DRIFT

Security Policy

Last updated: 27 March 2026

DRIFT is built on Atlassian Forge and is designed to minimize direct handling of customer credentials and application infrastructure.

Security contact

For security questions or vulnerability reports, contact support@jordanmurray.dev.

How DRIFT handles data

• Application data is stored in Atlassian Forge hosted storage.
• DRIFT reads Jira data through Atlassian-authorized Forge permissions.
• DRIFT does not ask customers for Atlassian passwords or Personal Access Tokens.
• AI-assisted features are optional and use configured provider API keys stored as Forge environment variables.

Third-party services

When AI-assisted features are enabled, DRIFT may send relevant issue or requirement content to the configured AI provider solely to generate extraction, review, or story-draft outputs.

Reporting vulnerabilities

Please include a clear description of the issue, reproduction steps if available, and any affected app area. We will review good-faith reports and aim to respond as promptly as reasonably possible.

Security posture

• DRIFT uses Atlassian Forge runtime isolation, permissions, and hosted storage controls.
• Sensitive provider keys are stored as encrypted Forge environment variables.
• The app is designed so core Jira and requirement data remain in Atlassian-hosted storage.

Important note

DRIFT does not currently claim formal compliance certifications such as SOC 2 or ISO 27001 unless explicitly stated elsewhere in official product documentation.