This document outlines the security practices and policies for Atlassian Marketplace applications developed by Mobiversal.
1. Cloud Architecture & Shared Responsibility
The Team Alerts app is built exclusively on the Atlassian Forge platform. This means the application operates entirely within Atlassian's secure cloud infrastructure (AWS-based). All compute functions and data storage are managed by Atlassian, leveraging their enterprise-grade security, logging, and compliance controls.
Key points:
- No External Servers: Mobiversal does not host, manage, or operate any infrastructure outside of the Atlassian Forge platform for this application.
- Data Residency & Storage: Any data generated by the app resides strictly within your Jira instance using Atlassian's Storage API. We do not extract, transmit, or store Customer Data on third-party servers.
- Data Privacy: Customer Data flowing through our application inherits the security and compliance certifications provided by Atlassian Cloud.
2. Vulnerability Management
We take a proactive approach to maintaining the security of the components we control (our source code and dependencies).
- Dependency Scanning: We regularly review and scan third-party dependencies (like @forge/api, @forge/resolver, and React components) for known vulnerabilities using automated tools (e.g., npm audit, GitHub Dependabot).
- Patch Management: If a critical or high-severity vulnerability is discovered in our dependencies, we aim to release a patched version of the application within 72 hours of a fix becoming available.
- Atlassian Advisories: We strictly follow Atlassian Developer Community guidelines and actively monitor security advisories related to the Forge platform.
3. General Security Controls
While the application runtime is secured by Atlassian, Mobiversal enforces strict development lifecycle controls to prevent malicious code injection or data compromise.
- Access Control: All source code repositories and CI/CD pipelines require strong authentication, including mandatory Multi-Factor Authentication (MFA).
- Least Privilege: Developer access to Atlassian Marketplace vendor portals and publishing environments is restricted on a strict need-to-know basis.
- Code Review: All code changes must pass through a peer review process to ensure secure coding practices before being merged to the main branch.
- Permission Scopes: Team Alerts strictly requests the minimum necessary Jira permissions (Scopes) required for the app to function. We do not request excessive read or write capabilities that violate the principle of least privilege.
4. Security Incident Management & Response
In the highly unlikely event of a data breach, vulnerability exploitation, or an Atlassian-disclosed security incident affecting our application, we have a documented procedure.
- Detection & Triage: We actively monitor error logs and Atlassian developer communications. Any suspected security incident is immediately escalated to our core engineering team for triage.
- Notification: If an incident affects Customer Data, Atlassian platform security, or requires customer action, we will notify affected administrators via the contact channels provided through the Atlassian Marketplace within 72 hours of confirming an incident.
- Reporting a Vulnerability: We welcome reports from security researchers and customers. If you believe you have found a security vulnerability in Team Alerts, please contact us immediately at info@mobiversal.com.
- We ask that you provide details of the vulnerability so we can reproduce it.
- Please allow us a reasonable amount of time to resolve the issue before disclosing it publicly.