Security Statement
How we protect your data — and what we rely on others to protect.
Last updated: February 27, 2026
Our approach
We believe in transparency. This page separates what we build and control from what Atlassian Forge and our AI providers provide, and we do not claim certifications we do not hold.
1. Architecture
SuperTemplates is built on Atlassian Forge, Atlassian's cloud app platform. This means:
- No external servers — the App runs entirely on Atlassian's infrastructure
- No external databases — all persistent data is stored in Forge Key-Value Storage
- No self-hosted backend — there is no server we operate that stores or processes your Jira data
The only outbound network calls from the App are to AI providers for task generation and, unless a site administrator disables it, to analytics. Both go through Forge's declared egress controls, and only anonymized data is sent.
2. What We Build and Control
Security measures implemented by SuperTemplates directly.
Smart Anonymization
Before any data leaves Forge to reach an AI provider, we strip all personal and tenant-identifying values — Atlassian account IDs, email addresses, display names, project keys, and board names — and replace them with anonymous placeholders. AI providers receive only the task context needed for generation.
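The following is an added illustration of the placeholder technique described above; it is not SuperTemplates' code and nothing here should be read as the App's implementation. It assumes the App already knows the users, project keys and board names involved (from Jira metadata), replaces each with a stable placeholder so that references stay consistent for the model, sweeps for any email addresses or account IDs the metadata did not list, refuses egress if any known value remains, and keeps the reverse map inside the sandbox to restore values in the model's reply. The account-ID shapes, placeholder names and sample data are assumptions.

```javascript
// Added example, not SuperTemplates' code: placeholder anonymization of task
// context before it leaves the Forge sandbox, plus a pre-egress leak check and
// a reverse map (kept in the sandbox) to restore values in the model's reply.
// Identifier shapes, placeholder names and the sample data are assumptions.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Assumed Atlassian account ID shapes: "557058:<uuid>" or a 24-character hex string.
const ACCOUNT_ID_RE = /(?<!\w)(?:\d{6}:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}|[0-9a-f]{24})(?!\w)/g;

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

class Anonymizer {
  constructor() {
    this.forward = new Map();  // real value -> placeholder
    this.reverse = new Map();  // placeholder -> value to restore (never leaves Forge)
    this.counters = {};
  }

  placeholder(kind, value, restoreAs = value) {
    if (this.forward.has(value)) return this.forward.get(value);
    this.counters[kind] = (this.counters[kind] || 0) + 1;
    const p = `[${kind}-${this.counters[kind]}]`;
    this.forward.set(value, p);
    this.reverse.set(p, restoreAs);
    return p;
  }

  // known = { users: [{ accountId, email, displayName }], projectKeys: [...], boardNames: [...] }
  anonymize(text, known) {
    const pairs = [];
    // One placeholder per user so that ID, email and display name stay linked for the model.
    for (const u of known.users) {
      const p = this.placeholder('user', u.accountId, u.displayName || u.accountId);
      for (const v of [u.accountId, u.email, u.displayName]) {
        if (v) { this.forward.set(v, p); pairs.push([v, p]); }
      }
    }
    for (const k of known.projectKeys) pairs.push([k, this.placeholder('project', k)]);
    for (const b of known.boardNames) pairs.push([b, this.placeholder('board', b)]);
    // Longest values first so "Jane Doe" is consumed before a shorter overlapping value.
    pairs.sort((a, b) => b[0].length - a[0].length);
    let out = text;
    for (const [value, p] of pairs) {
      // Lookarounds instead of \b so non-ASCII names still match at their edges.
      out = out.replace(new RegExp(`(?<!\\w)${escapeRegExp(value)}(?!\\w)`, 'g'), p);
    }
    // Safety net: emails or account IDs the metadata did not list still get a placeholder.
    out = out.replace(EMAIL_RE, (m) => this.placeholder('user', m));
    out = out.replace(ACCOUNT_ID_RE, (m) => this.placeholder('user', m));
    return out;
  }

  // Applied to the provider's reply before it is shown in Jira.
  deanonymize(text) {
    return text.replace(/\[(?:user|project|board)-\d+\]/g, (p) => this.reverse.get(p) ?? p);
  }
}

// Pre-egress check: every known value, email or account ID still present is a leak.
function leaks(text, known) {
  const values = [...known.projectKeys, ...known.boardNames];
  for (const u of known.users) values.push(u.accountId, u.email, u.displayName);
  const literal = values.filter((v) => v && text.includes(v));
  const byPattern = [...(text.match(EMAIL_RE) || []), ...(text.match(ACCOUNT_ID_RE) || [])];
  return [...literal, ...byPattern];
}

// Constructed sample data (no real users or tenants).
const SAMPLE_KNOWN = {
  users: [{ accountId: '5b10ac8d82e05b22cc7d4ef5', email: 'jane.doe@example.com', displayName: 'Jane Doe' }],
  projectKeys: ['PAY'],
  boardNames: ['Payments Board'],
};
const SAMPLE_TEXT = 'Jane Doe (jane.doe@example.com, 5b10ac8d82e05b22cc7d4ef5) asked for subtasks on PAY-42 ' +
  'in the Payments Board. Cc bob@example.org.';

function runSample() {
  const anon = new Anonymizer();
  const outbound = anon.anonymize(SAMPLE_TEXT, SAMPLE_KNOWN);
  if (leaks(outbound, SAMPLE_KNOWN).length > 0) throw new Error('refusing egress: identifiers remain');
  // A constructed model reply that references the placeholders, restored inside Forge.
  const restored = anon.deanonymize('Create subtask in [project-1] for [user-1]; notify [user-2].');
  return { outbound, restored, leaksBefore: leaks(SAMPLE_TEXT, SAMPLE_KNOWN).length };
}

console.log(runSample());
```

The pattern sweep is deliberately conservative: a 24-character hex string that is not an account ID will also be masked, which is the right failure direction for data leaving the sandbox. Note that issue keys such as PAY-42 become `[project-1]-42`, so the issue number remains visible to the provider; whether that matters depends on what the task context needs.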
Minimal Data Access
The App requests only the Jira scopes necessary for its functionality. We never read existing issue content (titles, descriptions, comments, attachments). We access project metadata (issue types, priorities, fields, sprints) only to populate the editor UI.
BYOK Key Security
Bring Your Own Key (BYOK) API keys are stored in Forge Secrets, encrypted storage kept separate from regular app data. Keys are never logged, never sent to our own systems, and are used only for direct calls from Forge to the configured provider.
Admin Controls
Site administrators can disable specific AI models, manage BYOK keys (add, revoke, rotate), view per-user usage statistics, and disable analytics egress entirely. The App functions normally without analytics.
Code Practices
All code is reviewed before deployment. The App is built on Atlassian Forge, which enforces sandboxed execution and declared egress. Dependencies are regularly audited for known vulnerabilities.
3. What Atlassian Forge Provides
Security measures provided by the Forge platform. We rely on these but do not operate them ourselves.
| Measure | Detail |
|---|---|
| Encryption at rest | AES-256 via AWS infrastructure |
| Encryption in transit | TLS 1.2+ |
| Data residency | Forge storage respects your Atlassian data residency region |
| App isolation | Forge apps run in sandboxed environments, isolated from other apps |
| Egress controls | All outbound network calls are declared and audited by Atlassian |
| Secrets storage | Dedicated encrypted storage for sensitive values (API keys) |
For full details on Forge security, see Atlassian Forge Security Documentation.
4. What Our AI Providers Provide
Security certifications and guarantees held by our AI providers. These are their certifications, not ours.
| Provider | Type | Their Security Posture |
|---|---|---|
| Cerebras | AI Included | SOC 2 Type II; zero data retention |
| Groq | AI Included | SOC 2 Type II; zero data retention |
| Google Vertex AI | AI Included | SOC 2, ISO 27001; EU regional endpoints |
| OpenAI | BYOK | SOC 2 Type II; no training on API data |
| Anthropic | BYOK | SOC 2 Type II; no training on API data |
| Google Gemini | BYOK | SOC 2, ISO 27001; no training on API data |
We select providers with strong security postures, but we recommend reviewing each provider's security documentation directly if your organization requires it.
5. What We Don't Have (Transparency)
In the interest of honesty, here's what we don't currently hold:
- SOC 2 Type II certification — our AI providers hold this; we do not
- ISO 27001 certification — Google holds this; we do not
- Dedicated security team — we are an independent development team; security is built into our process, not a separate department
- Penetration testing reports — we have not commissioned independent penetration testing
- Bug bounty program — we accept vulnerability reports at support@supertemplates.ai but do not offer monetary rewards
We compensate for this by building on Forge (inheriting Atlassian's infrastructure security), anonymizing all data before it leaves Forge, selecting AI providers with strong security postures, and being fully transparent about what we do and don't control.
6. Vulnerability Reporting
If you discover a security vulnerability in SuperTemplates, please report it responsibly to support@supertemplates.ai. We will acknowledge receipt within 2 business days and work to address confirmed vulnerabilities promptly. Please do not disclose vulnerabilities publicly until we've had reasonable time to address them.
7. Incident Response
In the event of a security incident affecting customer data, we will notify affected site administrators via email within 72 hours of becoming aware of the incident. This matches the GDPR's 72-hour breach-notification window, so that affected organizations can meet their own obligations in time. Notifications will include the nature of the incident, the data potentially affected, and the steps taken to mitigate it.
Security Contact
For security questions or vulnerability reports: support@supertemplates.ai
For privacy-related questions: support@supertemplates.ai