Security Statement

Knack3 Smart Ticket is built on Atlassian Forge with enterprise-grade security.

Security Statement for Knack3 Smart Ticket

1. Platform Security

Knack3 Smart Ticket is built on Atlassian Forge, leveraging Atlassian's enterprise-grade security infrastructure.

2. Infrastructure

  • Hosting: Atlassian Forge (serverless, managed infrastructure)
  • Architecture: ARM64, Node.js 22.x runtime
  • Memory: 256MB allocated per function execution
  • Isolation: Multi-tenant with namespace isolation

3. Data Security

Encryption

  • In Transit: TLS 1.2+ for all communications
  • At Rest: Managed by Atlassian Forge storage encryption
  • API Communications: HTTPS only (OpenAI API)

Authentication

  • Method: JWT-based authentication
  • User Authentication: Managed by Atlassian
  • Session Management: Forge framework handles session security
  • No Credential Storage: No passwords or API keys stored in app (OpenAI API key managed via manifest.yml permissions)

Access Control

  • Role-Based Access: Admin, Member, Viewer roles
  • Project-Level Permissions: Admins control project access
  • Jira Permissions: Respects existing Jira permissions

4. Data Processing

Scopes and Permissions

Our app requests only necessary Jira permissions:

  • read:jira-work - Read work items
  • write:jira-work - Update ticket assignments
  • read:jira-user - Read user information
  • storage:app - Store app configuration
  • read:issue:jira - Read issue details
  • read:project:jira - Read project information
  • Additional read permissions for comprehensive ticket analysis

External fetch permission:

  • api.openai.com - For AI-powered skills detection

Data Retention

  • Active Usage: Data cached temporarily during analysis
  • Post-Uninstall: All data automatically deleted by Forge
  • External APIs: No long-term data retention (OpenAI follows its own data retention policy)

Third-Party Processing

OpenAI API

  • Purpose: NLP skills detection
  • Data sent: Ticket title and description
  • No PII sent unless in ticket content
  • OpenAI's security standards apply
  • Configured via Forge manifest.yml external fetch permissions

Internal Processing

  • All scoring algorithms and calculations performed within the Forge app
  • No external API calls for candidate scoring or metrics calculation
  • Proprietary algorithms run entirely on Forge infrastructure

5. Security Practices

Development

  • Regular dependency scanning
  • Code review process
  • Security-first development principles
  • Forge platform security updates automatically applied

Monitoring

  • Error logging and monitoring
  • No sensitive data in logs
  • Anomaly detection (planned)

Incident Response

  • Response Time: 24 hours (weekdays)
  • Contact: security@knack3.com
  • Disclosure: Responsible disclosure policy
  • User Notification: Immediate notification in case of breach

6. Compliance

  • GDPR: Compliant for EU users
  • Data Residency: Follows Atlassian Forge location policies
  • Privacy by Design: Minimal data collection principle
  • Regular Reviews: Annual security audit (planned)

7. Vulnerability Reporting

Report security vulnerabilities to: security@knack3.com

Response SLA:

  • Critical: 24 hours
  • High: 72 hours
  • Medium: 1 week
  • Low: 2 weeks

8. Updates and Maintenance

  • Security patches: Applied within 48 hours of discovery
  • Platform updates: Automatic via Forge (a refresh is required if the application is open)
  • User notification: Via app and email for major security updates

9. Third-Party Security

OpenAI API maintains:

10. Contact

Support: support@knack3.com

Last updated: 2025/02/01

Last updated: February 04, 2026

Report security vulnerabilities to security@knack3.com
