...
This document contains information for TFS4JIRA server and TFS4JIRA cloud.
TFS4JIRA Server
...
cloud
Connection credentials
TFS4JIRA Synchronizer needs to store credentials for JIRA and TFS/VSTS - every password provided is stored in an encrypted(AES) form. (since version 7.1.2)
TFS4JIRA Server
In TFS4JIRA server all data is stored/processed in client infrastructure. The only thing, that is sent outside, are product analytics that does not contain any personal data
Private data stored / processed by TFS4JIRA components
| Component | Data processed/stored | Remarks |
|---|---|---|
Jira |
Server App
| Change set metadata : author, comment etc. | Just processed, nothing is stored. No source code is processed. | ||||||
Synchronizer
| TFS/VSTS username | For synchronisation profiles and checkins scanning connection configurations. | ||||||
| Jira username | For synchronisation profiles. | |||||||
| Mapping configurations provided by TFS4JIRA user. | Any mappings configuration, that can contain private data (e.g. users mappings) | |||||||
| Data synchronised by TFS4JIRA | Any private data that is configured, by TFS4JIRA user, to be synchronised between TFS/VSTS and Jira. | |||||||
| Change set metadata : author, comment etc |
...
| . |
TFS4JIRA Cloud
In our Jira Cloud solution most of the data is processed/stored by TFS4JIRA Synchronizer component - which runs in client infrastructure.
Only data needed for Jira Cloud app are processed (proxied) trough our infrastructure. See below table, diagram and description for details.
Security rules
- All external incoming or outgoing connections (or connection that go via public network) are made using secure protocol (for example: https,ssh).
If secure protocol cannot be used the sensitive content must be protected by other means. - Every connection, that is crossing network border(external or internal, physical, virtual or logical), is protected by at least one security measure (certificate, jwt token, etc).
- No security measure can be used to cross multiple network borders.
For example, if we protect connections to Cloud external using Certificate A, then it cannot be used to protect connections to Cloud internal - Application data is stored in separate, dedicated database.
Logs
We collect various logs (access logs, application logs). Maximum retention period for TFS4JIRA Cloud logs is 14 days.
Change sets data additional encryption.
Due to possibility that, in some scenarios, the Synchronizer is deployed without https (against recommendations), we have implemented additional, custom, data encryption for change sets. All this data is secured using AES cipher with an encryption key provided in TFS4JIRA plugin configuration.
TFS4JIRA cloud architecture overview
| Gliffy | ||||||||
|---|---|---|---|---|---|---|---|---|
|
Private data stored / processed by TFS4JIRA components
| Component | Data processed/stored | Remarks | ||||||
|---|---|---|---|---|---|---|---|---|
Jira Cloud app
| Change set metadata : author, comment etc. | Just processed, nothing is stored. No source code is processed. | ||||||
Synchronizer
| TFS/VSTS username | For synchronisation profiles and checkins scanning connection configurations. | ||||||
| Jira username | For synchronisation profiles. | |||||||
| Mapping configurations provided by TFS4JIRA user. | Any mappings configuration, that can contain private data (e.g. users mappings) | |||||||
| Data synchronised by TFS4JIRA | Any private data that is configured, by TFS4JIRA user, to be synchronised between TFS/VSTS and Jira. | |||||||
| Change set metadata : author, comment etc. | ||||||||
| Additional info for TFS4JIRA cloud users: | ||||||||
TFS4JIRA cloud backend
| Change set metadata : author, comment etc. | No data is stored, it is just passed (proxied) from the Synchronizer to Jira Cloud user browser. | ||||||
...
| title | Product Analitycs |
|---|
...
Data subprocessors for TFS4JIRA Cloud
TFS4JIRA cloud is using the following services as a sub processors:
Amazon Web Services, Inc. - https://aws.amazon.com
Other services for TFS4JIRA Cloud
- Google Analytics by Google Inc. - https://analytics.google.com/