Advanced JQL capabilities without compromising security??

In the era of hybrid warfare, digital ecosystems are becoming a frontline.
Attacks on software supply chains, insider threats, and data manipulation campaigns are no longer hypothetical—they are part of modern conflict and of corporate risk landscapes, in Europe and beyond.

When you install an app from the Atlassian Marketplace, you're making a trust decision. That app is going to interact with your Jira data — your issues, your users, your workflows. But not all Marketplace apps handle your data the same way.

There are two fundamentally different architectures for Atlassian apps: Connect and Forge. The difference matters more than most teams realize.

Connect: The External Server Model

Most established Marketplace apps — including many of the most popular ones — are built on Atlassian Connect. Connect apps run on the vendor's own servers, outside of Atlassian's infrastructure. When you use a Connect app:

  • Your data is sent to the vendor's servers via REST API calls
  • The vendor manages their own infrastructure, security, and compliance
  • You're trusting a third party to handle, store, and protect your data
  • The vendor pays Atlassian a 20–25% revenue share on every transaction

This model has worked for years. But it creates a real tension: every Connect app is another vendor in your security review pipeline, another data processor in your compliance documentation, another external endpoint your data flows through.

Forge: The Native Model

Forge apps run entirely inside Atlassian's infrastructure. When you install a Forge app:

  • Your data never leaves Atlassian's servers
  • The app runs in a sandboxed environment managed by Atlassian
  • No external API calls, no vendor-hosted servers, no data export
  • The app inherits Atlassian's own security controls (SOC2, ISO 27001)

For teams that care about data security — and especially teams pursuing compliance certifications — this is a meaningful difference. A Forge app doesn't add a new entry to your vendor risk register.
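The bullets above describe the two models in terms of where data flows. For a Forge app that flow is visible in its manifest: the app must declare any outbound fetch targets, remote UI resources, and remote-compute endpoints, so a review can tell a Forge app that still calls out to vendor hosts from one that stays inside Atlassian. The script below is an added example, not code from Orbiscend or from Atlassian's tooling. It takes a manifest already loaded into a dict (in practice you would read manifest.yml with a YAML parser), walks the `permissions.external` and `remotes` sections, and lists every external destination. The two manifests and the vendor hostnames are constructed for illustration. An empty result is the egress-free case the bullets describe (and the one the "Runs on Atlassian" badge is meant to signal).

```python
"""Audit a Forge app manifest for declared data egress.

Added example for this article, not Orbiscend's code or Atlassian's tooling.
It takes the manifest already loaded into a dict (in practice you would read
manifest.yml with a YAML parser); the manifests and hostnames below are
constructed for illustration.
"""
from typing import Any

# permissions.external.* keys that let the app's UI load remote resources.
# Runtime HTTP egress is declared separately under permissions.external.fetch.
UI_EXTERNAL_KEYS = ("images", "scripts", "styles", "fonts", "frames")


def _addresses(entries: Any) -> list[str]:
    """Normalise an egress list: items are plain URL strings or objects
    with an 'address' key (the object form also carries category/inScopeEU)."""
    out: list[str] = []
    for entry in entries or []:
        if isinstance(entry, str):
            out.append(entry)
        elif isinstance(entry, dict) and "address" in entry:
            out.append(str(entry["address"]))
    return out


def egress_targets(manifest: dict) -> list[str]:
    """Return every external destination the manifest declares, as
    'kind: url' strings. Empty means no egress and no remote compute."""
    found: list[str] = []
    external = (manifest.get("permissions") or {}).get("external") or {}

    # Runtime fetch() egress from Forge functions (backend) and the UI (client).
    fetch = external.get("fetch") or {}
    for side in ("backend", "client"):
        for url in _addresses(fetch.get(side)):
            found.append(f"fetch.{side}: {url}")

    # Remote resources the UI is allowed to load.
    for key in UI_EXTERNAL_KEYS:
        for url in _addresses(external.get(key)):
            found.append(f"{key}: {url}")

    # Remote compute: invocations are forwarded to a vendor-hosted baseUrl.
    for remote in manifest.get("remotes") or []:
        found.append(f"remote {remote.get('key')}: {remote.get('baseUrl')}")
    return found


def stays_in_atlassian(manifest: dict) -> bool:
    """True when the app declares neither egress nor remote compute."""
    return not egress_targets(manifest)


# Constructed manifest: an issue panel that only reads Jira data in place.
# The app id is a zeroed placeholder, not a real app.
NATIVE_MANIFEST = {
    "app": {"id": "ari:cloud:ecosystem::app/00000000-0000-0000-0000-000000000000"},
    "modules": {"jira:issuePanel": [{"key": "panel", "resource": "main", "title": "Panel"}]},
    "resources": [{"key": "main", "path": "static/build"}],
    "permissions": {"scopes": ["read:jira-work"]},
}

# Constructed manifest: the same module, but data can reach vendor hosts.
EGRESS_MANIFEST = {
    "app": {"id": "ari:cloud:ecosystem::app/00000000-0000-0000-0000-000000000000"},
    "modules": {"jira:issuePanel": [{"key": "panel", "resource": "main", "title": "Panel"}]},
    "resources": [{"key": "main", "path": "static/build"}],
    "permissions": {
        "scopes": ["read:jira-work"],
        "external": {
            "fetch": {
                "backend": [
                    "https://api.vendor.example",
                    {"address": "https://metrics.vendor.example", "category": "analytics"},
                ]
            },
            "images": ["https://cdn.vendor.example"],
        },
    },
    "remotes": [{"key": "vendor-backend", "baseUrl": "https://backend.vendor.example"}],
}

if __name__ == "__main__":
    for name, manifest in (("native", NATIVE_MANIFEST), ("egress", EGRESS_MANIFEST)):
        targets = egress_targets(manifest)
        verdict = "stays in Atlassian" if not targets else "sends data outside Atlassian"
        print(f"{name}: {verdict}")
        for target in targets:
            print(f"  - {target}")
```

The check deliberately treats UI resource loads (images, scripts, fonts) the same as backend fetches: a script loaded from a vendor CDN runs in the user's browser with access to the app's UI, so it is part of the trust decision even though no Jira record is posted to it.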

Why We Chose Forge

At Orbiscend, every product we build runs on Forge. This wasn't a convenient default — it was a deliberate architectural decision.

For Argon (our JQL search extension), this means your search queries and results never leave Jira. When you run a regex match across your issues or query parent-child hierarchies, that processing happens inside Atlassian's infrastructure.

JQL Argon Powerful Search  

For Dike (our SOC2 compliance tool), the irony would be too painful otherwise. A compliance tool that sends your data to external servers would undermine the very compliance posture it's supposed to improve. Dike runs where your data already lives.

What This Means in Practice

If you're a Jira admin evaluating Marketplace apps, here are the practical implications:

Security reviews are simpler. A Forge app doesn't require a separate vendor security assessment. The app runs in Atlassian's environment, under Atlassian's security controls.

Compliance documentation is lighter. For SOC2, ISO 27001, or GDPR purposes, a Forge app is processed by Atlassian — not by a third-party vendor. That's one fewer data processor to document and audit.

Performance is more predictable. No external API latency, no dependency on a vendor's uptime. If Jira is up, the app is up.

Data residency is preserved. Your data stays where Atlassian stores it. No cross-border transfers to vendor servers in different jurisdictions.

The Trade-Off

We should be honest about what Forge doesn't do. The Forge platform is newer and more constrained than Connect. Some types of apps — particularly those that need to integrate with systems outside of Atlassian — are better suited to Connect. Forge apps can't do everything.

But for tools that operate on your Jira data — searching, analyzing, monitoring, reporting — Forge is the right architecture. The security and performance advantages are real, and they compound as your organization's compliance requirements grow.

Try the Forge Difference

Both Argon and Dike are now free to install and use. If you're curious about what Forge-native apps feel like compared to Connect-based alternatives, install one and see for yourself. The "Runs on Atlassian" badge on our listings isn't just a logo — it's a promise about where your data lives.

Greetings and have a nice weekend

4 comments

Aaron Morris
Rising Star
March 27, 2026

This is an incredibly misleading and inaccurate article. For example:

Forge apps run entirely inside Atlassian's infrastructure. When you install a Forge app:

  • Your data never leaves Atlassian's servers
  • The app runs in a sandboxed environment managed by Atlassian
  • No external API calls, no vendor-hosted servers, no data export
  • The app inherits Atlassian's own security controls (SOC2, ISO 27001)

What you described is only true for Forge apps with the Runs on Atlassian badge. Granted, the app you're advertising has that badge (congratulations!), but it is unhelpful to mislead the community by generalizing Runs on Atlassian to all Forge apps.

Another example:

Security reviews are simpler. A Forge app doesn't require a separate vendor security assessment. The app runs in Atlassian's environment, under Atlassian's security controls.

Forge apps, even with the Runs on Atlassian badge, still require a vendor security assessment. There is more to software security than just hosting. Yes, the reviews are simplified, as you led with. But to say a separate security assessment is not required is simply not true for most enterprises or regulated companies.

And finally, this article is two years too late. Connect is end-of-life...every vendor is moving to Forge. This is not the competitive advantage you're making it out to be.

Allan Maxwell
Atlassian Team
March 27, 2026

Thanks for sharing and, at risk of derailment, may I ask if you are able to access Focus Areas through your Forge app and how?

Aaron Morris
March 27, 2026

Update: I only posted a reply because this article was initially published to a different group in the community. Thank you for moving this to App Central where it belongs. :-)

Bartek Szajkowski _ Orbiscend OU
Atlassian Partner
March 27, 2026

Dear Aaron,
Dear Allan,

Thanks for the corrections — fair points!

You're right that we should have been more specific — the benefits we described apply to Runs on Atlassian apps, not all Forge apps. We'll fix that in the article.

On security assessments — agreed, it depends on the company and their internal processes. Some will always require a full review regardless.

As for timing — we're launching now because, frankly, building something like this on Forge two years ago wasn't really feasible. The platform is still maturing, and anyone who's tried to build a serious app on it knows it's not always smooth sailing.

Thanks for keeping us honest! 🙂

Have a nice weekend!
Greetings
Bartek
