FirstTry Trust Center v4.4.2
Pack v4.4.2Rev 4.4.2OwnerFirstTry SolutionsLast Updated2026-02-26ReviewAnnual (Interim updates within 30 days of Atlassian publishing material change notices relevant to Forge hosting, security, or subprocessors)Doc IDFT-TRUST-012

Forge Platform Dependency

Forge Dependency Statement

FirstTry is not an independently hosted application. It is entirely dependent on Atlassian Forge as its hosting platform.

No independent infrastructure exists. The application:

  • Runs within Atlassian's Forge runtime (managed Node.js environment)
  • Accesses Jira Cloud exclusively via Atlassian's OAuth2-protected requestJira() API
  • Persists data using Atlassian's Forge Storage service (Atlassian-managed database)
  • Does not operate its own servers, databases, or network infrastructure

Consequence: ALL infrastructure, compliance, availability, and security guarantees are contingent on Atlassian Forge SLA and terms of service.

Forge CLI Version and Runtime Record

Evidence generation context:

  • Forge CLI version used for deployment and testing: See evidence bundle git history
  • Runtime: Atlassian Forge managed Node.js runtime
  • Deployment: Automated via forge deploy (Atlassian-hosted CI pipeline)

Note: Runtime version is controlled by Atlassian; patch and minor version updates are deployed transparently by Atlassian without explicit end-user control.

Encryption In Transit and At Rest

In Transit

  • Protocol: TLS 1.3 (Atlassian Forge default)
  • Enforcement: Forge platform enforces TLS for all API calls to Jira
  • Certificate validation: Delegated to Forge runtime
  • Reference: Atlassian security documentation (link to be pinned: https://www.atlassian.com/trust/security)

At Rest

  • Forge Storage encryption: AES-256 (Atlassian platform-provided)
  • Encryption key management: Atlassian-managed; keys not exposed to application
  • Caveat: Application assumes Atlassian encryption; no independent verification performed
  • Reference: Atlassian Forge Storage documentation (link to be pinned: https://developer.atlassian.com/cloud/forge/manifest-reference/storage/)

Data Residency

Residency statement (EXACT):

Processing follows the customer's Atlassian site region configuration; the app does not override residency.

Detail:

  • Jira Cloud site is configured by the customer to a specific region (US, EU, APAC, etc.) during setup
  • FirstTry app inherits this residency from Jira Cloud
  • Forge Storage persistence is in the same region as the Jira Cloud site
  • Application code does NOT implement region-selection logic; all data handling is region-agnostic

Customer responsibility: Selecting appropriate region during Atlassian Cloud account setup.

Availability and SLA Dependency

Guarantee by FirstTry: None.

Dependency on Atlassian Forge SLA:

  • Forge API availability target: See Atlassian Service Level Agreement (pinned URL: https://www.atlassian.com/legal/service-level-agreement)
  • If Forge is unavailable, FirstTry is unavailable
  • If Jira Cloud is unavailable, FirstTry cannot access data

Application responsibility: Fail-closed design (errors are explicit; no hidden failures).

Subprocessors and Third Parties

FirstTry subprocessors:

  • Atlassian Forge platform (primary)
  • Atlassian Jira Cloud (data source)

Atlassian's subprocessors (relevant to Forge):

  • See public list at: Pinned URL: https://www.atlassian.com/legal/subprocessors (note: specific CDNs, logging aggregators, DDoS providers documented there)

FirstTry caveat: We do not independently control or validate Atlassian's subprocessor list. Changes to Atlassian's subprocessors are outside our change management process.

Update Triggers

FirstTry documentation and evidence are updated under the following triggers:

Standard Review (Annual)

  • Once per calendar year, review this document for accuracy against Atlassian's published terms.

Material Change Interim Trigger

  • Within 30 days of Atlassian publishing a material change notice relevant to:
    • Forge hosting, runtime, or infrastructure security
    • Forge Storage encryption or key management
    • Regional availability or data residency
    • Subprocessor additions/changes affecting Forge
    • OAuth2 API security or scope definitions

Action: Update this document and regenerate evidence bundle via bash tools/generate_enterprise_evidence.sh.

Last Reviewed Date

This document reviewed against Atlassian terms: 2026-02-26

References