Data Storage
The eSign for Jira app stores data ONLY within the Atlassian Cloud environment, inside of each customer’s Jira site (e.g. https://<customername>.atlassian.net). These environments are ISO 27001/SOC 2 compliant as per Atlassian https://www.atlassian.com/trust/compliance/resources .
The stored app data is also data residency compliant as it shares the same geographic location as the host Jira instance: https://support.atlassian.com/security-and-access-policies/docs/understand-data-residency-and-realms/ .
Data Access for Processing
For Signature processing, eSign requires temporary access to Jira instance data to implement electronic signature functionality. This information is retrieved via the Atlassian Jira API, encrypted in transit and used temporarily by eSign during signature processing; it is not permanently stored.
The eSign processing services are provisioned securely by Render.com (EU, US). See https://render.com/trust for more information on their ISO 27001 and SOC 2 compliance.
The following table identifies the Jira data that is accessed temporarily by the eSign services and how it is used.
| Jira API | Fields Accessed (Not Stored) | Purpose |
|---|---|---|
| Jira Configuration | Project name, enabled Work Types, defined User Fields and allowed Work Item States | eSign workflow controls allow restricting Signatures to User Fields. The list of defined User Fields is retrieved for eSign Configuration (e.g. Reporter, Assignee, Custom). eSign allows restricting the Signature function by Work Item Status (e.g. Open/In Progress). Project display name and work types are displayed on the Verification Report. |
| Work Item Data | Project, Work Type, Work Item Status, and additional configured fields | Status is required to enforce workflow status restrictions configured at the project level. Through configuration, administrators can include additional fields as controls and/or to be included in the Archive PDF report. |
| Work Item | Work Type, Summary, Description, Attachments, Work Item History | For signature verification, the Summary, Description and Attachment (metadata) are hashed into a checksum that is stored with each executed signature. This checksum is used during signature verification to detect if contents or attachments were changed after signing. Work Item history is also accessed to flag changes in configured custom fields. |
| User Profile Data | Display Name, Time zone and Locale, E-mail Address | The user name, time zone and locale are retrieved to populate the signee name and local date/time for the electronic signature. |
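The checksum check described in the Work Item row above, sketched as an added example (not eSign's own code). SHA-256, the JSON canonical form and the attachment metadata fields `filename`, `size` and `created` are assumptions, since this page does not specify them; the sample work item is constructed.

```python
import hashlib
import hmac
import json
import unicodedata


def normalize_text(text):
    """NFC-normalize and unify line endings so equivalent text hashes the same."""
    return unicodedata.normalize("NFC", text or "").replace("\r\n", "\n")


def content_checksum(summary, description, attachments):
    """Hex digest over Summary, Description and attachment metadata (assumed fields)."""
    record = {
        "summary": normalize_text(summary),
        "description": normalize_text(description),
        # Sorted so the order attachments are listed in does not change the digest.
        "attachments": sorted(
            [a["filename"], a["size"], a["created"]] for a in attachments
        ),
    }
    # JSON keeps field boundaries explicit; plain concatenation would hash
    # ("ab", "c") and ("a", "bc") to the same value.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def unchanged_since_signing(stored_checksum, item):
    """True if the work item still matches the checksum stored at signing."""
    current = content_checksum(item["summary"], item["description"], item["attachments"])
    return hmac.compare_digest(stored_checksum, current)


# Constructed sample work item (not real Jira data).
SIGNED_ITEM = {
    "summary": "Release 2.1 approval",
    "description": "Approve deployment of build 4471.\r\nRollback plan attached.",
    "attachments": [
        {"filename": "rollback.pdf", "size": 18234, "created": "2024-05-02T09:14:00Z"},
        {"filename": "test-report.pdf", "size": 90211, "created": "2024-05-02T09:15:30Z"},
    ],
}
STORED = content_checksum(SIGNED_ITEM["summary"], SIGNED_ITEM["description"], SIGNED_ITEM["attachments"])

if __name__ == "__main__":
    edited = dict(SIGNED_ITEM, description="Approve deployment of build 4472.")
    print("original item matches:", unchanged_since_signing(STORED, SIGNED_ITEM))
    print("edited item matches:  ", unchanged_since_signing(STORED, edited))
```

Because only attachment metadata is hashed in this sketch, a replacement file with identical name, size and timestamp would not change the digest.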
Data Processing Locations
eSign for Jira has multiple data processing locations. Customers have the option to “Pin” their eSign app location to one of the following locations via Atlassian Security administration. Once pinned, the eSign server(s) in that location will perform all signature processing for that cloud site.
As detailed above, eSign only stores data within the Atlassian cloud. The EU vs US pinning is for temporary data processing and can provide the following benefits.
- For customers with regional compliance requirements, pinning the location to within a specific region ensures that signature data processing occurs within that region.
- Customers with Atlassian cloud sites located closer to the EU may notice faster response time when working with eSign as compared to the US locations.
See the Atlassian article "Data Residency: Manage Where Your Data is Hosted" for more information on Data Residency. Pinning apps is available within admin.atlassian.com.
| Location | eSign Host Region |
|---|---|
| Default | US (East) |
| European Union | Europe (Frankfurt) |
| Germany | Europe (Frankfurt) |
| USA | US (East) |