Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

ScriptRunner access to site data

warrencai
warrencai
Contributor
July 29, 2024

As part of a privacy and security review, I'm trying to understand what data gets transferred and stored by Adapatavist when we use the addon for Jira Cloud. 

Is there any documentation to what data ScriptRunner collects and what Adapativist stores?

When I try to interact with their support, they point to their general documentation for data storage and privacy policy, not for ScriptRunner itself.

I would like to create some controls (even if it's just process controls where we as admins make sure we don't put certain data into ScriptRunner or ask ScriptRunner to log certain data). But I'm not able to find any documentation on the boundaries of what ScriptRunner will and will not access/store.

Does any admins have any experience with this?

Answer
Watch
Like # people like this
582 views

3 answers

2 votes
Trudy Claspill
Trudy Claspill
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
July 29, 2024

Hello @warrencai 

Welcome to the Atlassian community.

I see that you said you've been directed to their general documentation. Does that include the information referenced here, and the documents referenced in that page?

https://marketplace.atlassian.com/apps/6820/scriptrunner-for-jira?hosting=cloud&tab=privacy-and-security

View More Comments
warrencai
warrencai
Contributor
July 29, 2024

Hi Trudy,

Yes. Specifically, I'm was trying to understand the line "Content posted, received or shared in the app by end-users". I asked their support what constitutes in the app but could not get a clear answer.

Thank you,

Warren

Like
Trudy Claspill
Trudy Claspill
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
July 29, 2024

Hi Warren,

I'm reaching out to contacts at Adaptavist to see if they have any more specific reference materials publicly available.

Like • Matt Doar _Adaptavist_ likes this
warrencai
warrencai
Contributor
July 29, 2024

Thank you so much!

Like
Matt Doar _Adaptavist_
Matt Doar _Adaptavist_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 29, 2024 edited

I'll ask internally for more information, but my first sense is that what is accessed and stored can change from release to release, and no vendors wants to have to document to that level. Nor change legal agreements with that frequency.

warrencai - do you have some examples of the kind of data you don't want to go to ScriptRunner for Jira Cloud? And what should not be logged?

Like
Matt Doar _Adaptavist_
Matt Doar _Adaptavist_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 29, 2024

The legal document I was thinking of is under
https://marketplace.atlassian.com/apps/6820/scriptrunner-for-jira?hosting=cloud&tab=privacy-and-security
and in the area named "Expand all data storage and management details"

The link to the doc is then 
https://wwwadaptavistcom.cdn.prismic.io/wwwadaptavistcom/a47b2d42-7b68-485c-a84b-a28d5d2972e6_DataProcessingAddendum_Adaptavist_Nov2022.pdf

Like
warrencai
warrencai
Contributor
July 29, 2024

@Matt Doar _Adaptavist_ we're looking to use Jira to manage PII/PHI and other sensitive data. As stated in Adaptavist EULA Section 9.2, we're responsible for making sure no sensitive data ends up with Adaptavist.

So the question I have is what data does ScriptRunner collect and how do we make sure none of it ends up with Adapativist? Feels like we'd need a well documented list of fields/data that ScriptRunner collects to comply with the EULA. Or is that any data on our site is fair game and the only way to comply is to make sure none of this data ends up on our site?

Like • Matt Doar _Adaptavist_ likes this
Matt Doar _Adaptavist_
Matt Doar _Adaptavist_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 29, 2024

This is a long-standing question around Atlassian tools, Jira in particular. Jira doesn't do much in the way of field-level security, so making a few fields more secure is not an out of the box thing. At a previous job, we changed the Jira governance to say that Jira was not an appropriate tool for the PII that we kept about our customers. That worked somewhat but there was a lot of legacy info.

I'll wait for a response from Adaptavist Support but for now I think any feature of ScriptRunner that allows access to fields that contain PII is going to be of concern to you.

Like • warrencai likes this
warrencai
warrencai
Contributor
July 29, 2024

That's a fair point and I think that may be where our privacy/security team require we do. It'd be good to get an understanding of this though.

Even in the absence of PII, I think this question for ScriptRunner is still valid. I'm sure we all have business sensitive and proprietary data in Jira. That's the intended use case for Jira. So I'm sure our security team would want to know what the attack surface and risk profile for this is with regards to ScriptRunner.

Like • Ralf Münch likes this
Reply
1 vote
Romy Greenfield
Romy Greenfield
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
August 5, 2024

Due to the nature of ScriptRunner allowing users to create their own scripts and queries, it is not possible to give an exhaustive list of what information could be accessed, processed or stored by ScriptRunner, as this can be affected by unique inputs by the end user.

ScriptRunner processes and stores webhook event information sent by Atlassian, customer scripts and enhanced search queries. It may store error responses from Atlassian REST APIs in order to show customers how to correct any queries. ScriptRunner stores the base url of the customer instance but uses unique IDs when referencing end users, filters and issues where possible. However, if an end user decides to log PII in a script or writes this in an Enhanced Search query it will appear in logs and potentially be stored long term.

ScriptRunner only stores audit logs indefinitely for customers to view in the app - it stores all other logs for up to 4 weeks. The logs are only used to help debug issues with the app as and when necessary. Other than the customer accessible audit logs, the logs can only be accessed by the engineers directly working on and supporting the app.

Reply
0 votes
Nicolas Grossi
Nicolas Grossi
Banned
July 29, 2024

@warrencai You might also check here: https://docs.adaptavist.com/sr4js/latest and on the provider support site.

 

 

View More Comments
warrencai
warrencai
Contributor
July 29, 2024

HI @Nicolas Grossi 

Unfortunately, the ScriptRunner cloud documentation does not go into detail on what data the addon accesses and stores and when.

Thank you,

Warren

Like
Trudy Claspill
Trudy Claspill
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
July 29, 2024

Additionally that link leads to the documentation for ScriptRunner for Jira Data Center, not Jira Cloud

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
PERMISSIONS LEVEL
Product Admin
TAGS
atlassian, team '25, conference, certifications, bootcamps, training experience, anaheim ca,

Want to make the most of Team ‘25?

Spend the day sharpening your skills in Atlassian Cloud Organization Admin or Jira Administration, then take the exam onsite. Already ready? Take one - or more - of 12 different certification exams while you’re in Anaheim at Team' 25.

Learn more
AUG Leaders

Upcoming Jira Events