Atlassian Cloud Apps privacy policy

miniOrange Atlassian Cloud Apps Privacy Policy

Effective Date: October 10, 2025

Last Updated: October 10, 2025


1. Introduction

    At miniOrange, we never compromise Security – We secure IT Right! Our primary goal is to have a secure connection between people and technology. miniOrange believes in creating products and services that are secure, resilient, and assured. miniOrange ("We", "Us", "Company") is committed to protecting your privacy and ensuring the security of your personal information.

    This Privacy Policy describes the security policies and measures taken to protect Personally Identifiable Information. We have implemented various security measures to protect all personal information in accordance with industry standards. This Privacy Policy also explains how we collect, use, store, and safeguard your personal data ("Personal Data") when you interact with our services, including:

    • miniOrange Atlassian Cloud Apps, and downloadable products ("Apps")
    • Websites and support portals
    • Any other interactions with miniOrange, including email, chat, or video communications

    Your privacy rights are important to us. If you do not agree to this Privacy Policy, please reach out to us. This Policy is designed in alignment with global privacy regulations, including the General Data Protection Regulation (GDPR) and other applicable local privacy laws.

    While miniOrange is not yet formally certified under the GDPR compliance framework, we adhere to the principles, rights, and obligations outlined in GDPR and implement equivalent safeguards across all Atlassian Cloud Apps and related services.

    Note: For Data Center or on-premise apps, all data is stored and processed within your environment, so this Privacy Policy is applicable only to miniOrange Cloud Apps. Data for on-premise apps remains fully under your control, and miniOrange does not access, store, or process it externally.

2. Who We Are

    miniOrange is a global provider of identity and access management solutions, offering secure solutions on the Atlassian Marketplace for both Data Center and Cloud, and other enterprise platforms.

    Registered Office:
    1621 Central Ave,
    Cheyenne, WY 82001

    Contact Email: atlassiansupport@xecurify.com

    We ensure compliance by maintaining a high standard of data protection and transparency.

3. Roles and Responsibilities

    miniOrange acts as both:

    • Data Processor: For organizational customers using our Apps through their Atlassian instances.
    • Data Controller: For personal interactions, direct subscriptions, or support requests submitted directly to miniOrange.

    Your privacy is important to us. Your personal information will only be used to update you on our products and services.

4. Data Handling

    General principles that apply to all listed cloud apps:

    • miniOrange adheres to data minimization: each app collects only the minimal fields required for operation.
    • All cloud apps execute and store data within Atlassian Cloud or the Forge runtime. However, for some apps built on Connect or Forge remote architecture, limited processing and storage may occur on secure miniOrange servers (AWS) outside the Atlassian Cloud.
    • Only minimal configuration data - such as service account emails, API tokens, or SSO/SCIM configurations - is encrypted and securely stored for functional purposes. No Atlassian-hosted customer content (issues, attachments, or workspace data) is replicated externally.
    • Administrators of the customer’s Atlassian instance control most end-user data via Atlassian’s admin console; miniOrange cannot read or export issue/page content beyond the scopes granted for app functionality.
    • Default retention windows, encryption, access and deletion behaviors are specified for each app below. Where an app includes configurable retention or logging options, the admin can reduce or extend retention within the app’s settings (if provided).

    Data types stored:

    • Certain apps may store admin or service account emails and API tokens and credentials to enable secure integration and operations.
    • Some apps may process user identifiers (email or account IDs) in audit logs to trace operations, generate reports, or support workflows.
    • Some apps retain SSO configuration data, where applicable.
    • Operational or production logs may include timestamps or IP addresses when required for troubleshooting; these are typically retained for short periods (e.g., 30 - 90 days) and purged thereafter.
    • Audit logs generally record minimal identifiers (e.g., account IDs) rather than full personal data.
    • Some functionality may process minimal external user data (such as email addresses) outside Atlassian for notifications or communications, where required.
    • Other configuration or admin data may be temporarily stored outside Atlassian Forge for integration purposes with third-party services (e.g., Okta, Entra ID).

    Common operational & security practices for all cloud apps

    • Temporary credential handling (API tokens / service accounts)
      • Encryption: All tokens and credentials required by cloud apps are encrypted at rest (AES-256) in Forge storage and are only accessible to the app runtime.
      • Forge apps: all data is stored and processed within the Atlassian environment. Connect apps: stored data is encrypted.
      • Minimal scope & least privilege: Administrators are guided to create service accounts with the smallest scope necessary for the app’s functions. In cases where API token scoping is not fully supported, administrators are advised to follow best practices by using tokens securely and limiting access through other available controls.
      • Rotation & revocation: Admins are encouraged to rotate tokens periodically. If an admin revokes a token or removes configuration.
      • Support access: miniOrange does not access your tokens during routine support activities. Tokens are used strictly for their intended and predefined purposes.
    • Retention defaults & uninstall behavior
      • Temporary operation data (staging buffers): Purged automatically after job completion or within 24 hours to permit retries.
      • Audit & operational logs: Retained by default for 30–90 days depending on severity and app; retention is configurable where the app provides admin settings.
      • Uninstall retention window: Default post-uninstall retention for any remaining app data (audit logs, minimal config metadata) is 90 days for recovery purposes unless the admin requests immediate purge. This allows customers to reinstall without losing essential configurations. Customers may request immediate deletion via support.
      • Permanent deletion: Where requested and when no legal obligation requires retention, miniOrange will delete stored app configuration and logs and confirm deletion.
      • Automatic deletion: Certain apps may automatically delete stored data upon uninstallation, while others require explicit admin requests to remove retained information.
    • Access control, least privilege & admin roles
      • Apps integrate with Atlassian’s permission model - only users who are site admins or hold authorized roles can configure or run admin operations.
      • miniOrange minimizes any elevated access: app scopes are restricted to those required for the app operations and are visible during installation/authorization.
    • Logging, monitoring & auditing
      • All configuration changes, token usage, and admin actions are logged by most of the apps. Logs may include timestamps, minimal user identifiers (account IDs), or admin actions to support troubleshooting and compliance.
      • Logs are retained for the configured interval and are available to admins for review and to support compliance requests. Where required for legal obligations or incident response, logs may be retained longer.
    • Encryption & key management
      • Transport: All API calls and browser interactions use TLS 1.2+ (TLS 1.3 where available).
      • All sensitive credentials, tokens, and configuration data stored for apps built on the Atlassian Connect Framework are encrypted using AES-256 encryption.
      • Data stored within Atlassian Forge resides securely within Atlassian’s cloud environment. It is managed and protected according to Atlassian’s own security and compliance standards.
    • Subprocessors and third-party integrations
      • The primary runtime / storage subprocessor for these cloud apps is Atlassian Forge (the environment in which the apps execute and store ephemeral state).
      • Some apps may rely on third-party utility services; such external calls are only used when explicitly required and are governed by contracts that include data protection clauses. miniOrange documents subprocessors and will provide details on request.
      • miniOrange requires subprocessors to adhere to equivalent security and contractual obligations (DPA, SCCs where relevant).
    • Support, troubleshooting & limited access
      • When customers request support that requires diagnostic access, miniOrange will request explicit consent and time-limited access to relevant logs or configurations. All such access is logged and auditable.
    • Data subject requests & how to exercise rights
      • Data that resides in the customer’s Atlassian instance (issues, pages, attachments): Customers/admins should use Atlassian UI and APIs to access, export or delete user content. miniOrange does not have the ability to delete content stored in the customer’s Atlassian tenancy except for app-specific configuration and logs described above.
      • App configuration data or credentials stored by miniOrange in Forge: Data subject requests (access, rectification, deletion) related to these items can be submitted to atlassiansupport@xecurify.com; miniOrange will verify the requestor and process requests promptly and in accordance with GDPR timelines.
      • For cross-tenant data or account-level exports, miniOrange will work with the customer (controller) to facilitate responses to user rights requests.
    • Incident response, breach notifications & cooperation
      • miniOrange maintains an incident response plan. In the unlikely event of a security incident affecting customer data stored by the app, miniOrange will:
        • Triage and contain the incident immediately.
        • Notify the affected customer contact(s) and, if required by law, supervisory authorities within the timelines mandated by applicable law (e.g., GDPR 72-hour notification standard where applicable).
        • Provide remediation details, impact assessment, and mitigation steps.
        • Cooperate with Atlassian and other relevant subprocessors in forensic investigation.
      • Customers are notified via the contact method on file; urgent incidents are also escalated via phone if available.
    • Security testing & vulnerability disclosure
      • miniOrange performs code reviews, dependency management, and scheduled vulnerability scans for the apps. Critical vulnerabilities are fixed according to an established SLA.
      • A vulnerability disclosure process (contactable via atlassiansupport@xecurify.com or the support channel) allows external researchers or customers to report security issues; miniOrange provides coordinated disclosure and remediation steps.
    • Privacy by design & DPIA (Data Protection Impact Assessment)
      • For apps that perform broader scanning (e.g., DLP), miniOrange performs DPIAs to evaluate privacy risks and implement mitigation (redaction, minimizing scans to metadata, admin controls) and documents outcomes on request.

    Data Collection Methods:

    • Direct interactions when downloading or configuring Apps
    • Subscriptions or service requests
    • Marketing requests and communications
    • Emails, chat, video calls, or phone conversations
    • Feedback, surveys, or polls

5. Information We Collect

    5.1 Information You Provide

    We may collect:

    • Name, email, company, role, and location
    • Billing and subscription information
    • API tokens and SSO configuration
    • Communications via support portal, email, or other channels

    5.2 Information Collected Automatically

    • IP addresses
    • App usage metrics, feature interactions, timestamps
    • Cookies

    5.3 Information from Atlassian Platforms

    • License and subscription information
    • Administrator contact details collected via Atlassian Marketplace

    All data collected is limited to what is necessary for the functionality and support of our Services.

6. Purposes of Data Collection

miniOrange processes your Personal Data for:

  • Service Delivery: Delivering, maintaining, and improving Apps and Services
  • User Authentication: Enabling SSO and secure login
  • Subscription Management: Billing, license verification, and renewals
  • Security and Compliance: Audit logs, monitoring, and threat detection
  • Customer Support: Responding to inquiries, troubleshooting, and resolving issues
  • Product Updates: Sending updates, newsletters, and promotions (with consent)
  • Legal Obligations: Complying with applicable laws, regulations, or requests

7. Legal Basis for Processing


miniOrange relies on the following legal bases for processing Personal Data:

  • Consent (GDPR Art. 6.1(a)): When you voluntarily opt-in to communications or data collection
  • Contractual Necessity (GDPR Art. 6.1(b)): To perform obligations under your subscription or app license
  • Legal Obligations (GDPR Art. 6.1(c)): To comply with applicable laws or regulatory requirements
  • Security and Compliance: Audit logs, monitoring, and threat detection
  • Legitimate Interests (GDPR Art. 6.1(f)): To improve Services, ensure security, and protect user rights

When acting as a data processor, miniOrange only processes Personal Data on behalf of our customers. While miniOrange currently follows GDPR-aligned practices, formal certification or registration under GDPR or similar frameworks is in progress.

8. Data Sharing

miniOrange only shares Personal Data in limited circumstances:

  • Legal Requirement: When required by law, court order, or government authority
  • Safety and Security: To protect rights, property, or personal safety of users or others
  • Third-Party Service Providers: Only under strict contractual obligations for processing services
  • Corporate Changes: Mergers, acquisitions, or asset sales, ensuring Personal Data remains protected

International Transfers:

Data primarily remains within its designated region, and any cross-border transfers (if applicable) are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards.

9. Data Storage, Retention, and Deletion

  • On-Premise / Downloadable Apps: All data remains within the user’s systems. miniOrange does not access or transfer this data externally.
  • Atlassian Cloud Apps: For Atlassian Marketplace Cloud Apps, customer data is processed within the Atlassian Cloud environment (Forge Apps) or, where required, in miniOrange-managed cloud infrastructure (e.g., AWS) for Connect Apps. Data is stored only as long as necessary to provide app functionality, support user subscriptions, ensure business continuity, and meet legal or security obligations.
  • Third-Party Service Providers: Only under strict contractual obligations for processing services
  • Support Tickets: Support tickets and related correspondence are handled via Atlassian Cloud (Jira Service Management) and Google Workspace (Gmail). These systems store information in line with their respective privacy and retention policies. Support-related data is retained only until issue resolution, closure, or as legally required.
  • Data Retention: Retention periods vary based on data type and app functionality:
    • Admin/service credentials and SSO configurations: Stored securely (encrypted) and retained until explicitly deleted or app uninstallation.
    • Audit and operational logs: Retained typically for 30 days, with some apps allowing configurable retention up to 90 days.
    • External communication data: Certain user identifiers (e.g., email addresses) may be processed temporarily outside Atlassian environments for notifications and securely deleted thereafter.
  • Uninstallation & Backups: Upon uninstallation, most apps automatically purge stored data; others retain minimal configuration or logs until explicit deletion is requested. Encrypted system-level backups are maintained solely for operational continuity and disaster recovery, retained for up to 7 days, and automatically purged. Backup data is excluded from analytics or operational use.
  • Data Deletion Requests: Users may request deletion of their personal data under GDPR’s “right to erasure.” Upon verification, miniOrange deletes or anonymizes data within its control and coordinates with relevant third-party processors (e.g., Atlassian, Google) to the extent technically feasible.
  • miniOrange stores data only as long as necessary for:
    • App functionality and user subscriptions
    • Compliance with legal obligations
    • Security audits and business continuity

10. Cookies and Tracking

Information We Collect

Information You Provide:
You may voluntarily share information such as your name, email address, or credentials when using our websites or services. This information is only required to access specific resources, pages, or user groups. Most areas of our websites remain accessible without providing personal details.

Automatically Collected Information:
During your visit, our websites may automatically collect technical data such as browser type, operating system, pages visited, clicked links, and IP address. This helps us understand website performance and improve usability. You can choose to accept or decline cookies in your browser settings.

Use of Information

We use collected information to:

  • Provide and improve our products and services
  • Enhance user experience and website functionality
  • Communicate updates, features, or relevant product information

Cookies in Our Apps

Our Atlassian Marketplace apps create and process only essential cookies required for core app functionality.

  • No marketing, advertising, or behavioral tracking cookies are used.
  • Any cookies on our public websites (outside the apps) are set only with user consent.

Managing and Withdrawing Consent

You can delete or block cookies anytime using your browser settings.

If you wish to withdraw consent, simply clear cookies from your browser and adjust settings to block future cookies. Cookies help identify general user activity but do not provide access to your computer or personal files.

Data Retention and Deletion

We comply with the GDPR Right to Erasure. Users can request deletion or access to their data at any time by contacting us. Requests are processed promptly and in accordance with applicable laws.

Third-Party Links and Usage

Our websites may contain links to third-party platforms. We do not store user data on these platforms. Limited data (e.g., email, profile identifiers) may be processed temporarily to facilitate support or communication. We may track aggregate interaction data such as features accessed, files uploaded, and links clicked to improve product functionality.


Testimonials

We may publish customer testimonials that include personal data (e.g., name, feedback). Consent is always obtained via email prior to posting, and users may withdraw consent at any time without affecting the lawfulness of prior processing.


Surveys and Feedback

We may occasionally invite users to participate in surveys or feedback programs. Participation is completely voluntary. Contact information (such as email or phone number) may be requested solely to share updates or improvements based on user feedback.

11. Third-Party Links and Services


miniOrange Apps or Websites may integrate with third-party services, platforms, or tools.

  • Integration Purposes: To enable features such as SSO, analytics, notifications, backups, and automation.
  • Data Handling: Personal Data is not shared externally unless necessary for the app functionality or service operation.
  • Testimonials & Reviews: We may publish customer testimonials or reviews on our website and related pages. If you wish for your testimonial or personal information to be removed, please contact us, and we will promptly take the necessary action.
  • Surveys, Contests, and Feedback: Participation is voluntary; collected data is used solely to improve Services.
  • External Links: Our Websites or Apps may contain links to third-party sites. miniOrange is not responsible for the privacy practices of these sites; please review their policies independently.

12. Security Measures

miniOrange implements robust security practices to protect Personal Data:

  • Access Control: Only authorized personnel with signed NDAs can access sensitive data.
  • Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit.
  • Monitoring & Audits: Regular vulnerability scans, penetration testing, and security audits.
  • Backups & Disaster Recovery: Daily backups with tested recovery processes to prevent data loss.
  • User Responsibilities: Users must keep credentials confidential. miniOrange is not liable for unauthorized access due to user negligence.

13. User Rights

miniOrange ensures users can exercise their legal rights under GDPR and other applicable laws:

    GDPR Rights

    • Right to Access: Request details of Personal Data we hold.
    • Right to Rectification: Correct inaccurate or incomplete data within 72 hours.
    • Right to Erasure (“Right to be Forgotten”): Request deletion of Personal Data if no legal reason exists to retain it.
    • Right to Restrict Processing: Limit processing of your data; note this may affect App functionality.
    • Right to Object: Object to processing for direct marketing, data aggregation, or analytics.
    • Right to Withdraw Consent: Revoke previously given consent for communications or data collection.
    • Right to Lodge Complaints: Contact miniOrange or supervisory authorities regarding data concerns.

    Other Rights include:

    • Right to Know: Learn categories and specific pieces of Personal Data collected.
    • Right to Access: Obtain a copy of your Personal Data.
    • Right to Correct: Request corrections to inaccurate data.
    • Right to Delete: Request deletion of collected data.
    • Right to Opt-Out: Choose not to have data sold (miniOrange does not sell Personal Data).

    Submitting Requests:

    Email atlassiansupport@xecurify.com. Identity verification may be required before fulfilling requests.

14. Acceptable Use

miniOrange Apps must be used in compliance with Atlassian’s Acceptable Use Policy and relevant laws:

Prohibited actions include:

  • Disruption: Hacking, tampering, reverse engineering, or attempting unauthorized access.
  • Wrongful Activities: Stalking, harassment, violating privacy, or using Services for illegal purposes.
  • Inappropriate Communications: Spam, unsolicited marketing, threats, or offensive content.
  • Inappropriate Content: Posting content that is illegal, defamatory, discriminatory, or harmful.
  • AI Misuse: Misleading use of AI services, generating disinformation, or impersonation.
  • Violations may result in account suspension, data removal, or legal action.

15. Changes to This Privacy Policy

  • miniOrange may update this Policy periodically to reflect changes in laws, services, or security practices.
  • Substantial changes will be posted prominently and communicated to users when appropriate.
  • Users should review this Policy regularly to stay informed of updates.

16. Contact Information

For privacy inquiries, requests, or complaints, contact:

17. Acknowledgement

By using miniOrange Apps, Websites, or Services, you acknowledge that:

  • You have read and understood this Privacy Policy.
  • You consent to the collection, use, and processing of your Personal Data as described.
  • You will comply with the Acceptable Use Policy and applicable laws.