Security

How we protect your data.

Security is foundational to how TrueStory is built. As a tool that connects to your Jira and Salesforce environments, we take data protection seriously. This page outlines our security architecture, data handling practices, and the controls we have in place.

Architecture

TrueStory is built on Atlassian Forge, a serverless compute platform that runs inside Atlassian's infrastructure. This means:

No external servers: TrueStory code executes within Forge's sandboxed runtime. For the Jira app, we do not operate separate servers or databases that process your Jira or Salesforce data outside of Atlassian Forge. The Pro tier's optional AI feature sends story context to your chosen AI provider (Anthropic, OpenAI, or Google) using your own API key (BYOK). This is opt-in and no AI processing occurs without explicit configuration.
Data residency: All application data is stored in Forge Storage, which inherits Atlassian's data residency and compliance controls.
Network isolation: Forge apps run in isolated containers with controlled egress. TrueStory is designed to communicate only with Atlassian and your authorized Salesforce org. Any additional egress destinations would be disclosed in our documentation and subprocessors list.

Authentication & Authorization

Salesforce Connection

TrueStory connects to Salesforce via OAuth 2.0 authorization code flow
We never see or store your Salesforce username or password
OAuth tokens are stored encrypted in Forge Storage, scoped to your Jira site
Token refresh is handled automatically; tokens are not shared across sites
You can revoke access at any time from Salesforce Setup → Connected Apps

Jira Permissions

TrueStory requests only the Jira scopes needed to read issue descriptions and display panels
Access is governed by your Jira project permissions. Users can only verify stories they can view
Admin installation is required; individual users cannot install TrueStory independently

Data Handling

What We Process

Data Type	Processing	Storage
Jira issue descriptions	Parsed in-memory to extract AC text	Not intentionally stored (processed transiently in the Forge runtime)
Salesforce metadata	Queried via Tooling API for verification	Metadata index cached in Forge Storage
Behavioral test records	Created temporarily, then deleted on a best-effort basis	Not stored in Forge Storage (exist only in your Salesforce org during testing)
Verification results	Requirement identifiers, outcomes, and minimal diagnostic metadata	Up to 50 runs per Jira issue in Forge Storage
OAuth tokens	Used for API authentication	Encrypted in Forge Storage

What We Do NOT Access

TrueStory does not intentionally read or process existing Salesforce business records (opportunities, contacts, accounts, etc.). However, inserting test records may trigger customer-configured automations (Flows, Apex triggers) that interact with existing data
We do not access Salesforce files, attachments, or documents
We do not access other Jira data beyond the specific issue being verified
We do not export or transmit your data to third-party services outside of Atlassian Forge and your connected Salesforce org

Behavioral Test Safety

TrueStory's behavioral tests create temporary records to verify that validation rules fire correctly. These tests follow strict safety protocols:

Where supported by the object, test records include a [TRUESTORY-TEST] marker in the Name field or another standard text field. This marker is applied on a best-effort basis and may not be available for every object type
TrueStory attempts to delete every test record after the test completes, regardless of pass/fail result. If deletion fails, we attempt to report cleanup failures when detected
Tests target only the specific object and fields referenced in the acceptance criteria
Test operations respect your org's field-level security and sharing rules
We strongly recommend connecting a Salesforce sandbox environment. Test record creation may trigger customer-configured automations (Flows, Apex triggers, Process Builder rules)

Infrastructure Security

Encryption in transit: All communication between TrueStory, Jira, and Salesforce uses TLS 1.2+
Encryption at rest: Forge Storage data is encrypted at rest using Atlassian's encryption standards
No persistent compute: Forge functions are stateless and ephemeral. No long-running processes or persistent connections
Execution timeout: Forge resolvers have short execution timeouts enforced by the platform, preventing runaway processes
Storage limits: Forge Storage enforces per-key size limits, naturally constraining data accumulation
Access controls: Access to our internal systems (support email, admin accounts) is restricted to authorized personnel and protected by MFA

Compliance

TrueStory inherits the compliance posture of the Atlassian Forge platform, which includes:

SOC 2 Type II (Atlassian Cloud)
ISO 27001 (Atlassian Cloud)
Atlassian Cloud supports GDPR requirements and offers data residency controls. TrueStory runs on Forge and inherits those controls.

For details on Atlassian's compliance certifications and security practices, refer to Atlassian's compliance documentation. Revenue Mechanics LLC is committed to maintaining appropriate security controls and will pursue independent certifications as the product matures.

Vulnerability Reporting

If you discover a security vulnerability in TrueStory, please report it responsibly by emailing security@revmech.ai with the subject line “Security Vulnerability Report.” Please include a description of the vulnerability, steps to reproduce, and any relevant screenshots or logs. We will acknowledge receipt within 48 hours and provide a remediation timeline.

We support good-faith security research and will not pursue legal action against researchers who report vulnerabilities responsibly and in accordance with this policy.

Questions

For security-related questions or to request additional information about our security practices, contact security@revmech.ai.