Security
Complexity Prism is a Jira Cloud app built on Atlassian Forge. The app is designed to keep customer issue data within Atlassian-hosted Jira and Forge-connected product surfaces used by the app.
Current Architecture
Complexity Prism currently stores app data in:
- Jira custom fields - AI Complexity Score, blocker data, notes
- Jira issue entity properties - session state and aggregate metadata
- Jira project entity properties - project-level configuration
- Jira comments - optional, when enabled by customer configuration
No external backend
The app does not use an external application backend, external database, external analytics or telemetry pipeline, or third-party AI APIs for customer issue data.
Access and Permissions
The app relies on Jira and Forge security primitives:
- Jira permission checks - access control based on Jira project permissions
- Server-side authorization - all write operations are authorized server-side
- Forge runtime identity - session identity via `context.accountId`
- Role-based behavior - participants, facilitators, contributors, and project administrators distinguished by Jira permissions and active session state

Data Minimization
Complexity Prism is designed to reduce retained personal data:
- Participant-linked session data is temporary
- Individual votes are purged by default after save
- Persistent output is focused on final score, blockers, notes, and minimal aggregate metadata
- The app does not require its own external user profile store
- The app does not require names or email addresses to be stored as part of its business logic
Retention Summary
| Data type | Lifecycle |
|---|---|
| Final scores, blockers, notes | Persist in Jira until customer removes them |
| Active session data | Exists during the session lifecycle |
| Participant-linked votes | Temporary - purged by default after save |
| Project configuration | Persists until admin changes it |
Secure Development Controls
The current codebase includes the following controls:
- Server-side input validation
- Output sanitization
- React rendering without unsafe HTML insertion
- Permission checks for privileged actions
- Scoped Forge permissions
- Dependency review prior to release
Encryption
Complexity Prism relies on Atlassian Cloud and Forge platform protections for:
- Encryption in transit (TLS)
- Encryption at rest within Atlassian-managed infrastructure
Data Residency
Complexity Prism does not operate its own external data storage layer. App data is stored within Atlassian-hosted Jira and Forge-connected product surfaces. Customers should refer to Atlassian's documentation for information about regional hosting and data residency applicable to their Jira Cloud environment.
Responsible Disclosure
If you discover a security vulnerability in Complexity Prism, we encourage responsible disclosure.
Important
Please do not publicly disclose vulnerabilities until we have confirmed a fix and deployed it to production.
- Email security@iqmatic.studio with a detailed description
- Include app version, Jira site URL, and steps to reproduce
- We will acknowledge your report within 48 hours
- We aim to resolve critical vulnerabilities within 7 business days
Related Pages
- Privacy Policy & Legal - including Complexity Prism-specific terms
- Contacts & Disclosure - security contact and responsible disclosure process