Cloud Security Statement
Last updated: 11 November 2025
1. Overview
Sign for Jira ("Sign") is built on the Atlassian Forge platform. This statement describes how we use Forge and which controls we apply to help protect customer data and support compliance requirements.
2. Hosting & Architecture
- All core application logic executes within Atlassian Forge's isolated runtime.
- Data used by the App is stored using Forge storage services within Atlassian's infrastructure.
- No production Jira content is stored on servers operated directly by MyStatement, Inc. unless explicitly agreed for support or troubleshooting.
3. Data Protection
- Data at rest is encrypted using Atlassian-managed encryption.
- Data in transit is protected using TLS (HTTPS) enforced by Atlassian.
- Signing PINs and other secrets are stored only as hashed or encrypted values.
- Access to configuration and logs is restricted to authorized personnel of MyStatement, Inc. under least-privilege principles.
4. Application Security Practices
- Use of secure coding practices and regular internal reviews.
- Separation of environments for development and production.
- Logging of security-relevant events such as signature actions and PIN lifecycle events.
5. Compliance Alignment
While customers are responsible for their overall validation and procedural controls, Sign is designed to support the requirements of:
- FDA 21 CFR Part 11 (electronic records and signatures)
- EU GMP Annex 11 (computerized systems)
- Industry best practices for audit trails and access control
6. Incident Response
In the event we become aware of a security incident affecting data processed by the App, we will investigate promptly and, where required, notify affected customers in cooperation with Atlassian's incident management processes.
7. Vulnerability Reporting
We encourage responsible disclosure of potential vulnerabilities.
Please contact us at support@mystatement.atlassian.net