Privacy & Security Policy

Tick by Veloxy Labs · Version 2.0

Last updated: April 22, 2026 · Effective date: April 19, 2026

Short version: Tick runs entirely inside your Atlassian tenant on Atlassian Forge. Your data never leaves the Atlassian environment and never reaches Veloxy Labs servers — because we don't have any.

1. Introduction

Tick (“the App”, “we”, “our”) is a Jira Cloud application developed by Veloxy Labs and built on Atlassian Forge. It helps teams track, analyze, and manage work time directly within Jira.

This document sets out our Privacy Policy and Security Policy in a single, transparent statement.

Foundational principle: Tick runs entirely on Atlassian Forge infrastructure. We do not operate any external servers, databases, or third-party services. Your data never leaves Atlassian's platform.

2. Information We Collect

2.1 Data read from Jira

Data Type | Purpose | API Scope
Worklogs (time spent, date started, worklog ID) | Display, analyze, and export time-tracking data | read:jira-work
Worklog comments | Display the comment text associated with each worklog entry. Comments are shown as-is and not analyzed, processed, or stored externally. | read:jira-work
Issue details (key, summary, type, status, priority, assignee, reporter) | Associate worklogs with issues and enrich reporting context | read:jira-work
Project information (key, name) | Group and filter worklogs by project | read:jira-work
User profiles (display name, account ID, avatar thumbnail) | Show worklog authors; avatar (24×24px) displayed in collaborator views only | read:jira-user
Sprint and board data | Sprint-based filtering and predictive reporting | read:jira-work
Custom fields (story points, squad, and admin-configured fields) | Enrich worklog entries with project metadata configured by the Jira admin | read:jira-work
User group memberships | Determine role (member / manager / admin) for access control within the App | read:jira-user

2.2 Data written to Jira

Data Type | Purpose | API Scope
Worklogs | Log, update, and delete time entries on behalf of users | write:jira-work

2.3 App configuration data (Forge Storage)

Data Type | Storage Location | Purpose
Admin settings (group access, custom field config, menu visibility) | Forge Storage (storage:app) — key: timesheet-access-config | App configuration and access control
Menu configuration | Forge Storage (storage:app) — key: timesheet-menu-config | Control which navigation items are visible to which groups
Temporary worklog cache | Forge Storage (storage:app) — keys prefixed cache:* | Short-lived performance cache (5-minute TTL). Expires automatically. Contains worklog data fetched within the session; never persisted beyond the TTL.

2.4 What we do not collect

  • Personal email addresses or passwords
  • Authentication tokens or credentials
  • Financial or billing information
  • Browser cookies, IP addresses, or device identifiers
  • Data from other Atlassian products (Confluence, Bitbucket, etc.)
  • Data from any third-party services

3. How We Use Your Information

  • Display and Reporting: Render time-tracking dashboards, weekly views, and analytics derived exclusively from Jira worklog data.
  • Time Management: Allow users to create, edit, and delete worklogs on Jira issues.
  • Export: Generate CSV, XLS, and JSON exports of worklog data on explicit user request.
  • Access Control: Evaluate Jira group memberships at runtime to enforce role-based permissions (member, manager, admin). Group data is not stored — it is checked live on each relevant request.
  • Analytics: Compute efficiency metrics, audit summaries, and predictive sprint insights derived solely from worklog time and issue metadata. No personal profiling is performed.
  • Worklog comments: Displayed in the App interface as entered by users in Jira. Comments are not analyzed, categorized, or processed beyond plain-text rendering.

The App does not engage in automated decision-making or profiling with legal or similarly significant effects (GDPR Art. 22). We do not use your data for advertising, AI or machine-learning training, or any purpose not listed above.

3.1 Legal Basis for Processing (GDPR Art. 6)

For users located in the European Economic Area (EEA) or other jurisdictions with equivalent laws, we process personal data under the following legal bases:

Processing Activity | Legal Basis | Explanation
Reading and displaying worklogs and issue data | Performance of a contract (Art. 6(1)(b)) | Necessary to deliver the time-tracking service the user or their organization installed the App to use.
Writing and modifying worklogs on behalf of users | Performance of a contract (Art. 6(1)(b)) | Explicitly requested by the user through the App interface.
Checking user group memberships for access control | Legitimate interest (Art. 6(1)(f)) | Necessary to enforce role-based security and prevent unauthorized access to administrative features.
Storing admin configuration in Forge Storage | Legitimate interest (Art. 6(1)(f)) | Required to persist app settings across sessions as configured by the Jira administrator.

4. Data Storage & Privacy

4.1 Infrastructure

Tick is deployed exclusively on Atlassian Forge, a serverless, sandboxed execution environment managed by Atlassian. All application logic runs within Atlassian's infrastructure and is subject to Atlassian's own security controls and certifications (ISO 27001, SOC 2 Type II, and others).

  • All code executes inside Atlassian's secure Forge sandbox.
  • No external servers, databases, or third-party cloud services are used.
  • Application configuration is stored in Forge Storage, managed and encrypted by Atlassian.
  • All Jira API calls are made through Forge's built-in authenticated proxy.

4.2 Data residency

Your data remains within Atlassian's infrastructure and is subject to Atlassian's Privacy Policy and the data residency settings configured by your Jira administrator.

4.3 Encryption

  • Data in transit: Encrypted via TLS 1.2+ (HTTPS) enforced by Atlassian.
  • Data at rest: Encrypted at rest by Atlassian's managed infrastructure.

5. Security Policy

Veloxy Labs is committed to maintaining a strong security posture for Tick and all related systems.

5.1 Security Incident Response

Area | Commitment | Description
Detection | Continuous Monitoring | Atlassian Forge audit logs and platform alerts are reviewed regularly for anomalous behavior.
Response Time | 48-Hour Initial Response | Critical incidents receive an initial internal triage within 48 hours of detection.
Notification | Transparent Disclosure | Affected customers will be notified without undue delay if their data was involved in a confirmed incident.
Post-Incident | Root Cause Review | Every significant incident triggers a post-mortem to identify the root cause and prevent recurrence.

Where a confirmed incident involves personal data and meets the threshold under applicable law (e.g., GDPR Art. 33), we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

To report a suspected security incident, contact guilherme.rosa@veloxylabs.com with the subject line [Security Incident] — Tick.

5.2 Vulnerability Management

  • Dependency scanning: Third-party npm and Node.js dependencies are reviewed for known CVEs during the development cycle.
  • Code review: All changes to production code undergo peer review before deployment to the Forge runtime.
  • Forge platform updates: We apply Atlassian-provided Forge runtime updates promptly to incorporate upstream security patches.
  • Responsible disclosure: We welcome responsible disclosure from security researchers. Report potential vulnerabilities to guilherme.rosa@veloxylabs.com. We commit to acknowledging reports within 48 hours and providing a remediation timeline for confirmed issues.
  • Severity classification: Vulnerabilities are classified by severity (Critical, High, Medium, Low) and remediated accordingly, with Critical issues prioritized within 72 hours.

5.3 General Security Controls

Because Tick is a pure Atlassian Forge application, it inherits Atlassian's enterprise-grade security certifications automatically — including those required by SOC 2 Type II, ISO 27001, and PCI DSS standards at the platform level.

Control Area | Implementation
Access Control | The App enforces Jira group-based permission checks on every sensitive operation at runtime. Administrative functions are restricted to users confirmed as Jira administrators or members of the timesheet-admins group.
Principle of Least Privilege | The App declares exactly 4 scopes in manifest.yml: read:jira-work, write:jira-work, read:jira-user, storage:app. No additional scopes are requested.
Input Validation & JQL Injection Prevention | All user-supplied search inputs are sanitized before use in Jira API queries. The App implements dedicated escapeJql() and sanitizeSearchQuery() functions that strip special characters and enforce a 100-character limit.
Date Range Enforcement | Date inputs are validated server-side. Ranges exceeding 365 days are rejected to prevent excessive data access. Invalid date formats return an error without executing any API call.
No External Data Transmission | All Jira API calls are made exclusively through Atlassian's Forge egress proxy. No data is transmitted to any external endpoint, webhook, or third-party service.
Secrets Management | No secrets, API keys, or credentials are stored in the App's source code or version control. All environment values use Atlassian Forge's encrypted variables system.
Secure Development Lifecycle | All production deployments are made via the Atlassian Forge CLI under authenticated developer accounts. Code is version-controlled and reviewed before each release.
Audit Logging | Atlassian Forge maintains invocation logs and audit trails for all App runtime activity, accessible to Jira administrators through Atlassian's standard audit interfaces.
Data Minimization | Worklog and issue data are fetched on demand and are never persisted outside of Jira or Forge Storage. The Forge Storage cache has a 5-minute TTL and contains only data already visible to the requesting user.
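The input-validation and date-range controls described above, as an added illustration in JavaScript (the language Forge apps run in). This is not Tick's own code: the names escapeJql and sanitizeSearchQuery and the 100-character and 365-day limits come from the policy, while the function bodies, the validateDateRange and buildWorklogJql helpers, and the sample values are assumptions.

```javascript
// Added illustration of the section 5.3 controls; not Tick's source code. Only the two limits are taken from the policy.
const MAX_QUERY_LENGTH = 100; // character limit stated in the policy
const MAX_RANGE_DAYS = 365;   // date-range limit stated in the policy

// Escape a value for use inside a double-quoted JQL string literal so that a
// quote or backslash in user input cannot close the literal or alter the query.
function escapeJql(value) {
  return String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Strip characters that carry meaning in JQL (quotes, operators, brackets,
// wildcards), collapse whitespace and enforce the length limit.
function sanitizeSearchQuery(input) {
  if (typeof input !== 'string') return '';
  return input
    .replace(/["'\\()\[\]{}~*?!<>=&|^$]/g, '')
    .replace(/\s+/g, ' ')
    .trim()
    .slice(0, MAX_QUERY_LENGTH);
}

// Validate an ISO (YYYY-MM-DD) range before any API call; returns { ok, from, to } or { ok: false, error }.
function validateDateRange(from, to) {
  const iso = /^\d{4}-\d{2}-\d{2}$/;
  if (!iso.test(from) || !iso.test(to)) return { ok: false, error: 'invalid date format' };
  const start = new Date(`${from}T00:00:00Z`);
  const end = new Date(`${to}T00:00:00Z`);
  // Reject unparsable dates and calendar roll-over such as 2026-02-30 (assumed sample value).
  for (const [d, s] of [[start, from], [end, to]]) {
    if (Number.isNaN(d.getTime()) || d.toISOString().slice(0, 10) !== s) {
      return { ok: false, error: 'invalid calendar date' };
    }
  }
  if (end < start) return { ok: false, error: 'end date precedes start date' };
  if ((end - start) / 86400000 > MAX_RANGE_DAYS) return { ok: false, error: `range exceeds ${MAX_RANGE_DAYS} days` };
  return { ok: true, from, to };
}

// Assemble a worklog JQL query from validated and escaped inputs only; throws instead of querying on failure.
function buildWorklogJql(projectKey, searchText, from, to) {
  const range = validateDateRange(from, to);
  if (!range.ok) throw new Error(`rejected: ${range.error}`);
  const text = sanitizeSearchQuery(searchText);
  let jql = `project = "${escapeJql(projectKey)}" AND worklogDate >= "${range.from}" AND worklogDate <= "${range.to}"`;
  if (text) jql += ` AND summary ~ "${escapeJql(text)}"`;
  return jql;
}
```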

6. Data Sharing & Sub-Processors

We do not share, sell, rent, or transfer your data to any third party. Specifically:

  • No data is transmitted to external servers or services operated by Veloxy Labs.
  • No analytics or tracking platforms (e.g., Google Analytics, Mixpanel) are integrated.
  • No advertising networks receive any data.
  • No data is used for AI or machine-learning training purposes by Veloxy Labs or any partner.

6.1 Sub-Processors

The App relies exclusively on Atlassian Pty Ltd as its infrastructure and platform provider. Atlassian acts as a sub-processor for the data processed by the App, subject to Atlassian's Data Processing Addendum and their own compliance certifications (SOC 2 Type II, ISO 27001). No other sub-processors are used.

7. Data Retention

  • Worklog and issue data: Not stored permanently by the App. Fetched live from Jira APIs on each user request.
  • Performance cache: Worklog data may be temporarily cached in Forge Storage with a 5-minute TTL (keys prefixed cache:*). Expires automatically and is explicitly invalidated upon any write operation.
  • App configuration: Stored in Forge Storage for the duration of the App's installation (keys: timesheet-access-config, timesheet-menu-config).
  • On uninstallation: All Forge Storage data associated with the App is automatically deleted by Atlassian upon App removal, including configuration and any residual cache entries.

8. User Rights

Because all personal data is stored within Jira (Atlassian's platform), most rights are exercised directly through Jira or through the App interface:

  • Access (Art. 15 GDPR): View all worklog data attributed to you through the App's interface at any time.
  • Export / Portability (Art. 20 GDPR): Download your data in CSV, XLS, or JSON format via the App's export feature.
  • Rectification (Art. 16 GDPR): Edit or correct your worklogs through the App or directly in Jira.
  • Deletion (Art. 17 GDPR): Delete your worklogs through the App or directly in Jira. App-specific configuration data is removed automatically upon uninstallation.
  • Restriction of processing (Art. 18 GDPR): Contact your Jira administrator to restrict access to your worklog data within your organization's Jira instance.
  • Right to object (Art. 21 GDPR): You may object to processing based on legitimate interest by contacting us at guilherme.rosa@veloxylabs.com. We will review each objection and respond within 30 days.
  • Lodge a complaint: You have the right to lodge a complaint with the data protection supervisory authority in your country of residence. In Brazil: ANPD. In the EU: your national DPA (find yours at edpb.europa.eu).
  • Uninstall: Remove the App at any time via Jira's app management, triggering automatic deletion of all App-specific Forge Storage data.

9. Children's Privacy

Tick is a professional productivity tool intended for use in workplace environments. It is not designed for, nor directed at, individuals under the age of 16. We do not knowingly collect or process information from children.

10. Changes to This Policy

We may update this Privacy and Security Policy periodically. Any material changes will be communicated by updating the “Last updated” date at the top of this document. Continued use of the App after a policy update constitutes acceptance of the revised terms.

11. Contact

For questions about this policy, data privacy inquiries, or security disclosures:

Veloxy Labs

Security disclosures: If you believe you have discovered a security vulnerability in Tick, please contact us at guilherme.rosa@veloxylabs.com before any public disclosure. We are committed to working with researchers to address confirmed issues promptly.

© 2026 Veloxy Labs. All rights reserved.