Security
How JSM LaunchPad protects your environment — built on Atlassian Forge, running entirely inside your Jira Cloud instance.
Overview
JSM LaunchPad is an Atlassian Forge application for Jira Service Management. The app operates entirely within Atlassian's cloud platform and does not run its own servers or external backend services.
All processing occurs inside the Atlassian Forge runtime and interacts only with the customer's Jira Cloud instance using Atlassian's official APIs.
The app does not operate as a standalone service and does not receive copies of customer Assets data outside the Atlassian environment.
Hosting and Infrastructure
JSM LaunchPad is built using the Atlassian Forge platform.
This means:
- The app runs inside Atlassian infrastructure
- No application servers are operated by Let's Talk Solutions
- No databases are hosted outside Atlassian
- The app cannot directly access the public internet except where explicitly permitted by Atlassian
All requests to Jira Service Management Assets are executed through Atlassian's authenticated Forge API gateway.
Data Handling
JSM LaunchPad does not collect or store customer operational data.
The app interacts with configuration information necessary to create Assets schemas, including:
- object types
- attributes
- relationships
- schema metadata
Assets objects and customer service data remain stored only within the customer's Jira Cloud instance.
Let's Talk Solutions does not receive copies of Assets objects, tickets, attachments, or user content.
No analytics, tracking, or telemetry services are embedded in the application.
No data is transferred to third-party services.
Permissions and Access Control
Write operations are restricted to administrators authorised by Jira Cloud.
The app checks permissions on each request and allows configuration actions only for users with appropriate administrative rights within Jira and JSM Assets.
Read-only functionality, such as browsing templates, is available only to users who already have access to the app through Jira.
The app cannot grant itself permissions and cannot elevate privileges beyond those already assigned within Jira Cloud.
External Network Access
External network access is restricted.
The application communicates only with Atlassian endpoints required for Jira Service Management functionality, including api.atlassian.com.
The app does not connect to external SaaS providers, external APIs, analytics platforms, or vendor-operated servers.
Credential Handling (Optional API Token Feature)
Some optional template features require creation of custom Assets reference types. Atlassian currently requires an API token for these specific operations.
If a customer chooses to provide an API token:
- The token is stored in Forge encrypted storage
- The token remains within the customer's Atlassian environment
- The token is never transmitted to Let's Talk Solutions systems
- The token is used only to perform the requested configuration operation
- The token can be revoked by the customer at any time in Atlassian account settings
The app does not request Atlassian user passwords and does not access Atlassian accounts outside the authenticated API context.
Data Retention
The application does not retain customer data outside the Atlassian platform.
Configuration metadata necessary for app functionality may be stored in Forge storage associated with the installation. This data is limited to deployment tracking and schema management information and does not include Assets objects or service desk data.
Uninstalling the app removes the app's stored configuration metadata from the Forge installation.
Security Practices
The application follows secure development practices, including:
- input validation for all user-supplied values
- sanitised error messages
- least-privilege API usage
- per-request permission checks
- dependency updates and vulnerability monitoring
All write operations require authenticated Atlassian sessions.
Responsible Disclosure
If you believe you have discovered a security vulnerability in JSM LaunchPad, please contact:
We will acknowledge receipt of vulnerability reports and work to resolve confirmed issues promptly.
Atlassian Platform Security
JSM LaunchPad relies on Atlassian Cloud and the Forge platform for infrastructure, authentication, and tenant isolation.
For information about Atlassian's security controls, certifications, and data residency, please refer to Atlassian's public security documentation.
Questions?
If you have questions about our security practices or want to report a concern, we are here to help.