Security Overview

Key takeaways

  • Accelerate for Jira does not store any user personal data.
  • Data that is used to power the service is exclusively stored in Atlassian's Forge storage of your cloud site.
  • The only data egress is towards the Accelerate for Jira Realtime API hosted on Amazon Web Services in the Frankfurt region.
  • Data processed by the Accelerate for Jira Realtime API is end-to-end encrypted. It is not possible for the API to understand the contents of the data.
  • All user actions are verified by strict authentication & authorization checks. Users cannot access content in an Atlassian Cloud Site that you have not granted them access to via Atlassian's product.
  • All modifications to Jira content (such as issues, comments, etc.) that are made by Accelerate for Jira are triggered by user actions. No modifications are made in an automated or unintended manner.

GDPR & PII

Accelerate for Jira does not process or store user personal data in any backend service. User personal data such as names are exclusively fetched and displayed in Atlassian's product environments, for example within the Jira Dashboard Gadgets frontend.

Forge Application

Accelerate for Jira is an Atlassian Forge application and as such has all the security guarantees that Forge applications are equipped with. It is not possible for the application to make any external network requests beyond the Accelerate for Jira Realtime API.

All requests to the Forge application are made exclusively via HTTPS.

The Realtime API is provided at https://api.accelerate-for-jira.com

Authentication & Authorization

  • User authentication is guaranteed by Atlassian's Forge platform. It is not possible for any user outside your cloud site to access the Accelerate for Jira app or data from your cloud site.
  • User authorization is checked by every endpoint of the Accelerate for Jira Forge application. Users cannot access content of Accelerate for Jira gadgets on dashboards they don't have access to.

Accelerate for Jira Realtime API

Accelerate for Jira is powered by a custom Realtime API that is hosted on Amazon Web Services in the Frankfurt region. It does not contain any persistent data storage. Realtime messages are stored in an in-memory cache for up to 2 minutes, to allow temporarily disconnected clients to catch up upon reconnection.

All requests to the Realtime API are made exclusively via HTTPS & WSS.

Purpose

The Accelerate for Jira gadgets are meant to empower product & engineering teams to be more efficient during their team ceremonies such as their daily standup. To enable this, the dashboard that the team is using for their work should provide realtime updates on changes and reflect the latest state for everyone when it happens - without requiring a refresh.

The Forge Application platform does not offer a realtime API, and the gadgets would therefore need to rely on manual refresh or frequent polling, neither of which is an acceptable experience for end users in 2023.

To demonstrate how the Realtime API is used, consider the following example workflow:

A team is using two Accelerate for Jira gadgets: a team Rotation gadget to determine a team member to watch out for alarms and "fight fires" when needed, and an Absences gadget to have an overview of all current and upcoming absences in the team.

When adding an absence, the team member (and all other team members that are looking at the dashboard) should immediately see the changes made, to understand the consequences of their actions.

System overview

Authentication & Authorization

  • The Accelerate for Jira Forge application is responsible for generating authentication tokens that are namespaced by the dashboard that the user is viewing.
    • The Forge backend verifies that the user has access to the dashboard before issuing a token.
    • Tokens expire after a maximum duration of 24 hours.
    • The token generation is performed with a secure HMAC using the SHA-512 hash algorithm.
  • The Accelerate for Jira Realtime API verifies the authentication token during a new client connection to check against matching namespaces. If an invalid token is provided, the client is immediately disconnected. Clients are disconnected as soon as their token expires.
  • The following data is stored as a part of the authentication token.
    • The Account ID of the user provided by Atlassian for Accelerate for Jira
      • This ID is stored in the token for auditing purposes, in case the token holder tries to access content outside the specified namespace.
      • The user Account ID is unique to Accelerate for Jira on your cloud site, and cannot be used to reference back to the user.
    • The ARI of your cloud site and the ID of the dashboard are stored to classify and verify the realtime namespace
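The issue-and-verify flow described in this list, sketched as an added example in Node.js; it is not Accelerate for Jira's own code. The token layout (`payload.mac`), the claim names and the key handling are assumptions, and the sample identifiers used with it are constructed.

```javascript
// Added example: token layout and claim names are assumptions, not the product's format.
const nodeCrypto = require('node:crypto');

const MAX_TTL_SECONDS = 24 * 60 * 60; // page: tokens expire after at most 24 hours
const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Forge backend side: call only after dashboard access has been verified.
function issueToken(key, { accountId, siteAri, dashboardId }, nowSec, ttlSec = MAX_TTL_SECONDS) {
  const exp = nowSec + Math.min(ttlSec, MAX_TTL_SECONDS); // never exceed the 24 h cap
  const payload = b64u(JSON.stringify({ accountId, siteAri, dashboardId, exp }));
  const mac = b64u(nodeCrypto.createHmac('sha512', key).update(payload).digest());
  return `${payload}.${mac}`;
}

// Realtime API side: check the MAC first, then expiry, then the namespace.
function verifyToken(key, token, requested, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, mac] = parts;
  const expected = nodeCrypto.createHmac('sha512', key).update(payload).digest();
  const given = Buffer.from(mac, 'base64url');
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Claims are parsed only after the MAC proved they came from the issuer.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (nowSec >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.siteAri !== requested.siteAri || claims.dashboardId !== requested.dashboardId) {
    // The account ID is returned so the mismatch can be written to an audit log.
    return { ok: false, reason: 'namespace-mismatch', accountId: claims.accountId };
  }
  return { ok: true, claims };
}
```

A long-lived connection would also need a timer set to `claims.exp` so the client is dropped when the token expires, as the list above describes.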

End-to-end encryption

  • Data that is passing through the Realtime API is end-to-end encrypted and its contents cannot be read or understood by the Realtime API itself.
  • An encryption key is created on your Jira Cloud site and stored within Atlassian's Forge secret storage module.
  • The encryption key is used by the Forge Application & Forge Frontend to encrypt & decrypt realtime messages to update the UI.
  • The end-to-end encryption is performed via the AES-256 encryption standard.
  • The following data is sent to the Realtime API during event publishing:
    • channel: Clear text - A combination of your cloud site ARI, dashboard & gadget ID to route the message to the correct target
    • event: Clear text - An event type such as "AddAbsence" to route the message to the correct target
    • data: Encrypted text - The event data that contains the actual content of the message
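
The message shape listed above, as an added Node.js example that is not Accelerate for Jira's own code. The page names AES-256 but not the mode, so AES-256-GCM, the `iv | tag | ciphertext` layout of `data`, and binding the clear-text `channel` and `event` as associated data are assumptions; the sample values used with it are constructed.

```javascript
// Added example: GCM mode, blob layout and AAD binding are assumptions.
const nodeCrypto = require('node:crypto');

// The clear-text routing fields are authenticated (not encrypted) as associated data,
// so a relay that rewrites channel or event makes decryption fail.
const routingAad = (channel, event) => Buffer.from(JSON.stringify([channel, event]));

// Publisher: channel and event stay readable for routing, data is encrypted.
function sealEvent(key, channel, event, data) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(routingAad(channel, event));
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { channel, event, data: blob };
}

// Subscriber: returns the decrypted data, or throws if key, data or routing fields differ.
function openEvent(key, message) {
  const raw = Buffer.from(message.data, 'base64');
  if (raw.length < 28) throw new Error('ciphertext too short'); // 12-byte iv + 16-byte tag
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(routingAad(message.channel, message.event));
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]); // final() verifies the tag
  return JSON.parse(pt.toString('utf8'));
}
```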