Security Statement
Last updated: April 2, 2026
Runs on Atlassian
Zero data egress. All processing happens on Atlassian Cloud infrastructure.
Architecture
ReDo is built on Atlassian Forge, Atlassian’s serverless cloud app platform. This means:
- No external servers: The App runs entirely within Atlassian’s infrastructure. We do not operate any external servers, APIs, or databases.
- No data egress: Issue data never leaves Atlassian Cloud. There are no outbound network calls to external services.
- Serverless execution: App functions run in Atlassian-managed sandboxed environments with automatic scaling.
Data Storage
All App data is stored in Atlassian Forge Key-Value Store (KVS):
- Encrypted at rest using Atlassian’s encryption standards
- Scoped per-app and per-installation — data is isolated between customers
- Automatically deleted when the App is uninstalled
- Hosted in Atlassian’s cloud regions with SOC 2 compliance
We store only: app configuration (enabled rules, custom criteria), manual check states (checkbox toggles per issue), and app mode settings. We do not store copies of Jira issue data.
Data Access
The App accesses Jira issue fields read-only at the time of evaluation. Fields are read, evaluated against criteria, and the result is displayed — no issue data is persisted by the App.
The only write operations are to the App’s own managed custom fields (DoR Score, DoR Status, DoD Score, DoD Status), which store calculated readiness scores.
Permissions (Scopes)
The App requests the following Atlassian scopes, each with a specific and limited purpose:
| Scope | Purpose |
|---|---|
| read:jira-work | Read issue fields (description, assignee, labels, etc.) to evaluate DoR/DoD criteria |
| write:jira-work | Write to app-managed custom fields (DoR Score, DoR Status, DoD Score, DoD Status) |
| read:board-scope:jira-software | Access board configuration to determine project type (Scrum/Kanban) |
| read:project:jira | Read project metadata for per-project configuration |
| read:sprint:jira-software | Read sprint data for the Sprint Readiness dashboard |
| read:issue-details:jira | Read detailed issue information including subtasks and comments for DoD evaluation |
| read:jql:jira | Search for issues using JQL for sprint-level readiness calculations |
| storage:app | Store app configuration and manual check states in Atlassian Forge KVS |
Authentication
The App uses Atlassian Forge’s built-in authentication. It does not handle user credentials, OAuth tokens, or API keys. All API calls are made through the Forge runtime using scoped app permissions.
Compliance
- GDPR: The App is designed for GDPR compliance. See our Privacy Policy for details.
- SOC 2: Infrastructure compliance is inherited from Atlassian Cloud, which maintains SOC 2 Type II certification.
- Data residency: Data is stored in the Atlassian region associated with the customer’s Jira instance.
Vulnerability Reporting
If you discover a security vulnerability in ReDo, please report it to hello@monteteam.com. We will respond within 48 hours and work to resolve the issue promptly.
Contact
For security-related questions, contact us at hello@monteteam.com.