Built with security-first principles - powered by Atlassian Forge.
🧱 Forge Sandbox
Dynamic Score runs entirely inside Atlassian Forge, which enforces strict security guarantees by design:
- Full code isolation per app and per Jira site
- No external servers, no external databases
- Zero network access unless explicitly declared (Dynamic Score declares none)
- Strict permission boundaries defined in the Forge manifest
- Automatic data residency within Atlassian infrastructure
- No access to Jira fields beyond what is explicitly permitted
Forge ensures the app cannot access or transmit any data beyond its declared scopes.
🔐 Permission Scopes
Dynamic Score requests only the scopes required for loading configurations and saving scoring results - nothing more.
Below are the scopes from the app's manifest and why each is needed:

| Scope | Why It’s Needed |
|---|---|
| read:jira-work | Load issue details and read previously saved scoring values |
| write:jira-work | Save scoring results into issue properties |
| read:jira-user | Display user-friendly names when adding optional comments |
| manage:jira-project | Read and write project (space) properties used for scoring configurations |
What this means:
- The app cannot read issue descriptions or attachments
- The app cannot access Jira data outside the current project
- The app cannot write anything outside issue/project properties
No other scopes are requested.
🗂️ Data Residency
All data used by Dynamic Score stays inside your Jira Cloud instance and Atlassian's infrastructure:
- Project configurations stored in project properties
- Issue scoring data stored in issue properties
- No export, transmission, or duplication outside Atlassian systems
Dynamic Score does not send or store any information externally.
🔍 No Secrets Stored
The app stores no secrets:
- No environment variables
- No API tokens
- No credentials
- No external endpoints
- No hidden storage
All operations rely entirely on the authenticated user session and Jira’s secure APIs.
👥 User Data
Dynamic Score only accesses:
- User display names, but only when adding comments, and only to show who posted them
It never reads:
- Email addresses
- Full user profiles
- Internal Atlassian account IDs
No personal identifying information is stored or transmitted.
🧪 Secure Dev Process
We follow a security-focused development workflow:
- Code reviews for every update
- Testing via Forge tunnel in an isolated sandbox
- Static analysis of React + Forge components
- Validation of permission scopes
- Strong separation between admin and user operations
- Verification of fallback logic for all formulas to avoid invalid outputs
✅ Atlassian-Backed Protection
Because Dynamic Score is a Forge app, it inherits Atlassian’s robust security framework:
- SSO authentication
- OAuth2-protected REST API access
- Tenant isolation (no cross-project or cross-site access)
- Enforced permission scopes per manifest
- Encryption at rest and in transit
- Compliance with:
  - ISO/IEC 27001
  - SOC 2
  - GDPR
  - CCPA
  - Atlassian Marketplace security requirements