Trust Center for Divim Inc
Divim, Inc. is committed to earning and keeping your trust. We build Jira Cloud apps to enterprise standards on the Atlassian platform, and we are transparent about exactly how each app is hosted and how it handles your data. This Trust Center is the single, canonical source for our security, privacy, compliance, and legal posture across every product, and is published publicly at trust.divim.io.
Divim's portfolio spans two clearly defined trust tiers. Knowing which tier an app belongs to answers the questions security and procurement teams ask first — where the app runs, and whether any data leaves Atlassian.
Runs on Atlassian (Forge) apps run entirely on Atlassian Forge. Customer data stays inside your Atlassian tenant, with no data egress to Divim or any third party.
Cloud Fortified apps carry Atlassian's enterprise-readiness badge for security, reliability, and support, participate in the Atlassian Marketplace Bug Bounty Program, and can provide a SOC 2 report on request. Their data handling is governed by Divim's partner Privacy Policy and each app's dedicated policy pages.
Last updated: June 2026 · Reviewed at least annually
About Divim, Inc.
Divim, Inc., founded in 2018 in New York City, builds advanced Jira Cloud applications that help teams plan smarter and deliver faster. Our newer apps are built natively on Atlassian Forge and run entirely within your Atlassian environment; our established flagship apps are Atlassian Cloud Fortified, meeting Atlassian's higher bar for security, reliability, and support. This Trust Center describes the posture of each tier accurately, rather than applying a single label across products that are built differently.
Our portfolio at a glance
| Attribute | Runs on Atlassian (Forge) apps | Cloud Fortified apps |
|---|---|---|
| Apps | Advanced Release Planning · Productivity Metrics (Flow Metrics) · Enterprise Sprint Automation · Dependency Manager | Scrum Agile Sprint Planning · Backlog Refinement · Sprint Automation (Automatic Start & Close) |
| Atlassian program | Runs on Atlassian (auto-verified Forge) | Cloud Fortified |
| Hosting model | Atlassian Forge — fully serverless | Atlassian Cloud app |
| Customer data sent to Divim | None | Governed by the app's partner Privacy Policy |
| Data egress outside Atlassian | None | Per the app's partner Privacy Policy |
| Third-party subprocessors | None (Atlassian is the sole provider) | Per the app's partner Privacy Policy; list available on request |
| Marketplace Bug Bounty Program | — | Participating |
| SOC 2 | Inherits Atlassian platform SOC 2 Type II | Inherits Atlassian platform SOC 2 + app SOC 2 report on request |
| Data residency | Follows your host Jira Cloud site | Per the app's partner Privacy Policy |
| Encryption in transit | HTTPS / TLS | HTTPS / TLS |
| Encryption at rest | Atlassian-managed | Encrypted at rest |
| Authentication | Atlassian-managed Forge identity | Atlassian Marketplace app authentication |
| Least-privilege Jira scopes | Yes | Yes |
| Vulnerability response | Acknowledged within 5 business days | Acknowledged within 5 business days |
Security
Divim's security model differs by tier, and each is described honestly below. Both tiers run on Atlassian's cloud, request only least-privilege Jira scopes, encrypt data in transit and at rest, and enforce administrator checks server-side for configuration-changing operations.
Runs on Atlassian (Forge) apps
These apps are built around a single architectural decision: they run entirely on Atlassian Forge, so compute, storage, networking, and authentication are operated by Atlassian under its own enterprise security program.
Serverless and self-contained. Apps run inside Atlassian's Forge runtime. There is no Divim-operated server, no self-hosted infrastructure, and no third-party hosting.
No external egress. Apps make no outbound network calls outside Atlassian's cloud — no analytics SDK, no third-party error reporter, no external messaging integration.
Data stays in Forge. Persistent data is held in Forge storage (Forge SQL / KVS), inheriting Atlassian's tenant isolation, encryption, and data-residency controls.
Atlassian-managed identity. Apps authenticate through Forge's managed app identity; no OAuth client secrets, refresh tokens, or API keys are held by Divim.
Cloud Fortified apps
These established apps carry Atlassian's Cloud Fortified badge, which Atlassian grants only to apps that meet higher, continuously re-verified standards across security, reliability, and support.
Marketplace Bug Bounty Program. Each app participates in Atlassian's Bug Bounty program — a requirement of the Cloud Fortified badge — and is continuously scanned by Atlassian's Ecoscanner.
Monitored reliability. Defined Service Level Objectives and real-time health monitoring through Atlassian's framework.
Encryption. Data is encrypted in transit (HTTPS / TLS) and at rest.
Least-privilege access. Each app requests only the Jira scopes needed to deliver its features, enforced through Atlassian's app-authentication model.
Partner-managed data handling. Data processing for these apps is governed by Divim's partner Privacy Policy and each app's dedicated Privacy Policy, linked in the Product Documentation section below.
Secure development lifecycle (all apps)
Changes land through reviewed pull requests with branch protection on the default branch.
Automated tests run before release builds; dependency versions are monitored against published security advisories.
Only authorized maintainers can publish to production.
Compliance and Certifications
Both tiers run on Atlassian's cloud, so the security and compliance posture of the underlying infrastructure is provided and certified by Atlassian. Divim apps inherit that posture rather than operating a separate certified infrastructure stack.
| Framework / Program | How it applies |
|---|---|
| SOC 2 Type II | Held by Atlassian for the Cloud/Forge infrastructure all Divim apps run on. For Cloud Fortified apps, a SOC 2 report is additionally available on request. |
| ISO/IEC 27001 & 27018 | Held by Atlassian for cloud infrastructure and privacy. |
| PCI DSS | Held by Atlassian; Divim apps never process payment data (billing is handled by the Atlassian Marketplace). |
| GDPR / UK GDPR | Divim acts as a data processor; see Data Privacy below and each app's Privacy Policy. |
| CCPA / CPRA | Divim does not sell or share personal information. |
| Runs on Atlassian | Applies to the Forge tier — auto-verified Forge apps that run entirely on Atlassian. |
| Cloud Fortified | Applies to the Cloud Fortified tier — Atlassian's higher bar for security, reliability, and support, including Bug Bounty participation. |
To obtain Atlassian's own platform compliance reports (SOC 2, ISO certificates), see the Atlassian Compliance Resource Center. For Divim-specific documentation, see How to Request Documentation below.
Data Privacy and Handling
Divim apps are designed around data minimization: they read only what they need to deliver their features, and persist only the minimum configuration required to operate. No Divim app sells or shares personal information, and none is used for advertising.
Runs on Atlassian (Forge) apps
What is accessed: Jira metadata required for each app's function (for example boards, sprints, issue references, version/release metadata, and the account identifier of an administrator performing a configuration action).
No data egress: no customer data is transmitted to Divim or any third party outside Atlassian's cloud.
Roles: the customer is the data controller; Divim is a data processor; Atlassian is the subprocessor providing the Forge runtime.
On uninstall: Atlassian deletes all app data as part of the standard Forge app-removal lifecycle.
Cloud Fortified apps
What is accessed: the Jira data each app needs for refinement, planning, capacity, and automation — for example projects, boards, sprints (including historical sprints used to compute velocity), issues, subtasks, story points, time estimates, and assignees.
Roles: the customer is the data controller; Divim acts as a data processor under its partner Privacy Policy.
Authoritative detail: data processing, storage, retention, and international-transfer details for these apps are described in each app's dedicated Privacy Policy (linked below). A current subprocessor list for these apps is available on request.
On uninstall: associated app data is removed in line with the Atlassian Marketplace app-removal lifecycle.
A Data Processing Addendum (DPA) is available on request — see Legal & Compliance Documents below.
Subprocessors
| Tier | Subprocessors |
|---|---|
| Runs on Atlassian (Forge) apps | Atlassian, Inc. and its group companies only — Forge platform compute, storage, and networking. No analytics, advertising, error-reporting, or messaging subprocessor is used inside any Forge app. |
| Cloud Fortified apps | Governed by the app's partner Privacy Policy. A current subprocessor list for these apps is available on request via support@divim.io. |
Material changes to subprocessors are announced through the Marketplace listings and reflected here.
Data Residency
Runs on Atlassian (Forge) apps: all persisted data is stored within your Atlassian environment using Forge storage, inheriting the data residency of your host Jira Cloud site. Divim operates no separate data store for these apps. Where Atlassian moves data between regions, those transfers are governed by Atlassian's DPA and Standard Contractual Clauses.
Cloud Fortified apps: data residency and international-transfer safeguards are described in each app's Privacy Policy; appropriate safeguards consistent with applicable data-protection law are applied to any cross-region transfer.
Reliability and Business Continuity
Runs on Atlassian (Forge) apps: availability, backup, and disaster recovery for app data are inherited from Atlassian Forge's own SLA and DR posture; Divim operates no additional infrastructure requiring a separate continuity plan.
Cloud Fortified apps: these apps meet Cloud Fortified reliability requirements, including defined Service Level Objectives and Atlassian real-time monitoring, with a committed support response for critical issues.
Report a Vulnerability
If you believe you have found a security vulnerability in any Divim application, please report it responsibly:
Do not publicly disclose details before a fix is available.
Email: support@divim.io with the subject "Security Vulnerability Report," including a description, steps to reproduce, the affected app name, and the app version.
For Cloud Fortified apps, researchers may also report through the Atlassian Marketplace Bug Bounty Program.
We acknowledge receipt within 5 business days and aim to remediate verified high-severity issues within 30 days.
Legal and Terms
Divim does not impose separate or additional terms of service. Use of every Divim app is governed by Atlassian's standard Marketplace terms:
Atlassian Marketplace Terms of Use — covers your order and use of Marketplace apps, including the standard EULA that applies to apps without custom vendor terms.
Atlassian Customer Agreement — governs the underlying Atlassian Cloud products the apps run on.
See Divim Terms & Licensing for a short summary of how our apps are licensed.
Data Processing Addendum (DPA): available on request via support@divim.io.
Per-product Privacy and Security policies are listed in Product Documentation below.
Product Documentation
Each product publishes its own trust resources. This Trust Center is the single company-wide source; the links below go to product-specific detail.
Runs on Atlassian (Forge) apps
| Product | Security, Trust & Programs | Security Policy | Privacy | User Guide | Marketplace |
|---|---|---|---|---|---|
| Advanced Release Planning & Management | | | | | |
| Productivity Metrics, Charts, Reports & Insights (Flow Metrics) | | | | | |
| Enterprise Sprint Automation — Bulk Create & Auto Start/End | | | | | |
| Dependency Manager for Jira Cloud | | | | | |
Cloud Fortified apps
| Product | Security, Trust & Programs | Security Policy | Privacy | User Guide | Marketplace |
|---|---|---|---|---|---|
| Scrum Agile Sprint Planning with Capacity Planning | | | | | |
| Backlog Refinement, Sprint Planning & Capacity Planning | | | | | |
| Sprint Automation for Jira Cloud — Automatic Start & Close | | | | | |
How to Request Documentation
For documents not published here — such as a security-questionnaire response, a Cloud Fortified app's SOC 2 report, or a subprocessor list — contact support@divim.io. Atlassian's own platform reports (SOC 2, ISO certificates) can be obtained directly from the Atlassian Compliance Resource Center.
Frequently Asked Questions
Where is my data stored?
For Runs on Atlassian (Forge) apps, entirely within your Atlassian environment in Forge storage — Divim operates no separate data store. For Cloud Fortified apps, data handling is described in each app's Privacy Policy.
Does Divim ever see our Jira data?
For Forge apps, no — they process data inside Atlassian's cloud and transmit nothing to Divim or any third party. For Cloud Fortified apps, data processing is governed by Divim's partner Privacy Policy and the app's dedicated Privacy Policy.
Are the apps SOC 2 certified?
The Atlassian Cloud/Forge infrastructure all apps run on is covered by Atlassian's SOC 2 Type II. For Cloud Fortified apps, an app SOC 2 report is additionally available on request.
Which apps run on Forge with no data egress?
Advanced Release Planning, Productivity Metrics (Flow Metrics), Enterprise Sprint Automation, and Dependency Manager.
Which apps are Cloud Fortified?
Scrum Agile Sprint Planning, Backlog Refinement, and Sprint Automation (Automatic Start & Close).
Does Divim have its own terms of service or EULA?
No. Divim does not impose separate or additional terms — use of our apps is governed by the standard Atlassian Marketplace Terms of Use and the Atlassian Marketplace standard EULA shown on each app's listing.
What happens to our data if we uninstall?
App data is removed as part of the standard Atlassian Marketplace / Forge app-removal lifecycle.
Do you have a DPA?
Yes — request one via support@divim.io.
Contact
| Purpose | Contact |
|---|---|
| Security vulnerabilities | |
| Privacy and data-subject requests | |
| General support | |
| Sales and partnerships | |
| Website | |
This Trust Center is the canonical source for Divim's security, privacy, and compliance posture and is reviewed at least annually. Material updates are announced through the Atlassian Marketplace listings for each product.