Platform
Proxy Agent runs on Atlassian Forge, a serverless, sandboxed runtime hosted by Atlassian. There are no external Qwerty Craft servers in the request path, and the app cannot reach out to third-party services for customer data processing.
Data residency
All app data is kept in Forge's encrypted storage. It resides in the Atlassian region you have selected for your Cloud site. We do not copy or replicate customer data outside that region.
Permissions
The app requests only the Jira scopes it needs to perform the documented actions. Each scope is declared in the Forge manifest with a comment explaining the reason it is required.
Authentication
All Jira API calls use Forge-managed authentication. The app never sees, requests, or stores user passwords, OAuth tokens, or API keys.
Impersonation safety
The ability to act as another agent is gated by:
- An app-defined Forge project permission,
act-as-agent, that the Jira admin grants explicitly. - Per-issue permission checks (e.g., Current Assignee scheme rules).
- An immutable audit log entry for every action, including failed attempts.
Tenant isolation
Forge enforces strict per-tenant isolation. Qwerty Craft staff have no standing access to customer data and cannot read storage from any customer's tenant.
Vulnerability reporting
Please report any suspected vulnerability to ata@qwertycraft.com. We aim to acknowledge reports within 2 business days. Please do not publicly disclose details until we have had a reasonable opportunity to remediate.
Compliance posture
The app inherits Atlassian Cloud's SOC 2, ISO 27001, and GDPR compliance for hosting and underlying data processing. Qwerty Craft does not hold independent certifications at this time.