
Security Policy

Effective: June 8, 2026
Last updated: June 8, 2026

This Security Policy describes how Ekko ("Ekko", "we", "us") protects the Ekko application for Atlassian Jira Cloud (the "App") and the Ekko marketing website at ekko.technology, how we handle security issues and incidents, how we manage vulnerabilities, and the technical and organizational controls we maintain. It is published to meet the security expectations Atlassian sets for Marketplace Partners and to give our customers a clear, single reference for our security posture.

The App is built on Atlassian Forge. Its code runs inside your Atlassian Cloud tenant, it uses Atlassian-provided storage, and it accesses Jira data under your existing Atlassian user context and permissions. We do not operate our own servers or databases for Customer Data, and Customer Data is not transmitted to third parties outside of Atlassian. Security on Forge is a shared responsibility: Atlassian secures the underlying platform and infrastructure, and Ekko is responsible for the security of the App we build on top of it.

1. Scope and shared responsibility

This Policy applies to the App distributed through the Atlassian Marketplace and to the ekko.technology website. Because the App is a Forge app, its security model follows the Atlassian Forge shared responsibility model.

  • Atlassian is responsible for the security, availability, and patching of the Forge platform, the runtime, Forge storage, and the underlying Atlassian Cloud infrastructure on which the App executes.
  • Ekko is responsible for the security of the App itself — the code we write, the scopes we request, our handling of vulnerabilities and incidents, and the organizational controls of our development team.
  • You, the customer, are responsible for managing your Atlassian users, groups, and permissions, since the App enforces access through your existing Jira identity and permission model.

Because the App runs entirely within your Atlassian tenant, the platform-level controls Atlassian operates (network security, physical security, data center compliance, and platform patching) extend to the App by design.

2. Reporting a security issue

We welcome reports from customers, users, and security researchers. If you believe you have found a security vulnerability in the App or the website, please email us at support@ekko.technology with the subject line "Security". We aim to acknowledge reports within two business days and to keep you informed as we investigate and remediate.

To help us triage quickly, please include where possible:

  • A description of the issue and the potential security impact.
  • Steps to reproduce, including affected URLs, App screens, or API calls.
  • Any proof-of-concept, logs, or screenshots that demonstrate the issue.
  • Your assessment of severity and the conditions required to exploit it.

We support responsible disclosure. We ask that you give us a reasonable opportunity to remediate before public disclosure, that you do not access, modify, or delete data that is not yours, and that you avoid privacy violations, service degradation, or destruction of data while testing. We will not pursue or support legal action against researchers who act in good faith under these guidelines.

Vulnerabilities that concern the Atlassian platform itself, rather than the App, can also be reported to Atlassian through https://www.atlassian.com/trust/security/report-a-vulnerability.

3. Vulnerability management

We maintain an ongoing vulnerability management process covering identification, triage, remediation, and verification. Vulnerabilities reach us through several channels:

  • Direct reports from customers, users, and security researchers.
  • Atlassian Marketplace Security (AMS) tickets raised by Atlassian, which are routed to our designated security contact registered in the Atlassian Marketplace Partner portal.
  • Automated dependency and code scanning (SCA, SAST, and DAST) run against our codebase and third-party libraries.

Triage and severity

Each reported vulnerability is validated and assigned a severity using the CVSS v3 framework, consistent with Atlassian’s classification (P1 Critical, P2 High, P3 Medium, P4 Low, P5 Informational). Severity reflects the probable impact to customers and the conditions required to exploit the issue.

Remediation timeframes

We remediate confirmed vulnerabilities within timeframes that meet or exceed the Atlassian Marketplace Security Bug Fix Policy for cloud apps:

  • Critical (CVSS ≥ 9.0): resolved within 10 days.
  • High (CVSS ≥ 7.0): resolved within 4 weeks (28 days).
  • Medium (CVSS ≥ 4.0): resolved within 12 weeks (84 days).
  • Low (CVSS < 4.0): resolved within 25 weeks (175 days).

After a fix is deployed we verify the remediation and, where the issue was tracked in an AMS ticket, update Atlassian accordingly. We maintain at least one designated security contact responsible for responding to AMS tickets and coordinating remediation.

4. Security incident response

We maintain a documented security incident response process so we can detect, respond to, and recover from incidents affecting the App or our customers. When a suspected or confirmed incident occurs, we follow these phases:

  • Investigation — confirm the issue, determine root cause, identify affected customers and data, and establish a timeline of exposure.
  • Notification — notify Atlassian by raising a P1 incident ticket promptly and no later than 24 hours after we become aware of an incident impacting a Marketplace app, with status updates provided as required.
  • Containment — take rapid action to limit further impact, which may include disabling affected functionality or temporarily delisting the App.
  • Remediation — deploy corrective technical and organizational controls to eliminate the underlying cause.
  • Customer communication — notify affected customers without undue delay, with a target of within 72 hours of identification, and provide the information needed to assess and respond to the incident.
  • Post-incident review — confirm full resolution, capture lessons learned, and implement improvements to prevent recurrence.

We comply with applicable legal and contractual breach-notification obligations in the jurisdictions where we and our customers operate. Customers can reach us about any suspected incident at support@ekko.technology.

5. Access control and authentication

  • The App requests only the least-privilege Forge scopes required for its features, and it accesses Jira data under each user’s own Atlassian identity and permissions. The App does not introduce a separate login or credential store.
  • The App does not collect, transmit, or store Atlassian user API tokens or personal access tokens (PATs).
  • Multi-factor authentication is enforced for access to our source code repositories, cloud provider consoles, and internal administrative systems.
  • Access to systems and tooling follows least-privilege principles: it is granted based on role and business need and is reviewed periodically.

6. Data protection

  • Customer Data accessed by the App stays within your Atlassian Cloud tenant. Configuration the App saves (team rosters, capacity settings, PTO and holidays, templates, and preferences) is stored in Atlassian-managed Forge storage inside your tenant.
  • Data is encrypted in transit using TLS and encrypted at rest by the Atlassian platform that hosts Forge storage and the underlying infrastructure.
  • We practice data minimization: the App reads Jira content in real time under the user’s permissions and does not maintain a parallel copy of your Jira issues, comments, or attachments outside of Atlassian.
  • Configuration data stored by the App is removed in accordance with Atlassian Forge data lifecycle behavior when the App is uninstalled or the data is deleted.

7. Logging and monitoring

  • We capture application and platform telemetry — error reports, timing metrics, and anonymized usage counts — to detect anomalies, errors, and potential abuse.
  • Operational logs are designed to avoid containing Customer Data; where diagnostic detail is required, we minimize and protect it.
  • We rely on Atlassian Forge platform logging and monitoring for runtime and infrastructure events, and we review alerts for unusual or unauthorized activity.

8. Secure development

  • Changes to the App are made through version control and require peer code review before they are merged and released.
  • We run dependency scanning (SCA) and static and dynamic analysis (SAST and DAST) to identify vulnerable libraries and insecure code, and we keep dependencies up to date.
  • Secrets and credentials are managed through secure secret storage and are never committed to source control.
  • Our developers are familiar with common application security risks, including the OWASP Top 10, and apply secure-coding practices throughout development.

9. Organizational security

  • Workstations used for development are protected with endpoint protection and full-disk encryption, and require strong authentication.
  • Team members receive security awareness guidance and understand their responsibilities under this Policy and the Atlassian Marketplace security requirements.
  • We rely on Atlassian as the primary infrastructure processor for the App and limit the use of additional subprocessors; any subprocessors are assessed for an appropriate security posture.

10. Compliance and platform alignment

We align our security program with the requirements Atlassian publishes for Marketplace Partners, including the Marketplace Security Requirements for cloud apps, the Security Bug Fix Policy, the app security incident management guidelines, and the ISO 27001 responsibilities that apply to Forge Marketplace Partners.

Because the App runs on Atlassian Forge, it inherits the compliance posture of the Atlassian Cloud platform on which it operates. Details of Atlassian’s certifications and platform controls are available through the Atlassian Trust Center.

11. Contact and updates

Security questions, vulnerability reports, and incident notifications can be sent to support@ekko.technology, or via the support link on the Atlassian Marketplace listing at https://marketplace.atlassian.com/apps/4273715812.

We review and update this Policy periodically and whenever our practices change materially. The effective and last-updated dates above indicate the current version.