Security Statement
Overview
Old Skool Board is a Jira Cloud app built on Atlassian Forge, Atlassian's serverless app platform. The app runs entirely on Atlassian's infrastructure. There are no external servers, databases, or third-party services.
Architecture
- Platform: Atlassian Forge (Custom UI)
- Runtime: Forge serverless functions (Atlassian-hosted)
- Frontend: React application served via Forge Custom UI sandbox
- Communication: All API calls are made to Jira Cloud via Forge's requestJira bridge
- External network calls: None. The app makes no outbound requests to any server outside Atlassian's infrastructure.
Data flow
Old Skool Board reads issue, board, and workflow data from Jira Cloud using the Jira REST API via Forge's requestJira mechanism. All data flows between the app and Jira remain within Atlassian's infrastructure.
The app does not send data to external servers, use analytics or tracking services, set cookies, or log user activity outside Atlassian's platform.
Data storage
The app uses the Forge Storage API to persist:
| What | Purpose |
|---|---|
| Selected board preference | Which board a user last viewed in a project |
| Board display preferences | User-specific display settings |
| Work item ordering | Custom ordering of items on the board |
Storage keys include the user's Atlassian account ID to scope preferences per user. No display names, email addresses, or other personal profile data is stored.
All Forge Storage data is encrypted at rest by Atlassian, scoped to the app installation, and deleted when the app is uninstalled.
Authentication
Authentication is handled entirely by the Atlassian platform. Old Skool Board does not implement its own authentication. The app respects Jira's existing permission model — users can only view and modify issues they have access to in Jira.
Tenant isolation
Forge provides automatic tenant isolation. Each app installation operates in its own isolated context. Cross-tenant data access is prevented at the platform level by Atlassian.
Encryption
- At rest: Forge Storage is encrypted at rest by Atlassian.
- In transit: All communication between the app and Jira APIs uses TLS, enforced by the Forge platform.
Dependencies
- Dependencies are reviewed and updated regularly
- npm audit is run as part of the development workflow
- Atlassian's Ecoscanner automatically scans all Marketplace apps for known vulnerabilities on an ongoing basis
Vulnerability disclosure
If you discover a security vulnerability in Old Skool Board:
- Email: security@spindriftlabs.net
- Do not disclose the issue publicly until it has been addressed
- We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days
For non-security bugs and feature requests: github.com/spindriftlabs/old-skool-board-feedback
Shared responsibility
Old Skool Board runs on Atlassian Forge, which operates under a shared responsibility model.
Atlassian is responsible for: infrastructure security, user authentication, encryption at rest and in transit, tenant isolation, DDoS protection, and platform monitoring.
Spindrift Labs is responsible for: application logic and input validation, output encoding, dependency management, authorisation logic within the app, and responding to security reports about app-specific behaviour.
Incident response
In the event of a security incident:
- Investigate and contain the issue
- Assess breach scope — determine whether personal data (e.g. Atlassian account IDs) was involved and whether affected individuals are likely to face risk
- Notify as required — if a personal data breach is confirmed, notify the relevant supervisory authority within 72 hours as required by GDPR (Art. 33), and notify affected customers without undue delay where risk to individuals is high (Art. 34). Notification is via the Marketplace listing and support channels.
- Deploy a fix via Forge deployment
- Publish a post-incident summary where appropriate
For platform-level incidents, Atlassian's own incident response processes apply.
Contact
- Security issues: security@spindriftlabs.net
- General support: support@spindriftlabs.net
- Bug reports: github.com/spindriftlabs/old-skool-board-feedback
Spindrift Labs is a sole trader business based in Australia.