All 3T Apps products are built entirely on Atlassian Forge. Forge is Atlassian's serverless platform that runs all app code within Atlassian's own infrastructure.
For TechDesk and Assets to SQL, there are no external servers, no third-party backends, and no data leaves the Atlassian ecosystem.
For DispatchDesk, the same holds by default. The optional routing feature is the one exception: when an admin configures a routing provider in Settings → Routing, GPS coordinate pairs are sent to the customer's chosen provider using the customer's own API key. When address geocoding is enabled, the postal address composed from a ticket's configured fields is sent as well, so the provider can resolve it to coordinates. Nothing else leaves Atlassian. Customers who require zero egress can leave routing unconfigured.
For Worktime, the same holds by default — it reads worklogs from api.atlassian.com and computes period reports entirely within Forge. Two optional features are the only exceptions: enabling a third-party worklog source (Tempo, Clockwork or eazyBI) adds egress to that provider using the customer's own API key, and the "Import holidays" admin action calls a public holidays API with only a country code and year. Customers who require zero egress can leave both unconfigured and use native Jira worklogs.
All application data — configuration, technician availability statuses, admin-pinned technician locations, technician home addresses (DispatchDesk; never surfaced in dispatcher views), cached geocoded address coordinates (DispatchDesk only; the geocode cache expires after 30 days), API keys, in-app feedback, and the data backing the admin Insights view (DispatchDesk usage counts and completed-job summaries) — is stored exclusively in Forge KVS (Key Value Store), which is Atlassian's own managed storage layer. Data residency follows your Atlassian organisation's configured data residency region. Insights data is computed in-app, visible only to admins, and is not transmitted to the app publisher or any external analytics service.
All user inputs are validated and sanitised server-side. All write operations require server-side authorisation checks. Admin functions are protected by a three-tier permission check. XSS is mitigated by React's built-in escaping. AQL injection is prevented by character escaping and query sanitisation.
TechDesk:

| Scope | Purpose |
|---|---|
| read:jira-work, write:jira-work | Reading and updating JSM tickets, comments, time logs |
| read:jira-user | Displaying assignee and user information |
| read:servicedesk-request, write:servicedesk-request | Handling JSM service requests and forms |
| manage:jira-configuration | Reading project configuration for admin settings |
| manage:jira-project | Fetching project statuses and request types |
| read:cmdb-* | Asset field AQL discovery and display |
| storage:app | Forge KVS for storing app configuration |

DispatchDesk:

| Scope | Purpose |
|---|---|
| read:jira-work, write:jira-work | Reading tickets and updating assignments, statuses |
| read:jira-user | Displaying technician profiles and assignee information |
| read:servicedesk-request, write:servicedesk-request | Reading and transitioning JSM service requests |
| manage:jira-configuration | Reading project configuration for dispatcher settings |
| manage:jira-project | Fetching project statuses and request types for filtering |
| storage:app | Forge KVS for configuration, availability statuses, and admin-pinned technician locations |

Assets to SQL:

| Scope | Purpose |
|---|---|
| read:cmdb-* | Reading Jira Assets schemas, object types, and records for export |
| manage:jira-configuration | Reading project and Assets configuration for schema discovery |
| storage:app | Forge KVS for API keys, export configuration, and sync schedules |

Worktime:

| Scope | Purpose |
|---|---|
| read:jira-work | Reading Jira worklogs for period calculation |
| read:jira-user | Reading user timezones and display names |
| storage:app | Forge KVS for snapshots, recuperation balances, audit log, and configuration |

TechDesk: The only external API call is to api.atlassian.com. No third-party services.
DispatchDesk:
- api.atlassian.com — Jira REST API. All ticket, user and configuration data flows through here.
- *.tile.openstreetmap.org — map base tiles, loaded client-side. No ticket data, user data or authentication tokens are sent — only standard public tile requests at the coordinates displayed.
- api.openrouteservice.org or api.mapbox.com — routing and geocoding provider. Called only when an admin has configured a provider in Settings → Routing and a user triggers a route or a job site needs geocoding. Routing requests contain the GPS coordinates of admin-pinned technician locations and ticket job sites; when geocoding is enabled, geocoding requests instead send the postal address composed from a ticket's configured fields (street, number, postal code, city, country) so the provider can resolve it to coordinates. No live technician GPS, no Jira identifiers, and no other ticket fields (summary, description, comments, SLA) are sent. All requests use the customer's own API key. DispatchDesk does not hold a shared routing account; the customer's contractual relationship is directly with their chosen provider.

If routing is left unconfigured, DispatchDesk never contacts a routing provider. The map still works.
Assets to SQL: Reads Assets data from api.atlassian.com. The pull endpoint is served by Forge's own runtime. No external endpoints are contacted beyond the Atlassian API.
Worktime: Reads worklogs from api.atlassian.com by default. Customers may optionally enable a third-party worklog source (Tempo, Clockwork or eazyBI), which adds egress to *.tempo.io, *.clockwork.report or *.eazybi.com respectively — controlled per installation, using customer-owned API keys, never shared. The "Import holidays" admin action calls the public date.nager.at API with only a country code and year (no end-user data). With native Jira worklogs and no holiday import, Worktime contacts no endpoint beyond the Atlassian API.
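For a security review, the endpoint list above can be turned into a check. The following JavaScript is an added example, not 3T Apps' code: it compares hosts that an installation declares or is observed contacting against the documented endpoints per product, with strict wildcard matching. The function names and the sample entries are constructed for illustration.

```javascript
// Documented egress per product, copied from the endpoint list on this page.
const DOCUMENTED_EGRESS = {
  'TechDesk': ['api.atlassian.com'],
  'DispatchDesk': ['api.atlassian.com', '*.tile.openstreetmap.org',
    'api.openrouteservice.org', 'api.mapbox.com'],
  'Assets to SQL': ['api.atlassian.com'],
  'Worktime': ['api.atlassian.com', '*.tempo.io', '*.clockwork.report',
    '*.eazybi.com', 'date.nager.at'],
};

// Reduce a URL or host entry to a lowercase hostname (scheme, port, path removed).
function hostnameOf(entry) {
  return entry.trim().toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, '')
    .split('/')[0].split(':')[0]
    .replace(/\.$/, '');
}

// '*.tempo.io' covers 'api.tempo.io' but not 'tempo.io', 'eviltempo.io'
// or 'tempo.io.example.net'. A non-wildcard pattern must match exactly.
function covers(pattern, host) {
  if (!pattern.startsWith('*.')) return host === pattern;
  const suffix = pattern.slice(1); // e.g. '.tempo.io'
  return host.length > suffix.length && host.endsWith(suffix);
}

// Return the entries that fall outside the documented list for a product.
function undocumentedEgress(product, entries) {
  if (!Object.hasOwn(DOCUMENTED_EGRESS, product)) {
    throw new Error(`unknown product: ${product}`);
  }
  const allowed = DOCUMENTED_EGRESS[product];
  return entries.filter((e) => !allowed.some((p) => covers(p, hostnameOf(e))));
}

// Constructed sample: hosts collected for a Worktime installation.
const SAMPLE_WORKTIME = [
  'https://api.atlassian.com/ex/jira',
  'api.tempo.io',
  'date.nager.at:443',
  'tempo.io.example.net', // look-alike, not under *.tempo.io
  '*.atlassian.com',      // broader than the documented api.atlassian.com
];

console.log(undocumentedEgress('Worktime', SAMPLE_WORKTIME));
```

A declared wildcard that is broader than a documented exact host is reported, so a grant wider than what this page describes shows up in review.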
We use npm audit as part of our development process to identify and remediate dependency vulnerabilities. All vulnerabilities with available fixes are resolved before release. Remaining unfixable vulnerabilities are confined to upstream Atlassian SDK packages (@atlaskit/*, @forge/react) where no patched versions are currently available from Atlassian.
In the event of a confirmed security incident or critical vulnerability, we will notify affected customers via email within 72 hours and notify Atlassian per the Atlassian Security Incident Management Guidelines. Critical vulnerabilities will be patched within the timeframes defined in the Atlassian Marketplace Security Bug Fix Policy.
Our development environment requires Multi-Factor Authentication (MFA) on all source code access (GitLab). All Forge app secrets are stored using Atlassian's Forge Secrets API — no credentials or API keys are hardcoded in source code or committed to repositories. Input validation and sanitisation are applied to all user-supplied data both client-side and server-side.
Email support@3t-apps.com with a description of the vulnerability, steps to reproduce, and potential impact. We will acknowledge within 2 business days and aim to resolve confirmed vulnerabilities within 30 days in accordance with Atlassian's bug fix policy. Please do not report security vulnerabilities through public channels.
Detailed DATA-RESIDENCY.md and PRIVACY.md documents are available for enterprise security reviews. Contact support@3t-apps.com to request them.