Security and privacy

Where data lives, what permissions the app requests, and what licensing controls access.

Platform

Proxy Agent runs entirely on Atlassian Forge, Atlassian's serverless platform for Cloud apps. There are no external servers operated by Qwerty Craft involved in handling your Jira data. All function execution and storage happen inside Atlassian's infrastructure, in the region your Atlassian organization is hosted in.

Data stored

The app stores the following in Forge's encrypted storage, scoped to your tenant:

  • Global app config: your selected mode (app or impersonation) and, in impersonation mode, the accountId of the configured agent.
  • Per-project config: the same shape, scoped to a project ID.
  • Audit records: see Audit log for the schema. Retained 90 days.

No comments, ticket bodies, or customer messages are stored by Proxy Agent itself. The comment, transition, edit, and worklog operations write directly to Jira and are not duplicated into app storage. Audit records reference the issue ID; they do not store the customer-visible content of the action beyond a structured details payload (for example, the ADF body of a comment for traceability).

Authentication

All Jira API calls use Forge-managed authentication. The app never stores or sees user passwords or OAuth tokens. Impersonation works via Forge's allowImpersonation scope, which lets the app invoke Jira APIs as a designated account. Atlassian's platform performs the impersonation, not Qwerty Craft.

Permission scopes requested

| Scope | Why it's needed |
| --- | --- |
| read:jira-work | Read issue details and metadata. |
| write:jira-work (with impersonation) | Add comments, transitions, field edits, links on Jira issues. |
| read:jira-user | Display agent names and avatars. |
| read:servicedesk-request | Read JSM request data. |
| write:servicedesk-request (with impersonation) | Comment on and transition JSM requests. |
| read:app-data:jira, write:app-data:jira | Read and write app configuration. |
| storage:app | Read and write app storage (config and audit log). |
| view:team:teams | Power the Team field picker in the Edit Issue tab. |

Tenant isolation

Forge enforces strict per-tenant isolation. Qwerty Craft staff have no standing access to customer data; they can only see anonymized telemetry that Atlassian exposes to Marketplace vendors.

Vulnerability reporting

Please report suspected security issues to ata@qwertycraft.com. We aim to acknowledge within two business days.

Licensing

Proxy Agent uses the Atlassian Marketplace licensing system.

  • During an active evaluation or paid subscription, all features are available.
  • When the license expires or is canceled, the app shows a single warning panel on every surface asking you to contact your Jira admin or visit the Marketplace listing to renew. No further actions can be taken until the license is restored.

[Figure: Full-screen "License required" panel shown when the app's license has expired]

Uninstalling the app deletes all app-scoped storage (config and audit log) as part of Forge's standard uninstall flow.