Security
Last updated: July 1, 2026
Cloud Scheduler is designed as a Forge-native Jira Cloud app. This page is intentionally detailed for customers, procurement teams and Atlassian Marketplace review.
Executive summary
- Built for Jira Cloud and presented as an Atlassian Forge app.
- Normal operation does not require a vendor-hosted external backend.
- Application data is intended to be stored in Forge Storage.
- Authentication is handled by Atlassian; authorization follows Jira permissions and Forge scopes.
- The app does not intentionally collect Atlassian passwords, login sessions, card data or authentication secrets.
Architecture
- Atlassian Forge runtime for app execution.
- Jira Cloud APIs for reading/writing Jira work information needed by planning features.
- Forge Storage for configuration, planning data and app settings.
- Public marketing/support website hosted separately on Cloudflare Pages.
- Optional contact form email sending via a Cloudflare Pages Function and a transactional email service.
Authentication and authorization
- Cloud Scheduler relies on Atlassian authentication context.
- Access to Jira data is governed by Jira permissions and scopes granted at installation.
- The app does not access Atlassian login credentials or sessions.
- The app does not modify Atlassian identity properties or user passwords.
Scopes
- read:jira-work — read Jira work data required for planning.
- write:jira-work — create/update Jira work-related data where enabled.
- read:jira-user — read Jira user information for resource planning.
- storage:app — store app configuration and planning data in Forge Storage.
Security controls
- Least-privilege scope review before release.
- No API keys or secrets in client-side code.
- Input validation and output encoding for user-provided values.
- No intentional collection of passwords, payment card data or authentication secrets.
- Security reports accepted at support@cloudschedulerapp.com.
Vulnerability management
- Receive report through support/security email.
- Acknowledge within the support target.
- Classify severity and customer impact.
- Fix, test and deploy remediation.
- Update documentation or notify customers if required.