Security & Privacy
Hey WhatsApp Me for Jira runs on Atlassian Forge. Its security and privacy posture rests on three things: Forge platform controls, your own configuration, and outbound network access that is restricted to the destinations declared in the app manifest.
This document covers both the app's security architecture and Choulle Digital's security practices as the vendor.
Vendor Security Policy
Security Governance
Choulle Digital maintains a security-first approach to app development and operations. As a Forge-native app, Hey WhatsApp Me runs entirely within Atlassian's infrastructure — there are no vendor-managed servers, databases, or middleware. This significantly reduces the attack surface and shifts infrastructure security responsibilities to Atlassian's SOC 2 Type II–certified platform.
Secure Development Lifecycle
Code reviews — All code changes go through peer review before merging to the production branch.
Static analysis — ESLint and Forge Lint are run on every build to catch code quality and manifest issues before deployment.
Dependency management — Third-party dependencies are kept minimal and monitored for known vulnerabilities. The app uses only `@forge/api`, `@forge/react`, `@forge/resolver`, `@forge/kvs`, and `@forge/bridge` as core dependencies.
Least-privilege scoping — OAuth scopes in the manifest are limited to the minimum required for each feature. New scopes are only added when a new feature explicitly requires them, and each scope is documented with its justification.
No hardcoded secrets — All credentials (Twilio, AI provider keys) are stored using Forge's encrypted secret management. No secrets exist in source code.
Vulnerability Management
Dependency scanning — `npm audit` is run regularly to identify known vulnerabilities in dependencies. Critical and high-severity findings are patched promptly.
Forge platform updates — The app targets a current Node.js runtime (nodejs22.x) and is updated when Atlassian releases new Forge runtime versions.
Marketplace security reviews — The app undergoes Atlassian's Marketplace security review process, including the Ecoscanner automated security assessment, before each major release.
Responsible disclosure — External security researchers and customers can report vulnerabilities to security@choulledigital.com. Reports receive an initial acknowledgment within 48 hours and are triaged based on severity (Critical/High patched within 7 days, Medium within 30 days, Low within 90 days).
Incident Response
In the event of a security incident affecting the app or its data:
Identification — The incident is logged and assessed for scope and severity.
Containment — If the incident involves the app's functionality, we can immediately redeploy a patched version or disable the affected feature via Forge deployment.
Notification — Affected customers are notified within 72 hours of confirmed incidents that impact their data, in accordance with GDPR requirements.
Remediation — A root cause analysis is performed, a fix is developed and tested, and a patched version is deployed to the Marketplace.
Post-incident review — Lessons learned are documented and applied to prevent recurrence.
Because the app runs on Forge, infrastructure-level incidents (server compromise, storage breach) fall under Atlassian's own incident response process and their SOC 2 controls.
Access Controls (Internal)
Source code access — Restricted to authorized development team members only.
Forge deployment credentials — Managed through Atlassian's developer console with role-based access.
Marketplace publishing — Requires authenticated access to the Atlassian Marketplace vendor account.
No production data access — The vendor does not have access to customer data stored in Forge KVS. All app data is tenant-isolated by the Forge platform. The vendor cannot read, export, or view customer configurations, identity mappings, or conversation history.
Third-Party Risk
The app integrates with two categories of external services, both configured and controlled by the customer:
| Third Party | Purpose | Data Sent | Customer Control |
|---|---|---|---|
| Twilio | WhatsApp message delivery | Phone numbers, message text | Customer provides their own Twilio account credentials |
| AI Provider (e.g. OpenAI) | Optional AI features | Message text for intent classification | Customer provides their own API key; AI is off by default |
No customer data is shared with Choulle Digital or any other third party. The app does not include analytics, telemetry, or tracking beyond Atlassian's standard Forge platform telemetry.
Compliance
The app runs on Atlassian Forge, which operates under Atlassian's SOC 2 Type II compliance program.
Data residency follows the customer's Atlassian cloud region settings.
The app does not store personal data outside of Forge KVS (which is encrypted at rest and tenant-isolated).
The app supports customer data deletion through the admin panel (remove mappings, clear conversation history).
App Security Architecture
Architecture
The app runs entirely on Atlassian Forge—no separate server for you to host. Execution stays in Atlassian’s infrastructure.
Outbound traffic follows the manifest. The app uses Twilio for WhatsApp. With AI Concierge enabled, it may call your AI provider (for example OpenAI) using keys you provide.
Data encryption
Twilio credentials
Your Twilio Auth Token is handled through Forge secret management and is not stored in plain text.
Forge storage
Configuration, identity mappings, and conversation-related data are stored in Forge Key-Value Storage (KVS). That storage is encrypted at rest and operated by Atlassian as part of Forge.
Access control
User identity mapping
The app associates WhatsApp phone numbers with Jira users where you configure mappings. In Internal mode, only mapped users can use the bot to work with Jira.
Support modes
| Mode | Who can interact | Use case |
|---|---|---|
| Internal | Only mapped users | Internal teams (for example field staff or employees) |
| External | Anyone who messages the number | Customer-facing support desk |
Role-based permissions
You assign a role to each mapped identity:
| Role | Allowed actions |
|---|---|
| Customer | Create requests, comment on own requests, view own request details |
| Agent | Full access to commands, flows, and actions across tickets |
In External mode, senders who are not mapped default to the Customer role. If a Customer attempts an agent-only action (for example transitioning or assigning a request that is not their own), the app responds with a denial message and does not perform the action. This mirrors the Jira Service Management model, in which customers interact primarily with their own requests.
In Internal mode, numbers that are not mapped receive a configurable rejection message and cannot proceed.
Phone number blocklist
You can maintain a blocklist of phone numbers. Messages from a blocked number are dropped silently: the app runs no commands or flows and sends no reply. You can remove a number from the blocklist at any time.
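The access-control rules described above (blocklist, support mode, default role and the customer-only restriction) combined into one decision function, as an added illustrative example in JavaScript. This is not the app's own code: the function and field names, the action list, the sample configuration and the message shapes are assumptions, and the owner of a request is passed in by the caller rather than looked up in Jira.

```javascript
// Added example, not the app's code. Names, actions and sample data are assumptions.

// Actions a Customer may perform; anything else is treated as Agent-only.
const CUSTOMER_ACTIONS = new Set(['create_request', 'comment', 'view_request']);

// Reduce a phone number to '+' plus digits so that formatting differences
// ("+1 (555) 010-0001" vs "+15550100001") do not bypass a mapping or block.
function normalizePhone(raw) {
  const digits = String(raw).replace(/\D/g, '');
  return digits ? `+${digits}` : '';
}

// Decide how an inbound message is handled. Returns:
//   drop   - blocked number: no reply, no flow
//   reject - Internal mode and unmapped: send the configured rejection message
//   deny   - known role but action not permitted: reply with a denial
//   allow  - run the command or flow
function authorize(config, msg) {
  const from = normalizePhone(msg.from);

  // 1. Blocklist is checked before anything else and never produces a reply.
  if (config.blocklist.some((n) => normalizePhone(n) === from)) {
    return { decision: 'drop', reason: 'blocked' };
  }

  const mapping = config.mappings.find((m) => normalizePhone(m.phone) === from);

  // 2. Internal mode: only mapped identities may proceed.
  if (!mapping && config.mode === 'internal') {
    return { decision: 'reject', reply: config.rejectionMessage, reason: 'unmapped' };
  }

  // 3. External mode: unmapped senders default to Customer.
  const role = mapping ? mapping.role : 'customer';

  // 4. Agents have full access to commands, flows and actions.
  if (role === 'agent') {
    return { decision: 'allow', role, reason: 'agent' };
  }

  // 5. Customers: only customer actions, and only on their own requests.
  //    msg.requestOwnerPhone is assumed to have been resolved by the caller.
  if (!CUSTOMER_ACTIONS.has(msg.action)) {
    return { decision: 'deny', role, reason: 'agent_only_action' };
  }
  if (msg.issueKey && normalizePhone(msg.requestOwnerPhone) !== from) {
    return { decision: 'deny', role, reason: 'not_own_request' };
  }
  return { decision: 'allow', role, reason: 'customer_action' };
}

// Constructed sample configuration (numbers are fictitious).
const sampleConfig = {
  mode: 'internal',
  rejectionMessage: 'This number is not registered. Contact your administrator.',
  blocklist: ['+15550100099'],
  mappings: [
    { phone: '+15550100001', accountId: 'agent-1', role: 'agent' },
    { phone: '+15550100002', accountId: 'cust-1', role: 'customer' },
  ],
};

// Stand-alone demonstration: a customer trying an agent-only transition.
console.log(authorize(sampleConfig, { from: '+1 (555) 010-0002', action: 'transition', issueKey: 'SD-12' }));
```

The ordering matters: the blocklist check runs first so that a blocked number cannot learn, through a rejection or denial message, whether it is mapped; the mode check runs before any role is assigned so that Internal mode never falls through to the Customer default.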
Jira permissions
The app requests the smallest set of OAuth scopes needed for its features:

| Scope | Purpose |
|---|---|
| read:jira-work | Read issues, projects, and fields |
| write:jira-work | Create issues, comments, and transitions |
| read:jira-user | Resolve users for assignment and mapping |
| storage:app | Persist app configuration and conversation data |
| read:servicedesk-request | Read JSM requests and SLA information |
| write:servicedesk-request | Create JSM requests and customer-visible comments |
| manage:servicedesk-customer | Create and manage JSM customers |
| manage:jira-configuration | Read project configuration where required |
| read:confluence-content.all | Read Confluence pages for the AI knowledge base |
| search:confluence | Search Confluence for KB-style answers |
| read:knowledgebase:jira-service-management | Search the JSM Knowledge Base |

Note that manage:jira-configuration is a Jira administration scope and grants more than read access to project configuration; review it alongside the other scopes when auditing the app's permissions in your site's Connected apps settings.
External network access
The manifest permits outbound requests only to the following hosts:

| Domain | Purpose |
|---|---|
| api.twilio.com | WhatsApp messaging API |
| *.twilio.com | Other Twilio API endpoints as needed |
| *.twiliocdn.com | Media downloads for attachments |
| api.openai.com | AI requests when AI Concierge is on and OpenAI is the provider |
When AI is off, no traffic is sent to AI providers. When AI is on, your API key is used; the app ships without shared third-party AI credentials. Keys are stored with Forge’s encrypted storage mechanisms.
Forge platform compliance
Running on Forge gives you:
SOC 2 Type II–aligned operations on Atlassian infrastructure
Data residency in your Atlassian region
Controlled egress: content is not sent to arbitrary hosts; Twilio and (if enabled) your AI provider are the defined exceptions
Maintained runtimes and sandboxed execution between apps
License enforcement
The app verifies an active Atlassian Marketplace license. If the license lapses, the UI indicates expiration and app behavior is disabled until you renew.
Data processing
| Data type | Storage location | Retention |
|---|---|---|
| Twilio credentials | Forge Secrets (encrypted) | Until you remove or rotate them |
| User mappings | Forge KVS | Until you delete or change them |
| Conversation history | Forge KVS | Until you remove it or replace configuration |
| Jira issue data | Jira only | Governed by your Jira retention and policies |
| WhatsApp message bodies | Processed in memory while a message is handled; a durable copy exists only in the conversation log in Forge KVS | Conversation log entries remain in KVS until you clear them from the admin panel |
Responsible Disclosure
If you believe you have found a security vulnerability in Hey WhatsApp Me for Jira, contact security@choulledigital.com. We take all reports seriously.
| Severity | Response SLA |
|---|---|
| Critical / High | Acknowledged within 48 hours, patch within 7 days |
| Medium | Acknowledged within 48 hours, patch within 30 days |
| Low | Acknowledged within 48 hours, patch within 90 days |
We do not pursue legal action against researchers who report vulnerabilities in good faith.