Privacy Policy
1. Who we are
EvidencePack ("we", "our") is an Atlassian Marketplace app that helps teams collect SOC 2 and ISO 27001 audit evidence from Jira and Confluence. Contact: privacy@evidencepack.axons.cc.
2. What we process
EvidencePack processes metadata only from the Jira issues and Confluence pages that you explicitly map to a control via JQL or CQL queries. Specifically:
- Jira: issue key, summary, status, issue type, labels, project key, assignee and reporter display names, created and updated timestamps, and the issue URL.
- Confluence: page id, title, space key and name, version number and timestamp, creator and last-updater display names, and the page URL.
EvidencePack does not collect issue descriptions, comments, work logs, attachments, page bodies, page comments, or page attachments.
3. Where we store it
All data is stored exclusively in Atlassian Forge KVS, region-pinned to the same data residency as your Atlassian site. We use no external databases, no third-party storage providers, and no sub-processors.
4. Where we don't send it
EvidencePack does not transmit any customer data outside the Atlassian platform. Specifically: no analytics, no telemetry, no logging endpoints, no LLM / AI services, and no third-party APIs. This is enforced at the platform level by the Forge runtime — our app declares zero external.fetch permissions in its manifest.
5. Legal basis (GDPR)
EvidencePack acts as a data processor. The customer (controller) decides which Jira issues and Confluence pages are collected via their JQL / CQL source mappings. Processing is based on the controller's contractual instructions through the Atlassian Marketplace EULA.
6. Retention
App configuration persists until the customer changes it or uninstalls the app. Evidence runs retain the 25 most recent runs per installation; older runs are auto-deleted. Uninstalling the app removes all EvidencePack data from Forge KVS — Atlassian's platform handles this automatically.
7. Your rights
Customers control all data via standard Atlassian site administration: uninstall to remove all data; use the in-app reset feature to clear stored data on demand. For data-subject requests (access, correction, deletion under GDPR / CCPA), contact us at privacy@evidencepack.axons.cc.
8. Personal data
The only personal data EvidencePack processes are display names of Jira and Confluence users that Atlassian's APIs return as part of issue and page metadata (assignee, reporter, creator, last-updater). We do not perform separate user-lookup calls. We never collect email addresses, IP addresses, or any other personal identifier.
9. Security
EvidencePack inherits Atlassian Forge's security posture: AES-256 encryption at rest, TLS in transit, region-pinned storage, audit-logged platform operations. We make no calls to user-supplied URLs and do not accept URLs as input. Our trust posture is detailed at /security/.
10. Changes
We will update this policy when product changes warrant. Material changes will be noted in the app's Marketplace release notes.
11. Compliance disclaimers
EvidencePack helps you collect and organise audit evidence. It does not certify your organisation as compliant with SOC 2, ISO 27001, or any other framework. Certification requires an independent third-party audit by an accredited auditor and controls that extend beyond Atlassian. SOC 2 is a service mark of the AICPA; ISO 27001 is a standard of the International Organization for Standardization. EvidencePack is not affiliated with or endorsed by either organisation.
12. Contact
Privacy questions: privacy@evidencepack.axons.cc. Security reports: security@evidencepack.axons.cc. General support: support@evidencepack.axons.cc.