This Security Policy describes the technical and organizational measures Fuksia Labs applies to protect data processed by the ClockIn for Jira app ("the App"). It complements our Privacy Policy, which covers what data we collect and why.
The App is built entirely on Atlassian Forge and runs within Atlassian's managed cloud infrastructure. Fuksia Labs does not operate its own servers, databases, or third-party cloud services to store or process App data. All storage relies on Forge Storage, which inherits Atlassian's own security, availability, and compliance controls.
The App does not implement its own authentication system or store user credentials. All identity verification is delegated to Atlassian's native Forge invocation context. Access to functionality is enforced server-side according to the role assigned to each user (employee, manager, or administrator), so that users can only view or modify data they are authorized to access.
Data in transit between the App's frontend, its backend resolvers, and Atlassian's APIs is encrypted using TLS. Data at rest in Forge Storage is encrypted by Atlassian as part of the underlying Forge platform. No data is transmitted to or stored on infrastructure outside Atlassian Cloud.
The App only requests the Atlassian API scopes strictly necessary for its functionality, and only processes the data described in our Privacy Policy: account identifiers, names, email addresses, clock events, and configuration data required for legal time-tracking compliance.
Every version of the App submitted to the Atlassian Marketplace goes through Atlassian's automated security scanning as part of the approval workflow. Any vulnerability findings raised through this process are reviewed and remediated by Fuksia Labs within the timelines required by Atlassian's Marketplace Security Enforcement Policy.
If you believe you have found a security vulnerability in the App, please report it to info@fuksia.com. We investigate all reports and respond as quickly as possible. Fuksia Labs does not currently participate in the Atlassian Marketplace Bug Bounty program.
In the event of a confirmed security incident affecting customer data, Fuksia Labs will notify the affected organization's administrator without undue delay, consistent with our obligations under the GDPR (Articles 33 and 34), and will cooperate with Atlassian's own incident response procedures where applicable.
Atlassian is the only infrastructure provider involved in processing App data, through the Forge platform. Fuksia Labs does not use additional third-party subprocessors, analytics services, or trackers within the App.
The App's source code is maintained under version control with restricted access. Changes are reviewed before being deployed to production. The App requests the minimum set of Forge permissions and API scopes required for its features, following the principle of least privilege.
For any questions about this Security Policy or to report a security concern, write to us at info@fuksia.com.