Marketplace trust center

Security Practices

Excel to Jira Importer is designed as an Atlassian Forge app for Jira Cloud, with data minimization and a user-controlled import flow at the center of the product.

Architecture

The app uses Forge Custom UI for the browser experience and Forge resolvers for Jira REST API operations. Excel parsing is designed to happen client-side where practical. Structured import data is then sent to Forge backend resolvers for validation and Jira issue creation within Atlassian-hosted infrastructure.

Atlassian Forge security posture

Atlassian describes Forge as a serverless app development platform where compute and storage can be hosted on Atlassian infrastructure. Atlassian also states that Forge apps run with tenancy isolation and manifest-controlled external egress. The app is designed to use this Forge model and not send backlog data to a separate vendor backend.

Product analytics boundary

The app may send product usage events from the Forge backend to Google Analytics 4 through the Google Analytics Measurement Protocol. Analytics is used to understand workflow usage and reliability, not to inspect customer backlog content. The frontend does not load a Google Analytics script inside the Forge app, and analytics payloads are designed to exclude file names, sheet names, Excel column names, Jira issue keys, project keys, account IDs, user names, email addresses, workbook content, issue summaries and field values.

Vendor access to backlog data

The app creator does not receive customer backlog files, backlog rows or Jira task content on an external product server. Operational access is limited to what Atlassian Forge and Jira make available according to installed app scopes, logs and customer support interactions.

Access control

Jira administrators can grant the app permission to selected groups. Users must still have Jira permissions required to browse projects, create issues, edit issues and set parent-child relationships where those actions are part of the import.

Data storage

Value cleanup safety

Value cleanup supports bounded regex extraction for mapped fields. The app is designed to block invalid regex patterns, overly long patterns, overly long inputs, invalid result templates and simple nested-quantifier patterns that are commonly risky for import performance.
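
The checks listed above can be sketched as follows. This is an added example, not the app's own code: the function names, the numeric limits and the choice to keep a value unchanged when the pattern does not match are all assumptions made for illustration.

```javascript
// Added example. Limits and function names are assumptions, not the app's values.
const MAX_PATTERN_LENGTH = 200;  // assumed cap on regex source length
const MAX_INPUT_LENGTH = 2000;   // assumed cap on a single cell value
// Heuristic for "simple" nested quantifiers: a group that contains + or *
// and is itself followed by +, * or {n,}. Examples: (a+)+  (\d*)*  (x+){2,}
const NESTED_QUANTIFIER = /\([^()]*[+*][^()]*\)(?:[+*]|\{\d+,\d*\})/;
// A result template may contain literal text and $1..$9 group references only.
const TEMPLATE_SHAPE = /^(?:[^$]|\$[1-9])*$/;

const reject = (reason) => ({ ok: false, reason });

// Validate a cleanup rule once, before any row is processed.
function validateCleanupRule(pattern, template) {
  if (typeof pattern !== 'string' || pattern.length === 0) return reject('invalid-regex');
  if (pattern.length > MAX_PATTERN_LENGTH) return reject('pattern-too-long');
  if (NESTED_QUANTIFIER.test(pattern)) return reject('nested-quantifier');
  let regex;
  try {
    regex = new RegExp(pattern);
  } catch (err) {
    return reject('invalid-regex');
  }
  if (typeof template !== 'string' || !TEMPLATE_SHAPE.test(template)) {
    return reject('invalid-template');
  }
  // Count capture groups: "pattern|" always matches '' via the empty branch,
  // and the match array has one slot per group plus the full match.
  const groupCount = new RegExp(pattern + '|').exec('').length - 1;
  const refs = [...template.matchAll(/\$([1-9])/g)].map((m) => Number(m[1]));
  if (refs.some((n) => n > groupCount)) return reject('invalid-template');
  return { ok: true, regex, template };
}

// Apply a validated rule to one cell value, enforcing the input bound.
function applyCleanup(rule, value) {
  const text = String(value);
  if (text.length > MAX_INPUT_LENGTH) return reject('input-too-long');
  const match = rule.regex.exec(text);
  if (!match) return { ok: true, value: text }; // assumption: no match keeps the value
  const result = rule.template.replace(/\$([1-9])/g, (_, n) => match[n] ?? '');
  return { ok: true, value: result };
}
```

The heuristic catches only simple shapes such as `(a+)+`; it is not a complete backtracking analysis, so the length limits remain separate checks.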

Logging

The app should avoid logging sensitive backlog content. Technical logs should focus on operational status and error diagnosis.

Vulnerability reporting

Security issues can be reported to support.jira@mederak.app. Please include reproduction steps, impact, affected tenant context and screenshots where appropriate.

Atlassian Marketplace alignment

The app is prepared with Marketplace security expectations in mind, including least-privilege thinking, privacy documentation, customer terms, support contact and transparency about data handling.