/
Security Policy — Backlog Refinement, Sprint Planning & Capacity Planning for Jira

Security Policy — Backlog Refinement, Sprint Planning & Capacity Planning for Jira

This Security Policy describes how Backlog Refinement, Sprint Planning & Capacity Planning for Jira ("the app"), published by Divim, Inc., is secured and operated, and the safeguards that protect customer data. It applies to all Atlassian Marketplace cloud installations of the app.

Last reviewed: 2026-06-15

1. Atlassian Marketplace trust programs

  • Cloud Fortified. The app is Cloud Fortified — Atlassian's designation for apps that meet higher, continuously re-verified standards across security, reliability, and support. Maintaining the badge requires participation in Atlassian's security programs, defined Service Level Objectives, real-time monitoring, and a committed support response for critical issues.

  • Marketplace Bug Bounty Program. The app participates in the Atlassian Marketplace Bug Bounty Program, which incentivizes independent security researchers to find and responsibly report vulnerabilities. Participation is a requirement of the Cloud Fortified badge.

  • Ecoscanner. The app is continuously monitored by Atlassian's Marketplace security scanning (Ecoscanner) for common vulnerability classes.

  • SOC 2. A SOC 2 report is available upon request — contact support@divim.io.

2. Platform and hosting

The app runs as a cloud app integrated with Jira Cloud. The underlying Atlassian Cloud platform is operated by Atlassian and is covered by Atlassian's own security certifications and controls, including SOC 2, ISO 27001, and the broader Atlassian Trust program. See the Atlassian Trust Center.

3. Authentication and authorization

  • The app authenticates through Atlassian's standard Marketplace app-installation and authentication model.

  • It requests least-privilege Jira permissions — only those required to read the selected projects' board, sprint, issue, and subtask data (including past sprints, to calculate team velocity) and to create and update the subtasks, time estimates, and story points used for refinement and planning.

  • Administrative configuration — including selecting the projects the app operates on — is restricted to users with the appropriate Jira permissions.

4. Encryption

  • In transit: all communication between the user's browser, Jira Cloud, and the app is protected with HTTPS / TLS.

  • At rest: data persisted by the app is encrypted at rest.

5. Data handling

The app processes Jira data — projects, boards, sprints (including historical sprints used to compute past velocity), issues, subtasks, story points, time estimates, and assignees — to provide its backlog-refinement, planning, and capacity features. Data is used only to deliver app functionality and is never sold. How the app accesses, uses, and retains data is described in the Privacy Policy. Because this app operates under Divim's partner privacy policy, the Privacy Policy is the authoritative description of data processing for this app.

6. Software development lifecycle

  • Source is maintained in a private repository with branch protection; changes land through reviewed pull requests.

  • Dependencies are monitored against published security advisories.

  • Releases are versioned and published through the Atlassian Marketplace.

7. Vulnerability disclosure

  • Report suspected vulnerabilities to support@divim.io with the subject "Security Vulnerability Report — Backlog Refinement". Researchers may also report through the Atlassian Marketplace Bug Bounty Program.

  • Please do not publicly disclose a vulnerability before a fix is available.

  • We acknowledge reports within 5 business days and aim to remediate verified high-severity issues promptly.

8. Incident response

In the event of a confirmed security incident affecting the app, Divim will triage, contain, and remediate the issue, notify affected customers via the published support contact where appropriate, and coordinate with Atlassian where the incident touches Atlassian-operated infrastructure.

9. Customer responsibilities

  • Maintain appropriate Jira user and administrator permissions; the app respects Jira's permission model but cannot compensate for excessive permissions granted by the customer.

  • Review the Jira permissions requested at install and upgrade, and the projects the app is configured to operate on.

  • Keep the contact details on the Atlassian site current so Divim can reach you with security notices.

10. Contact

This policy is reviewed at least annually and updated as the app evolves. Trust-program participation is verified on the Atlassian Marketplace listing.