As part of a privacy and security review, I'm trying to understand what data gets transferred and stored by Adaptavist when we use the addon for Jira Cloud.
Is there any documentation on what data ScriptRunner collects and what Adaptavist stores?
When I try to interact with their support, they point to their general documentation for data storage and privacy policy, not for ScriptRunner itself.
I would like to create some controls (even if it's just process controls where we as admins make sure we don't put certain data into ScriptRunner or ask ScriptRunner to log certain data). But I'm not able to find any documentation on the boundaries of what ScriptRunner will and will not access/store.
Do any admins have any experience with this?
Hello @warrencai
Welcome to the Atlassian community.
I see that you said you've been directed to their general documentation. Does that include the information referenced here, and the documents referenced in that page?
Hi Trudy,
Yes. Specifically, I was trying to understand the line "Content posted, received or shared in the app by end-users". I asked their support what constitutes "in the app" but could not get a clear answer.
Thank you,
Warren
Hi Warren,
I'm reaching out to contacts at Adaptavist to see if they have any more specific reference materials publicly available.
I'll ask internally for more information, but my first sense is that what is accessed and stored can change from release to release, and no vendor wants to have to document to that level. Nor change legal agreements with that frequency.
warrencai - do you have some examples of the kind of data you don't want to go to ScriptRunner for Jira Cloud? And what should not be logged?
The legal document I was thinking of is under
https://marketplace.atlassian.com/apps/6820/scriptrunner-for-jira?hosting=cloud&tab=privacy-and-security
and in the area named "Expand all data storage and management details"
The link to the doc is then
https://wwwadaptavistcom.cdn.prismic.io/wwwadaptavistcom/a47b2d42-7b68-485c-a84b-a28d5d2972e6_DataProcessingAddendum_Adaptavist_Nov2022.pdf
@Matt Doar _Adaptavist_ we're looking to use Jira to manage PII/PHI and other sensitive data. As stated in Adaptavist EULA Section 9.2, we're responsible for making sure no sensitive data ends up with Adaptavist.
So the question I have is what data does ScriptRunner collect and how do we make sure none of it ends up with Adaptavist? Feels like we'd need a well-documented list of fields/data that ScriptRunner collects to comply with the EULA. Or is it that any data on our site is fair game and the only way to comply is to make sure none of this data ends up on our site?
This is a long-standing question around Atlassian tools, Jira in particular. Jira doesn't do much in the way of field-level security, so making a few fields more secure is not an out of the box thing. At a previous job, we changed the Jira governance to say that Jira was not an appropriate tool for the PII that we kept about our customers. That worked somewhat but there was a lot of legacy info.
I'll wait for a response from Adaptavist Support but for now I think any feature of ScriptRunner that allows access to fields that contain PII is going to be of concern to you.
That's a fair point and I think that may be what our privacy/security team requires we do. It'd be good to get an understanding of this though.
Even in the absence of PII, I think this question for ScriptRunner is still valid. I'm sure we all have business sensitive and proprietary data in Jira. That's the intended use case for Jira. So I'm sure our security team would want to know what the attack surface and risk profile for this is with regards to ScriptRunner.
Due to the nature of ScriptRunner allowing users to create their own scripts and queries, it is not possible to give an exhaustive list of what information could be accessed, processed or stored by ScriptRunner, as this can be affected by unique inputs by the end user.
ScriptRunner processes and stores webhook event information sent by Atlassian, customer scripts and enhanced search queries. It may store error responses from Atlassian REST APIs in order to show customers how to correct any queries. ScriptRunner stores the base url of the customer instance but uses unique IDs when referencing end users, filters and issues where possible. However, if an end user decides to log PII in a script or writes this in an Enhanced Search query it will appear in logs and potentially be stored long term.
ScriptRunner only stores audit logs indefinitely for customers to view in the app - it stores all other logs for up to 4 weeks. The logs are only used to help debug issues with the app as and when necessary. Other than the customer accessible audit logs, the logs can only be accessed by the engineers directly working on and supporting the app.
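The reply above says that PII logged in a script or written into an Enhanced Search query ends up in stored logs. As an added example (not from this thread or from Adaptavist), here is a review check admins could run over script source and queries before saving them. The logging-call shapes, the field names in `SENSITIVE_NAMES` and the sample script are assumptions constructed for illustration.

```python
import re

# Assumption: scripts log through calls shaped like logger.info(...) or println.
LOG_CALL = re.compile(r"\b(?:logger|log)\.(?:trace|debug|info|warn|error)\s*\(|\bprintln\b")
# Literal values that look like personal data (deliberately simple patterns).
PII_LITERALS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Hypothetical names for fields your own site treats as sensitive.
SENSITIVE_NAMES = ("customfield_10050", "patientName", "emailAddress", "displayName")


def pii_literals(text):
    """Return the kinds of PII-looking literals found in text."""
    return [kind for kind, rx in PII_LITERALS.items() if rx.search(text)]


def audit_script(source, sensitive=SENSITIVE_NAMES):
    """Flag log statements that reference sensitive fields or embed PII literals."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not LOG_CALL.search(line):
            continue  # only lines that write to the log are of interest
        for name in sensitive:
            if re.search(r"\b" + re.escape(name) + r"\b", line):
                findings.append((lineno, "logs field " + name))
        for kind in pii_literals(line):
            findings.append((lineno, "logs literal " + kind))
    return findings


def audit_query(jql):
    """Flag an Enhanced Search query that carries a PII literal."""
    return ["query contains " + kind for kind in pii_literals(jql)]


# Constructed sample script (not taken from the thread).
SAMPLE_SCRIPT = '''def key = issue.key
logger.info("Processing issue ${issue.id}")
logger.info("Patient: ${issue.fields.customfield_10050}")
logger.warn("Escalated by jane.doe@example.com")
'''

if __name__ == "__main__":
    for finding in audit_script(SAMPLE_SCRIPT):
        print(finding)
    print(audit_query('reporter = "jane.doe@example.com"'))
```

Logging the issue ID passes the check, while the field interpolation and the literal email address are flagged; the same literal check applies to queries.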
@warrencai You might also check here: https://docs.adaptavist.com/sr4js/latest and on the provider support site.
Unfortunately, the ScriptRunner cloud documentation does not go into detail on what data the addon accesses and stores and when.
Thank you,
Warren
Additionally, that link leads to the documentation for ScriptRunner for Jira Data Center, not Jira Cloud.