SprintLedger Security Policy
Effective Date: March 17, 2026
1. Overview
FY Network Inc. ("FY Network") is committed to maintaining the security and integrity of SprintLedger and all data it interacts with. This Security Policy describes how we secure the application, handle security incidents, manage vulnerabilities, and protect our users.
2. Architecture and Data Isolation
SprintLedger is built on Atlassian's Forge platform, which provides a secure, sandboxed execution environment:
- No external servers: SprintLedger does not operate any servers, databases, or infrastructure outside of Atlassian. All code executes within Atlassian's Forge runtime.
- No outbound data transfers: The application does not make external API calls, send data to third-party services, or transmit any information outside of Atlassian's infrastructure.
- Forge Storage only: All configuration data is stored in Forge Storage, managed and encrypted by Atlassian. FY Network cannot access Forge Storage contents directly.
- Atlassian authentication: SprintLedger relies entirely on Atlassian's authentication and authorization mechanisms. No separate credentials are required or stored.
3. Security Controls
- Least-privilege permissions: SprintLedger requests only the minimum Forge API permissions required for its functionality: reading issue data and sprint information, and storing configuration settings.
- No sensitive data handling: SprintLedger does not process, store, or access passwords, authentication tokens, personally identifiable information (PII), or financial data. The only user-provided data is configuration settings (hourly rates and budget targets).
- Code review and testing: All code changes undergo review before deployment. Automated testing is run on every build to catch regressions.
- Dependency management: We monitor dependencies for known vulnerabilities and apply security patches promptly. SprintLedger uses minimal dependencies to reduce the attack surface.
- Secure development practices: We follow secure coding practices including input validation, output encoding, and adherence to Atlassian's Forge security guidelines.
4. Vulnerability Management
We take the following steps to identify and address vulnerabilities:
- Regular review of dependencies using automated vulnerability scanning tools
- Prompt application of security patches to dependencies and platform updates
- Monitoring of Atlassian security advisories for Forge platform changes
- Periodic review of application code for security issues
5. Incident Response
In the event of a security incident affecting SprintLedger, we follow this process:
- Identification: Upon becoming aware of a potential security issue, we immediately assess its scope and impact.
- Containment: We take immediate steps to contain the issue, which may include disabling affected functionality or publishing an emergency update.
- Notification: We notify affected users and Atlassian within 72 hours of confirming a security incident that impacts user data.
- Remediation: We develop and deploy a fix as quickly as possible, prioritizing security patches above all other work.
- Post-incident review: After resolution, we conduct a review to identify root causes and implement measures to prevent recurrence.
6. Reporting Security Issues
If you discover a security vulnerability in SprintLedger, please report it to us immediately:
- Email: admin@fynetwork.com with the subject line "SprintLedger Security Report"
- Include a description of the vulnerability, steps to reproduce, and the potential impact
We will acknowledge receipt within 2 business days and provide an initial assessment within 5 business days. We ask that you give us reasonable time to address the issue before any public disclosure.
7. Atlassian Platform Security
SprintLedger benefits from Atlassian's enterprise-grade security infrastructure, including encryption at rest and in transit, SOC 2 Type II compliance, and ISO 27001 certification. For details on Atlassian's security practices, see Atlassian's Trust Center.
8. Changes to This Policy
We may update this Security Policy as our practices evolve. Changes will be posted on this page with an updated effective date.
9. Contact Us
For security-related questions or concerns, contact us:
- Email: admin@fynetwork.com
- Phone: +1 (973) 649-9368
- Location: Newark, NJ