All 3T Apps products are built entirely on Atlassian Forge. Forge is Atlassian's serverless platform that runs all app code within Atlassian's own infrastructure. There are no external servers, no third-party backends, and no data leaving the Atlassian ecosystem.
All application data — configuration, technician availability, location data, API keys, and feedback — is stored exclusively in Forge KVS (Key Value Store), which is Atlassian's own managed storage layer. Data residency follows your Atlassian organisation's configured data residency region.
All user inputs are validated and sanitised server-side. All write operations require server-side authorisation checks. Admin functions are protected by a three-tier permission check. XSS protection is provided by React's built-in escaping. AQL injection is prevented through character escaping and query sanitisation.

| Scope | Purpose |
|---|---|
| read:jira-work, write:jira-work | Reading and updating JSM tickets, comments, time logs |
| read:jira-user | Displaying assignee and user information |
| read:servicedesk-request, write:servicedesk-request | Handling JSM service requests and forms |
| manage:jira-configuration | Reading project configuration for admin settings |
| manage:jira-project | Fetching project statuses and request types |
| read:cmdb-* | Asset field AQL discovery and display |
| storage:app | Forge KVS for storing app configuration |

| Scope | Purpose |
|---|---|
| read:jira-work, write:jira-work | Reading tickets and updating assignments, statuses |
| read:jira-user | Displaying technician profiles and assignee information |
| read:servicedesk-request, write:servicedesk-request | Reading and transitioning JSM service requests |
| manage:jira-configuration | Reading project configuration for dispatcher settings |
| manage:jira-project | Fetching project statuses and request types for filtering |
| storage:app | Forge KVS for configuration, availability, and location data |

| Scope | Purpose |
|---|---|
| read:cmdb-* | Reading Jira Assets schemas, object types, and records for export |
| manage:jira-configuration | Reading project and Assets configuration for schema discovery |
| storage:app | Forge KVS for API keys, export configuration, and sync schedules |

TechDesk: The only external API call is to api.atlassian.com. No third-party services.
DispatchDesk: Contacts api.atlassian.com for all Jira data. Map tiles are loaded from OpenStreetMap via the Leaflet npm package; no user data is transmitted to tile servers.
Assets to SQL: Reads Assets data from api.atlassian.com. The pull endpoint is served by Forge's own runtime. Webhook push sends export payloads to the URL configured by the admin — no default external endpoint.
We use npm audit as part of our development process to identify and remediate dependency vulnerabilities. All vulnerabilities with available fixes are resolved before release. Remaining unfixable vulnerabilities are confined to upstream Atlassian SDK packages (@atlaskit/*, @forge/react) where no patched versions are currently available from Atlassian.
In the event of a confirmed security incident or critical vulnerability, we will notify affected customers via email within 72 hours and notify Atlassian per the Atlassian Security Incident Management Guidelines. Critical vulnerabilities will be patched within the timeframes defined in the Atlassian Marketplace Security Bug Fix Policy.
Our development environment requires Multi-Factor Authentication (MFA) on all source code access (GitLab). All Forge app secrets are stored using Atlassian's Forge Secrets API; no credentials or API keys are hardcoded in source code or committed to repositories. Input validation and sanitisation are applied to all user-supplied data both client-side and server-side.
Email support@3t-apps.com with a description of the vulnerability, steps to reproduce, and potential impact. We will acknowledge within 2 business days and aim to resolve confirmed vulnerabilities within 30 days in accordance with Atlassian's bug fix policy. Please do not report security vulnerabilities through public channels.
Detailed DATA-RESIDENCY.md and PRIVACY.md documents are available for enterprise security reviews. Contact support@3t-apps.com to request them.