Security Policy
Prism for Jira · Published by OpsShark
Last Updated: March 2026
The Short Version
- Prism runs entirely on Atlassian’s Forge platform — OpsShark operates no external servers, databases, or third-party services.
- No personally identifiable information is stored beyond Jira issue keys and project keys.
- Data is never transmitted outside of Atlassian’s infrastructure.
- Vulnerability reports are acknowledged within 2 business days. Email support@opsshark.com.
Overview
Prism for Jira is a Forge application built on Atlassian’s serverless platform. All computation, data storage, and network access occur entirely within Atlassian’s managed infrastructure. OpsShark does not operate any external servers, databases, or third-party services in connection with this app.
Data Storage
Prism stores data exclusively within Atlassian Forge Key-Value Storage (KVS). No personally identifiable information is stored beyond Jira issue keys and project keys, which are already internal identifiers within your Atlassian instance. All stored data resides within Atlassian’s data centers and is subject to Atlassian’s Security Practices.
- Issue links — Associations between JSM requests and Jira Software work items (issue keys only).
- Issue cache — Temporary snapshots of issue fields (summary, status, progress) used for portal display.
- App settings — Global and per-project configuration preferences (display toggles, field references).
Data Access
Prism accesses the following Jira data via the Atlassian Forge runtime, using app-level credentials scoped to the installing instance. Data is never transmitted outside of Atlassian’s platform.
- Issue fields: summary, status, priority, assignee display name, progress, due date.
- Project metadata: project key, name, type, avatar.
- JSM request context: request key, linked portal.
Data Egress
Prism does not:
- Send any data to external servers or APIs.
- Share data with third-party analytics, advertising, or data brokers.
- Log or export user data outside of Atlassian’s platform.
- Use any external CDN, tracking pixel, or remote resource.
Permissions
Prism requests the following OAuth scopes at installation:
- read:jira-work — Read issue fields, status, and project metadata.
- write:jira-work — Post public comments on JSM tickets when a link is created.
- read:servicedesk-request — Access JSM request context for the customer portal panel.
- storage:app — Read and write Forge KVS (app-scoped, not accessible to other apps).
No user-level tokens, passwords, or Personal Access Tokens (PATs) are requested or stored.
Authentication
Prism uses Atlassian’s built-in Forge app authentication (api.asApp()). All API calls are made on behalf of the app installation, not on behalf of individual users. No credentials are stored, transmitted, or exposed to end users.
Customer Portal Access
The customer-facing portal panel uses Atlassian’s unlicensedAccess feature to display linked work item progress to portal customers who are not licensed Jira users.
- Read-only — portal customers cannot modify any data.
- Scoped to KVS only — no Jira API calls are made in the portal resolver.
- Instance-scoped — data is isolated to the installing Atlassian instance.
Vulnerability Reporting
If you discover a security vulnerability in Prism for Jira, please report it responsibly to support@opsshark.com with the subject line: [SECURITY] Prism for Jira – Vulnerability Report.
Please include a description of the vulnerability, steps to reproduce, and a potential impact assessment.
We commit to acknowledging reports within 2 business days and providing a resolution timeline within 7 business days. Please do not disclose vulnerabilities publicly until we have had an opportunity to investigate and respond.
Atlassian Security Standards
As a Forge app, Prism for Jira is subject to and compliant with Atlassian Marketplace Security Requirements, Atlassian Cloud Security Practices, and the Forge Platform Security standards.
Changes to This Policy
OpsShark reserves the right to update this security policy as the app evolves. Material changes will be reflected in the Last Updated date above and communicated via the Atlassian Marketplace listing changelog.
Questions? Contact us at support@opsshark.com