Security

Last updated: April 2026

At ScrumJam we take the security of your data seriously. This page outlines the technical and organisational measures we have in place to protect your information.

INFRASTRUCTURE

ScrumJam is built on Google Cloud Platform using Firebase and Firestore. All data is stored and processed within Google's secure infrastructure.

  • Encryption at rest: AES-256 encryption by default on all stored data via Google Cloud
  • Encryption in transit: TLS 1.2 or above enforced on all network communications
  • Authentication: Firebase Authentication handles all user identity and session management

OAUTH SECURITY

ScrumJam connects to Jira via OAuth 2.0. We never ask for or store your Jira password or Personal Access Tokens.

  • The OAuth state parameter is a cryptographically random nonce generated per authorisation request
  • State is stored server-side in Firestore, bound to the signed-in user, with a short expiry window
  • On callback the returned state is checked against the stored copy and deleted immediately after use, so each state is single-use; this blocks both CSRF against the callback and replay of a captured state
  • Jira OAuth tokens are stored encrypted and deleted immediately when you disconnect Jira

ACCESS CONTROL

  • Role-based access enforced via Firebase Authentication
  • Team sessions are private and accessible only to invited team members
  • Public sessions are isolated and expire after 24 hours of inactivity
  • Developer accounts are protected with multi-factor authentication

DEPENDENCY MANAGEMENT

  • Automated dependency vulnerability scanning via GitHub Dependabot
  • All code changes go through pull request review before merging to production

SUB-PROCESSORS

ScrumJam uses the following third-party services to deliver its product:

  • Google Firebase / Firestore — authentication and data storage (United States)
  • PostHog — product analytics, anonymised usage events (United States / EU)
  • Stripe — payment processing (United States)

All sub-processors maintain Standard Contractual Clauses (SCCs) for GDPR-compliant data transfers from the EEA.

DATA RETENTION

  • Public session data is deleted after 24 hours of inactivity
  • Jira OAuth tokens are deleted immediately on disconnection
  • Team session data is retained for the duration of the subscription
  • User account data is retained until deletion is requested

REPORTING A SECURITY ISSUE

If you discover a security vulnerability in ScrumJam, please report it responsibly by emailing info@scrumjam.app.

We will acknowledge your report and investigate promptly. Please do not publicly disclose the issue until we have had a reasonable opportunity to address it.

DATA PROCESSING AGREEMENT

Enterprise customers and teams requiring a formal Data Processing Agreement (DPA) can review our DPA at scrumjam.app/dpa.

QUESTIONS

For any security-related questions contact info@scrumjam.app.