Security Statement
How we protect your data — and what we rely on others to protect.
Last updated: March 20, 2026
Our approach
We believe in transparency. This page clearly separates what we build and control from what our infrastructure and AI providers provide. We don't claim certifications we don't hold.
1. Architecture
SuperTemplates is built on Atlassian Forge, Atlassian's cloud app platform. This means:
- No external servers — the App runs entirely on Atlassian's infrastructure
- No external databases — all persistent data is stored in Forge Key-Value Storage
- No self-hosted backend — there is no server we operate that stores or processes your Jira data
The only outbound network calls from the App are to AI providers for task generation, and these are made through Forge's egress controls with anonymized data. If AI-Powered Features (as defined in our Terms of Service) are unused or disabled by the site administrator, no Jira issue content or user-entered content is sent to third-party AI providers. If both AI-Powered Features and analytics are disabled, no data is sent to third-party services outside Atlassian infrastructure.
SuperTemplates is operated by a registered business (działalność gospodarcza) in Poland.
2. What We Build and Control
Security measures implemented by SuperTemplates directly.
Smart Anonymization
Before data is sent to AI providers, we automatically pseudonymize known Jira user identifiers — display names from your project's member list are replaced with anonymous codes (e.g., “User_1”), and system identifiers such as Atlassian account IDs, email addresses, project keys, and board names are stripped. AI providers never see these identifiers. Important: Free-text content you enter in prompts is sent to AI providers as written. You are responsible for not including sensitive personal data in AI generation prompts.
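As an added illustration (example code written for this page, not SuperTemplates' own implementation), the following JavaScript shows the pseudonymization step described above: listed display names become User_N codes, known system identifiers and email addresses are stripped, and the mapping stays on the Forge side. It assumes a member list of {accountId, displayName, emailAddress} objects and a plain-string prompt, and it also demonstrates the stated caveat that free text not matching a known identifier is sent as written.

```javascript
// Example code for this page, not SuperTemplates' implementation. Assumed shapes: members are
// {accountId, displayName, emailAddress} objects; project keys and board names are passed in.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns the text to send to the provider plus the displayName -> code map, which stays
// inside Forge so the generated tasks can be mapped back to real assignees.
function pseudonymize(text, { members, projectKeys = [], boardNames = [] }) {
  const mapping = new Map(members.map((m, i) => [m.displayName, `User_${i + 1}`]));
  let out = text;
  // Longest names first, so "Jan Kowalski" is not half-replaced via "Jan Kowal".
  for (const name of [...mapping.keys()].sort((a, b) => b.length - a.length)) {
    out = out.replace(new RegExp(escapeRegExp(name), "g"), mapping.get(name));
  }
  // System identifiers are removed outright rather than mapped to codes.
  const identifiers = [...members.map((m) => m.accountId), ...projectKeys, ...boardNames];
  for (const id of identifiers.filter(Boolean)) {
    out = out.replace(new RegExp(escapeRegExp(id), "g"), "[removed]");
  }
  out = out.replace(EMAIL_RE, "[removed]"); // any email address, known or not
  return { text: out, mapping };
}

// Caveat check: strings that are neither a listed member nor a recognised identifier
// (for example a customer name typed into the prompt) survive unchanged.
function residualTokens(original, pseudonymized, suspects) {
  return suspects.filter((s) => original.includes(s) && pseudonymized.includes(s));
}

// Constructed sample input (not real data).
const members = [
  { accountId: "acct-0001-example", displayName: "Jan Kowal", emailAddress: "jan.kowal@example.com" },
  { accountId: "acct-0002-example", displayName: "Jan Kowalski", emailAddress: "jk@example.com" },
];
const prompt =
  "Create onboarding tasks for PROJ board 'Platform Board'. Assign setup to Jan Kowalski " +
  "(acct-0002-example, jk@example.com) and review to Jan Kowal. Customer contact: Maria Nowak.";
const result = pseudonymize(prompt, { members, projectKeys: ["PROJ"], boardNames: ["Platform Board"] });
const leaked = residualTokens(prompt, result.text, ["Jan Kowal", "jk@example.com", "Maria Nowak"]);
console.log(result.text);
console.log("sent as written:", leaked); // ["Maria Nowak"]
```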
Minimal Data Access
The App requests only the Jira scopes necessary for its functionality. We never read existing issue content (titles, descriptions, comments, attachments). We access project metadata (issue types, priorities, fields, sprints) only to populate the editor UI.
Bring Your Own Key (BYOK)
Site admins can connect your organization's own API keys for OpenAI, Anthropic, or Google Gemini. Keys are stored encrypted in Atlassian Forge Secrets — isolated from app data and used only for direct calls to your chosen provider.
Admin Controls
Site administrators can disable specific AI models, manage BYOK keys (add, revoke, rotate), view per-user usage statistics, and disable analytics egress entirely. The App functions normally without analytics.
Code Practices
All code is reviewed before deployment. The App is built on Atlassian Forge, which enforces sandboxed execution and declared egress. Dependencies are regularly audited for known vulnerabilities.
3. What Atlassian Forge Provides
Security measures provided by the Forge platform. We rely on these but do not operate them ourselves.
| Measure | Detail |
|---|---|
| Encryption at rest | AES-256 via AWS infrastructure |
| Encryption in transit | TLS 1.2+ |
| Data residency | Forge storage respects your Atlassian data residency region |
| App isolation | Forge apps run in sandboxed environments, isolated from other apps |
| Egress controls | All outbound network calls are declared and audited by Atlassian |
| Secrets storage | Dedicated encrypted storage for sensitive values (API keys) |
For full details on Forge security, see Atlassian Forge Security Documentation.
4. What Our AI Providers Provide
Security certifications and guarantees held by our AI providers. These are their certifications, not ours.
| Provider | Type | Their Security Posture |
|---|---|---|
| Cerebras | AI Included (Advanced) | SOC 2 Type II; inputs/outputs never retained; no training on API data |
| Google Vertex AI | AI Included | SOC 2, ISO 27001; EU regional endpoints; no training on API data; abuse monitoring retention (opt-out with BYOK) |
| OpenAI | BYOK | SOC 2 Type II; no training on API data |
| Anthropic | BYOK | SOC 2 Type II; no training on API data |
| Google Gemini | BYOK | SOC 2, ISO 27001; no training on API data (paid tier; BYOK keys are always paid) |
We select providers with strong security postures, but their certifications are theirs — not ours. We recommend reviewing each provider's security documentation directly if your organization requires it.
Model updates and region availability: AI models are periodically updated, retired, or replaced by their providers (e.g., a model version may be deprecated in favor of a newer release). When we adopt a newer model, the available processing regions are determined by the provider and may differ from the previous version. We will always select EU endpoints when available and notify site administrators if a model change materially affects data residency options.
5. What We Don't Have (Transparency)
In the interest of honesty, here's what we don't currently hold:
- SOC 2 Type II certification — our AI providers hold this; we do not
- ISO 27001 certification — Google holds this; we do not
- Dedicated security team — we are an independent development team; security is built into our process, not a separate department
- Penetration testing reports — we have not commissioned independent penetration testing
- Bug bounty program — we accept vulnerability reports at security@supertemplates.ai but do not offer monetary rewards
We compensate for this by building on Forge (inheriting Atlassian's infrastructure security), pseudonymizing known Jira identifiers in all data before it leaves Forge, selecting AI providers with strong security postures, and being fully transparent about what we do and don't control.
6. Vulnerability Reporting
If you discover a security vulnerability in SuperTemplates, please report it responsibly to security@supertemplates.ai. We will acknowledge receipt within 2 business days and work to address confirmed vulnerabilities promptly. Please do not disclose vulnerabilities publicly until we've had reasonable time to address them.
7. Incident Response
In the event of a security incident affecting customer data, we will notify affected site administrators via email within 72 hours of becoming aware of the incident (GDPR Article 33). Where the breach is likely to result in high risk to individuals, we will also assist administrators in fulfilling their obligation to notify affected data subjects without undue delay (GDPR Article 34). Notifications will include the nature of the incident, data potentially affected, and steps taken to mitigate.
8. CAIQ Lite v4 Self-Assessment
We have completed a self-assessment against the CSA Cloud Controls Matrix (CCM) v4 Consensus Assessments Initiative Questionnaire. The assessment covers 46 controls across 16 security domains with a 95.1% compliance rate.
Security Contact
For security questions or vulnerability reports: security@supertemplates.ai
For privacy-related questions: privacy@supertemplates.ai