Security Practices

Security and privacy are integral to our products, infrastructure, and processes, ensuring your data is always safeguarded. Jira data remains on your site and never leaves it.

Accessing Jira data

Released enables users to author release notes based on Jira data they have read access to. To do so, Released, running in the user's browser, invokes the Jira REST API directly or through gateway services operated by Released Software. The Jira REST API respects the signed-in user's, as well as the app's, permissions. No Jira data is ever loaded, created, updated, deleted, or otherwise manipulated in a way that has not been initiated by the user, or does not respect the permission model of the Jira site.

Storage and access to release notes

Both published and draft release notes and metadata are stored in a database in the us-east-1 region of AWS. Published and publicly accessible release notes are also stored around the world in S3 and cached in all regions by AWS CloudFront and Cloudflare, for faster delivery to users.

Backup copies of data are stored in the us-east-1 region of AWS for up to 30 days.

Private information in the database and in backups is accessible only to select employees, and only when access is specifically needed to perform business duties.

  1. Public release notes

    Public release notes provide general information about software releases, including new features, bug fixes, and performance improvements. Public release notes are publicly accessible and are a great way to increase transparency and build trust with customers. To ensure the security and privacy of sensitive information, it is important to carefully consider the information included in public release notes and avoid disclosing sensitive information that could be used by attackers.

  2. Private release notes

    Private release notes are intended for internal communication and updates. Private release notes are displayed within the Jira user interface and only accessible to users with read access to related projects.

Infrastructure Access

The Released Software team does not require access to production infrastructure as build, test, and deployment processes are automated. This helps ensure the security and protection of sensitive information and reduces the risk of security breaches.

Identity and Access Management

Released Software uses a cloud identity provider and a cloud access management platform to manage access to infrastructure and services. A strict password policy is enforced for team members, and all privileged-level access to infrastructure and service providers requires 2FA tokens for an added layer of security.

Security vulnerabilities management

We commit to the Accelerated Resolution Timeframes of Atlassian's security bugfix policy and to our Service Level Agreement.
