Architecture
- Atlassian Forge application for Jira Cloud.
- Forge Custom UI frontend and Forge resolver functions.
- No QTI Labs-operated backend server or external database.
- No Firebase use inside StatusDeck.
- No external Jira-data egress beyond Atlassian/Jira APIs.
- PowerPoint and PDF generation occurs in the browser.
Data protection
- HTTPS/TLS and platform authentication are provided through Jira Cloud and Forge.
- Forge-hosted storage encryption at rest is managed by Atlassian.
- Temporary cache retention is limited to 5 minutes for active sprints and 1 hour for closed sprints.
- Expired cache entries are deleted by application logic when accessed.
- QTI Labs does not retain generated exports.
Operational controls
- Multi-factor authentication enabled for Atlassian and GitHub accounts.
- StatusDeck source repository is private.
- Dependabot security alerts and updates are enabled.
- Production access is limited to authorised QTI Labs personnel.
forge lintis run before production deployment.- Dependencies and relevant audit findings are reviewed before release.
- Manifest scopes and external egress are reviewed when code changes.
Logging
StatusDeck uses structured operational logging for events such as report generation, installation identifiers, user-context identifiers, issue counts, cache-hit status and duration. Logs are processed in Atlassian Forge logging infrastructure and are not used for advertising or behavioural profiling.
Vulnerability reporting
Report suspected vulnerabilities to support@qtilabs.com. Do not include sensitive customer data unless requested through a secure channel. See the Vulnerability Disclosure Policy.
Effective date: upon first public availability of StatusDeck on the Atlassian Marketplace. Review at least annually and after material product, scope, storage, subprocessor, security or legal changes.