. The app complies with applicable data protection and marketplace regulations.
A Data Protection Impact Assessment (DPIA) is not required because the app performs only limited, transient processing of Atlassian account identifiers within Atlassian-managed infrastructure and does not persist personal data beyond the runtime session. Material breaches are reported within GDPR/UK DPA mandated timeframes (72 hours to supervisory authority where applicable).
Data Protection Roles
Controller: the customer organisation that installs JSM LaunchPad. The controller determines the purposes and means of processing any data within their Jira instance.
Processor: Atlassian, as the operator of the Forge platform and Jira Service Management infrastructure on which the app executes.
Sub-processor: JSM LaunchPad (the app), operating under Atlassian's data processing framework. It processes data only within Atlassian-managed infrastructure and solely for the purposes initiated by the customer.
Security Contact
If you have security questions, need the CAIQ for procurement review, or want to report a vulnerability, contact us at security@jsm-launchpad.com or raise a request through the support portal.
For data protection and privacy enquiries, see our Privacy Policy or contact privacy@jsm-launchpad.com.