Voice to Ticket for Jira — Security & Privacy
Last updated: 2026-04-15
Security contact: support@choulledigital.com
Privacy contact: support@choulledigital.com
1. Scope
This page explains how Voice to Ticket for Jira handles data and security for customers using the app in Atlassian Cloud environments.
Scope: This document covers the Forge-hosted app’s processing when handling inbound calls, transcription, Jira request creation, and optional SMS confirmations.
2. Data categories
Caller identifiers (for example, phone number).
Call metadata (for example, call SID, timestamps, duration).
Audio recordings and transcript text.
Generated ticket summary and description.
Jira issue keys and workflow context.
App configuration values and encrypted API credentials.
3. How data is used
Receive and process inbound support calls.
Transcribe and analyze caller messages to extract intent and important entities.
Create Jira Service Management requests with structured fields and context.
Provide issue activity context for agent review and follow-up.
Send optional SMS confirmations to callers when enabled.
Data is not sold.
4. Data storage and location
App configuration and runtime operational values are stored in Forge app storage.
Call metadata may be stored on Jira issue properties for traceability.
Request content (summary, description, transcript excerpts) is stored in Jira issues and comments per workflow.
Recordings may be attached to Jira issues or retained by the telephony provider based on configuration.
5. Subprocessors and external services
The App uses the following platforms and services for specific functions:
Atlassian Forge / Jira Cloud: App runtime, secure storage, and Jira data handling within the customer’s Jira Cloud site.
Twilio: Telephony webhooks, call handling, recordings, and optional SMS delivery.
OpenAI: Speech-to-text transcription and language analysis (for example, summarization, entity extraction).
Customer is responsible for reviewing and accepting terms and data processing terms for these providers.
6. Security controls
Forge-hosted runtime and permission model to isolate execution and data access.
Minimal required OAuth scopes declared in the app manifest following least-privilege principles.
Restricted external egress domains to approved endpoints only.
Secrets stored using Forge secure secret storage with no plaintext in code or logs.
License checks enforced in admin configuration UI to prevent unauthorized use.
Access controlled by Jira/Atlassian admin permissions and project roles.
Best practice: Restrict who can configure telephony credentials and confirm that API keys are rotated regularly.
7. Data retention
Retention depends on Customer configuration and host product behavior:
Jira issue data and properties: retained per Jira Cloud product policies and the Customer’s lifecycle controls (projects, schemes, backups).
Twilio recordings: retained per Twilio account settings and Customer-managed retention rules.
Operational logs and diagnostics: retained according to the Vendor’s operational policy.
Define your exact retention commitment here:
<Retention period for support logs>
<Retention period for derived metadata>
8. Customer controls
Choose whether the caller’s phone number is written to a custom field or stored only in issue properties.
Select caller and ticket language handling (for example, language auto-detect vs. enforced project language).
Enable or disable SMS confirmations to callers and customize message content where supported.
Update and rotate API credentials from the admin configuration UI.
Uninstall the App to stop future processing and revoke credentials stored by the app.
9. Incident response
Investigate and contain the incident, including isolating affected components and rotating keys if needed.
Notify affected customers without undue delay where required by contract or law.
Provide available details, impact assessment, and remediation guidance as information is validated.
10. Compliance responsibilities
Customer is responsible for:
Providing legally required caller notices and consents appropriate to their jurisdiction(s).
Ensuring a lawful basis for processing personal data and configuring retention consistent with policy.
Handling data subject requests for data in Customer-controlled systems (for example, Jira issues, recordings in Twilio).
11. Privacy requests
For privacy and data protection requests, contact: <privacy@your-domain.com>
12. Changes
This Security & Privacy page may be updated to reflect product, legal, or operational changes. The date at the top indicates the latest revision.