Hill Chart for Jira (Shape Up Board)

Security Policy

Effective Date: August 31, 2022

Last Updated: December 1, 2025

1. Introduction

At Curious Lab Group (a trading name of Gani Software Pty Ltd), security is fundamental to how we build and operate Hill Chart for Jira (Shape Up Board). This Security Policy describes the security measures, practices, and commitments we maintain to protect your data and ensure the integrity of our Jira application.

Hill Chart for Jira (Shape Up Board) is built on Atlassian's Forge platform, leveraging enterprise-grade infrastructure and security controls provided by Atlassian, combined with our own security best practices.

2. Platform Security

2.1 Atlassian Forge Platform

Hill Chart for Jira (Shape Up Board) is built as a Forge app, which means it runs entirely within Atlassian's secure cloud infrastructure:

  • Isolated Execution Environment: The app runs in a sandboxed, isolated environment that prevents unauthorized access to other systems

  • Managed Infrastructure: All infrastructure, including servers, networking, and runtime environments, is managed by Atlassian

  • Automatic Security Updates: The Forge platform receives automatic security patches and updates from Atlassian

  • Built-in Rate Limiting: Forge provides automatic rate limiting and protection against abuse

For more information about Forge platform security, see Atlassian's Forge Security Documentation.

2.2 Cloud Infrastructure

  • Hosting: Hill Chart for Jira (Shape Up Board)'s backend infrastructure is hosted exclusively on Atlassian's cloud platform

  • Geographic Data Residency: Data automatically resides in the same geographic region as your Jira instance

  • Compliance: Atlassian's infrastructure maintains SOC 2 Type II, ISO 27001, and other major compliance certifications

  • Network Security: All communications are protected by Atlassian's network security controls

3. Data Security

3.1 Data Storage

Forge Persistent Storage:

  • Hill Chart for Jira (Shape Up Board) stores app-specific data using Atlassian's Forge persistent hosted storage

  • Data is encrypted at rest using industry-standard encryption

  • Storage access is controlled through Forge's secure storage API

  • No direct storage access is possible from outside the Forge runtime environment

What We Store:

  • Hill chart snapshots (data points representing progress on hill charts with timestamps)

  • Rankings (positional data for stories and subtasks on hill charts)

  • Project properties and configuration settings

  • Cached metadata for performance optimization

What We Don't Store:

  • Actual issue attachments (only metadata and references)

  • Complete copies of your Jira issues (we reference them by key)

  • User passwords or authentication credentials

  • Individual user behavioral tracking data

Your data stays in your Jira Cloud instance. Hill Chart for Jira (Shape Up Board) does not use Google Analytics, Amplitude, Mixpanel, or any kind of product analytics.

3.2 Data in Transit

  • HTTPS/TLS: All data transmitted between users and Hill Chart for Jira (Shape Up Board) is encrypted using TLS 1.2 or higher

  • API Security: All communications with Jira APIs use Atlassian's secure authentication mechanisms

  • No External Data Transfer: Hill Chart for Jira (Shape Up Board) does not transmit your Jira data to external services

3.3 Data Access Controls

  • Principle of Least Privilege: Hill Chart for Jira (Shape Up Board) requests only the minimum Jira permissions necessary to function

  • User-Context Access: Data access is always performed in the context of the authenticated user

  • Permission Validation: All operations validate user permissions before execution

  • No Backdoor Access: We have no administrative backdoor access to your Jira data

3.4 Third-Party Services

Hill Chart for Jira (Shape Up Board) does not integrate with any third-party services. All data processing occurs within the Atlassian Forge environment, and all API interactions are exclusively with your Jira instance via Atlassian's secure APIs.

4. Authentication and Authorization

4.1 Authentication

No Separate Login Required:

  • Hill Chart for Jira (Shape Up Board) uses Atlassian's authentication system exclusively

  • Users are authenticated automatically through their Jira session

  • No additional usernames, passwords, or API keys are required

  • We never handle or store user authentication credentials

4.2 Authorization and Permissions

Granular Permission Model:

Hill Chart for Jira (Shape Up Board) requests the following Jira permissions:

  • read:jira-work, in order to read issue data (Epics, Stories, Subtasks), projects, and metadata

  • write:jira-work, in order to create and update Stories and Subtasks, update issue fields*

  • read:jira-user, in order to read user information (username, avatar) for displaying assignees

  • manage:jira-project, in order to support project-level configuration and settings

*Impersonation allows Hill Chart for Jira (Shape Up Board) to create and update issues on behalf of the authenticated user, ensuring proper audit trails and ownership.

4.3 User Access Controls

  • Project-Based Access: Users can only interact with projects they have access to in Jira

  • Permission Checks: All operations validate user permissions before execution

  • Audit Trail: All snapshot creations record the user who performed the action

4.4 User Data Handling

The only user data handled by Hill Chart for Jira (Shape Up Board) is username and avatar, which are used to display assignee information and allow you to conveniently assign people to Stories and Subtasks from within the app. This is the only place user data is processed by Hill Chart for Jira (Shape Up Board).

The rest of the app only works with project and issue data.

5. Application Security

5.1 Secure Development Practices

Code Quality:

  • TypeScript for type safety and reduced runtime errors

  • Comprehensive input validation on all user inputs

  • Parameterized requests to prevent injection

  • Structured error handling to prevent information disclosure

Dependency Management:

  • Regular dependency updates and security audits

  • Automated vulnerability scanning

  • Use of well-maintained, reputable open-source libraries only

5.2 Client-Side Security

Frontend Application:

  • Hill Chart for Jira (Shape Up Board)'s user interface is a JavaScript application that runs in your browser

  • The client-side portion of the app has a built-in mechanism that prompts you to refresh your browser whenever a bug fix or security patch is available

  • All client-server communications are conducted over HTTPS

5.3 Input Validation and Sanitization

  • Validation Layer: All API requests pass through a validation layer

  • Schema Validation: Request data is validated before processing

  • Sanitization: User inputs are sanitized before processing

  • Error Messages: Error messages do not expose sensitive system information

5.4 API Security

  • Rate Limiting: Forge provides built-in rate limiting to prevent abuse

  • Request Validation: All API requests are validated before processing

  • CORS Protection: Cross-origin requests are controlled by Forge platform security

  • No Public API: Hill Chart for Jira (Shape Up Board) does not expose any public-facing APIs outside the Forge runtime

6. Incident Response

6.1 Security Incident Management

In the event of a security incident:

  1. Detection: Automated monitoring and manual reviews detect potential incidents

  2. Assessment: Incidents are immediately assessed for severity and impact

  3. Containment: Affected systems are isolated to prevent further impact

  4. Notification: Affected customers are notified in accordance with legal requirements

  5. Remediation: Root cause is identified and addressed

  6. Post-Mortem: Incident is documented and preventive measures are implemented

6.2 Notification

When We Notify:

  • Unauthorized access to customer data

  • Data breaches or security compromises

  • Incidents that may impact service availability or data integrity

How We Notify:

  • In-app notifications within Hill Chart for Jira (Shape Up Board) (if system is operational)

  • Updates posted to our website

  • For critical incidents, we will work with Atlassian Support to coordinate communication and rectification

Timeline:

  • Notification within 72 hours of discovering a qualifying incident

  • Updates provided as investigation progresses

7. Contact and Questions

7.1 Security Contact

For security-related inquiries, vulnerability reports, or incident notifications:

Email: [email protected]

Subject: Security - Hill Chart for Jira (Shape Up Board)

7.2 General Security Questions

For general questions about our security practices:

Email: [email protected]

Support Portal: https://trj.atlassian.net/servicedesk/customer/portal/35