StoryScale docs

Information security policy.

A short, customer-friendly summary of how StoryScale handles access control, secure development, incident response, and data boundaries.

Policy Summary

StoryScale is built as an Atlassian Forge app for Jira Cloud. The product follows a least-privilege model, uses Atlassian-hosted services for app execution, and keeps user control at the center of import, estimation, and publish flows.

Core Security Controls

Access control: Roles and access are reviewed through Jira and Atlassian account controls, with MFA required for company systems where applicable.
Secure development: Changes are reviewed before deployment, and inputs are normalized and sanitized before processing.
Vulnerability hygiene: Dependencies are reviewed with automated checks, and releases are kept aligned with current library versions.
Logging: Operational logs are kept limited and do not intentionally store secrets, passwords, or access tokens.

Data Handling

  • StoryScale processes Jira issue data needed for estimation, readiness review, and publish actions.
  • Session snapshots are stored in Forge Storage and scoped to the Jira cloud, project, and board context.
  • No external remote backend is used for the Core Forge app.
  • No Atlassian credentials, API tokens, or third-party secrets are collected for product functionality.
  • Controlled write-back happens only after a user confirms the publish action.

Incident And Contact Path

Security questions, vulnerability reports, and trust requests can be sent to [email protected]. Product and support requests can be sent to [email protected].

When reporting an issue, include the Jira site URL, project key, affected workflow, approximate time, and the visible error message if any.