Stakeholder Update Generator - Security Policy

Last updated: 2026-06-22

This describes how Aria Code secures Stakeholder Update Generator, how we manage vulnerabilities, and how to report a security issue. What the app reads, processes, and stores is detailed in our Privacy Policy.

Platform & architecture

Stakeholder Update Generator is built on Atlassian Forgeand runs entirely within Atlassian’s cloud (it qualifies for “Runs on Atlassian”). We operate no external servers or databases:

  • Data is processed and stored within Atlassian’s platform, inheriting its tenant isolation, encryption in transit and at rest, and physical/network security.
  • The AI narrative is generated by Atlassian’s platform-hosted LLM, no external AI provider, no API key, and no data leaves Atlassian.
  • We hold no customer credentials or secrets; auth is handled by Forge.
  • The app requests the minimum OAuth scopes needed; it only reads work items and never modifies your Jira.
  • It makes no third-party network calls, no external data egress.

Reporting a security issue

Report suspected vulnerabilities or incidents to hello@ariacode.dev with reproduction steps and impact. We acknowledge within 2 business days.

Vulnerability management

  • Triage: issues are assessed and assigned a severity (critical / high / medium / low) on receipt.
  • Remediation targets (from confirmation): critical within 7 days, high within 30 days, medium/low at the next scheduled release.
  • Deployment: fixes ship via Atlassian Forge and reach customers automatically; production releases are versioned.

Technical & organizational controls

  • Access control: least-privilege OAuth scopes; no standing access to customer data beyond app function; Forge developer-console access is protected by Atlassian-account authentication with multi-factor authentication.
  • Data protection: no external storage; only the generated update and lightweight settings in Forge storage; no issue content retained beyond what the privacy policy describes.
  • Monitoring: Forge platform logs and alerts for errors and anomalies.
  • Change management: changes reviewed and deployed via the Forge CLI with versioned production deployments.

Incident response & notification

For a confirmed incident affecting customer data, we notify affected customers without undue delay and within 72 hours of confirmation, via the support channel and contact on file, describing the incident, the data involved, and remediation. Critical incidents are escalated immediately, coordinating with Atlassian where the platform is involved.

Contact

Security and privacy: hello@ariacode.dev.