Legal and trust

Security overview

Architecture, operational controls and security responsibilities for StatusDeck.

StatusDeck for Jira Cloud Last updated: 12 July 2026

Architecture

  • Atlassian Forge application for Jira Cloud.
  • Forge Custom UI frontend and Forge resolver functions.
  • No QTI Labs-operated backend server or external database.
  • No Firebase use inside StatusDeck.
  • No external Jira-data egress beyond Atlassian/Jira APIs.
  • PowerPoint and PDF generation occurs in the browser.

Data protection

  • HTTPS/TLS and platform authentication are provided through Jira Cloud and Forge.
  • Forge-hosted storage encryption at rest is managed by Atlassian.
  • Temporary cache retention is limited to 5 minutes for active sprints and 1 hour for closed sprints.
  • Expired cache entries are deleted by application logic when accessed.
  • QTI Labs does not retain generated exports.

Operational controls

  • Multi-factor authentication enabled for Atlassian and GitHub accounts.
  • StatusDeck source repository is private.
  • Dependabot security alerts and updates are enabled.
  • Production access is limited to authorised QTI Labs personnel.
  • forge lint is run before production deployment.
  • Dependencies and relevant audit findings are reviewed before release.
  • Manifest scopes and external egress are reviewed when code changes.

Logging

StatusDeck uses structured operational logging for events such as report generation, installation identifiers, user-context identifiers, issue counts, cache-hit status and duration. Logs are processed in Atlassian Forge logging infrastructure and are not used for advertising or behavioural profiling.

Shared responsibility

Customers are responsible for Jira access controls, user permissions, secure handling of downloaded exports, endpoint security and preventing unauthorised sharing of reports.

Vulnerability reporting

Report suspected vulnerabilities to support@qtilabs.com. Do not include sensitive customer data unless requested through a secure channel. See the Vulnerability Disclosure Policy.

Effective date: upon first public availability of StatusDeck on the Atlassian Marketplace. Review at least annually and after material product, scope, storage, subprocessor, security or legal changes.