Security Policy
Last Updated: January 1, 2025
Version: 1.0
1. Security Architecture
Cheap AI for Workplace is designed with a privacy-first, zero-trust architecture that ensures your data never leaves your Jira instance.
🔒 Core Security Design Principles
- Zero Data Exfiltration: No Jira issue data is ever transmitted to external servers
- Zero Data Retention: We cannot access, store, or log your Jira data
- Local Processing Only: All prompt generation occurs client-side in your browser's memory
- Network Isolation: The plugin makes zero external network calls
- Credential-Free: No API keys, tokens, or credentials are stored by the plugin
- Memory-Only Processing: Data exists only in RAM during the active session and is permanently discarded afterwards
2. Data Protection Measures
2.1 In-Transit Protection
- All Jira API calls use HTTPS/TLS encryption provided by your Jira instance
- Contact form submissions use TLS 1.3 encryption to FormSubmit.co
- Website served over HTTPS via GitHub Pages
2.2 At-Rest Protection
Critical: We do not store any of your Jira data at rest. The only data we retain is:
- Support communications (90 days, then auto-deleted)
- Contact form submissions (90 days, then manually deleted)
- No databases, logs, or file storage of customer data
2.3 Processing Security
- Prompt generation occurs entirely in-memory using JavaScript (no server-side processing)
- Clipboard operations use the browser's secure Clipboard API
- No temporary files or caches written to disk
3. Vulnerability Management
3.1 Security Testing & Assessment
| Activity | Frequency | Scope |
|---|---|---|
| Code Security Review | Every release | Static analysis for OWASP Top 10 vulnerabilities |
| Dependency Scanning | Weekly | NPM packages for known CVEs |
| Penetration Testing | Annually | Plugin installation and operation |
| Atlassian Security Check | Per Marketplace submission | Automated scans and manual review |
3.2 Vulnerability Disclosure Program
We welcome security researchers to report vulnerabilities:
- Reporting Email: contactcheapai+security@gmail.com
- Response SLA: Initial response within 48 hours, resolution within 30 days for confirmed issues
- Safe Harbor: We support responsible disclosure and will not pursue legal action for good-faith security research
- Scope: Plugin code, website, and email infrastructure (excludes Jira platform itself)
⚠️ Out of Scope
- Atlassian Jira platform vulnerabilities (report to Atlassian directly)
- Self-XSS or issues requiring user interaction to exploit
- Rate limiting on contact form (we use FormSubmit.co's protections)
- GitHub Pages infrastructure issues (report to GitHub)
3.3 Security Updates
- Critical security patches released within 48 hours of fix availability
- Automatic notifications sent to all active license holders
- Rollout via Atlassian Marketplace update mechanism
4. Compliance & Certifications
4.1 Atlassian Marketplace Requirements
- ✅ Complies with Atlassian Developer Terms and Marketplace Partner Agreement
- ✅ Passed Atlassian's automated security scans (no malicious code, no data exfiltration)
- ✅ Meets data handling requirements for Cloud Fortified program eligibility
- ✅ Annual security self-assessment completed
4.2 Standards Alignment
- OWASP Top 10: Designed to prevent vulnerabilities in every OWASP Top 10 category
- GDPR Article 32: Appropriate technical measures for data protection
- SOC 2 Type II: Architecture aligns with Trust Service Criteria (though not formally audited)
5. Infrastructure Security
5.1 Website (cheap-ai.net / GitHub Pages)
- HTTPS enforced (TLS 1.2/1.3 only)
- DDoS protection via GitHub's infrastructure
- No server-side code execution (static HTML/CSS/JS only)
- SRI (Subresource Integrity) for all external scripts
- Content Security Policy headers enforced
5.2 Email Infrastructure
- FormSubmit.co used for contact form processing (their security standards apply)
- Gmail for support email with 2FA enabled
- No storage of sensitive data in email archives
6. Incident Response
6.1 Security Incident Definition
Any event that compromises the confidentiality, integrity, or availability of:
- Our plugin code or distribution mechanism
- Website or email infrastructure
- Customer support communications
6.2 Incident Response Process
| Phase | Action | Timeline |
|---|---|---|
| Detection | Monitor for anomalies via user reports and automated scans | Continuous |
| Containment | Isolate affected systems, revoke access if compromised | Within 1 hour |
| Investigation | Root cause analysis, impact assessment | Within 24 hours |
| Notification | Notify affected parties (if any) and Atlassian if Marketplace impact | Within 48 hours |
| Remediation | Patch, update, and verify fix | Within 30 days |
6.3 Customer Notification
We will notify you if we become aware of any security incident affecting:
- Your data (though we have no access to your Jira data)
- The plugin's integrity or distribution mechanism
- Any vulnerability that could affect your Jira instance
7. User Security Responsibilities
While we ensure our service is secure, you are responsible for:
- Access Control: Managing user permissions to install and use plugins in your Jira instance
- Network Security: Ensuring your Jira instance is accessible only via secure networks
- Updates: Keeping Jira and the plugin updated to the latest versions
- AI Tool Security: Securing credentials for third-party AI tools you use
- Data Classification: Not processing highly sensitive data without proper authorization
8. Security Best Practices
✅ Recommended Configuration
- Install the plugin only from the official Atlassian Marketplace
- Review plugin permissions during installation (only requests read-only access to issues)
- Regularly audit plugin usage in your instance
- Monitor clipboard usage for sensitive data handling
- Use AI tools that offer enterprise-grade security and data handling
9. Audit & Compliance Reports
Available upon request for enterprise customers:
- Security architecture diagram
- Most recent penetration test summary (sanitized)
- Third-party security assessment (if available)
- Compliance mapping to SOC 2 / ISO 27001 (if needed)
Requests take 5-7 business days to process. Available to customers with active licenses.
10. Security Contact
For all security-related inquiries:
- Email: contactcheapai+security@gmail.com
- Response Time: 48 hours for security issues (24 hours for critical)
- PGP Key: Available upon request for encrypted communications
- Do NOT use this email for general support questions